Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
26-12-2024 07:16
General
-
Target
30a3bc79dae20581b18f0e262172570ad2b41614dad616e8475e9314be34834eN.exe
-
Size
298KB
-
MD5
54df9ac7d36d7ba1259a43c114ec5ce0
-
SHA1
ee9aa1bfbbcf37abe0490c3802099caadd9041ad
-
SHA256
30a3bc79dae20581b18f0e262172570ad2b41614dad616e8475e9314be34834e
-
SHA512
457e144f3402c143fab04b7fdb5cfcd705bc12df45c261c25f716e9b7cd5fe002f53d1d96fa116fd8ff1283e6fd3d76bf9cb54e87c511804f4ffeadf1e0bb9a8
-
SSDEEP
6144:n3C9BRo/AIuuOthLmH403Pyr6UWO6jUl7sPgvs:n3C9uDVOXLmHBKWyn+Pgvs
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 32 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\30a3bc79dae20581b18f0e262172570ad2b41614dad616e8475e9314be34834eN.exe"C:\Users\Admin\AppData\Local\Temp\30a3bc79dae20581b18f0e262172570ad2b41614dad616e8475e9314be34834eN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\4822880.exec:\4822880.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1pdpd.exec:\1pdpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\422660.exec:\422660.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\26680.exec:\26680.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9rlrlrx.exec:\9rlrlrx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjjp.exec:\pjjjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thtbnn.exec:\thtbnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\26680.exec:\26680.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnthh.exec:\btnthh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\u684640.exec:\u684640.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\648466.exec:\648466.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\428800.exec:\428800.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpjjj.exec:\dpjjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\660402.exec:\660402.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fllflll.exec:\fllflll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\64224.exec:\64224.exe17⤵
- Executes dropped EXE
-
\??\c:\e48400.exec:\e48400.exe18⤵
- Executes dropped EXE
-
\??\c:\268800.exec:\268800.exe19⤵
- Executes dropped EXE
-
\??\c:\2028002.exec:\2028002.exe20⤵
- Executes dropped EXE
-
\??\c:\08044.exec:\08044.exe21⤵
- Executes dropped EXE
-
\??\c:\86666.exec:\86666.exe22⤵
- Executes dropped EXE
-
\??\c:\6244446.exec:\6244446.exe23⤵
- Executes dropped EXE
-
\??\c:\q46684.exec:\q46684.exe24⤵
- Executes dropped EXE
-
\??\c:\4268484.exec:\4268484.exe25⤵
- Executes dropped EXE
-
\??\c:\9nhtnn.exec:\9nhtnn.exe26⤵
- Executes dropped EXE
-
\??\c:\6088002.exec:\6088002.exe27⤵
- Executes dropped EXE
-
\??\c:\7dddd.exec:\7dddd.exe28⤵
- Executes dropped EXE
-
\??\c:\rxfrrlr.exec:\rxfrrlr.exe29⤵
- Executes dropped EXE
-
\??\c:\vpddp.exec:\vpddp.exe30⤵
- Executes dropped EXE
-
\??\c:\u626824.exec:\u626824.exe31⤵
- Executes dropped EXE
-
\??\c:\9nbbbh.exec:\9nbbbh.exe32⤵
- Executes dropped EXE
-
\??\c:\646062.exec:\646062.exe33⤵
- Executes dropped EXE
-
\??\c:\2066284.exec:\2066284.exe34⤵
- Executes dropped EXE
-
\??\c:\9thhnn.exec:\9thhnn.exe35⤵
- Executes dropped EXE
-
\??\c:\8666224.exec:\8666224.exe36⤵
- Executes dropped EXE
-
\??\c:\484262.exec:\484262.exe37⤵
- Executes dropped EXE
-
\??\c:\pdpdj.exec:\pdpdj.exe38⤵
- Executes dropped EXE
-
\??\c:\640448.exec:\640448.exe39⤵
- Executes dropped EXE
-
\??\c:\200488.exec:\200488.exe40⤵
- Executes dropped EXE
-
\??\c:\9jvvv.exec:\9jvvv.exe41⤵
- Executes dropped EXE
-
\??\c:\042826.exec:\042826.exe42⤵
- Executes dropped EXE
-
\??\c:\frxxlxf.exec:\frxxlxf.exe43⤵
- Executes dropped EXE
-
\??\c:\djvjj.exec:\djvjj.exe44⤵
- Executes dropped EXE
-
\??\c:\6466228.exec:\6466228.exe45⤵
- Executes dropped EXE
-
\??\c:\7nbbhh.exec:\7nbbhh.exe46⤵
- Executes dropped EXE
-
\??\c:\q64400.exec:\q64400.exe47⤵
- Executes dropped EXE
-
\??\c:\1pddj.exec:\1pddj.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\ffrlrrx.exec:\ffrlrrx.exe49⤵
- Executes dropped EXE
-
\??\c:\fxxrrxf.exec:\fxxrrxf.exe50⤵
- Executes dropped EXE
-
\??\c:\266644.exec:\266644.exe51⤵
- Executes dropped EXE
-
\??\c:\tnhnnt.exec:\tnhnnt.exe52⤵
- Executes dropped EXE
-
\??\c:\ttbntb.exec:\ttbntb.exe53⤵
- Executes dropped EXE
-
\??\c:\u800628.exec:\u800628.exe54⤵
- Executes dropped EXE
-
\??\c:\7dvdp.exec:\7dvdp.exe55⤵
- Executes dropped EXE
-
\??\c:\880688.exec:\880688.exe56⤵
- Executes dropped EXE
-
\??\c:\nhbbtt.exec:\nhbbtt.exe57⤵
- Executes dropped EXE
-
\??\c:\7vjdj.exec:\7vjdj.exe58⤵
- Executes dropped EXE
-
\??\c:\2244002.exec:\2244002.exe59⤵
- Executes dropped EXE
-
\??\c:\o200224.exec:\o200224.exe60⤵
- Executes dropped EXE
-
\??\c:\002802.exec:\002802.exe61⤵
- Executes dropped EXE
-
\??\c:\0480006.exec:\0480006.exe62⤵
- Executes dropped EXE
-
\??\c:\8202440.exec:\8202440.exe63⤵
- Executes dropped EXE
-
\??\c:\80680.exec:\80680.exe64⤵
- Executes dropped EXE
-
\??\c:\0484224.exec:\0484224.exe65⤵
- Executes dropped EXE
-
\??\c:\488840.exec:\488840.exe66⤵
-
\??\c:\42068.exec:\42068.exe67⤵
-
\??\c:\thtttn.exec:\thtttn.exe68⤵
-
\??\c:\ttttbb.exec:\ttttbb.exe69⤵
-
\??\c:\lxllfrl.exec:\lxllfrl.exe70⤵
-
\??\c:\426022.exec:\426022.exe71⤵
-
\??\c:\5nhntb.exec:\5nhntb.exe72⤵
-
\??\c:\3xrxxxl.exec:\3xrxxxl.exe73⤵
-
\??\c:\frllflx.exec:\frllflx.exe74⤵
-
\??\c:\a6440.exec:\a6440.exe75⤵
-
\??\c:\bthhbh.exec:\bthhbh.exe76⤵
-
\??\c:\rlflxxl.exec:\rlflxxl.exe77⤵
-
\??\c:\lfrrffr.exec:\lfrrffr.exe78⤵
-
\??\c:\5vjjj.exec:\5vjjj.exe79⤵
-
\??\c:\08602.exec:\08602.exe80⤵
-
\??\c:\1ppdj.exec:\1ppdj.exe81⤵
-
\??\c:\0462880.exec:\0462880.exe82⤵
-
\??\c:\xrlrxfl.exec:\xrlrxfl.exe83⤵
-
\??\c:\xrflrxl.exec:\xrflrxl.exe84⤵
-
\??\c:\604422.exec:\604422.exe85⤵
-
\??\c:\26840.exec:\26840.exe86⤵
-
\??\c:\hbhnhh.exec:\hbhnhh.exe87⤵
-
\??\c:\hbnntb.exec:\hbnntb.exe88⤵
-
\??\c:\dvjdd.exec:\dvjdd.exe89⤵
-
\??\c:\dpvpd.exec:\dpvpd.exe90⤵
-
\??\c:\24828.exec:\24828.exe91⤵
-
\??\c:\ffrxflr.exec:\ffrxflr.exe92⤵
-
\??\c:\hbnthn.exec:\hbnthn.exe93⤵
-
\??\c:\jvpdj.exec:\jvpdj.exe94⤵
-
\??\c:\fxrxllr.exec:\fxrxllr.exe95⤵
-
\??\c:\6088046.exec:\6088046.exe96⤵
-
\??\c:\rlxrxrf.exec:\rlxrxrf.exe97⤵
-
\??\c:\8680606.exec:\8680606.exe98⤵
-
\??\c:\7rlxffr.exec:\7rlxffr.exe99⤵
-
\??\c:\60468.exec:\60468.exe100⤵
-
\??\c:\vjjjd.exec:\vjjjd.exe101⤵
-
\??\c:\082628.exec:\082628.exe102⤵
-
\??\c:\lfrxffr.exec:\lfrxffr.exe103⤵
- System Location Discovery: System Language Discovery
-
\??\c:\5rxfllr.exec:\5rxfllr.exe104⤵
-
\??\c:\6462062.exec:\6462062.exe105⤵
-
\??\c:\200662.exec:\200662.exe106⤵
-
\??\c:\5jvdj.exec:\5jvdj.exe107⤵
-
\??\c:\nnbtnt.exec:\nnbtnt.exe108⤵
-
\??\c:\5tnbth.exec:\5tnbth.exe109⤵
-
\??\c:\2424846.exec:\2424846.exe110⤵
-
\??\c:\hhhnhb.exec:\hhhnhb.exe111⤵
-
\??\c:\pdjjv.exec:\pdjjv.exe112⤵
-
\??\c:\420288.exec:\420288.exe113⤵
-
\??\c:\5tnntn.exec:\5tnntn.exe114⤵
-
\??\c:\5rlffxl.exec:\5rlffxl.exe115⤵
-
\??\c:\lfrxffr.exec:\lfrxffr.exe116⤵
-
\??\c:\64624.exec:\64624.exe117⤵
-
\??\c:\64068.exec:\64068.exe118⤵
-
\??\c:\lfrxrxl.exec:\lfrxrxl.exe119⤵
-
\??\c:\tnnttb.exec:\tnnttb.exe120⤵
-
\??\c:\rlxrxxf.exec:\rlxrxxf.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-