Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
26-12-2024 07:17
General
-
Target
bd701f5de0b7b5bfa06088d76f868e944858a57141b977d0e079836635037f6f.exe
-
Size
54KB
-
MD5
b811c51873a98c783ac102140f14a5db
-
SHA1
d2e5683d0e1771ce6b79a952bb3c410cd15e4651
-
SHA256
bd701f5de0b7b5bfa06088d76f868e944858a57141b977d0e079836635037f6f
-
SHA512
69c42f8c50f39d15ef79033152e6fa27d246859b2d1c56d1a680e7b4f1dfb92755b0d63bdb824622d345f3e28117fa078b77d506b7313419d351fce3d59b50b3
-
SSDEEP
1536:mAocdpeVoBDulhzHMb7xNAa04Mcg5IKvlNJV2:0cdpeeBSHHMHLf9RyIET2
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 58 IoCs
-
Executes dropped EXE 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd701f5de0b7b5bfa06088d76f868e944858a57141b977d0e079836635037f6f.exe"C:\Users\Admin\AppData\Local\Temp\bd701f5de0b7b5bfa06088d76f868e944858a57141b977d0e079836635037f6f.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\jvjdj.exec:\jvjdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3nbbbh.exec:\3nbbbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\k84466.exec:\k84466.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\488006.exec:\488006.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxllrrf.exec:\xxllrrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpppp.exec:\vpppp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjpvd.exec:\pjpvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjpvp.exec:\vjpvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rffrrlr.exec:\rffrrlr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhtnb.exec:\hbhtnb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\640066.exec:\640066.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6466262.exec:\6466262.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\k82022.exec:\k82022.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjpjd.exec:\jjpjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpjdp.exec:\vpjdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\a0602.exec:\a0602.exe17⤵
- Executes dropped EXE
-
\??\c:\lfxlllx.exec:\lfxlllx.exe18⤵
- Executes dropped EXE
-
\??\c:\m2000.exec:\m2000.exe19⤵
- Executes dropped EXE
-
\??\c:\xlrfxll.exec:\xlrfxll.exe20⤵
- Executes dropped EXE
-
\??\c:\26840.exec:\26840.exe21⤵
- Executes dropped EXE
-
\??\c:\flrlflf.exec:\flrlflf.exe22⤵
- Executes dropped EXE
-
\??\c:\nhnttn.exec:\nhnttn.exe23⤵
- Executes dropped EXE
-
\??\c:\46640.exec:\46640.exe24⤵
- Executes dropped EXE
-
\??\c:\2622622.exec:\2622622.exe25⤵
- Executes dropped EXE
-
\??\c:\828402.exec:\828402.exe26⤵
- Executes dropped EXE
-
\??\c:\8022684.exec:\8022684.exe27⤵
- Executes dropped EXE
-
\??\c:\lfrxffl.exec:\lfrxffl.exe28⤵
- Executes dropped EXE
-
\??\c:\8240044.exec:\8240044.exe29⤵
- Executes dropped EXE
-
\??\c:\48000.exec:\48000.exe30⤵
- Executes dropped EXE
-
\??\c:\w86200.exec:\w86200.exe31⤵
- Executes dropped EXE
-
\??\c:\8208024.exec:\8208024.exe32⤵
- Executes dropped EXE
-
\??\c:\008866.exec:\008866.exe33⤵
- Executes dropped EXE
-
\??\c:\q48468.exec:\q48468.exe34⤵
- Executes dropped EXE
-
\??\c:\ffrrflx.exec:\ffrrflx.exe35⤵
- Executes dropped EXE
-
\??\c:\820628.exec:\820628.exe36⤵
- Executes dropped EXE
-
\??\c:\hhnhht.exec:\hhnhht.exe37⤵
- Executes dropped EXE
-
\??\c:\rrxxffr.exec:\rrxxffr.exe38⤵
- Executes dropped EXE
-
\??\c:\9vpjv.exec:\9vpjv.exe39⤵
- Executes dropped EXE
-
\??\c:\a6844.exec:\a6844.exe40⤵
- Executes dropped EXE
-
\??\c:\vvjjv.exec:\vvjjv.exe41⤵
- Executes dropped EXE
-
\??\c:\k86644.exec:\k86644.exe42⤵
- Executes dropped EXE
-
\??\c:\7pdvd.exec:\7pdvd.exe43⤵
- Executes dropped EXE
-
\??\c:\vdvdp.exec:\vdvdp.exe44⤵
- Executes dropped EXE
-
\??\c:\1ffllrl.exec:\1ffllrl.exe45⤵
- Executes dropped EXE
-
\??\c:\48060.exec:\48060.exe46⤵
- Executes dropped EXE
-
\??\c:\jjddp.exec:\jjddp.exe47⤵
- Executes dropped EXE
-
\??\c:\66624.exec:\66624.exe48⤵
- Executes dropped EXE
-
\??\c:\822800.exec:\822800.exe49⤵
- Executes dropped EXE
-
\??\c:\o028628.exec:\o028628.exe50⤵
- Executes dropped EXE
-
\??\c:\vjpdj.exec:\vjpdj.exe51⤵
- Executes dropped EXE
-
\??\c:\3jvjp.exec:\3jvjp.exe52⤵
- Executes dropped EXE
-
\??\c:\1hntbh.exec:\1hntbh.exe53⤵
- Executes dropped EXE
-
\??\c:\486264.exec:\486264.exe54⤵
- Executes dropped EXE
-
\??\c:\82484.exec:\82484.exe55⤵
- Executes dropped EXE
-
\??\c:\5nhntt.exec:\5nhntt.exe56⤵
- Executes dropped EXE
-
\??\c:\pjjjp.exec:\pjjjp.exe57⤵
- Executes dropped EXE
-
\??\c:\602044.exec:\602044.exe58⤵
- Executes dropped EXE
-
\??\c:\42440.exec:\42440.exe59⤵
- Executes dropped EXE
-
\??\c:\4488468.exec:\4488468.exe60⤵
- Executes dropped EXE
-
\??\c:\3frxxff.exec:\3frxxff.exe61⤵
- Executes dropped EXE
-
\??\c:\u824224.exec:\u824224.exe62⤵
- Executes dropped EXE
-
\??\c:\002468.exec:\002468.exe63⤵
- Executes dropped EXE
-
\??\c:\260682.exec:\260682.exe64⤵
- Executes dropped EXE
-
\??\c:\9hhbhh.exec:\9hhbhh.exe65⤵
- Executes dropped EXE
-
\??\c:\82262.exec:\82262.exe66⤵
-
\??\c:\dpddd.exec:\dpddd.exe67⤵
-
\??\c:\3nbtbn.exec:\3nbtbn.exe68⤵
-
\??\c:\ddppd.exec:\ddppd.exe69⤵
-
\??\c:\4248480.exec:\4248480.exe70⤵
-
\??\c:\dvpvv.exec:\dvpvv.exe71⤵
-
\??\c:\5vpvd.exec:\5vpvd.exe72⤵
-
\??\c:\a0660.exec:\a0660.exe73⤵
-
\??\c:\xllrlrr.exec:\xllrlrr.exe74⤵
-
\??\c:\m8624.exec:\m8624.exe75⤵
-
\??\c:\llrxrxr.exec:\llrxrxr.exe76⤵
-
\??\c:\486260.exec:\486260.exe77⤵
-
\??\c:\6066880.exec:\6066880.exe78⤵
-
\??\c:\s8000.exec:\s8000.exe79⤵
-
\??\c:\6042606.exec:\6042606.exe80⤵
-
\??\c:\4406622.exec:\4406622.exe81⤵
-
\??\c:\i684088.exec:\i684088.exe82⤵
-
\??\c:\3htbtn.exec:\3htbtn.exe83⤵
-
\??\c:\084684.exec:\084684.exe84⤵
-
\??\c:\82844.exec:\82844.exe85⤵
-
\??\c:\42882.exec:\42882.exe86⤵
-
\??\c:\dvjjp.exec:\dvjjp.exe87⤵
- System Location Discovery: System Language Discovery
-
\??\c:\862882.exec:\862882.exe88⤵
-
\??\c:\pjvvv.exec:\pjvvv.exe89⤵
-
\??\c:\w46288.exec:\w46288.exe90⤵
-
\??\c:\m2646.exec:\m2646.exe91⤵
-
\??\c:\ddjvv.exec:\ddjvv.exe92⤵
-
\??\c:\fxxrrlx.exec:\fxxrrlx.exe93⤵
-
\??\c:\dddjv.exec:\dddjv.exe94⤵
-
\??\c:\xrfxfxx.exec:\xrfxfxx.exe95⤵
-
\??\c:\rlrffxx.exec:\rlrffxx.exe96⤵
-
\??\c:\9nbbtn.exec:\9nbbtn.exe97⤵
-
\??\c:\tthnht.exec:\tthnht.exe98⤵
-
\??\c:\5djjj.exec:\5djjj.exe99⤵
-
\??\c:\220660.exec:\220660.exe100⤵
-
\??\c:\rlfxffr.exec:\rlfxffr.exe101⤵
-
\??\c:\m8624.exec:\m8624.exe102⤵
-
\??\c:\88066.exec:\88066.exe103⤵
-
\??\c:\42208.exec:\42208.exe104⤵
-
\??\c:\e08840.exec:\e08840.exe105⤵
-
\??\c:\5pjjp.exec:\5pjjp.exe106⤵
-
\??\c:\226860.exec:\226860.exe107⤵
-
\??\c:\44424.exec:\44424.exe108⤵
-
\??\c:\xflllff.exec:\xflllff.exe109⤵
-
\??\c:\vppvp.exec:\vppvp.exe110⤵
-
\??\c:\42884.exec:\42884.exe111⤵
-
\??\c:\tthhnh.exec:\tthhnh.exe112⤵
-
\??\c:\jppvd.exec:\jppvd.exe113⤵
-
\??\c:\820222.exec:\820222.exe114⤵
-
\??\c:\04064.exec:\04064.exe115⤵
-
\??\c:\5pdvv.exec:\5pdvv.exe116⤵
-
\??\c:\ttnbhh.exec:\ttnbhh.exe117⤵
-
\??\c:\9jdjp.exec:\9jdjp.exe118⤵
-
\??\c:\9bnntt.exec:\9bnntt.exe119⤵
-
\??\c:\vvddp.exec:\vvddp.exe120⤵
-
\??\c:\04620.exec:\04620.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-