Analysis
-
max time kernel
109s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
26-12-2024 06:39
General
-
Target
2c90fe875454c4e3a3e0460491e7f690dfa6eabcf9f1ea9b5a565c54d6193f2dN.exe
-
Size
454KB
-
MD5
9905cdebb12c9d809cb654f2ab7e31c0
-
SHA1
2483a8b413242cc138d2a23f7d3a1a2359727167
-
SHA256
2c90fe875454c4e3a3e0460491e7f690dfa6eabcf9f1ea9b5a565c54d6193f2d
-
SHA512
0eac586dffb1287c7e0e99cc488076d58b18cf1f0a7018819ee91c3069aa4c5855b4757321948faae80f1148ea945d8c9d54acc020ccf7c1d4ecb87b69cb41f2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeA:q7Tc2NYHUrAwfMp3CDA
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 42 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 44 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2c90fe875454c4e3a3e0460491e7f690dfa6eabcf9f1ea9b5a565c54d6193f2dN.exe"C:\Users\Admin\AppData\Local\Temp\2c90fe875454c4e3a3e0460491e7f690dfa6eabcf9f1ea9b5a565c54d6193f2dN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\48624.exec:\48624.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\646626.exec:\646626.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjpd.exec:\jjjpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1rrfxlf.exec:\1rrfxlf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\20600.exec:\20600.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\24000.exec:\24000.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvvv.exec:\pjvvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frfxrrx.exec:\frfxrrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3vpdv.exec:\3vpdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9hhbtn.exec:\9hhbtn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djpjj.exec:\djpjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2640280.exec:\2640280.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrfxfl.exec:\rfrfxfl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6482440.exec:\6482440.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\264462.exec:\264462.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\648482.exec:\648482.exe17⤵
- Executes dropped EXE
-
\??\c:\68488.exec:\68488.exe18⤵
- Executes dropped EXE
-
\??\c:\lflfxxl.exec:\lflfxxl.exe19⤵
- Executes dropped EXE
-
\??\c:\xlffrrf.exec:\xlffrrf.exe20⤵
- Executes dropped EXE
-
\??\c:\dpjvp.exec:\dpjvp.exe21⤵
- Executes dropped EXE
-
\??\c:\vvvjp.exec:\vvvjp.exe22⤵
- Executes dropped EXE
-
\??\c:\lxlxrrx.exec:\lxlxrrx.exe23⤵
- Executes dropped EXE
-
\??\c:\420080.exec:\420080.exe24⤵
- Executes dropped EXE
-
\??\c:\20222.exec:\20222.exe25⤵
- Executes dropped EXE
-
\??\c:\lfrflxx.exec:\lfrflxx.exe26⤵
- Executes dropped EXE
-
\??\c:\vjpvd.exec:\vjpvd.exe27⤵
- Executes dropped EXE
-
\??\c:\tttbnt.exec:\tttbnt.exe28⤵
- Executes dropped EXE
-
\??\c:\5dpdp.exec:\5dpdp.exe29⤵
- Executes dropped EXE
-
\??\c:\rfflrlx.exec:\rfflrlx.exe30⤵
- Executes dropped EXE
-
\??\c:\rlxfflx.exec:\rlxfflx.exe31⤵
- Executes dropped EXE
-
\??\c:\4868406.exec:\4868406.exe32⤵
- Executes dropped EXE
-
\??\c:\nbtthn.exec:\nbtthn.exe33⤵
- Executes dropped EXE
-
\??\c:\lrrrxrf.exec:\lrrrxrf.exe34⤵
- Executes dropped EXE
-
\??\c:\xrllrrf.exec:\xrllrrf.exe35⤵
- Executes dropped EXE
-
\??\c:\xxlxrxl.exec:\xxlxrxl.exe36⤵
- Executes dropped EXE
-
\??\c:\hnbhnt.exec:\hnbhnt.exe37⤵
- Executes dropped EXE
-
\??\c:\84624.exec:\84624.exe38⤵
- Executes dropped EXE
-
\??\c:\202226.exec:\202226.exe39⤵
- Executes dropped EXE
-
\??\c:\7tbbbb.exec:\7tbbbb.exe40⤵
- Executes dropped EXE
-
\??\c:\3rxxxfl.exec:\3rxxxfl.exe41⤵
- Executes dropped EXE
-
\??\c:\08888.exec:\08888.exe42⤵
- Executes dropped EXE
-
\??\c:\lxlfrlr.exec:\lxlfrlr.exe43⤵
- Executes dropped EXE
-
\??\c:\26006.exec:\26006.exe44⤵
- Executes dropped EXE
-
\??\c:\vvjjp.exec:\vvjjp.exe45⤵
- Executes dropped EXE
-
\??\c:\3ddjj.exec:\3ddjj.exe46⤵
- Executes dropped EXE
-
\??\c:\62666.exec:\62666.exe47⤵
- Executes dropped EXE
-
\??\c:\24048.exec:\24048.exe48⤵
- Executes dropped EXE
-
\??\c:\264440.exec:\264440.exe49⤵
- Executes dropped EXE
-
\??\c:\hbtthh.exec:\hbtthh.exe50⤵
- Executes dropped EXE
-
\??\c:\0840002.exec:\0840002.exe51⤵
- Executes dropped EXE
-
\??\c:\pjvdj.exec:\pjvdj.exe52⤵
- Executes dropped EXE
-
\??\c:\80082.exec:\80082.exe53⤵
- Executes dropped EXE
-
\??\c:\u040006.exec:\u040006.exe54⤵
- Executes dropped EXE
-
\??\c:\0466222.exec:\0466222.exe55⤵
- Executes dropped EXE
-
\??\c:\5xffrrr.exec:\5xffrrr.exe56⤵
- Executes dropped EXE
-
\??\c:\86840.exec:\86840.exe57⤵
- Executes dropped EXE
-
\??\c:\2460600.exec:\2460600.exe58⤵
- Executes dropped EXE
-
\??\c:\68044.exec:\68044.exe59⤵
- Executes dropped EXE
-
\??\c:\6804666.exec:\6804666.exe60⤵
- Executes dropped EXE
-
\??\c:\w68282.exec:\w68282.exe61⤵
- Executes dropped EXE
-
\??\c:\nhbbbt.exec:\nhbbbt.exe62⤵
- Executes dropped EXE
-
\??\c:\pvjvv.exec:\pvjvv.exe63⤵
- Executes dropped EXE
-
\??\c:\jjvvd.exec:\jjvvd.exe64⤵
- Executes dropped EXE
-
\??\c:\68608.exec:\68608.exe65⤵
- Executes dropped EXE
-
\??\c:\thnhnh.exec:\thnhnh.exe66⤵
-
\??\c:\80228.exec:\80228.exe67⤵
-
\??\c:\028226.exec:\028226.exe68⤵
-
\??\c:\pdppp.exec:\pdppp.exe69⤵
-
\??\c:\46260.exec:\46260.exe70⤵
-
\??\c:\xrxxxxx.exec:\xrxxxxx.exe71⤵
-
\??\c:\64284.exec:\64284.exe72⤵
-
\??\c:\424440.exec:\424440.exe73⤵
-
\??\c:\442806.exec:\442806.exe74⤵
-
\??\c:\dpvjd.exec:\dpvjd.exe75⤵
-
\??\c:\9pvjd.exec:\9pvjd.exe76⤵
-
\??\c:\8688206.exec:\8688206.exe77⤵
-
\??\c:\6882888.exec:\6882888.exe78⤵
-
\??\c:\02884.exec:\02884.exe79⤵
-
\??\c:\fxllrrl.exec:\fxllrrl.exe80⤵
-
\??\c:\ppjdd.exec:\ppjdd.exe81⤵
-
\??\c:\46604.exec:\46604.exe82⤵
- System Location Discovery: System Language Discovery
-
\??\c:\tnbtnb.exec:\tnbtnb.exe83⤵
-
\??\c:\2008002.exec:\2008002.exe84⤵
-
\??\c:\3frrrll.exec:\3frrrll.exe85⤵
-
\??\c:\c644602.exec:\c644602.exe86⤵
-
\??\c:\nbhnhb.exec:\nbhnhb.exe87⤵
-
\??\c:\i426604.exec:\i426604.exe88⤵
-
\??\c:\420000.exec:\420000.exe89⤵
-
\??\c:\jvjjj.exec:\jvjjj.exe90⤵
-
\??\c:\3vpdd.exec:\3vpdd.exe91⤵
-
\??\c:\u662884.exec:\u662884.exe92⤵
-
\??\c:\7xxlfxf.exec:\7xxlfxf.exe93⤵
-
\??\c:\bttbhn.exec:\bttbhn.exe94⤵
-
\??\c:\6028062.exec:\6028062.exe95⤵
-
\??\c:\g8044.exec:\g8044.exe96⤵
-
\??\c:\20888.exec:\20888.exe97⤵
-
\??\c:\m8000.exec:\m8000.exe98⤵
-
\??\c:\rfllllf.exec:\rfllllf.exe99⤵
-
\??\c:\jvjjp.exec:\jvjjp.exe100⤵
-
\??\c:\5ntnnn.exec:\5ntnnn.exe101⤵
-
\??\c:\frflffl.exec:\frflffl.exe102⤵
-
\??\c:\20222.exec:\20222.exe103⤵
-
\??\c:\084066.exec:\084066.exe104⤵
-
\??\c:\086060.exec:\086060.exe105⤵
-
\??\c:\pdjvv.exec:\pdjvv.exe106⤵
-
\??\c:\3jppp.exec:\3jppp.exe107⤵
-
\??\c:\4244628.exec:\4244628.exe108⤵
-
\??\c:\g8628.exec:\g8628.exe109⤵
-
\??\c:\5bhhhh.exec:\5bhhhh.exe110⤵
-
\??\c:\pdppp.exec:\pdppp.exe111⤵
-
\??\c:\jdvjp.exec:\jdvjp.exe112⤵
-
\??\c:\4828008.exec:\4828008.exe113⤵
-
\??\c:\08000.exec:\08000.exe114⤵
-
\??\c:\m2000.exec:\m2000.exe115⤵
-
\??\c:\nhbhtb.exec:\nhbhtb.exe116⤵
-
\??\c:\rlxxflr.exec:\rlxxflr.exe117⤵
-
\??\c:\0848484.exec:\0848484.exe118⤵
-
\??\c:\6840262.exec:\6840262.exe119⤵
-
\??\c:\0880224.exec:\0880224.exe120⤵
-
\??\c:\0462880.exec:\0462880.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-