Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
26-12-2024 06:57
General
-
Target
9e9ecdfa61274a25ae56e40793842b137771f10041115a202e37c691d603312d.exe
-
Size
453KB
-
MD5
10f95a9f43eed76f708d4d64d0d60c1a
-
SHA1
848bcaf4e6f0c4c831b3ef4d59e3b9797fc9adc0
-
SHA256
9e9ecdfa61274a25ae56e40793842b137771f10041115a202e37c691d603312d
-
SHA512
5519c53a29f9d83bdf06ce3f8d47229cf57dea9b30c7d70d6d01ef48ce0d452b084e3137291d490d9d1194af76ab7f2e2ac78e5ec0fedfa27e7ebad88a772552
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbet:q7Tc2NYHUrAwfMp3CDt
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 45 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 38 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9e9ecdfa61274a25ae56e40793842b137771f10041115a202e37c691d603312d.exe"C:\Users\Admin\AppData\Local\Temp\9e9ecdfa61274a25ae56e40793842b137771f10041115a202e37c691d603312d.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\xjxjr.exec:\xjxjr.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\ltxhrjh.exec:\ltxhrjh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppdjv.exec:\ppdjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnxdh.exec:\nnxdh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tjfdr.exec:\tjfdr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxlpp.exec:\lxlpp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pflnt.exec:\pflnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fttjb.exec:\fttjb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jxfhndn.exec:\jxfhndn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xbxnnhr.exec:\xbxnnhr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\njvvrpd.exec:\njvvrpd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfljf.exec:\xfljf.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\dlfnp.exec:\dlfnp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\trxvnvl.exec:\trxvnvl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxfhjhj.exec:\xxfhjhj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tfxnf.exec:\tfxnf.exe17⤵
- Executes dropped EXE
-
\??\c:\nrprv.exec:\nrprv.exe18⤵
- Executes dropped EXE
-
\??\c:\jxnht.exec:\jxnht.exe19⤵
- Executes dropped EXE
-
\??\c:\ddfjdpf.exec:\ddfjdpf.exe20⤵
- Executes dropped EXE
-
\??\c:\tvlrl.exec:\tvlrl.exe21⤵
- Executes dropped EXE
-
\??\c:\djxhbvf.exec:\djxhbvf.exe22⤵
- Executes dropped EXE
-
\??\c:\xdrlhpx.exec:\xdrlhpx.exe23⤵
- Executes dropped EXE
-
\??\c:\nndrhdt.exec:\nndrhdt.exe24⤵
- Executes dropped EXE
-
\??\c:\xdfvlxj.exec:\xdfvlxj.exe25⤵
- Executes dropped EXE
-
\??\c:\lxndrf.exec:\lxndrf.exe26⤵
- Executes dropped EXE
-
\??\c:\lltxt.exec:\lltxt.exe27⤵
- Executes dropped EXE
-
\??\c:\vtnjbd.exec:\vtnjbd.exe28⤵
- Executes dropped EXE
-
\??\c:\jtdvf.exec:\jtdvf.exe29⤵
- Executes dropped EXE
-
\??\c:\dhldjv.exec:\dhldjv.exe30⤵
- Executes dropped EXE
-
\??\c:\thlxfd.exec:\thlxfd.exe31⤵
- Executes dropped EXE
-
\??\c:\jjxrvnl.exec:\jjxrvnl.exe32⤵
- Executes dropped EXE
-
\??\c:\vrvrh.exec:\vrvrh.exe33⤵
- Executes dropped EXE
-
\??\c:\hhprx.exec:\hhprx.exe34⤵
-
\??\c:\bxjxl.exec:\bxjxl.exe35⤵
- Executes dropped EXE
-
\??\c:\tbvlvxx.exec:\tbvlvxx.exe36⤵
- Executes dropped EXE
-
\??\c:\dptxr.exec:\dptxr.exe37⤵
- Executes dropped EXE
-
\??\c:\dtpxpt.exec:\dtpxpt.exe38⤵
- Executes dropped EXE
-
\??\c:\vvnlnrj.exec:\vvnlnrj.exe39⤵
- Executes dropped EXE
-
\??\c:\nvddxlx.exec:\nvddxlx.exe40⤵
- Executes dropped EXE
-
\??\c:\njprjh.exec:\njprjh.exe41⤵
- Executes dropped EXE
-
\??\c:\vffjl.exec:\vffjl.exe42⤵
- Executes dropped EXE
-
\??\c:\xtnjx.exec:\xtnjx.exe43⤵
- Executes dropped EXE
-
\??\c:\tbvlr.exec:\tbvlr.exe44⤵
- Executes dropped EXE
-
\??\c:\hnfdlpj.exec:\hnfdlpj.exe45⤵
- Executes dropped EXE
-
\??\c:\xthbnj.exec:\xthbnj.exe46⤵
- Executes dropped EXE
-
\??\c:\txvxtf.exec:\txvxtf.exe47⤵
- Executes dropped EXE
-
\??\c:\fbdnd.exec:\fbdnd.exe48⤵
- Executes dropped EXE
-
\??\c:\xnlxhnf.exec:\xnlxhnf.exe49⤵
- Executes dropped EXE
-
\??\c:\tfpjp.exec:\tfpjp.exe50⤵
- Executes dropped EXE
-
\??\c:\bjhxb.exec:\bjhxb.exe51⤵
- Executes dropped EXE
-
\??\c:\rxfjdjx.exec:\rxfjdjx.exe52⤵
- Executes dropped EXE
-
\??\c:\bddvj.exec:\bddvj.exe53⤵
- Executes dropped EXE
-
\??\c:\rthnpb.exec:\rthnpb.exe54⤵
- Executes dropped EXE
-
\??\c:\jfrjd.exec:\jfrjd.exe55⤵
- Executes dropped EXE
-
\??\c:\nhhrbp.exec:\nhhrbp.exe56⤵
- Executes dropped EXE
-
\??\c:\tfpll.exec:\tfpll.exe57⤵
- Executes dropped EXE
-
\??\c:\phjvpp.exec:\phjvpp.exe58⤵
- Executes dropped EXE
-
\??\c:\nrrjt.exec:\nrrjt.exe59⤵
- Executes dropped EXE
-
\??\c:\hvnjx.exec:\hvnjx.exe60⤵
- Executes dropped EXE
-
\??\c:\tlxdd.exec:\tlxdd.exe61⤵
- Executes dropped EXE
-
\??\c:\phvrlx.exec:\phvrlx.exe62⤵
- Executes dropped EXE
-
\??\c:\rhfvv.exec:\rhfvv.exe63⤵
- Executes dropped EXE
-
\??\c:\xvlpd.exec:\xvlpd.exe64⤵
- Executes dropped EXE
-
\??\c:\txhfnt.exec:\txhfnt.exe65⤵
- Executes dropped EXE
-
\??\c:\xvjfd.exec:\xvjfd.exe66⤵
- Executes dropped EXE
-
\??\c:\rphbl.exec:\rphbl.exe67⤵
-
\??\c:\dhhhjnb.exec:\dhhhjnb.exe68⤵
-
\??\c:\vtlpphp.exec:\vtlpphp.exe69⤵
-
\??\c:\fjppl.exec:\fjppl.exe70⤵
-
\??\c:\nfxjnv.exec:\nfxjnv.exe71⤵
-
\??\c:\dbbnj.exec:\dbbnj.exe72⤵
-
\??\c:\bfpxhr.exec:\bfpxhr.exe73⤵
-
\??\c:\rfjdrdh.exec:\rfjdrdh.exe74⤵
-
\??\c:\rxbxp.exec:\rxbxp.exe75⤵
-
\??\c:\nrnrl.exec:\nrnrl.exe76⤵
-
\??\c:\jjrbx.exec:\jjrbx.exe77⤵
- System Location Discovery: System Language Discovery
-
\??\c:\tjnnnjn.exec:\tjnnnjn.exe78⤵
-
\??\c:\pdnbtf.exec:\pdnbtf.exe79⤵
- System Location Discovery: System Language Discovery
-
\??\c:\dvtbpfl.exec:\dvtbpfl.exe80⤵
-
\??\c:\htpjlb.exec:\htpjlb.exe81⤵
-
\??\c:\ftfdj.exec:\ftfdj.exe82⤵
-
\??\c:\jddvnn.exec:\jddvnn.exe83⤵
-
\??\c:\ldhhptl.exec:\ldhhptl.exe84⤵
-
\??\c:\vxdnt.exec:\vxdnt.exe85⤵
-
\??\c:\fthptx.exec:\fthptx.exe86⤵
-
\??\c:\vbdpjdj.exec:\vbdpjdj.exe87⤵
-
\??\c:\hnnnr.exec:\hnnnr.exe88⤵
-
\??\c:\tdhphr.exec:\tdhphr.exe89⤵
-
\??\c:\nvfdl.exec:\nvfdl.exe90⤵
-
\??\c:\hhbxh.exec:\hhbxh.exe91⤵
-
\??\c:\jflfdb.exec:\jflfdb.exe92⤵
-
\??\c:\pbnvjrb.exec:\pbnvjrb.exe93⤵
- System Location Discovery: System Language Discovery
-
\??\c:\lhvhnrp.exec:\lhvhnrp.exe94⤵
-
\??\c:\pvfdt.exec:\pvfdt.exe95⤵
-
\??\c:\plbhxd.exec:\plbhxd.exe96⤵
-
\??\c:\tdtbt.exec:\tdtbt.exe97⤵
-
\??\c:\bllvf.exec:\bllvf.exe98⤵
-
\??\c:\vthvll.exec:\vthvll.exe99⤵
-
\??\c:\plrtxnv.exec:\plrtxnv.exe100⤵
-
\??\c:\drbdhn.exec:\drbdhn.exe101⤵
-
\??\c:\fxddx.exec:\fxddx.exe102⤵
-
\??\c:\blxvxt.exec:\blxvxt.exe103⤵
-
\??\c:\btjtpp.exec:\btjtpp.exe104⤵
- System Location Discovery: System Language Discovery
-
\??\c:\nrnfbh.exec:\nrnfbh.exe105⤵
-
\??\c:\fvlnrld.exec:\fvlnrld.exe106⤵
-
\??\c:\xtvbdt.exec:\xtvbdt.exe107⤵
-
\??\c:\pjddd.exec:\pjddd.exe108⤵
-
\??\c:\tvfvjh.exec:\tvfvjh.exe109⤵
-
\??\c:\jrlftj.exec:\jrlftj.exe110⤵
-
\??\c:\xhljpp.exec:\xhljpp.exe111⤵
-
\??\c:\xxjtbdb.exec:\xxjtbdb.exe112⤵
-
\??\c:\fxdxjjd.exec:\fxdxjjd.exe113⤵
- System Location Discovery: System Language Discovery
-
\??\c:\bfltprf.exec:\bfltprf.exe114⤵
-
\??\c:\trpdlf.exec:\trpdlf.exe115⤵
-
\??\c:\dnlvlh.exec:\dnlvlh.exe116⤵
- System Location Discovery: System Language Discovery
-
\??\c:\hhnfnbx.exec:\hhnfnbx.exe117⤵
-
\??\c:\rhbnb.exec:\rhbnb.exe118⤵
-
\??\c:\jdjtv.exec:\jdjtv.exe119⤵
-
\??\c:\rdvfv.exec:\rdvfv.exe120⤵
-
\??\c:\xltpth.exec:\xltpth.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-