Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
26-12-2024 08:31
General
-
Target
f4e00fdcf414bb3c2c09617102a4f08232c80eb9c439d1f1cc301007a9945163N.exe
-
Size
454KB
-
MD5
8e0c464984a43ff694affdee178e6330
-
SHA1
cd8b00ceafc63c4fbd3ad8c1158837f3f9762c7f
-
SHA256
f4e00fdcf414bb3c2c09617102a4f08232c80eb9c439d1f1cc301007a9945163
-
SHA512
be7b8f028279f6189e31cb6116358900246df7d3626e0cc3f543a30e4d6bd1fd0c842dff2b93069b72ddb7105edcddb7645b5a5a7d7a8a1271d6e4f9e1f03531
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe3:q7Tc2NYHUrAwfMp3CD3
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 41 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 45 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f4e00fdcf414bb3c2c09617102a4f08232c80eb9c439d1f1cc301007a9945163N.exe"C:\Users\Admin\AppData\Local\Temp\f4e00fdcf414bb3c2c09617102a4f08232c80eb9c439d1f1cc301007a9945163N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\vvppd.exec:\vvppd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhhtb.exec:\tnhhtb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdddj.exec:\jdddj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5xxrxfl.exec:\5xxrxfl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnttt.exec:\hbnttt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjvdj.exec:\vjvdj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7lffllr.exec:\7lffllr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvjp.exec:\jjvjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpvvv.exec:\jpvvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7nbhnb.exec:\7nbhnb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5vjdd.exec:\5vjdd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhtttt.exec:\hhtttt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5djjd.exec:\5djjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxrrll.exec:\xlxrrll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdpjj.exec:\pdpjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3fxfrrx.exec:\3fxfrrx.exe17⤵
- Executes dropped EXE
-
\??\c:\9tbntb.exec:\9tbntb.exe18⤵
- Executes dropped EXE
-
\??\c:\3xrlrxx.exec:\3xrlrxx.exe19⤵
- Executes dropped EXE
-
\??\c:\frflflx.exec:\frflflx.exe20⤵
- Executes dropped EXE
-
\??\c:\dvjpp.exec:\dvjpp.exe21⤵
- Executes dropped EXE
-
\??\c:\pjddj.exec:\pjddj.exe22⤵
- Executes dropped EXE
-
\??\c:\bthnnn.exec:\bthnnn.exe23⤵
- Executes dropped EXE
-
\??\c:\9pddp.exec:\9pddp.exe24⤵
- Executes dropped EXE
-
\??\c:\frffllr.exec:\frffllr.exe25⤵
- Executes dropped EXE
-
\??\c:\nhnbbb.exec:\nhnbbb.exe26⤵
- Executes dropped EXE
-
\??\c:\3rxfxxx.exec:\3rxfxxx.exe27⤵
- Executes dropped EXE
-
\??\c:\hbbbbt.exec:\hbbbbt.exe28⤵
- Executes dropped EXE
-
\??\c:\9vjjv.exec:\9vjjv.exe29⤵
- Executes dropped EXE
-
\??\c:\5vvpp.exec:\5vvpp.exe30⤵
- Executes dropped EXE
-
\??\c:\hhthbh.exec:\hhthbh.exe31⤵
- Executes dropped EXE
-
\??\c:\btnttt.exec:\btnttt.exe32⤵
- Executes dropped EXE
-
\??\c:\dvppv.exec:\dvppv.exe33⤵
- Executes dropped EXE
-
\??\c:\ffrxxfr.exec:\ffrxxfr.exe34⤵
- Executes dropped EXE
-
\??\c:\nhtnbt.exec:\nhtnbt.exe35⤵
- Executes dropped EXE
-
\??\c:\bthhnn.exec:\bthhnn.exe36⤵
- Executes dropped EXE
-
\??\c:\jvvdj.exec:\jvvdj.exe37⤵
- Executes dropped EXE
-
\??\c:\5fxfxrf.exec:\5fxfxrf.exe38⤵
- Executes dropped EXE
-
\??\c:\nbnntt.exec:\nbnntt.exe39⤵
- Executes dropped EXE
-
\??\c:\pdppp.exec:\pdppp.exe40⤵
- Executes dropped EXE
-
\??\c:\djpvd.exec:\djpvd.exe41⤵
- Executes dropped EXE
-
\??\c:\xrlrffx.exec:\xrlrffx.exe42⤵
- Executes dropped EXE
-
\??\c:\ntbtbt.exec:\ntbtbt.exe43⤵
- Executes dropped EXE
-
\??\c:\vpjjp.exec:\vpjjp.exe44⤵
- Executes dropped EXE
-
\??\c:\7jjpv.exec:\7jjpv.exe45⤵
- Executes dropped EXE
-
\??\c:\frxrlxf.exec:\frxrlxf.exe46⤵
- Executes dropped EXE
-
\??\c:\rxfxxrl.exec:\rxfxxrl.exe47⤵
- Executes dropped EXE
-
\??\c:\hbnhnh.exec:\hbnhnh.exe48⤵
- Executes dropped EXE
-
\??\c:\pdpvd.exec:\pdpvd.exe49⤵
- Executes dropped EXE
-
\??\c:\jvddd.exec:\jvddd.exe50⤵
- Executes dropped EXE
-
\??\c:\fxfrxrf.exec:\fxfrxrf.exe51⤵
- Executes dropped EXE
-
\??\c:\hnhnnn.exec:\hnhnnn.exe52⤵
- Executes dropped EXE
-
\??\c:\bthnbb.exec:\bthnbb.exe53⤵
- Executes dropped EXE
-
\??\c:\dvpjp.exec:\dvpjp.exe54⤵
- Executes dropped EXE
-
\??\c:\7lrrxxr.exec:\7lrrxxr.exe55⤵
- Executes dropped EXE
-
\??\c:\tthhbn.exec:\tthhbn.exe56⤵
- Executes dropped EXE
-
\??\c:\htbtbt.exec:\htbtbt.exe57⤵
- Executes dropped EXE
-
\??\c:\9djdd.exec:\9djdd.exe58⤵
- Executes dropped EXE
-
\??\c:\3djjp.exec:\3djjp.exe59⤵
- Executes dropped EXE
-
\??\c:\fxxffff.exec:\fxxffff.exe60⤵
- Executes dropped EXE
-
\??\c:\bnttbt.exec:\bnttbt.exe61⤵
- Executes dropped EXE
-
\??\c:\vjvvd.exec:\vjvvd.exe62⤵
- Executes dropped EXE
-
\??\c:\jpvpp.exec:\jpvpp.exe63⤵
- Executes dropped EXE
-
\??\c:\3frlffl.exec:\3frlffl.exe64⤵
- Executes dropped EXE
-
\??\c:\5rflrll.exec:\5rflrll.exe65⤵
- Executes dropped EXE
-
\??\c:\nhhhtn.exec:\nhhhtn.exe66⤵
-
\??\c:\pjvjp.exec:\pjvjp.exe67⤵
-
\??\c:\vjdjd.exec:\vjdjd.exe68⤵
-
\??\c:\frrrrrx.exec:\frrrrrx.exe69⤵
-
\??\c:\9nbhnh.exec:\9nbhnh.exe70⤵
-
\??\c:\7hthnh.exec:\7hthnh.exe71⤵
-
\??\c:\5pjjd.exec:\5pjjd.exe72⤵
-
\??\c:\jvjjj.exec:\jvjjj.exe73⤵
-
\??\c:\xflffrx.exec:\xflffrx.exe74⤵
-
\??\c:\tnhnnh.exec:\tnhnnh.exe75⤵
-
\??\c:\9tnntn.exec:\9tnntn.exe76⤵
-
\??\c:\jdvvv.exec:\jdvvv.exe77⤵
-
\??\c:\5xxxxxf.exec:\5xxxxxf.exe78⤵
-
\??\c:\9httnn.exec:\9httnn.exe79⤵
-
\??\c:\hnbtht.exec:\hnbtht.exe80⤵
-
\??\c:\9pjvv.exec:\9pjvv.exe81⤵
-
\??\c:\jjvvv.exec:\jjvvv.exe82⤵
-
\??\c:\lxxflfl.exec:\lxxflfl.exe83⤵
-
\??\c:\hntbtn.exec:\hntbtn.exe84⤵
-
\??\c:\vpddp.exec:\vpddp.exe85⤵
-
\??\c:\9pdvv.exec:\9pdvv.exe86⤵
-
\??\c:\rffxrrx.exec:\rffxrrx.exe87⤵
-
\??\c:\lxrxfff.exec:\lxrxfff.exe88⤵
-
\??\c:\tntbnn.exec:\tntbnn.exe89⤵
-
\??\c:\nhttnn.exec:\nhttnn.exe90⤵
-
\??\c:\vpvpj.exec:\vpvpj.exe91⤵
-
\??\c:\xrllfxl.exec:\xrllfxl.exe92⤵
-
\??\c:\rflxlll.exec:\rflxlll.exe93⤵
-
\??\c:\hbnnbb.exec:\hbnnbb.exe94⤵
-
\??\c:\dpddp.exec:\dpddp.exe95⤵
-
\??\c:\dvjvd.exec:\dvjvd.exe96⤵
-
\??\c:\5flflrx.exec:\5flflrx.exe97⤵
-
\??\c:\frlrxrr.exec:\frlrxrr.exe98⤵
-
\??\c:\1bnhhh.exec:\1bnhhh.exe99⤵
- System Location Discovery: System Language Discovery
-
\??\c:\pjpdj.exec:\pjpdj.exe100⤵
-
\??\c:\jvdvj.exec:\jvdvj.exe101⤵
-
\??\c:\fxxxxrx.exec:\fxxxxrx.exe102⤵
-
\??\c:\5nnnnh.exec:\5nnnnh.exe103⤵
-
\??\c:\tnbhnh.exec:\tnbhnh.exe104⤵
-
\??\c:\djppp.exec:\djppp.exe105⤵
- System Location Discovery: System Language Discovery
-
\??\c:\rrxrrlr.exec:\rrxrrlr.exe106⤵
-
\??\c:\1xflllx.exec:\1xflllx.exe107⤵
-
\??\c:\nhnbnh.exec:\nhnbnh.exe108⤵
-
\??\c:\vpvpd.exec:\vpvpd.exe109⤵
-
\??\c:\pdpjj.exec:\pdpjj.exe110⤵
-
\??\c:\xlxrlfx.exec:\xlxrlfx.exe111⤵
-
\??\c:\9xllxrf.exec:\9xllxrf.exe112⤵
-
\??\c:\httbbt.exec:\httbbt.exe113⤵
-
\??\c:\5jpvv.exec:\5jpvv.exe114⤵
-
\??\c:\pvddj.exec:\pvddj.exe115⤵
-
\??\c:\fxrrfxf.exec:\fxrrfxf.exe116⤵
-
\??\c:\hntttn.exec:\hntttn.exe117⤵
-
\??\c:\nhtttt.exec:\nhtttt.exe118⤵
-
\??\c:\pdjjp.exec:\pdjjp.exe119⤵
-
\??\c:\pdjdd.exec:\pdjdd.exe120⤵
-
\??\c:\lxffxrr.exec:\lxffxrr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-