Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
26-12-2024 09:37
General
-
Target
8323446802499be1ea4363f8612c6462ef6f4077fc2d61067b0b1ba7373d9f43.exe
-
Size
454KB
-
MD5
73fd9cebc58cef28121ef5a9fcf2cb57
-
SHA1
258cf8a41c4d3be549207e17df6d8d166a7581d7
-
SHA256
8323446802499be1ea4363f8612c6462ef6f4077fc2d61067b0b1ba7373d9f43
-
SHA512
75da5e21d3fd6381842e8da705c3113f06928c7593be72534c78582d0b610239f4da7bed573f86c00e35bf40d740a3b24bf8e614497a15ccb2591acdb5081e82
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbes:q7Tc2NYHUrAwfMp3CDs
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 40 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 45 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8323446802499be1ea4363f8612c6462ef6f4077fc2d61067b0b1ba7373d9f43.exe"C:\Users\Admin\AppData\Local\Temp\8323446802499be1ea4363f8612c6462ef6f4077fc2d61067b0b1ba7373d9f43.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\vtndnj.exec:\vtndnj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxnljlp.exec:\rxnljlp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xllbxhx.exec:\xllbxhx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rtplrn.exec:\rtplrn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvtldd.exec:\ddvtldd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dbvnfbh.exec:\dbvnfbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djllfrp.exec:\djllfrp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jtnnhv.exec:\jtnnhv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nvdhrpp.exec:\nvdhrpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnjhtvj.exec:\tnjhtvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vtnbt.exec:\vtnbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vxpbx.exec:\vxpbx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dfrdb.exec:\dfrdb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thfrjh.exec:\thfrjh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rvbvvbv.exec:\rvbvvbv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhjnp.exec:\hhjnp.exe17⤵
- Executes dropped EXE
-
\??\c:\hdldthr.exec:\hdldthr.exe18⤵
- Executes dropped EXE
-
\??\c:\lbjfnr.exec:\lbjfnr.exe19⤵
- Executes dropped EXE
-
\??\c:\pfbtpx.exec:\pfbtpx.exe20⤵
- Executes dropped EXE
-
\??\c:\jftttnp.exec:\jftttnp.exe21⤵
- Executes dropped EXE
-
\??\c:\phlrvn.exec:\phlrvn.exe22⤵
- Executes dropped EXE
-
\??\c:\njtjn.exec:\njtjn.exe23⤵
- Executes dropped EXE
-
\??\c:\bpbtn.exec:\bpbtn.exe24⤵
- Executes dropped EXE
-
\??\c:\jnpnpv.exec:\jnpnpv.exe25⤵
- Executes dropped EXE
-
\??\c:\phnbxp.exec:\phnbxp.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\hhvpp.exec:\hhvpp.exe27⤵
- Executes dropped EXE
-
\??\c:\nrtdvxf.exec:\nrtdvxf.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\lbphptd.exec:\lbphptd.exe29⤵
- Executes dropped EXE
-
\??\c:\ttjxhj.exec:\ttjxhj.exe30⤵
- Executes dropped EXE
-
\??\c:\frtnxr.exec:\frtnxr.exe31⤵
- Executes dropped EXE
-
\??\c:\rrdnbp.exec:\rrdnbp.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\xjlhp.exec:\xjlhp.exe33⤵
- Executes dropped EXE
-
\??\c:\plhvfdh.exec:\plhvfdh.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\ntfpll.exec:\ntfpll.exe35⤵
- Executes dropped EXE
-
\??\c:\jxflrvp.exec:\jxflrvp.exe36⤵
- Executes dropped EXE
-
\??\c:\pttllnf.exec:\pttllnf.exe37⤵
- Executes dropped EXE
-
\??\c:\jnxrp.exec:\jnxrp.exe38⤵
- Executes dropped EXE
-
\??\c:\xlbflv.exec:\xlbflv.exe39⤵
- Executes dropped EXE
-
\??\c:\vxtrnlj.exec:\vxtrnlj.exe40⤵
- Executes dropped EXE
-
\??\c:\frflb.exec:\frflb.exe41⤵
- Executes dropped EXE
-
\??\c:\ndvld.exec:\ndvld.exe42⤵
- Executes dropped EXE
-
\??\c:\rdftfn.exec:\rdftfn.exe43⤵
- Executes dropped EXE
-
\??\c:\dndphhn.exec:\dndphhn.exe44⤵
- Executes dropped EXE
-
\??\c:\njxtr.exec:\njxtr.exe45⤵
- Executes dropped EXE
-
\??\c:\nllbrbr.exec:\nllbrbr.exe46⤵
- Executes dropped EXE
-
\??\c:\pbvxtj.exec:\pbvxtj.exe47⤵
- Executes dropped EXE
-
\??\c:\hxddld.exec:\hxddld.exe48⤵
- Executes dropped EXE
-
\??\c:\brdxhf.exec:\brdxhf.exe49⤵
- Executes dropped EXE
-
\??\c:\xlhxh.exec:\xlhxh.exe50⤵
- Executes dropped EXE
-
\??\c:\tfjhj.exec:\tfjhj.exe51⤵
- Executes dropped EXE
-
\??\c:\lvvnx.exec:\lvvnx.exe52⤵
- Executes dropped EXE
-
\??\c:\bbhbvnl.exec:\bbhbvnl.exe53⤵
- Executes dropped EXE
-
\??\c:\rdjrhbt.exec:\rdjrhbt.exe54⤵
- Executes dropped EXE
-
\??\c:\lbtxbht.exec:\lbtxbht.exe55⤵
- Executes dropped EXE
-
\??\c:\tfbnnn.exec:\tfbnnn.exe56⤵
- Executes dropped EXE
-
\??\c:\hljtt.exec:\hljtt.exe57⤵
- Executes dropped EXE
-
\??\c:\tvrxlr.exec:\tvrxlr.exe58⤵
- Executes dropped EXE
-
\??\c:\rvtbl.exec:\rvtbl.exe59⤵
- Executes dropped EXE
-
\??\c:\bbpttl.exec:\bbpttl.exe60⤵
- Executes dropped EXE
-
\??\c:\xhfdhtv.exec:\xhfdhtv.exe61⤵
- Executes dropped EXE
-
\??\c:\lbplddp.exec:\lbplddp.exe62⤵
- Executes dropped EXE
-
\??\c:\dptptxj.exec:\dptptxj.exe63⤵
- Executes dropped EXE
-
\??\c:\hnrnr.exec:\hnrnr.exe64⤵
- Executes dropped EXE
-
\??\c:\tbxdbhd.exec:\tbxdbhd.exe65⤵
- Executes dropped EXE
-
\??\c:\tbnxp.exec:\tbnxp.exe66⤵
-
\??\c:\pbhhdp.exec:\pbhhdp.exe67⤵
-
\??\c:\ddxhrl.exec:\ddxhrl.exe68⤵
-
\??\c:\txdhh.exec:\txdhh.exe69⤵
-
\??\c:\ddlfhb.exec:\ddlfhb.exe70⤵
-
\??\c:\vvhjhp.exec:\vvhjhp.exe71⤵
-
\??\c:\frpvltl.exec:\frpvltl.exe72⤵
-
\??\c:\fltdf.exec:\fltdf.exe73⤵
-
\??\c:\vlnnln.exec:\vlnnln.exe74⤵
-
\??\c:\txblr.exec:\txblr.exe75⤵
-
\??\c:\tjjbv.exec:\tjjbv.exe76⤵
-
\??\c:\djblvh.exec:\djblvh.exe77⤵
-
\??\c:\njpxlft.exec:\njpxlft.exe78⤵
-
\??\c:\ftnrnvf.exec:\ftnrnvf.exe79⤵
-
\??\c:\bbbxnx.exec:\bbbxnx.exe80⤵
-
\??\c:\ppxxhph.exec:\ppxxhph.exe81⤵
-
\??\c:\tddtt.exec:\tddtt.exe82⤵
-
\??\c:\rxdllhd.exec:\rxdllhd.exe83⤵
-
\??\c:\ltvtrbj.exec:\ltvtrbj.exe84⤵
-
\??\c:\rrtxvp.exec:\rrtxvp.exe85⤵
- System Location Discovery: System Language Discovery
-
\??\c:\ptxxnt.exec:\ptxxnt.exe86⤵
-
\??\c:\lnfphb.exec:\lnfphb.exe87⤵
-
\??\c:\pttlrdt.exec:\pttlrdt.exe88⤵
-
\??\c:\jdjrnhx.exec:\jdjrnhx.exe89⤵
-
\??\c:\ljdfft.exec:\ljdfft.exe90⤵
-
\??\c:\hbndfh.exec:\hbndfh.exe91⤵
-
\??\c:\rprhtx.exec:\rprhtx.exe92⤵
-
\??\c:\jpxnjv.exec:\jpxnjv.exe93⤵
-
\??\c:\xdltr.exec:\xdltr.exe94⤵
-
\??\c:\xptxth.exec:\xptxth.exe95⤵
-
\??\c:\fddpt.exec:\fddpt.exe96⤵
-
\??\c:\jhxpl.exec:\jhxpl.exe97⤵
-
\??\c:\pxxjf.exec:\pxxjf.exe98⤵
-
\??\c:\vxrpn.exec:\vxrpn.exe99⤵
-
\??\c:\xvltrf.exec:\xvltrf.exe100⤵
-
\??\c:\jrxhnx.exec:\jrxhnx.exe101⤵
-
\??\c:\pdvrxxn.exec:\pdvrxxn.exe102⤵
-
\??\c:\jnphrj.exec:\jnphrj.exe103⤵
-
\??\c:\xpdxv.exec:\xpdxv.exe104⤵
-
\??\c:\bjnjj.exec:\bjnjj.exe105⤵
-
\??\c:\thlvfrx.exec:\thlvfrx.exe106⤵
-
\??\c:\rdptbh.exec:\rdptbh.exe107⤵
-
\??\c:\hnhjdl.exec:\hnhjdl.exe108⤵
- System Location Discovery: System Language Discovery
-
\??\c:\blbhj.exec:\blbhj.exe109⤵
- System Location Discovery: System Language Discovery
-
\??\c:\rhjjp.exec:\rhjjp.exe110⤵
-
\??\c:\rphffl.exec:\rphffl.exe111⤵
-
\??\c:\pdlbp.exec:\pdlbp.exe112⤵
-
\??\c:\pttfhd.exec:\pttfhd.exe113⤵
-
\??\c:\ndlxl.exec:\ndlxl.exe114⤵
-
\??\c:\rtppr.exec:\rtppr.exe115⤵
-
\??\c:\btpjxrx.exec:\btpjxrx.exe116⤵
-
\??\c:\hvbxnlx.exec:\hvbxnlx.exe117⤵
-
\??\c:\nfdfp.exec:\nfdfp.exe118⤵
-
\??\c:\hjjph.exec:\hjjph.exe119⤵
-
\??\c:\fjnhrp.exec:\fjnhrp.exe120⤵
-
\??\c:\tbndf.exec:\tbndf.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-