Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
26-12-2024 10:49
General
-
Target
05615e9ba5e736d79049f089a1adbd9abc433c80bd6aafad9d8c53a902ad84aaN.exe
-
Size
453KB
-
MD5
2cac169befdb02e6b0f8c9a518976570
-
SHA1
cc7a4be941eb3127a8b8ee5ac678b210288b2cd3
-
SHA256
05615e9ba5e736d79049f089a1adbd9abc433c80bd6aafad9d8c53a902ad84aa
-
SHA512
ea73b308d2abbcd8c6a3c53f984823336fb1b7c3628189e6cf7c0716c8e0ff25588b6b42240d9c67194f170c8edde4028986a35d5bb9b01d4c1b536839f00a78
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeU:q7Tc2NYHUrAwfMp3CDU
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 43 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 37 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\05615e9ba5e736d79049f089a1adbd9abc433c80bd6aafad9d8c53a902ad84aaN.exe"C:\Users\Admin\AppData\Local\Temp\05615e9ba5e736d79049f089a1adbd9abc433c80bd6aafad9d8c53a902ad84aaN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\3hbhnt.exec:\3hbhnt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnnbb.exec:\btnnbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthnbb.exec:\bthnbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpjpv.exec:\jpjpv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbntt.exec:\hhbntt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7ntntt.exec:\7ntntt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7fflxlf.exec:\7fflxlf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvpvd.exec:\jvpvd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrxrrf.exec:\fxrxrrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvjdv.exec:\pvjdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrlxrxf.exec:\lrlxrxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htnbnn.exec:\htnbnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrllxxl.exec:\rrllxxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnbbh.exec:\tnnbbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frfrffl.exec:\frfrffl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnnhtn.exec:\bnnhtn.exe17⤵
- Executes dropped EXE
-
\??\c:\vjpvv.exec:\vjpvv.exe18⤵
- Executes dropped EXE
-
\??\c:\rflrxfl.exec:\rflrxfl.exe19⤵
- Executes dropped EXE
-
\??\c:\jvvvj.exec:\jvvvj.exe20⤵
- Executes dropped EXE
-
\??\c:\1frrxfx.exec:\1frrxfx.exe21⤵
- Executes dropped EXE
-
\??\c:\bnhbhh.exec:\bnhbhh.exe22⤵
- Executes dropped EXE
-
\??\c:\jvvvv.exec:\jvvvv.exe23⤵
- Executes dropped EXE
-
\??\c:\bnhhtt.exec:\bnhhtt.exe24⤵
- Executes dropped EXE
-
\??\c:\xrxrxrf.exec:\xrxrxrf.exe25⤵
- Executes dropped EXE
-
\??\c:\hnhnnh.exec:\hnhnnh.exe26⤵
- Executes dropped EXE
-
\??\c:\pvvjd.exec:\pvvjd.exe27⤵
- Executes dropped EXE
-
\??\c:\hhtbhh.exec:\hhtbhh.exe28⤵
- Executes dropped EXE
-
\??\c:\vvdjp.exec:\vvdjp.exe29⤵
- Executes dropped EXE
-
\??\c:\ntnhbn.exec:\ntnhbn.exe30⤵
- Executes dropped EXE
-
\??\c:\jvdpv.exec:\jvdpv.exe31⤵
- Executes dropped EXE
-
\??\c:\1xlfllx.exec:\1xlfllx.exe32⤵
- Executes dropped EXE
-
\??\c:\thtbbh.exec:\thtbbh.exe33⤵
- Executes dropped EXE
-
\??\c:\3xlrlxf.exec:\3xlrlxf.exe34⤵
- Executes dropped EXE
-
\??\c:\rrlrrrf.exec:\rrlrrrf.exe35⤵
- Executes dropped EXE
-
\??\c:\ppjjv.exec:\ppjjv.exe36⤵
- Executes dropped EXE
-
\??\c:\llxxlrf.exec:\llxxlrf.exe37⤵
- Executes dropped EXE
-
\??\c:\nthttb.exec:\nthttb.exe38⤵
- Executes dropped EXE
-
\??\c:\9hbttt.exec:\9hbttt.exe39⤵
- Executes dropped EXE
-
\??\c:\dvjpd.exec:\dvjpd.exe40⤵
- Executes dropped EXE
-
\??\c:\frrfllr.exec:\frrfllr.exe41⤵
- Executes dropped EXE
-
\??\c:\9nhnnn.exec:\9nhnnn.exe42⤵
- Executes dropped EXE
-
\??\c:\ppdjv.exec:\ppdjv.exe43⤵
- Executes dropped EXE
-
\??\c:\5frrxxl.exec:\5frrxxl.exe44⤵
- Executes dropped EXE
-
\??\c:\9bhhtt.exec:\9bhhtt.exe45⤵
- Executes dropped EXE
-
\??\c:\7vvjp.exec:\7vvjp.exe46⤵
- Executes dropped EXE
-
\??\c:\ffxflrx.exec:\ffxflrx.exe47⤵
- Executes dropped EXE
-
\??\c:\frlrxxx.exec:\frlrxxx.exe48⤵
- Executes dropped EXE
-
\??\c:\7hbbbb.exec:\7hbbbb.exe49⤵
- Executes dropped EXE
-
\??\c:\pvdjp.exec:\pvdjp.exe50⤵
- Executes dropped EXE
-
\??\c:\lxxflrf.exec:\lxxflrf.exe51⤵
- Executes dropped EXE
-
\??\c:\nhnhnn.exec:\nhnhnn.exe52⤵
- Executes dropped EXE
-
\??\c:\vpddd.exec:\vpddd.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\jvjdp.exec:\jvjdp.exe54⤵
- Executes dropped EXE
-
\??\c:\xrrrxfr.exec:\xrrrxfr.exe55⤵
- Executes dropped EXE
-
\??\c:\ntttbt.exec:\ntttbt.exe56⤵
- Executes dropped EXE
-
\??\c:\7dpdv.exec:\7dpdv.exe57⤵
- Executes dropped EXE
-
\??\c:\pddvj.exec:\pddvj.exe58⤵
- Executes dropped EXE
-
\??\c:\xrfllff.exec:\xrfllff.exe59⤵
- Executes dropped EXE
-
\??\c:\ttnhtt.exec:\ttnhtt.exe60⤵
- Executes dropped EXE
-
\??\c:\nbtntb.exec:\nbtntb.exe61⤵
- Executes dropped EXE
-
\??\c:\frlflff.exec:\frlflff.exe62⤵
- Executes dropped EXE
-
\??\c:\flxfxll.exec:\flxfxll.exe63⤵
- Executes dropped EXE
-
\??\c:\nhbhbh.exec:\nhbhbh.exe64⤵
- Executes dropped EXE
-
\??\c:\jjvdd.exec:\jjvdd.exe65⤵
- Executes dropped EXE
-
\??\c:\3rlfflr.exec:\3rlfflr.exe66⤵
-
\??\c:\5lfxrrx.exec:\5lfxrrx.exe67⤵
-
\??\c:\btbntb.exec:\btbntb.exe68⤵
-
\??\c:\vjvdd.exec:\vjvdd.exe69⤵
-
\??\c:\3lfrlrf.exec:\3lfrlrf.exe70⤵
-
\??\c:\thtntn.exec:\thtntn.exe71⤵
-
\??\c:\pjppv.exec:\pjppv.exe72⤵
-
\??\c:\vppvv.exec:\vppvv.exe73⤵
-
\??\c:\rlflffr.exec:\rlflffr.exe74⤵
-
\??\c:\bbbnnh.exec:\bbbnnh.exe75⤵
-
\??\c:\5vjdp.exec:\5vjdp.exe76⤵
-
\??\c:\vpjjp.exec:\vpjjp.exe77⤵
-
\??\c:\xlrlxff.exec:\xlrlxff.exe78⤵
-
\??\c:\hhtbnn.exec:\hhtbnn.exe79⤵
-
\??\c:\1pddd.exec:\1pddd.exe80⤵
-
\??\c:\lfllllr.exec:\lfllllr.exe81⤵
-
\??\c:\5tbbbh.exec:\5tbbbh.exe82⤵
-
\??\c:\pjpdp.exec:\pjpdp.exe83⤵
-
\??\c:\jddjv.exec:\jddjv.exe84⤵
-
\??\c:\rxlffxx.exec:\rxlffxx.exe85⤵
-
\??\c:\bthntt.exec:\bthntt.exe86⤵
-
\??\c:\vvppv.exec:\vvppv.exe87⤵
-
\??\c:\rfllxxf.exec:\rfllxxf.exe88⤵
-
\??\c:\lflrrlr.exec:\lflrrlr.exe89⤵
-
\??\c:\htnnnt.exec:\htnnnt.exe90⤵
-
\??\c:\vpppj.exec:\vpppj.exe91⤵
-
\??\c:\7jdvv.exec:\7jdvv.exe92⤵
-
\??\c:\fxxfrrl.exec:\fxxfrrl.exe93⤵
-
\??\c:\tnbhtn.exec:\tnbhtn.exe94⤵
-
\??\c:\tnbbnn.exec:\tnbbnn.exe95⤵
-
\??\c:\vvpvj.exec:\vvpvj.exe96⤵
-
\??\c:\ppddj.exec:\ppddj.exe97⤵
-
\??\c:\frfffrr.exec:\frfffrr.exe98⤵
-
\??\c:\tnbbbh.exec:\tnbbbh.exe99⤵
-
\??\c:\vpjjv.exec:\vpjjv.exe100⤵
-
\??\c:\vpjjd.exec:\vpjjd.exe101⤵
-
\??\c:\xxlrllx.exec:\xxlrllx.exe102⤵
-
\??\c:\nnbhtb.exec:\nnbhtb.exe103⤵
-
\??\c:\nnnbnt.exec:\nnnbnt.exe104⤵
-
\??\c:\dvdjv.exec:\dvdjv.exe105⤵
-
\??\c:\xxllxfx.exec:\xxllxfx.exe106⤵
-
\??\c:\ntbbhb.exec:\ntbbhb.exe107⤵
-
\??\c:\7bnntt.exec:\7bnntt.exe108⤵
-
\??\c:\pdddp.exec:\pdddp.exe109⤵
-
\??\c:\ffrrfxl.exec:\ffrrfxl.exe110⤵
-
\??\c:\3lflrlx.exec:\3lflrlx.exe111⤵
-
\??\c:\tnhhbh.exec:\tnhhbh.exe112⤵
-
\??\c:\pjppp.exec:\pjppp.exe113⤵
-
\??\c:\xrflrxl.exec:\xrflrxl.exe114⤵
-
\??\c:\lrflxxl.exec:\lrflxxl.exe115⤵
-
\??\c:\hbtbtt.exec:\hbtbtt.exe116⤵
-
\??\c:\xlxflrr.exec:\xlxflrr.exe117⤵
-
\??\c:\3tbnhn.exec:\3tbnhn.exe118⤵
-
\??\c:\pdvdp.exec:\pdvdp.exe119⤵
-
\??\c:\rxrxrxl.exec:\rxrxrxl.exe120⤵
-
\??\c:\1thbht.exec:\1thbht.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-