Analysis
-
max time kernel
150s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
26-12-2024 12:18
General
-
Target
850fe874201a706d6196307256f768e37c4026fe43cb4875a95824c9debab0cb.exe
-
Size
298KB
-
MD5
c48150ae1df943cec9e198000905216a
-
SHA1
5291d5b56a928717af19a756cdacde64cd9c0fdd
-
SHA256
850fe874201a706d6196307256f768e37c4026fe43cb4875a95824c9debab0cb
-
SHA512
565c590c3a124b9016ee1fb2d0f3686146c0d1511f90c8825f1f3d83d5291b42b11a4f40e1d70444f5bd179688cf6b31b96557a5a4146ac48ff73cd5db1be379
-
SSDEEP
6144:n3C9BRo/AIuuOthLmH403Pyr6UWO6jUl7sPgvU:n3C9uDVOXLmHBKWyn+PgvU
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\850fe874201a706d6196307256f768e37c4026fe43cb4875a95824c9debab0cb.exe"C:\Users\Admin\AppData\Local\Temp\850fe874201a706d6196307256f768e37c4026fe43cb4875a95824c9debab0cb.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\hpldpfh.exec:\hpldpfh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jrtdvj.exec:\jrtdvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fthrjvd.exec:\fthrjvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\trrxtbl.exec:\trrxtbl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lnlxjdf.exec:\lnlxjdf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbtrt.exec:\bbtrt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nllfft.exec:\nllfft.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhhbtlf.exec:\hhhbtlf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lftltn.exec:\lftltn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\phbtxlh.exec:\phbtxlh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xtbrnvt.exec:\xtbrnvt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hxhhtx.exec:\hxhhtx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bjjdjff.exec:\bjjdjff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hfxhb.exec:\hfxhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vrnfxvd.exec:\vrnfxvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fjddlb.exec:\fjddlb.exe17⤵
- Executes dropped EXE
-
\??\c:\jtrxjv.exec:\jtrxjv.exe18⤵
- Executes dropped EXE
-
\??\c:\phdfl.exec:\phdfl.exe19⤵
- Executes dropped EXE
-
\??\c:\thrlhxj.exec:\thrlhxj.exe20⤵
- Executes dropped EXE
-
\??\c:\thfxb.exec:\thfxb.exe21⤵
- Executes dropped EXE
-
\??\c:\xtnlv.exec:\xtnlv.exe22⤵
- Executes dropped EXE
-
\??\c:\dpnfpd.exec:\dpnfpd.exe23⤵
- Executes dropped EXE
-
\??\c:\nfvnh.exec:\nfvnh.exe24⤵
- Executes dropped EXE
-
\??\c:\nnfblbf.exec:\nnfblbf.exe25⤵
- Executes dropped EXE
-
\??\c:\dfjfr.exec:\dfjfr.exe26⤵
- Executes dropped EXE
-
\??\c:\nfphvd.exec:\nfphvd.exe27⤵
- Executes dropped EXE
-
\??\c:\frvjt.exec:\frvjt.exe28⤵
- Executes dropped EXE
-
\??\c:\vnvtrh.exec:\vnvtrh.exe29⤵
- Executes dropped EXE
-
\??\c:\xbnfvx.exec:\xbnfvx.exe30⤵
- Executes dropped EXE
-
\??\c:\xnpjbl.exec:\xnpjbl.exe31⤵
- Executes dropped EXE
-
\??\c:\brrjv.exec:\brrjv.exe32⤵
- Executes dropped EXE
-
\??\c:\rxpjh.exec:\rxpjh.exe33⤵
- Executes dropped EXE
-
\??\c:\rptrdnb.exec:\rptrdnb.exe34⤵
- Executes dropped EXE
-
\??\c:\tpbvxlp.exec:\tpbvxlp.exe35⤵
- Executes dropped EXE
-
\??\c:\bpdpvfl.exec:\bpdpvfl.exe36⤵
- Executes dropped EXE
-
\??\c:\xrpjdb.exec:\xrpjdb.exe37⤵
- Executes dropped EXE
-
\??\c:\dprltdb.exec:\dprltdb.exe38⤵
- Executes dropped EXE
-
\??\c:\rxlnbt.exec:\rxlnbt.exe39⤵
- Executes dropped EXE
-
\??\c:\lpfnh.exec:\lpfnh.exe40⤵
- Executes dropped EXE
-
\??\c:\nnbhh.exec:\nnbhh.exe41⤵
- Executes dropped EXE
-
\??\c:\nphlph.exec:\nphlph.exe42⤵
- Executes dropped EXE
-
\??\c:\vnvrn.exec:\vnvrn.exe43⤵
- Executes dropped EXE
-
\??\c:\jrhjjxh.exec:\jrhjjxh.exe44⤵
- Executes dropped EXE
-
\??\c:\nfhbhh.exec:\nfhbhh.exe45⤵
- Executes dropped EXE
-
\??\c:\jxftpjr.exec:\jxftpjr.exe46⤵
- Executes dropped EXE
-
\??\c:\lrndhl.exec:\lrndhl.exe47⤵
- Executes dropped EXE
-
\??\c:\prfxl.exec:\prfxl.exe48⤵
- Executes dropped EXE
-
\??\c:\tlbvjrr.exec:\tlbvjrr.exe49⤵
- Executes dropped EXE
-
\??\c:\vvfhvr.exec:\vvfhvr.exe50⤵
- Executes dropped EXE
-
\??\c:\rxtvxj.exec:\rxtvxj.exe51⤵
- Executes dropped EXE
-
\??\c:\ldrbdh.exec:\ldrbdh.exe52⤵
- Executes dropped EXE
-
\??\c:\vxpvbfl.exec:\vxpvbfl.exe53⤵
- Executes dropped EXE
-
\??\c:\fhxlrl.exec:\fhxlrl.exe54⤵
- Executes dropped EXE
-
\??\c:\ndrff.exec:\ndrff.exe55⤵
- Executes dropped EXE
-
\??\c:\nlpxxlr.exec:\nlpxxlr.exe56⤵
- Executes dropped EXE
-
\??\c:\vlprp.exec:\vlprp.exe57⤵
- Executes dropped EXE
-
\??\c:\frvrtb.exec:\frvrtb.exe58⤵
- Executes dropped EXE
-
\??\c:\pdnlhfp.exec:\pdnlhfp.exe59⤵
- Executes dropped EXE
-
\??\c:\vnfvtx.exec:\vnfvtx.exe60⤵
- Executes dropped EXE
-
\??\c:\tlvxnlj.exec:\tlvxnlj.exe61⤵
- Executes dropped EXE
-
\??\c:\dbhpvlv.exec:\dbhpvlv.exe62⤵
- Executes dropped EXE
-
\??\c:\bpvjj.exec:\bpvjj.exe63⤵
- Executes dropped EXE
-
\??\c:\vrxtxj.exec:\vrxtxj.exe64⤵
- Executes dropped EXE
-
\??\c:\xjvbhxh.exec:\xjvbhxh.exe65⤵
- Executes dropped EXE
-
\??\c:\hddvb.exec:\hddvb.exe66⤵
-
\??\c:\rxddxhd.exec:\rxddxhd.exe67⤵
-
\??\c:\nllbhld.exec:\nllbhld.exe68⤵
-
\??\c:\hxrvnhr.exec:\hxrvnhr.exe69⤵
-
\??\c:\dvhnld.exec:\dvhnld.exe70⤵
-
\??\c:\lfjhxx.exec:\lfjhxx.exe71⤵
-
\??\c:\vtrfx.exec:\vtrfx.exe72⤵
-
\??\c:\trxjbtv.exec:\trxjbtv.exe73⤵
-
\??\c:\hptvvtj.exec:\hptvvtj.exe74⤵
-
\??\c:\tdnbxtj.exec:\tdnbxtj.exe75⤵
-
\??\c:\ppjfvd.exec:\ppjfvd.exe76⤵
-
\??\c:\tvxbt.exec:\tvxbt.exe77⤵
-
\??\c:\ttpnpv.exec:\ttpnpv.exe78⤵
-
\??\c:\bpdxfx.exec:\bpdxfx.exe79⤵
-
\??\c:\bfdjnjt.exec:\bfdjnjt.exe80⤵
-
\??\c:\ptplbdh.exec:\ptplbdh.exe81⤵
-
\??\c:\rhfvl.exec:\rhfvl.exe82⤵
-
\??\c:\ndjdl.exec:\ndjdl.exe83⤵
-
\??\c:\dvftp.exec:\dvftp.exe84⤵
-
\??\c:\nhlrlt.exec:\nhlrlt.exe85⤵
-
\??\c:\lxdfdpp.exec:\lxdfdpp.exe86⤵
-
\??\c:\nrrttdv.exec:\nrrttdv.exe87⤵
-
\??\c:\nbnnbfn.exec:\nbnnbfn.exe88⤵
- System Location Discovery: System Language Discovery
-
\??\c:\ntpjtdh.exec:\ntpjtdh.exe89⤵
-
\??\c:\nvvrnb.exec:\nvvrnb.exe90⤵
-
\??\c:\tvljh.exec:\tvljh.exe91⤵
-
\??\c:\plllvhb.exec:\plllvhb.exe92⤵
-
\??\c:\xnhfph.exec:\xnhfph.exe93⤵
-
\??\c:\vvjfb.exec:\vvjfb.exe94⤵
-
\??\c:\lvrnf.exec:\lvrnf.exe95⤵
- System Location Discovery: System Language Discovery
-
\??\c:\vhrfrfp.exec:\vhrfrfp.exe96⤵
-
\??\c:\pdvtx.exec:\pdvtx.exe97⤵
-
\??\c:\hjjbdpb.exec:\hjjbdpb.exe98⤵
-
\??\c:\lptdv.exec:\lptdv.exe99⤵
-
\??\c:\xlvvdj.exec:\xlvvdj.exe100⤵
-
\??\c:\vdptrbb.exec:\vdptrbb.exe101⤵
-
\??\c:\rbnvrn.exec:\rbnvrn.exe102⤵
-
\??\c:\lhbjpn.exec:\lhbjpn.exe103⤵
- System Location Discovery: System Language Discovery
-
\??\c:\jvlnlh.exec:\jvlnlh.exe104⤵
-
\??\c:\bddnprl.exec:\bddnprl.exe105⤵
-
\??\c:\nptdhln.exec:\nptdhln.exe106⤵
-
\??\c:\pxdbvnb.exec:\pxdbvnb.exe107⤵
-
\??\c:\brpnl.exec:\brpnl.exe108⤵
-
\??\c:\bpdlt.exec:\bpdlt.exe109⤵
-
\??\c:\rnbxpb.exec:\rnbxpb.exe110⤵
-
\??\c:\hfjdt.exec:\hfjdt.exe111⤵
-
\??\c:\flptdl.exec:\flptdl.exe112⤵
-
\??\c:\ndxvd.exec:\ndxvd.exe113⤵
-
\??\c:\bhlrht.exec:\bhlrht.exe114⤵
-
\??\c:\hxnbd.exec:\hxnbd.exe115⤵
-
\??\c:\vbjrhf.exec:\vbjrhf.exe116⤵
-
\??\c:\dxbtjh.exec:\dxbtjh.exe117⤵
-
\??\c:\tblfjj.exec:\tblfjj.exe118⤵
-
\??\c:\fjhvv.exec:\fjhvv.exe119⤵
-
\??\c:\dtfbvd.exec:\dtfbvd.exe120⤵
-
\??\c:\xtrrtl.exec:\xtrrtl.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-