Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
27/12/2024, 23:12
General
-
Target
771e1385d3e9502ccc994521dedf78ed420673ca4a17bdf2941e0e8ffa61900b.exe
-
Size
453KB
-
MD5
609243d0265cb44a1f60cd626c2e9a2a
-
SHA1
83540096107387538742e106c70cedfd56628020
-
SHA256
771e1385d3e9502ccc994521dedf78ed420673ca4a17bdf2941e0e8ffa61900b
-
SHA512
aad8916dff5c098dc8dbaf6fcf3941289356e98bee407e77656091b3ec9c0230d78def59e049acd912d6564529bf6f812c4f196425345a3e7ff94d7b64d20671
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeGM3:q7Tc2NYHUrAwfMp3CDGM3
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 38 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 46 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\771e1385d3e9502ccc994521dedf78ed420673ca4a17bdf2941e0e8ffa61900b.exe"C:\Users\Admin\AppData\Local\Temp\771e1385d3e9502ccc994521dedf78ed420673ca4a17bdf2941e0e8ffa61900b.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\lvvxbdh.exec:\lvvxbdh.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\djldf.exec:\djldf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ldxtpl.exec:\ldxtpl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\njrtdd.exec:\njrtdd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bjvhxnn.exec:\bjvhxnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rvlvh.exec:\rvlvh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jhrfpr.exec:\jhrfpr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rtjph.exec:\rtjph.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppldt.exec:\ppldt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pxhbpjx.exec:\pxhbpjx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhdhbjx.exec:\bhdhbjx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvbtnbb.exec:\vvbtnbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxvxh.exec:\lxvxh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\njbjpl.exec:\njbjpl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hxvhd.exec:\hxvhd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htlpfph.exec:\htlpfph.exe17⤵
- Executes dropped EXE
-
\??\c:\bbvlxbx.exec:\bbvlxbx.exe18⤵
- Executes dropped EXE
-
\??\c:\rrpbt.exec:\rrpbt.exe19⤵
- Executes dropped EXE
-
\??\c:\htbxn.exec:\htbxn.exe20⤵
- Executes dropped EXE
-
\??\c:\bhlrnrt.exec:\bhlrnrt.exe21⤵
- Executes dropped EXE
-
\??\c:\fjftl.exec:\fjftl.exe22⤵
- Executes dropped EXE
-
\??\c:\hnvvpf.exec:\hnvvpf.exe23⤵
- Executes dropped EXE
-
\??\c:\dpbpd.exec:\dpbpd.exe24⤵
- Executes dropped EXE
-
\??\c:\htxrp.exec:\htxrp.exe25⤵
- Executes dropped EXE
-
\??\c:\fbvjv.exec:\fbvjv.exe26⤵
- Executes dropped EXE
-
\??\c:\hflrvv.exec:\hflrvv.exe27⤵
- Executes dropped EXE
-
\??\c:\bhffp.exec:\bhffp.exe28⤵
- Executes dropped EXE
-
\??\c:\lplpbj.exec:\lplpbj.exe29⤵
- Executes dropped EXE
-
\??\c:\jvdtjbd.exec:\jvdtjbd.exe30⤵
- Executes dropped EXE
-
\??\c:\vtvvdhv.exec:\vtvvdhv.exe31⤵
- Executes dropped EXE
-
\??\c:\jrrttx.exec:\jrrttx.exe32⤵
- Executes dropped EXE
-
\??\c:\ptjvnj.exec:\ptjvnj.exe33⤵
- Executes dropped EXE
-
\??\c:\xddltdr.exec:\xddltdr.exe34⤵
- Executes dropped EXE
-
\??\c:\trpbtf.exec:\trpbtf.exe35⤵
- Executes dropped EXE
-
\??\c:\hpvfl.exec:\hpvfl.exe36⤵
- Executes dropped EXE
-
\??\c:\pvtdjd.exec:\pvtdjd.exe37⤵
- Executes dropped EXE
-
\??\c:\rjjxhbn.exec:\rjjxhbn.exe38⤵
- Executes dropped EXE
-
\??\c:\xtldtp.exec:\xtldtp.exe39⤵
- Executes dropped EXE
-
\??\c:\rbjrhv.exec:\rbjrhv.exe40⤵
- Executes dropped EXE
-
\??\c:\vpbjntx.exec:\vpbjntx.exe41⤵
- Executes dropped EXE
-
\??\c:\flhprlp.exec:\flhprlp.exe42⤵
- Executes dropped EXE
-
\??\c:\brlhp.exec:\brlhp.exe43⤵
- Executes dropped EXE
-
\??\c:\ttnnvr.exec:\ttnnvr.exe44⤵
- Executes dropped EXE
-
\??\c:\tdbjn.exec:\tdbjn.exe45⤵
- Executes dropped EXE
-
\??\c:\rnrldx.exec:\rnrldx.exe46⤵
- Executes dropped EXE
-
\??\c:\nlfltp.exec:\nlfltp.exe47⤵
- Executes dropped EXE
-
\??\c:\lbbbvhf.exec:\lbbbvhf.exe48⤵
- Executes dropped EXE
-
\??\c:\drtnhr.exec:\drtnhr.exe49⤵
- Executes dropped EXE
-
\??\c:\hllbxhn.exec:\hllbxhn.exe50⤵
- Executes dropped EXE
-
\??\c:\tpxrbrx.exec:\tpxrbrx.exe51⤵
- Executes dropped EXE
-
\??\c:\hxrhjxj.exec:\hxrhjxj.exe52⤵
- Executes dropped EXE
-
\??\c:\htbjvx.exec:\htbjvx.exe53⤵
- Executes dropped EXE
-
\??\c:\vvtnxh.exec:\vvtnxh.exe54⤵
- Executes dropped EXE
-
\??\c:\tnnpjn.exec:\tnnpjn.exe55⤵
- Executes dropped EXE
-
\??\c:\bvrph.exec:\bvrph.exe56⤵
- Executes dropped EXE
-
\??\c:\hbrpln.exec:\hbrpln.exe57⤵
- Executes dropped EXE
-
\??\c:\rvnrb.exec:\rvnrb.exe58⤵
- Executes dropped EXE
-
\??\c:\vhlttn.exec:\vhlttn.exe59⤵
- Executes dropped EXE
-
\??\c:\xxxdth.exec:\xxxdth.exe60⤵
- Executes dropped EXE
-
\??\c:\fpdjfp.exec:\fpdjfp.exe61⤵
- Executes dropped EXE
-
\??\c:\jvxvj.exec:\jvxvj.exe62⤵
- Executes dropped EXE
-
\??\c:\dnplntb.exec:\dnplntb.exe63⤵
- Executes dropped EXE
-
\??\c:\nfbbvth.exec:\nfbbvth.exe64⤵
- Executes dropped EXE
-
\??\c:\tvfvhx.exec:\tvfvhx.exe65⤵
- Executes dropped EXE
-
\??\c:\dtxvjx.exec:\dtxvjx.exe66⤵
-
\??\c:\jjrbjb.exec:\jjrbjb.exe67⤵
-
\??\c:\fnpfbv.exec:\fnpfbv.exe68⤵
-
\??\c:\nnvlb.exec:\nnvlb.exe69⤵
-
\??\c:\xlnnp.exec:\xlnnp.exe70⤵
-
\??\c:\ptrxr.exec:\ptrxr.exe71⤵
-
\??\c:\dfrrhn.exec:\dfrrhn.exe72⤵
-
\??\c:\rpbvdv.exec:\rpbvdv.exe73⤵
-
\??\c:\plxxhb.exec:\plxxhb.exe74⤵
-
\??\c:\hbbrb.exec:\hbbrb.exe75⤵
-
\??\c:\xrfjvrp.exec:\xrfjvrp.exe76⤵
-
\??\c:\bdtlffb.exec:\bdtlffb.exe77⤵
-
\??\c:\bpvfjp.exec:\bpvfjp.exe78⤵
-
\??\c:\jbhvd.exec:\jbhvd.exe79⤵
-
\??\c:\pnvdjfv.exec:\pnvdjfv.exe80⤵
-
\??\c:\ttbrvd.exec:\ttbrvd.exe81⤵
-
\??\c:\txvjj.exec:\txvjj.exe82⤵
-
\??\c:\ftjjvv.exec:\ftjjvv.exe83⤵
-
\??\c:\nbjddx.exec:\nbjddx.exe84⤵
-
\??\c:\rdxjndv.exec:\rdxjndv.exe85⤵
-
\??\c:\jtjjxxj.exec:\jtjjxxj.exe86⤵
-
\??\c:\vhdrd.exec:\vhdrd.exe87⤵
-
\??\c:\vbhpdv.exec:\vbhpdv.exe88⤵
-
\??\c:\pddnlvp.exec:\pddnlvp.exe89⤵
-
\??\c:\lxbpt.exec:\lxbpt.exe90⤵
-
\??\c:\lthfv.exec:\lthfv.exe91⤵
-
\??\c:\npttrrr.exec:\npttrrr.exe92⤵
-
\??\c:\jhnvrvd.exec:\jhnvrvd.exe93⤵
-
\??\c:\lvpblx.exec:\lvpblx.exe94⤵
-
\??\c:\dhjtbr.exec:\dhjtbr.exe95⤵
-
\??\c:\pdpnxpb.exec:\pdpnxpb.exe96⤵
-
\??\c:\thfdrvh.exec:\thfdrvh.exe97⤵
-
\??\c:\ljtnjrv.exec:\ljtnjrv.exe98⤵
-
\??\c:\rbbtlp.exec:\rbbtlp.exe99⤵
-
\??\c:\btvjv.exec:\btvjv.exe100⤵
-
\??\c:\blrfl.exec:\blrfl.exe101⤵
-
\??\c:\rjjrvp.exec:\rjjrvp.exe102⤵
-
\??\c:\xhdnnvv.exec:\xhdnnvv.exe103⤵
-
\??\c:\btpbhb.exec:\btpbhb.exe104⤵
-
\??\c:\rpxbfdr.exec:\rpxbfdr.exe105⤵
-
\??\c:\pxlthbb.exec:\pxlthbb.exe106⤵
-
\??\c:\vnnntx.exec:\vnnntx.exe107⤵
-
\??\c:\tddhx.exec:\tddhx.exe108⤵
-
\??\c:\dlxlrl.exec:\dlxlrl.exe109⤵
-
\??\c:\tdpntht.exec:\tdpntht.exe110⤵
-
\??\c:\phplxfp.exec:\phplxfp.exe111⤵
-
\??\c:\txddxl.exec:\txddxl.exe112⤵
-
\??\c:\nvdvrt.exec:\nvdvrt.exe113⤵
-
\??\c:\jfxflhr.exec:\jfxflhr.exe114⤵
-
\??\c:\vvlfdj.exec:\vvlfdj.exe115⤵
-
\??\c:\dvvtj.exec:\dvvtj.exe116⤵
-
\??\c:\pxhnvff.exec:\pxhnvff.exe117⤵
-
\??\c:\xxnfddd.exec:\xxnfddd.exe118⤵
-
\??\c:\pdjrrpp.exec:\pdjrrpp.exe119⤵
-
\??\c:\xfrtl.exec:\xfrtl.exe120⤵
-
\??\c:\rdxxpv.exec:\rdxxpv.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-