Analysis
-
max time kernel
150s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
27/12/2024, 22:31
General
-
Target
63127448c68f9ab92928fd560e4670cb893bc1b05a922b016abeb14ad6fc9f43.exe
-
Size
453KB
-
MD5
5790ef9b1f4c0efd0647dea58b516a69
-
SHA1
10e81b9544b2506fc018a958447b3c67e7ec1d34
-
SHA256
63127448c68f9ab92928fd560e4670cb893bc1b05a922b016abeb14ad6fc9f43
-
SHA512
af68257b5a99dbf6528390bf8d1caeb98ee1eb3a1b015136288f2e37d70a17f063c5f502931b591848a8c8d13c2a0c23450847a84fe1e25ce1d4d8eb4d80131e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeN3:q7Tc2NYHUrAwfMp3CDN3
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 38 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 42 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\63127448c68f9ab92928fd560e4670cb893bc1b05a922b016abeb14ad6fc9f43.exe"C:\Users\Admin\AppData\Local\Temp\63127448c68f9ab92928fd560e4670cb893bc1b05a922b016abeb14ad6fc9f43.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\fvnrvf.exec:\fvnrvf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dxttv.exec:\dxttv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjdxf.exec:\jdjdxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhfdv.exec:\nbhfdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lbrtd.exec:\lbrtd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tjjdt.exec:\tjjdt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rllhf.exec:\rllhf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rdvrhh.exec:\rdvrhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlllv.exec:\rlllv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbppdn.exec:\hbppdn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvtjbdr.exec:\vvtjbdr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thfvb.exec:\thfvb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrxljx.exec:\rrxljx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xvhdf.exec:\xvhdf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\brxvr.exec:\brxvr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tlvvt.exec:\tlvvt.exe17⤵
- Executes dropped EXE
-
\??\c:\xjbrn.exec:\xjbrn.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\fxflb.exec:\fxflb.exe19⤵
- Executes dropped EXE
-
\??\c:\vvtrjxf.exec:\vvtrjxf.exe20⤵
- Executes dropped EXE
-
\??\c:\thhdtb.exec:\thhdtb.exe21⤵
- Executes dropped EXE
-
\??\c:\vrnnj.exec:\vrnnj.exe22⤵
- Executes dropped EXE
-
\??\c:\ffxht.exec:\ffxht.exe23⤵
- Executes dropped EXE
-
\??\c:\ftftj.exec:\ftftj.exe24⤵
- Executes dropped EXE
-
\??\c:\btvlhhv.exec:\btvlhhv.exe25⤵
- Executes dropped EXE
-
\??\c:\rldrvd.exec:\rldrvd.exe26⤵
- Executes dropped EXE
-
\??\c:\bfjfxhh.exec:\bfjfxhh.exe27⤵
- Executes dropped EXE
-
\??\c:\tbtbt.exec:\tbtbt.exe28⤵
- Executes dropped EXE
-
\??\c:\dhrjth.exec:\dhrjth.exe29⤵
- Executes dropped EXE
-
\??\c:\vlrvjrl.exec:\vlrvjrl.exe30⤵
- Executes dropped EXE
-
\??\c:\tnjbtf.exec:\tnjbtf.exe31⤵
- Executes dropped EXE
-
\??\c:\xhbhdp.exec:\xhbhdp.exe32⤵
- Executes dropped EXE
-
\??\c:\tfbpt.exec:\tfbpt.exe33⤵
- Executes dropped EXE
-
\??\c:\hbvpp.exec:\hbvpp.exe34⤵
- Executes dropped EXE
-
\??\c:\vtjdlj.exec:\vtjdlj.exe35⤵
- Executes dropped EXE
-
\??\c:\rxnxvln.exec:\rxnxvln.exe36⤵
- Executes dropped EXE
-
\??\c:\xnjhx.exec:\xnjhx.exe37⤵
- Executes dropped EXE
-
\??\c:\dxnlblr.exec:\dxnlblr.exe38⤵
- Executes dropped EXE
-
\??\c:\hllhpl.exec:\hllhpl.exe39⤵
- Executes dropped EXE
-
\??\c:\tnpldt.exec:\tnpldt.exe40⤵
- Executes dropped EXE
-
\??\c:\ljbvtv.exec:\ljbvtv.exe41⤵
- Executes dropped EXE
-
\??\c:\fvxbbh.exec:\fvxbbh.exe42⤵
- Executes dropped EXE
-
\??\c:\pnxtd.exec:\pnxtd.exe43⤵
- Executes dropped EXE
-
\??\c:\nrjjpn.exec:\nrjjpn.exe44⤵
- Executes dropped EXE
-
\??\c:\bdlrd.exec:\bdlrd.exe45⤵
- Executes dropped EXE
-
\??\c:\njnjt.exec:\njnjt.exe46⤵
- Executes dropped EXE
-
\??\c:\txdhlxf.exec:\txdhlxf.exe47⤵
- Executes dropped EXE
-
\??\c:\hljtvr.exec:\hljtvr.exe48⤵
- Executes dropped EXE
-
\??\c:\hvlxhl.exec:\hvlxhl.exe49⤵
- Executes dropped EXE
-
\??\c:\jlbht.exec:\jlbht.exe50⤵
- Executes dropped EXE
-
\??\c:\bdlhn.exec:\bdlhn.exe51⤵
- Executes dropped EXE
-
\??\c:\bbvtjfb.exec:\bbvtjfb.exe52⤵
- Executes dropped EXE
-
\??\c:\pbltb.exec:\pbltb.exe53⤵
- Executes dropped EXE
-
\??\c:\npfld.exec:\npfld.exe54⤵
- Executes dropped EXE
-
\??\c:\rpvrf.exec:\rpvrf.exe55⤵
- Executes dropped EXE
-
\??\c:\vvblb.exec:\vvblb.exe56⤵
- Executes dropped EXE
-
\??\c:\xfxltbh.exec:\xfxltbh.exe57⤵
- Executes dropped EXE
-
\??\c:\ttvljlp.exec:\ttvljlp.exe58⤵
- Executes dropped EXE
-
\??\c:\rrhhvbn.exec:\rrhhvbn.exe59⤵
- Executes dropped EXE
-
\??\c:\dxdxln.exec:\dxdxln.exe60⤵
- Executes dropped EXE
-
\??\c:\xdhdr.exec:\xdhdr.exe61⤵
- Executes dropped EXE
-
\??\c:\vbjlbh.exec:\vbjlbh.exe62⤵
- Executes dropped EXE
-
\??\c:\rfhnln.exec:\rfhnln.exe63⤵
- Executes dropped EXE
-
\??\c:\hvpvhv.exec:\hvpvhv.exe64⤵
- Executes dropped EXE
-
\??\c:\ntxpvth.exec:\ntxpvth.exe65⤵
- Executes dropped EXE
-
\??\c:\jdxjxnd.exec:\jdxjxnd.exe66⤵
-
\??\c:\dtdxvjp.exec:\dtdxvjp.exe67⤵
-
\??\c:\nnvvbhh.exec:\nnvvbhh.exe68⤵
-
\??\c:\pvfdv.exec:\pvfdv.exe69⤵
-
\??\c:\fttdpd.exec:\fttdpd.exe70⤵
-
\??\c:\bplxvfr.exec:\bplxvfr.exe71⤵
-
\??\c:\pxfll.exec:\pxfll.exe72⤵
-
\??\c:\lvdhjff.exec:\lvdhjff.exe73⤵
-
\??\c:\bnfxnnn.exec:\bnfxnnn.exe74⤵
- System Location Discovery: System Language Discovery
-
\??\c:\vtttxb.exec:\vtttxb.exe75⤵
-
\??\c:\tvbpvfv.exec:\tvbpvfv.exe76⤵
-
\??\c:\lrvnbn.exec:\lrvnbn.exe77⤵
-
\??\c:\bdlvjj.exec:\bdlvjj.exe78⤵
-
\??\c:\jrbxhjt.exec:\jrbxhjt.exe79⤵
-
\??\c:\rpljpb.exec:\rpljpb.exe80⤵
-
\??\c:\brlnv.exec:\brlnv.exe81⤵
-
\??\c:\nfljbr.exec:\nfljbr.exe82⤵
-
\??\c:\nddfvp.exec:\nddfvp.exe83⤵
-
\??\c:\ddhhdtj.exec:\ddhhdtj.exe84⤵
-
\??\c:\rhflx.exec:\rhflx.exe85⤵
-
\??\c:\pxdjdf.exec:\pxdjdf.exe86⤵
-
\??\c:\jvltnl.exec:\jvltnl.exe87⤵
-
\??\c:\tlrvr.exec:\tlrvr.exe88⤵
-
\??\c:\dtthblj.exec:\dtthblj.exe89⤵
-
\??\c:\rfvnhv.exec:\rfvnhv.exe90⤵
-
\??\c:\xpxpb.exec:\xpxpb.exe91⤵
-
\??\c:\rtjhn.exec:\rtjhn.exe92⤵
-
\??\c:\njhlxtf.exec:\njhlxtf.exe93⤵
-
\??\c:\jhxfv.exec:\jhxfv.exe94⤵
-
\??\c:\nbbjd.exec:\nbbjd.exe95⤵
-
\??\c:\fpxffnt.exec:\fpxffnt.exe96⤵
-
\??\c:\nvfpn.exec:\nvfpn.exe97⤵
-
\??\c:\hdfdbfj.exec:\hdfdbfj.exe98⤵
-
\??\c:\bbvxdft.exec:\bbvxdft.exe99⤵
-
\??\c:\lldjbl.exec:\lldjbl.exe100⤵
-
\??\c:\ftfrvr.exec:\ftfrvr.exe101⤵
-
\??\c:\pvjjtrf.exec:\pvjjtrf.exe102⤵
-
\??\c:\bxfnl.exec:\bxfnl.exe103⤵
-
\??\c:\jbxvh.exec:\jbxvh.exe104⤵
-
\??\c:\nthpd.exec:\nthpd.exe105⤵
-
\??\c:\fhxhjx.exec:\fhxhjx.exe106⤵
-
\??\c:\fntpnjl.exec:\fntpnjl.exe107⤵
-
\??\c:\ntnhxn.exec:\ntnhxn.exe108⤵
-
\??\c:\nxlnlrh.exec:\nxlnlrh.exe109⤵
-
\??\c:\tppnrfh.exec:\tppnrfh.exe110⤵
-
\??\c:\flltbbb.exec:\flltbbb.exe111⤵
-
\??\c:\nbvbppb.exec:\nbvbppb.exe112⤵
-
\??\c:\tvfnldl.exec:\tvfnldl.exe113⤵
-
\??\c:\tptpx.exec:\tptpx.exe114⤵
-
\??\c:\rjvdhj.exec:\rjvdhj.exe115⤵
-
\??\c:\hrjnlv.exec:\hrjnlv.exe116⤵
-
\??\c:\vndbdpb.exec:\vndbdpb.exe117⤵
-
\??\c:\dbpphh.exec:\dbpphh.exe118⤵
-
\??\c:\jdhrpd.exec:\jdhrpd.exe119⤵
-
\??\c:\ntfhdjh.exec:\ntfhdjh.exe120⤵
-
\??\c:\npndvdf.exec:\npndvdf.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-