Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
28/12/2024, 21:27
General
-
Target
324697037607e6c701b58fbac53f1cd4bb58b9325a4f0b49e2e7b95d324a9bb7.exe
-
Size
456KB
-
MD5
54228cbbc3980dffb6e84088304dcb71
-
SHA1
a685aee5b17f9b104ce5ae05e7ce48e919ae7c0e
-
SHA256
324697037607e6c701b58fbac53f1cd4bb58b9325a4f0b49e2e7b95d324a9bb7
-
SHA512
dc2180444b8f0bbe729439294a544b26845c40727785c8bf32e03b114396fdaacbc737062dc98230c0b531832cfe8236100f8aff1cfc33a0e31a7314248add77
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRV:q7Tc2NYHUrAwfMp3CDRV
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 39 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 36 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\324697037607e6c701b58fbac53f1cd4bb58b9325a4f0b49e2e7b95d324a9bb7.exe"C:\Users\Admin\AppData\Local\Temp\324697037607e6c701b58fbac53f1cd4bb58b9325a4f0b49e2e7b95d324a9bb7.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhnhn.exec:\hbhnhn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdvdp.exec:\vdvdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1vppd.exec:\1vppd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9pjjv.exec:\9pjjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhhhnn.exec:\nhhhnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5vjjp.exec:\5vjjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9hbhhh.exec:\9hbhhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffllllr.exec:\ffllllr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ththnh.exec:\ththnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxlrrrl.exec:\xxlrrrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5thhth.exec:\5thhth.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xflxflr.exec:\xflxflr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5bntht.exec:\5bntht.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llrxflr.exec:\llrxflr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7nhthb.exec:\7nhthb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frfrxlr.exec:\frfrxlr.exe17⤵
- Executes dropped EXE
-
\??\c:\ddpvj.exec:\ddpvj.exe18⤵
- Executes dropped EXE
-
\??\c:\jvjdd.exec:\jvjdd.exe19⤵
- Executes dropped EXE
-
\??\c:\hhtbnb.exec:\hhtbnb.exe20⤵
- Executes dropped EXE
-
\??\c:\xlrxllr.exec:\xlrxllr.exe21⤵
- Executes dropped EXE
-
\??\c:\jjjpv.exec:\jjjpv.exe22⤵
- Executes dropped EXE
-
\??\c:\vddpj.exec:\vddpj.exe23⤵
- Executes dropped EXE
-
\??\c:\djvjp.exec:\djvjp.exe24⤵
- Executes dropped EXE
-
\??\c:\ddvdv.exec:\ddvdv.exe25⤵
- Executes dropped EXE
-
\??\c:\pjpdd.exec:\pjpdd.exe26⤵
- Executes dropped EXE
-
\??\c:\flrrxxl.exec:\flrrxxl.exe27⤵
- Executes dropped EXE
-
\??\c:\ppdjj.exec:\ppdjj.exe28⤵
- Executes dropped EXE
-
\??\c:\pjvvd.exec:\pjvvd.exe29⤵
- Executes dropped EXE
-
\??\c:\3nbbhh.exec:\3nbbhh.exe30⤵
- Executes dropped EXE
-
\??\c:\9vppv.exec:\9vppv.exe31⤵
- Executes dropped EXE
-
\??\c:\bbntbn.exec:\bbntbn.exe32⤵
- Executes dropped EXE
-
\??\c:\3ppvd.exec:\3ppvd.exe33⤵
- Executes dropped EXE
-
\??\c:\tnnttn.exec:\tnnttn.exe34⤵
- Executes dropped EXE
-
\??\c:\vvjpp.exec:\vvjpp.exe35⤵
- Executes dropped EXE
-
\??\c:\jpddj.exec:\jpddj.exe36⤵
- Executes dropped EXE
-
\??\c:\3lxxxrx.exec:\3lxxxrx.exe37⤵
- Executes dropped EXE
-
\??\c:\7httbb.exec:\7httbb.exe38⤵
- Executes dropped EXE
-
\??\c:\pppvd.exec:\pppvd.exe39⤵
- Executes dropped EXE
-
\??\c:\rrxxxfl.exec:\rrxxxfl.exe40⤵
- Executes dropped EXE
-
\??\c:\tnttbt.exec:\tnttbt.exe41⤵
- Executes dropped EXE
-
\??\c:\vppvd.exec:\vppvd.exe42⤵
- Executes dropped EXE
-
\??\c:\rrffrrr.exec:\rrffrrr.exe43⤵
- Executes dropped EXE
-
\??\c:\bhtnbh.exec:\bhtnbh.exe44⤵
- Executes dropped EXE
-
\??\c:\7thhhn.exec:\7thhhn.exe45⤵
- Executes dropped EXE
-
\??\c:\jpvpd.exec:\jpvpd.exe46⤵
- Executes dropped EXE
-
\??\c:\rxflxxf.exec:\rxflxxf.exe47⤵
- Executes dropped EXE
-
\??\c:\ttbtnn.exec:\ttbtnn.exe48⤵
- Executes dropped EXE
-
\??\c:\ddpjp.exec:\ddpjp.exe49⤵
- Executes dropped EXE
-
\??\c:\ddvvd.exec:\ddvvd.exe50⤵
- Executes dropped EXE
-
\??\c:\xlxxffl.exec:\xlxxffl.exe51⤵
- Executes dropped EXE
-
\??\c:\tttnhh.exec:\tttnhh.exe52⤵
- Executes dropped EXE
-
\??\c:\jpdvp.exec:\jpdvp.exe53⤵
- Executes dropped EXE
-
\??\c:\flflrfr.exec:\flflrfr.exe54⤵
- Executes dropped EXE
-
\??\c:\btttnt.exec:\btttnt.exe55⤵
- Executes dropped EXE
-
\??\c:\dvddd.exec:\dvddd.exe56⤵
- Executes dropped EXE
-
\??\c:\vvvdd.exec:\vvvdd.exe57⤵
- Executes dropped EXE
-
\??\c:\fxfxxrx.exec:\fxfxxrx.exe58⤵
- Executes dropped EXE
-
\??\c:\7nbtbb.exec:\7nbtbb.exe59⤵
- Executes dropped EXE
-
\??\c:\1djjp.exec:\1djjp.exe60⤵
- Executes dropped EXE
-
\??\c:\jjvvv.exec:\jjvvv.exe61⤵
- Executes dropped EXE
-
\??\c:\5xfxfll.exec:\5xfxfll.exe62⤵
- Executes dropped EXE
-
\??\c:\1nntbb.exec:\1nntbb.exe63⤵
- Executes dropped EXE
-
\??\c:\jvdvd.exec:\jvdvd.exe64⤵
- Executes dropped EXE
-
\??\c:\fxfxffl.exec:\fxfxffl.exe65⤵
- Executes dropped EXE
-
\??\c:\nnbbbb.exec:\nnbbbb.exe66⤵
-
\??\c:\1dpvj.exec:\1dpvj.exe67⤵
-
\??\c:\rrxxrrx.exec:\rrxxrrx.exe68⤵
-
\??\c:\ffxrxxx.exec:\ffxrxxx.exe69⤵
-
\??\c:\hbhhnn.exec:\hbhhnn.exe70⤵
-
\??\c:\dddjj.exec:\dddjj.exe71⤵
-
\??\c:\flrrrxf.exec:\flrrrxf.exe72⤵
-
\??\c:\hhthnn.exec:\hhthnn.exe73⤵
-
\??\c:\vvpjj.exec:\vvpjj.exe74⤵
-
\??\c:\3djjj.exec:\3djjj.exe75⤵
-
\??\c:\lfffffl.exec:\lfffffl.exe76⤵
-
\??\c:\7nbbnt.exec:\7nbbnt.exe77⤵
-
\??\c:\ppvvj.exec:\ppvvj.exe78⤵
-
\??\c:\7jddp.exec:\7jddp.exe79⤵
-
\??\c:\flxxrxl.exec:\flxxrxl.exe80⤵
-
\??\c:\9tnntt.exec:\9tnntt.exe81⤵
-
\??\c:\pvpjj.exec:\pvpjj.exe82⤵
-
\??\c:\djvdj.exec:\djvdj.exe83⤵
-
\??\c:\xxfrrll.exec:\xxfrrll.exe84⤵
-
\??\c:\tnbttb.exec:\tnbttb.exe85⤵
-
\??\c:\7pjjv.exec:\7pjjv.exe86⤵
-
\??\c:\5jdjv.exec:\5jdjv.exe87⤵
-
\??\c:\1xfrfxf.exec:\1xfrfxf.exe88⤵
-
\??\c:\1htbht.exec:\1htbht.exe89⤵
-
\??\c:\tbhhtn.exec:\tbhhtn.exe90⤵
-
\??\c:\1pjjp.exec:\1pjjp.exe91⤵
-
\??\c:\lrlrlfr.exec:\lrlrlfr.exe92⤵
-
\??\c:\bthhtt.exec:\bthhtt.exe93⤵
-
\??\c:\nnnttt.exec:\nnnttt.exe94⤵
-
\??\c:\ddppv.exec:\ddppv.exe95⤵
-
\??\c:\xfrrxxx.exec:\xfrrxxx.exe96⤵
-
\??\c:\xfffflr.exec:\xfffflr.exe97⤵
-
\??\c:\hntbbb.exec:\hntbbb.exe98⤵
-
\??\c:\djpvd.exec:\djpvd.exe99⤵
-
\??\c:\1dppv.exec:\1dppv.exe100⤵
-
\??\c:\lrxxffl.exec:\lrxxffl.exe101⤵
-
\??\c:\thhhnn.exec:\thhhnn.exe102⤵
-
\??\c:\bbtbnb.exec:\bbtbnb.exe103⤵
-
\??\c:\1ppvd.exec:\1ppvd.exe104⤵
-
\??\c:\xrxflxr.exec:\xrxflxr.exe105⤵
-
\??\c:\tbnntt.exec:\tbnntt.exe106⤵
-
\??\c:\nntbhh.exec:\nntbhh.exe107⤵
-
\??\c:\3vpvd.exec:\3vpvd.exe108⤵
-
\??\c:\rrxflrr.exec:\rrxflrr.exe109⤵
-
\??\c:\bttnnh.exec:\bttnnh.exe110⤵
-
\??\c:\1dpvd.exec:\1dpvd.exe111⤵
-
\??\c:\lrxxffr.exec:\lrxxffr.exe112⤵
-
\??\c:\thnbht.exec:\thnbht.exe113⤵
-
\??\c:\7vddp.exec:\7vddp.exe114⤵
-
\??\c:\jdpjj.exec:\jdpjj.exe115⤵
-
\??\c:\xxllrxl.exec:\xxllrxl.exe116⤵
-
\??\c:\3tnnbb.exec:\3tnnbb.exe117⤵
-
\??\c:\tnbhnt.exec:\tnbhnt.exe118⤵
-
\??\c:\vvvvp.exec:\vvvvp.exe119⤵
-
\??\c:\xxrxlrx.exec:\xxrxlrx.exe120⤵
-
\??\c:\bhbbbb.exec:\bhbbbb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-