Analysis
-
max time kernel
150s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
29/12/2024, 00:00
General
-
Target
668c75a60bbe84e03228c37e98dbba73127c7e40a50df978bed62662a95dcba3.exe
-
Size
455KB
-
MD5
ee251d06651761b1727687534da60ca0
-
SHA1
82424f687d4c5726e6c06fcd05e1c590ff6a0695
-
SHA256
668c75a60bbe84e03228c37e98dbba73127c7e40a50df978bed62662a95dcba3
-
SHA512
9fe4869e01f6dc2d99c6025572636818c46abd228c04c6c088fd35c8472c433c9684ef175abb77999a6d57f3012ffca02842991811b9b5daecb3784d5dacfc22
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeY:q7Tc2NYHUrAwfMp3CDY
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 39 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 48 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\668c75a60bbe84e03228c37e98dbba73127c7e40a50df978bed62662a95dcba3.exe"C:\Users\Admin\AppData\Local\Temp\668c75a60bbe84e03228c37e98dbba73127c7e40a50df978bed62662a95dcba3.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rjphfhl.exec:\rjphfhl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tflpp.exec:\tflpp.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\bljnj.exec:\bljnj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fltnv.exec:\fltnv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rpttp.exec:\rpttp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xpvrr.exec:\xpvrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bxvplj.exec:\bxvplj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfnhrj.exec:\xfnhrj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flfjrln.exec:\flfjrln.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vtjrnj.exec:\vtjrnj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vtdpdhj.exec:\vtdpdhj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nrfjxjr.exec:\nrfjxjr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bjltr.exec:\bjltr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\phxvb.exec:\phxvb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rftntdt.exec:\rftntdt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\plvth.exec:\plvth.exe17⤵
- Executes dropped EXE
-
\??\c:\ljprxh.exec:\ljprxh.exe18⤵
- Executes dropped EXE
-
\??\c:\vxhdtd.exec:\vxhdtd.exe19⤵
- Executes dropped EXE
-
\??\c:\thntj.exec:\thntj.exe20⤵
- Executes dropped EXE
-
\??\c:\xbjxf.exec:\xbjxf.exe21⤵
- Executes dropped EXE
-
\??\c:\lvxldnl.exec:\lvxldnl.exe22⤵
- Executes dropped EXE
-
\??\c:\dxphp.exec:\dxphp.exe23⤵
- Executes dropped EXE
-
\??\c:\vtpftr.exec:\vtpftr.exe24⤵
- Executes dropped EXE
-
\??\c:\htxrpft.exec:\htxrpft.exe25⤵
- Executes dropped EXE
-
\??\c:\lvjndlv.exec:\lvjndlv.exe26⤵
- Executes dropped EXE
-
\??\c:\bxtph.exec:\bxtph.exe27⤵
- Executes dropped EXE
-
\??\c:\fjnvb.exec:\fjnvb.exe28⤵
- Executes dropped EXE
-
\??\c:\xhtnj.exec:\xhtnj.exe29⤵
- Executes dropped EXE
-
\??\c:\rlxnt.exec:\rlxnt.exe30⤵
- Executes dropped EXE
-
\??\c:\pfpxvhb.exec:\pfpxvhb.exe31⤵
- Executes dropped EXE
-
\??\c:\prvdtf.exec:\prvdtf.exe32⤵
- Executes dropped EXE
-
\??\c:\bjlnx.exec:\bjlnx.exe33⤵
- Executes dropped EXE
-
\??\c:\bfjrvx.exec:\bfjrvx.exe34⤵
- Executes dropped EXE
-
\??\c:\jnfjth.exec:\jnfjth.exe35⤵
-
\??\c:\bhrff.exec:\bhrff.exe36⤵
- Executes dropped EXE
-
\??\c:\hvxrfpv.exec:\hvxrfpv.exe37⤵
- Executes dropped EXE
-
\??\c:\hrtxj.exec:\hrtxj.exe38⤵
- Executes dropped EXE
-
\??\c:\ppnjfth.exec:\ppnjfth.exe39⤵
- Executes dropped EXE
-
\??\c:\xnpdbb.exec:\xnpdbb.exe40⤵
- Executes dropped EXE
-
\??\c:\fdjbx.exec:\fdjbx.exe41⤵
- Executes dropped EXE
-
\??\c:\ffrhtbt.exec:\ffrhtbt.exe42⤵
- Executes dropped EXE
-
\??\c:\lrjppjf.exec:\lrjppjf.exe43⤵
- Executes dropped EXE
-
\??\c:\hvlttbb.exec:\hvlttbb.exe44⤵
- Executes dropped EXE
-
\??\c:\ndfblv.exec:\ndfblv.exe45⤵
- Executes dropped EXE
-
\??\c:\xvnxptf.exec:\xvnxptf.exe46⤵
- Executes dropped EXE
-
\??\c:\htprxj.exec:\htprxj.exe47⤵
- Executes dropped EXE
-
\??\c:\lbnvtfb.exec:\lbnvtfb.exe48⤵
- Executes dropped EXE
-
\??\c:\jjbnjjx.exec:\jjbnjjx.exe49⤵
- Executes dropped EXE
-
\??\c:\nrxpjl.exec:\nrxpjl.exe50⤵
- Executes dropped EXE
-
\??\c:\dljvnd.exec:\dljvnd.exe51⤵
- Executes dropped EXE
-
\??\c:\bhrnjph.exec:\bhrnjph.exe52⤵
- Executes dropped EXE
-
\??\c:\bnfdl.exec:\bnfdl.exe53⤵
- Executes dropped EXE
-
\??\c:\tddll.exec:\tddll.exe54⤵
- Executes dropped EXE
-
\??\c:\jxvvfnf.exec:\jxvvfnf.exe55⤵
- Executes dropped EXE
-
\??\c:\pvvlj.exec:\pvvlj.exe56⤵
- Executes dropped EXE
-
\??\c:\xxxbj.exec:\xxxbj.exe57⤵
- Executes dropped EXE
-
\??\c:\vvvtvhn.exec:\vvvtvhn.exe58⤵
- Executes dropped EXE
-
\??\c:\hxdlbfr.exec:\hxdlbfr.exe59⤵
- Executes dropped EXE
-
\??\c:\tfltr.exec:\tfltr.exe60⤵
- Executes dropped EXE
-
\??\c:\jvrtnjh.exec:\jvrtnjh.exe61⤵
- Executes dropped EXE
-
\??\c:\jnnft.exec:\jnnft.exe62⤵
- Executes dropped EXE
-
\??\c:\tbhnlf.exec:\tbhnlf.exe63⤵
- Executes dropped EXE
-
\??\c:\jrpxlr.exec:\jrpxlr.exe64⤵
- Executes dropped EXE
-
\??\c:\ddtjnl.exec:\ddtjnl.exe65⤵
- Executes dropped EXE
-
\??\c:\bpldd.exec:\bpldd.exe66⤵
- Executes dropped EXE
-
\??\c:\hllhp.exec:\hllhp.exe67⤵
-
\??\c:\nbhtf.exec:\nbhtf.exe68⤵
-
\??\c:\tbvlf.exec:\tbvlf.exe69⤵
-
\??\c:\xdxprht.exec:\xdxprht.exe70⤵
-
\??\c:\bbrdvll.exec:\bbrdvll.exe71⤵
-
\??\c:\brfjhjj.exec:\brfjhjj.exe72⤵
-
\??\c:\hblbrpf.exec:\hblbrpf.exe73⤵
-
\??\c:\hvrnhjb.exec:\hvrnhjb.exe74⤵
-
\??\c:\jxtxh.exec:\jxtxh.exe75⤵
-
\??\c:\btpflpf.exec:\btpflpf.exe76⤵
-
\??\c:\thvjx.exec:\thvjx.exe77⤵
-
\??\c:\trtnrpj.exec:\trtnrpj.exe78⤵
-
\??\c:\jrfvlh.exec:\jrfvlh.exe79⤵
-
\??\c:\vrpth.exec:\vrpth.exe80⤵
-
\??\c:\bbnrvvn.exec:\bbnrvvn.exe81⤵
-
\??\c:\tdlrjt.exec:\tdlrjt.exe82⤵
-
\??\c:\hxbhx.exec:\hxbhx.exe83⤵
-
\??\c:\lppvth.exec:\lppvth.exe84⤵
-
\??\c:\tjlxb.exec:\tjlxb.exe85⤵
-
\??\c:\rhdjv.exec:\rhdjv.exe86⤵
-
\??\c:\vvpjr.exec:\vvpjr.exe87⤵
-
\??\c:\vjvtbfx.exec:\vjvtbfx.exe88⤵
-
\??\c:\vjxtx.exec:\vjxtx.exe89⤵
-
\??\c:\fbfbjj.exec:\fbfbjj.exe90⤵
- System Location Discovery: System Language Discovery
-
\??\c:\njbnbtn.exec:\njbnbtn.exe91⤵
-
\??\c:\nxjxtrb.exec:\nxjxtrb.exe92⤵
-
\??\c:\rddpnjr.exec:\rddpnjr.exe93⤵
-
\??\c:\dbvlnl.exec:\dbvlnl.exe94⤵
-
\??\c:\hfvtnrv.exec:\hfvtnrv.exe95⤵
-
\??\c:\jblxx.exec:\jblxx.exe96⤵
-
\??\c:\ntrpr.exec:\ntrpr.exe97⤵
-
\??\c:\dhppbnn.exec:\dhppbnn.exe98⤵
-
\??\c:\tbnpv.exec:\tbnpv.exe99⤵
-
\??\c:\pxbpht.exec:\pxbpht.exe100⤵
-
\??\c:\vdjpthn.exec:\vdjpthn.exe101⤵
-
\??\c:\ldbpf.exec:\ldbpf.exe102⤵
-
\??\c:\rfpphn.exec:\rfpphn.exe103⤵
-
\??\c:\vrxbthr.exec:\vrxbthr.exe104⤵
-
\??\c:\hjfpxn.exec:\hjfpxn.exe105⤵
-
\??\c:\jrjln.exec:\jrjln.exe106⤵
-
\??\c:\pfbvt.exec:\pfbvt.exe107⤵
-
\??\c:\vxdhj.exec:\vxdhj.exe108⤵
-
\??\c:\lrbdl.exec:\lrbdl.exe109⤵
-
\??\c:\hvxndpl.exec:\hvxndpl.exe110⤵
-
\??\c:\pflpbf.exec:\pflpbf.exe111⤵
-
\??\c:\vrhjnjf.exec:\vrhjnjf.exe112⤵
-
\??\c:\pbhnjj.exec:\pbhnjj.exe113⤵
-
\??\c:\xlrrvhd.exec:\xlrrvhd.exe114⤵
-
\??\c:\nttdpf.exec:\nttdpf.exe115⤵
-
\??\c:\llvdr.exec:\llvdr.exe116⤵
-
\??\c:\lrjndvj.exec:\lrjndvj.exe117⤵
-
\??\c:\ddrpvl.exec:\ddrpvl.exe118⤵
-
\??\c:\lffdpxt.exec:\lffdpxt.exe119⤵
- System Location Discovery: System Language Discovery
-
\??\c:\hhlldh.exec:\hhlldh.exe120⤵
-
\??\c:\rrndfn.exec:\rrndfn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-