Analysis
-
max time kernel
150s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
29/12/2024, 05:34
General
-
Target
eba0c024a3cdd2cab2d87a3c201d0b999f57a675097ae5079e12aa66ab985f7f.exe
-
Size
455KB
-
MD5
1da44f9fd608b126fb8e183381d827f1
-
SHA1
41ded087fe895c7e9cf559acdc3f18e8e214e32f
-
SHA256
eba0c024a3cdd2cab2d87a3c201d0b999f57a675097ae5079e12aa66ab985f7f
-
SHA512
b7990f0d7a77365fb0cc7926c1accda37f33c1db5626717a6b4cadd96e6ed68df98341d05f6d1d68ae63f4b71a4fa18d8d068f215a514b7b2a3b6d4d633db54a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbex:q7Tc2NYHUrAwfMp3CDx
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 41 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 45 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\eba0c024a3cdd2cab2d87a3c201d0b999f57a675097ae5079e12aa66ab985f7f.exe"C:\Users\Admin\AppData\Local\Temp\eba0c024a3cdd2cab2d87a3c201d0b999f57a675097ae5079e12aa66ab985f7f.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\ffrlxlx.exec:\ffrlxlx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnbnb.exec:\ttnbnb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjvj.exec:\pjjvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbhbb.exec:\hhbhbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7rlrfrx.exec:\7rlrfrx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppdvj.exec:\ppdvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rffxxfr.exec:\rffxxfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btntbb.exec:\btntbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvpvj.exec:\vvpvj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9bbhnt.exec:\9bbhnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvjvp.exec:\pvjvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1ttbnn.exec:\1ttbnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttthhb.exec:\ttthhb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrlfrxl.exec:\xrlfrxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5bbnbh.exec:\5bbnbh.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\pjddp.exec:\pjddp.exe17⤵
- Executes dropped EXE
-
\??\c:\xlxxllr.exec:\xlxxllr.exe18⤵
- Executes dropped EXE
-
\??\c:\pjjpp.exec:\pjjpp.exe19⤵
- Executes dropped EXE
-
\??\c:\1dddp.exec:\1dddp.exe20⤵
- Executes dropped EXE
-
\??\c:\hhbbhn.exec:\hhbbhn.exe21⤵
- Executes dropped EXE
-
\??\c:\3jdvp.exec:\3jdvp.exe22⤵
- Executes dropped EXE
-
\??\c:\nhhtbh.exec:\nhhtbh.exe23⤵
- Executes dropped EXE
-
\??\c:\pdvdd.exec:\pdvdd.exe24⤵
- Executes dropped EXE
-
\??\c:\xfxlxxr.exec:\xfxlxxr.exe25⤵
- Executes dropped EXE
-
\??\c:\tnbbtn.exec:\tnbbtn.exe26⤵
- Executes dropped EXE
-
\??\c:\frxrrfl.exec:\frxrrfl.exe27⤵
- Executes dropped EXE
-
\??\c:\7tthnn.exec:\7tthnn.exe28⤵
- Executes dropped EXE
-
\??\c:\rrffrxr.exec:\rrffrxr.exe29⤵
- Executes dropped EXE
-
\??\c:\tttbbh.exec:\tttbbh.exe30⤵
- Executes dropped EXE
-
\??\c:\lrflfff.exec:\lrflfff.exe31⤵
- Executes dropped EXE
-
\??\c:\rrlrlrf.exec:\rrlrlrf.exe32⤵
- Executes dropped EXE
-
\??\c:\xxlxlrx.exec:\xxlxlrx.exe33⤵
- Executes dropped EXE
-
\??\c:\nnhtnt.exec:\nnhtnt.exe34⤵
- Executes dropped EXE
-
\??\c:\pjvvd.exec:\pjvvd.exe35⤵
- Executes dropped EXE
-
\??\c:\jjpvp.exec:\jjpvp.exe36⤵
- Executes dropped EXE
-
\??\c:\xxrfxlx.exec:\xxrfxlx.exe37⤵
- Executes dropped EXE
-
\??\c:\9tnbhn.exec:\9tnbhn.exe38⤵
- Executes dropped EXE
-
\??\c:\bhnnbt.exec:\bhnnbt.exe39⤵
- Executes dropped EXE
-
\??\c:\jdvvd.exec:\jdvvd.exe40⤵
- Executes dropped EXE
-
\??\c:\lfxfrrf.exec:\lfxfrrf.exe41⤵
- Executes dropped EXE
-
\??\c:\xxlfrxl.exec:\xxlfrxl.exe42⤵
- Executes dropped EXE
-
\??\c:\hntntb.exec:\hntntb.exe43⤵
- Executes dropped EXE
-
\??\c:\vjvpj.exec:\vjvpj.exe44⤵
- Executes dropped EXE
-
\??\c:\jpjvj.exec:\jpjvj.exe45⤵
- Executes dropped EXE
-
\??\c:\xxlflxl.exec:\xxlflxl.exe46⤵
- Executes dropped EXE
-
\??\c:\xrflxfr.exec:\xrflxfr.exe47⤵
- Executes dropped EXE
-
\??\c:\1bntbb.exec:\1bntbb.exe48⤵
- Executes dropped EXE
-
\??\c:\jvppv.exec:\jvppv.exe49⤵
- Executes dropped EXE
-
\??\c:\3vpdp.exec:\3vpdp.exe50⤵
- Executes dropped EXE
-
\??\c:\rlllflx.exec:\rlllflx.exe51⤵
- Executes dropped EXE
-
\??\c:\bbhtbb.exec:\bbhtbb.exe52⤵
- Executes dropped EXE
-
\??\c:\1thntb.exec:\1thntb.exe53⤵
- Executes dropped EXE
-
\??\c:\pjddj.exec:\pjddj.exe54⤵
- Executes dropped EXE
-
\??\c:\5rrrxxf.exec:\5rrrxxf.exe55⤵
- Executes dropped EXE
-
\??\c:\1xffrxf.exec:\1xffrxf.exe56⤵
- Executes dropped EXE
-
\??\c:\nhbhhn.exec:\nhbhhn.exe57⤵
- Executes dropped EXE
-
\??\c:\5nhbnt.exec:\5nhbnt.exe58⤵
- Executes dropped EXE
-
\??\c:\5dvvp.exec:\5dvvp.exe59⤵
- Executes dropped EXE
-
\??\c:\jdvpp.exec:\jdvpp.exe60⤵
- Executes dropped EXE
-
\??\c:\xrrrlrf.exec:\xrrrlrf.exe61⤵
- Executes dropped EXE
-
\??\c:\ttnbtb.exec:\ttnbtb.exe62⤵
- Executes dropped EXE
-
\??\c:\dvdpd.exec:\dvdpd.exe63⤵
- Executes dropped EXE
-
\??\c:\5pdjj.exec:\5pdjj.exe64⤵
- Executes dropped EXE
-
\??\c:\rlxfxfl.exec:\rlxfxfl.exe65⤵
- Executes dropped EXE
-
\??\c:\frrxrxl.exec:\frrxrxl.exe66⤵
-
\??\c:\bbbhtb.exec:\bbbhtb.exe67⤵
-
\??\c:\vpdjv.exec:\vpdjv.exe68⤵
-
\??\c:\jjvjd.exec:\jjvjd.exe69⤵
-
\??\c:\fxrxxrx.exec:\fxrxxrx.exe70⤵
-
\??\c:\hhbtnb.exec:\hhbtnb.exe71⤵
-
\??\c:\hhbhnt.exec:\hhbhnt.exe72⤵
-
\??\c:\ppvjd.exec:\ppvjd.exe73⤵
-
\??\c:\lxlflfl.exec:\lxlflfl.exe74⤵
-
\??\c:\jjjpd.exec:\jjjpd.exe75⤵
-
\??\c:\rlfrffx.exec:\rlfrffx.exe76⤵
-
\??\c:\bthntb.exec:\bthntb.exe77⤵
-
\??\c:\ppjvv.exec:\ppjvv.exe78⤵
-
\??\c:\1rlxffl.exec:\1rlxffl.exe79⤵
-
\??\c:\bhhtht.exec:\bhhtht.exe80⤵
-
\??\c:\pjjpj.exec:\pjjpj.exe81⤵
-
\??\c:\lrlrxlx.exec:\lrlrxlx.exe82⤵
-
\??\c:\9nhbnb.exec:\9nhbnb.exe83⤵
-
\??\c:\7jvvj.exec:\7jvvj.exe84⤵
-
\??\c:\5fxlrxf.exec:\5fxlrxf.exe85⤵
-
\??\c:\bbtbnt.exec:\bbtbnt.exe86⤵
-
\??\c:\jjvdp.exec:\jjvdp.exe87⤵
-
\??\c:\lxfxrlx.exec:\lxfxrlx.exe88⤵
-
\??\c:\1vpjj.exec:\1vpjj.exe89⤵
-
\??\c:\rlrfxrr.exec:\rlrfxrr.exe90⤵
-
\??\c:\bnnnbh.exec:\bnnnbh.exe91⤵
-
\??\c:\djvjd.exec:\djvjd.exe92⤵
-
\??\c:\5xxflxl.exec:\5xxflxl.exe93⤵
-
\??\c:\bbntbn.exec:\bbntbn.exe94⤵
-
\??\c:\jjpvd.exec:\jjpvd.exe95⤵
-
\??\c:\lrrxllx.exec:\lrrxllx.exe96⤵
-
\??\c:\tbhttb.exec:\tbhttb.exe97⤵
-
\??\c:\9dppd.exec:\9dppd.exe98⤵
-
\??\c:\lrxfrxr.exec:\lrxfrxr.exe99⤵
-
\??\c:\tbbnhh.exec:\tbbnhh.exe100⤵
-
\??\c:\pvpjp.exec:\pvpjp.exe101⤵
-
\??\c:\lffrlfr.exec:\lffrlfr.exe102⤵
-
\??\c:\bbtbtb.exec:\bbtbtb.exe103⤵
-
\??\c:\9jdjj.exec:\9jdjj.exe104⤵
-
\??\c:\xrflrrl.exec:\xrflrrl.exe105⤵
-
\??\c:\nhbhnt.exec:\nhbhnt.exe106⤵
-
\??\c:\dvppv.exec:\dvppv.exe107⤵
-
\??\c:\rxlxfxl.exec:\rxlxfxl.exe108⤵
-
\??\c:\ntnttb.exec:\ntnttb.exe109⤵
-
\??\c:\nnbhnt.exec:\nnbhnt.exe110⤵
-
\??\c:\pjvdp.exec:\pjvdp.exe111⤵
-
\??\c:\lfxfrxr.exec:\lfxfrxr.exe112⤵
-
\??\c:\hnthth.exec:\hnthth.exe113⤵
-
\??\c:\jjpdp.exec:\jjpdp.exe114⤵
-
\??\c:\rrllfrr.exec:\rrllfrr.exe115⤵
-
\??\c:\1btbtb.exec:\1btbtb.exe116⤵
-
\??\c:\jjvjd.exec:\jjvjd.exe117⤵
-
\??\c:\bbbhtb.exec:\bbbhtb.exe118⤵
-
\??\c:\5bhntt.exec:\5bhntt.exe119⤵
-
\??\c:\9pjjd.exec:\9pjjd.exe120⤵
-
\??\c:\rlrrxxf.exec:\rlrrxxf.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-