Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
11-01-2025 06:51
General
-
Target
d7445ede4110fbbf9e2d56f5ada2a5e3160431462481f33f48a8a728ca1e6a16N.exe
-
Size
455KB
-
MD5
53a6cdd492f8ead98218e2b6e3ab91e0
-
SHA1
32ea91ce0116c682913522d6ab5e56a7a7379c9b
-
SHA256
d7445ede4110fbbf9e2d56f5ada2a5e3160431462481f33f48a8a728ca1e6a16
-
SHA512
cd531a810203efd5b366fa6aaf0267060894efc70c2715a015923bd2cc2908dc9d813b66ab313bc10077fd0cba835ee018af4717c93e319efac46f4c7c32b0a1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbez:q7Tc2NYHUrAwfMp3CDz
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 32 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 48 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d7445ede4110fbbf9e2d56f5ada2a5e3160431462481f33f48a8a728ca1e6a16N.exe"C:\Users\Admin\AppData\Local\Temp\d7445ede4110fbbf9e2d56f5ada2a5e3160431462481f33f48a8a728ca1e6a16N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\5fxlxlr.exec:\5fxlxlr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbhtt.exec:\tnbhtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\42284.exec:\42284.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\48002.exec:\48002.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3dppv.exec:\3dppv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\m0608.exec:\m0608.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\c860262.exec:\c860262.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\i640662.exec:\i640662.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvvd.exec:\pdvvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\20880.exec:\20880.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\c242488.exec:\c242488.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7jpvj.exec:\7jpvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\64426.exec:\64426.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\42006.exec:\42006.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdpvp.exec:\pdpvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrlrrfx.exec:\xrlrrfx.exe17⤵
- Executes dropped EXE
-
\??\c:\08488.exec:\08488.exe18⤵
- Executes dropped EXE
-
\??\c:\k86688.exec:\k86688.exe19⤵
- Executes dropped EXE
-
\??\c:\424022.exec:\424022.exe20⤵
- Executes dropped EXE
-
\??\c:\jdpvp.exec:\jdpvp.exe21⤵
- Executes dropped EXE
-
\??\c:\82640.exec:\82640.exe22⤵
- Executes dropped EXE
-
\??\c:\86406.exec:\86406.exe23⤵
- Executes dropped EXE
-
\??\c:\e84426.exec:\e84426.exe24⤵
- Executes dropped EXE
-
\??\c:\824866.exec:\824866.exe25⤵
- Executes dropped EXE
-
\??\c:\i264864.exec:\i264864.exe26⤵
- Executes dropped EXE
-
\??\c:\04608.exec:\04608.exe27⤵
- Executes dropped EXE
-
\??\c:\hthnnn.exec:\hthnnn.exe28⤵
- Executes dropped EXE
-
\??\c:\pjdjp.exec:\pjdjp.exe29⤵
- Executes dropped EXE
-
\??\c:\8640602.exec:\8640602.exe30⤵
- Executes dropped EXE
-
\??\c:\3htttt.exec:\3htttt.exe31⤵
- Executes dropped EXE
-
\??\c:\88280.exec:\88280.exe32⤵
- Executes dropped EXE
-
\??\c:\frxxllr.exec:\frxxllr.exe33⤵
- Executes dropped EXE
-
\??\c:\7rflrrx.exec:\7rflrrx.exe34⤵
- Executes dropped EXE
-
\??\c:\rrlrxfl.exec:\rrlrxfl.exe35⤵
- Executes dropped EXE
-
\??\c:\a4280.exec:\a4280.exe36⤵
- Executes dropped EXE
-
\??\c:\080002.exec:\080002.exe37⤵
- Executes dropped EXE
-
\??\c:\448446.exec:\448446.exe38⤵
- Executes dropped EXE
-
\??\c:\7hbnbn.exec:\7hbnbn.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\jdvjd.exec:\jdvjd.exe40⤵
- Executes dropped EXE
-
\??\c:\4622822.exec:\4622822.exe41⤵
- Executes dropped EXE
-
\??\c:\bthhbh.exec:\bthhbh.exe42⤵
- Executes dropped EXE
-
\??\c:\nbnnbt.exec:\nbnnbt.exe43⤵
- Executes dropped EXE
-
\??\c:\m0402.exec:\m0402.exe44⤵
- Executes dropped EXE
-
\??\c:\08042.exec:\08042.exe45⤵
- Executes dropped EXE
-
\??\c:\264400.exec:\264400.exe46⤵
- Executes dropped EXE
-
\??\c:\rrlxfff.exec:\rrlxfff.exe47⤵
- Executes dropped EXE
-
\??\c:\040688.exec:\040688.exe48⤵
- Executes dropped EXE
-
\??\c:\u028840.exec:\u028840.exe49⤵
- Executes dropped EXE
-
\??\c:\m8624.exec:\m8624.exe50⤵
- Executes dropped EXE
-
\??\c:\4244284.exec:\4244284.exe51⤵
- Executes dropped EXE
-
\??\c:\frffrrf.exec:\frffrrf.exe52⤵
- Executes dropped EXE
-
\??\c:\4288606.exec:\4288606.exe53⤵
- Executes dropped EXE
-
\??\c:\86486.exec:\86486.exe54⤵
- Executes dropped EXE
-
\??\c:\8640008.exec:\8640008.exe55⤵
- Executes dropped EXE
-
\??\c:\7nthtt.exec:\7nthtt.exe56⤵
- Executes dropped EXE
-
\??\c:\2640620.exec:\2640620.exe57⤵
- Executes dropped EXE
-
\??\c:\ttnhth.exec:\ttnhth.exe58⤵
- Executes dropped EXE
-
\??\c:\86468.exec:\86468.exe59⤵
- Executes dropped EXE
-
\??\c:\o662042.exec:\o662042.exe60⤵
- Executes dropped EXE
-
\??\c:\080044.exec:\080044.exe61⤵
- Executes dropped EXE
-
\??\c:\e82806.exec:\e82806.exe62⤵
- Executes dropped EXE
-
\??\c:\062282.exec:\062282.exe63⤵
- Executes dropped EXE
-
\??\c:\xxlxxfl.exec:\xxlxxfl.exe64⤵
- Executes dropped EXE
-
\??\c:\jjjpd.exec:\jjjpd.exe65⤵
- Executes dropped EXE
-
\??\c:\ffxfrxr.exec:\ffxfrxr.exe66⤵
-
\??\c:\66846.exec:\66846.exe67⤵
-
\??\c:\2028624.exec:\2028624.exe68⤵
-
\??\c:\20228.exec:\20228.exe69⤵
-
\??\c:\9ffrxxl.exec:\9ffrxxl.exe70⤵
-
\??\c:\26068.exec:\26068.exe71⤵
-
\??\c:\q60002.exec:\q60002.exe72⤵
-
\??\c:\pjvdp.exec:\pjvdp.exe73⤵
-
\??\c:\1dpvd.exec:\1dpvd.exe74⤵
-
\??\c:\k04084.exec:\k04084.exe75⤵
-
\??\c:\6828440.exec:\6828440.exe76⤵
-
\??\c:\lfrxxxf.exec:\lfrxxxf.exe77⤵
-
\??\c:\5bhhtn.exec:\5bhhtn.exe78⤵
-
\??\c:\1xlllll.exec:\1xlllll.exe79⤵
-
\??\c:\42440.exec:\42440.exe80⤵
-
\??\c:\8022222.exec:\8022222.exe81⤵
-
\??\c:\86862.exec:\86862.exe82⤵
-
\??\c:\486244.exec:\486244.exe83⤵
-
\??\c:\820284.exec:\820284.exe84⤵
-
\??\c:\5hhhhh.exec:\5hhhhh.exe85⤵
-
\??\c:\tnhhnt.exec:\tnhhnt.exe86⤵
-
\??\c:\082824.exec:\082824.exe87⤵
-
\??\c:\jjdpv.exec:\jjdpv.exe88⤵
-
\??\c:\tnbbbh.exec:\tnbbbh.exe89⤵
-
\??\c:\8622262.exec:\8622262.exe90⤵
-
\??\c:\64246.exec:\64246.exe91⤵
-
\??\c:\ddvjp.exec:\ddvjp.exe92⤵
-
\??\c:\nhbhnt.exec:\nhbhnt.exe93⤵
-
\??\c:\1tttnn.exec:\1tttnn.exe94⤵
-
\??\c:\rrfrflx.exec:\rrfrflx.exe95⤵
-
\??\c:\rlfrxfr.exec:\rlfrxfr.exe96⤵
-
\??\c:\662608.exec:\662608.exe97⤵
-
\??\c:\dpvvd.exec:\dpvvd.exe98⤵
-
\??\c:\828404.exec:\828404.exe99⤵
-
\??\c:\48644.exec:\48644.exe100⤵
-
\??\c:\pjvvd.exec:\pjvvd.exe101⤵
-
\??\c:\tnnnnn.exec:\tnnnnn.exe102⤵
-
\??\c:\rfxfllf.exec:\rfxfllf.exe103⤵
-
\??\c:\0424002.exec:\0424002.exe104⤵
-
\??\c:\26062.exec:\26062.exe105⤵
-
\??\c:\42084.exec:\42084.exe106⤵
-
\??\c:\lxxxxxx.exec:\lxxxxxx.exe107⤵
-
\??\c:\s0808.exec:\s0808.exe108⤵
-
\??\c:\024444.exec:\024444.exe109⤵
-
\??\c:\60440.exec:\60440.exe110⤵
-
\??\c:\tntbnn.exec:\tntbnn.exe111⤵
-
\??\c:\20828.exec:\20828.exe112⤵
-
\??\c:\608848.exec:\608848.exe113⤵
-
\??\c:\666842.exec:\666842.exe114⤵
-
\??\c:\0866228.exec:\0866228.exe115⤵
-
\??\c:\xfxlxlx.exec:\xfxlxlx.exe116⤵
-
\??\c:\66686.exec:\66686.exe117⤵
-
\??\c:\66646.exec:\66646.exe118⤵
-
\??\c:\m4246.exec:\m4246.exe119⤵
-
\??\c:\vdvdj.exec:\vdvdj.exe120⤵
-
\??\c:\26680.exec:\26680.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-