Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
20/01/2025, 09:13
General
-
Target
0b31919303b782dc458069a8d2d608240acae7f90ee71c7a2fe689e54373197b.exe
-
Size
455KB
-
MD5
7679a5cf47913efaa5eab51923ff3e76
-
SHA1
c267ba816f445206e5b25ddbc46cf0c6b8634831
-
SHA256
0b31919303b782dc458069a8d2d608240acae7f90ee71c7a2fe689e54373197b
-
SHA512
ce02e25c3aa6c2371e0a0dd424699ade0d677ed2792b1f8cdd22bd194684b55632715a375646d2b26e12a7e471b6f0a9664a21926aec21a24ec2571e453e7ee1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeu:q7Tc2NYHUrAwfMp3CDu
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 39 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 45 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0b31919303b782dc458069a8d2d608240acae7f90ee71c7a2fe689e54373197b.exe"C:\Users\Admin\AppData\Local\Temp\0b31919303b782dc458069a8d2d608240acae7f90ee71c7a2fe689e54373197b.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\3dpjp.exec:\3dpjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3rfxlxx.exec:\3rfxlxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhhbb.exec:\hbhhbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhhnt.exec:\nbhhnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3llrffr.exec:\3llrffr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1jvdj.exec:\1jvdj.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\fxffflr.exec:\fxffflr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjdj.exec:\ppjdj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttbthh.exec:\ttbthh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdjdj.exec:\pdjdj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrxfff.exec:\rlrxfff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjpdd.exec:\pjpdd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhnttt.exec:\bhnttt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttbhnt.exec:\ttbhnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frlffrl.exec:\frlffrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdpdd.exec:\vdpdd.exe17⤵
- Executes dropped EXE
-
\??\c:\1nnthn.exec:\1nnthn.exe18⤵
- Executes dropped EXE
-
\??\c:\bhnnbb.exec:\bhnnbb.exe19⤵
- Executes dropped EXE
-
\??\c:\fflllll.exec:\fflllll.exe20⤵
- Executes dropped EXE
-
\??\c:\ttbtbb.exec:\ttbtbb.exe21⤵
- Executes dropped EXE
-
\??\c:\xxlrffr.exec:\xxlrffr.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\ttbhhh.exec:\ttbhhh.exe23⤵
- Executes dropped EXE
-
\??\c:\vdvvj.exec:\vdvvj.exe24⤵
- Executes dropped EXE
-
\??\c:\nhttbb.exec:\nhttbb.exe25⤵
- Executes dropped EXE
-
\??\c:\lfflflr.exec:\lfflflr.exe26⤵
- Executes dropped EXE
-
\??\c:\3tnhnh.exec:\3tnhnh.exe27⤵
- Executes dropped EXE
-
\??\c:\jppjp.exec:\jppjp.exe28⤵
- Executes dropped EXE
-
\??\c:\xlxrxxl.exec:\xlxrxxl.exe29⤵
- Executes dropped EXE
-
\??\c:\3bttbh.exec:\3bttbh.exe30⤵
- Executes dropped EXE
-
\??\c:\1vpvd.exec:\1vpvd.exe31⤵
- Executes dropped EXE
-
\??\c:\rrxxxrx.exec:\rrxxxrx.exe32⤵
- Executes dropped EXE
-
\??\c:\djddd.exec:\djddd.exe33⤵
- Executes dropped EXE
-
\??\c:\flrrxxx.exec:\flrrxxx.exe34⤵
- Executes dropped EXE
-
\??\c:\bhnhnt.exec:\bhnhnt.exe35⤵
- Executes dropped EXE
-
\??\c:\1vppd.exec:\1vppd.exe36⤵
- Executes dropped EXE
-
\??\c:\1xxxffr.exec:\1xxxffr.exe37⤵
- Executes dropped EXE
-
\??\c:\bbhhnn.exec:\bbhhnn.exe38⤵
- Executes dropped EXE
-
\??\c:\dpdvj.exec:\dpdvj.exe39⤵
- Executes dropped EXE
-
\??\c:\vpvvd.exec:\vpvvd.exe40⤵
- Executes dropped EXE
-
\??\c:\xxxxflr.exec:\xxxxflr.exe41⤵
- Executes dropped EXE
-
\??\c:\tbnntt.exec:\tbnntt.exe42⤵
- Executes dropped EXE
-
\??\c:\vpvvv.exec:\vpvvv.exe43⤵
- Executes dropped EXE
-
\??\c:\pvvjd.exec:\pvvjd.exe44⤵
- Executes dropped EXE
-
\??\c:\rlrlxxf.exec:\rlrlxxf.exe45⤵
- Executes dropped EXE
-
\??\c:\nhtthh.exec:\nhtthh.exe46⤵
- Executes dropped EXE
-
\??\c:\nnttbb.exec:\nnttbb.exe47⤵
- Executes dropped EXE
-
\??\c:\jvddd.exec:\jvddd.exe48⤵
- Executes dropped EXE
-
\??\c:\7rxxxfl.exec:\7rxxxfl.exe49⤵
- Executes dropped EXE
-
\??\c:\ttnnnn.exec:\ttnnnn.exe50⤵
- Executes dropped EXE
-
\??\c:\5dddp.exec:\5dddp.exe51⤵
- Executes dropped EXE
-
\??\c:\3frlllr.exec:\3frlllr.exe52⤵
- Executes dropped EXE
-
\??\c:\lrllxxf.exec:\lrllxxf.exe53⤵
- Executes dropped EXE
-
\??\c:\vpjvd.exec:\vpjvd.exe54⤵
- Executes dropped EXE
-
\??\c:\dvddd.exec:\dvddd.exe55⤵
- Executes dropped EXE
-
\??\c:\rlflxfl.exec:\rlflxfl.exe56⤵
- Executes dropped EXE
-
\??\c:\nnbhnt.exec:\nnbhnt.exe57⤵
- Executes dropped EXE
-
\??\c:\jjjjp.exec:\jjjjp.exe58⤵
- Executes dropped EXE
-
\??\c:\vpvdj.exec:\vpvdj.exe59⤵
- Executes dropped EXE
-
\??\c:\rxllrfx.exec:\rxllrfx.exe60⤵
- Executes dropped EXE
-
\??\c:\nhtbnt.exec:\nhtbnt.exe61⤵
- Executes dropped EXE
-
\??\c:\djddd.exec:\djddd.exe62⤵
- Executes dropped EXE
-
\??\c:\xxrlllx.exec:\xxrlllx.exe63⤵
- Executes dropped EXE
-
\??\c:\nnbhth.exec:\nnbhth.exe64⤵
- Executes dropped EXE
-
\??\c:\hntbbt.exec:\hntbbt.exe65⤵
- Executes dropped EXE
-
\??\c:\vjdvd.exec:\vjdvd.exe66⤵
-
\??\c:\1lxlrrr.exec:\1lxlrrr.exe67⤵
-
\??\c:\bhttbh.exec:\bhttbh.exe68⤵
-
\??\c:\hhbntt.exec:\hhbntt.exe69⤵
-
\??\c:\jvjjp.exec:\jvjjp.exe70⤵
-
\??\c:\lxxlxfx.exec:\lxxlxfx.exe71⤵
-
\??\c:\thnhht.exec:\thnhht.exe72⤵
-
\??\c:\vjddp.exec:\vjddp.exe73⤵
-
\??\c:\rfrxfff.exec:\rfrxfff.exe74⤵
-
\??\c:\xfflxfr.exec:\xfflxfr.exe75⤵
-
\??\c:\tbhhth.exec:\tbhhth.exe76⤵
-
\??\c:\7pdjd.exec:\7pdjd.exe77⤵
-
\??\c:\fffrxxr.exec:\fffrxxr.exe78⤵
-
\??\c:\9ttnhn.exec:\9ttnhn.exe79⤵
-
\??\c:\htnthn.exec:\htnthn.exe80⤵
-
\??\c:\9dvvd.exec:\9dvvd.exe81⤵
-
\??\c:\5xrxlrr.exec:\5xrxlrr.exe82⤵
-
\??\c:\5nhbbb.exec:\5nhbbb.exe83⤵
-
\??\c:\3jdjd.exec:\3jdjd.exe84⤵
-
\??\c:\ppjjp.exec:\ppjjp.exe85⤵
-
\??\c:\xrxxflr.exec:\xrxxflr.exe86⤵
-
\??\c:\nbthbn.exec:\nbthbn.exe87⤵
- System Location Discovery: System Language Discovery
-
\??\c:\hbnnnn.exec:\hbnnnn.exe88⤵
-
\??\c:\djdjp.exec:\djdjp.exe89⤵
-
\??\c:\rrxxffx.exec:\rrxxffx.exe90⤵
-
\??\c:\1hnttt.exec:\1hnttt.exe91⤵
-
\??\c:\vvpjd.exec:\vvpjd.exe92⤵
-
\??\c:\ddjjd.exec:\ddjjd.exe93⤵
-
\??\c:\lrxxflr.exec:\lrxxflr.exe94⤵
-
\??\c:\hbtbth.exec:\hbtbth.exe95⤵
-
\??\c:\nnnbtt.exec:\nnnbtt.exe96⤵
-
\??\c:\vdvvd.exec:\vdvvd.exe97⤵
-
\??\c:\7rfllxf.exec:\7rfllxf.exe98⤵
-
\??\c:\5lxxllr.exec:\5lxxllr.exe99⤵
-
\??\c:\hhthth.exec:\hhthth.exe100⤵
-
\??\c:\djppv.exec:\djppv.exe101⤵
-
\??\c:\3frfflf.exec:\3frfflf.exe102⤵
-
\??\c:\rrfffll.exec:\rrfffll.exe103⤵
-
\??\c:\bhttbb.exec:\bhttbb.exe104⤵
-
\??\c:\3pjdj.exec:\3pjdj.exe105⤵
-
\??\c:\vjvvj.exec:\vjvvj.exe106⤵
-
\??\c:\rflrxlx.exec:\rflrxlx.exe107⤵
-
\??\c:\1httbb.exec:\1httbb.exe108⤵
-
\??\c:\jpddd.exec:\jpddd.exe109⤵
-
\??\c:\jpjpp.exec:\jpjpp.exe110⤵
-
\??\c:\xflrrxx.exec:\xflrrxx.exe111⤵
-
\??\c:\nthbhn.exec:\nthbhn.exe112⤵
-
\??\c:\hnbtnh.exec:\hnbtnh.exe113⤵
-
\??\c:\pvjjd.exec:\pvjjd.exe114⤵
-
\??\c:\rrxrrll.exec:\rrxrrll.exe115⤵
-
\??\c:\3ffrxlx.exec:\3ffrxlx.exe116⤵
-
\??\c:\nntttt.exec:\nntttt.exe117⤵
-
\??\c:\vjpjj.exec:\vjpjj.exe118⤵
-
\??\c:\flrrxfr.exec:\flrrxfr.exe119⤵
-
\??\c:\hntntt.exec:\hntntt.exe120⤵
-
\??\c:\pjpjd.exec:\pjpjd.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-