Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
20/01/2025, 09:16
General
-
Target
25dc301dea72954956a5151efbbfffdd6604a270ba184e4f930f6f791ac3c3a4.exe
-
Size
454KB
-
MD5
d58556a689f9cccc9298ff27191f07e5
-
SHA1
1514a627a87a15cadb619fa89f67510646c837cb
-
SHA256
25dc301dea72954956a5151efbbfffdd6604a270ba184e4f930f6f791ac3c3a4
-
SHA512
1debade0d6063e52bd581915b5768256b5f3263f47cd2727d46111444b14f49fb4adf188f66fbdab45b89cb08a81d7ce38f6ad75b0ea36544ff371cfb4ea95d9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbek:q7Tc2NYHUrAwfMp3CDk
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 42 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 43 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\25dc301dea72954956a5151efbbfffdd6604a270ba184e4f930f6f791ac3c3a4.exe"C:\Users\Admin\AppData\Local\Temp\25dc301dea72954956a5151efbbfffdd6604a270ba184e4f930f6f791ac3c3a4.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\hbtbnn.exec:\hbtbnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrlxrx.exec:\fxrlxrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbthhb.exec:\bbthhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjvv.exec:\ppjvv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btthhb.exec:\btthhb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjvd.exec:\pjjvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnbhnh.exec:\nnbhnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjpd.exec:\dvjpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrxllxr.exec:\lrxllxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1bhnnn.exec:\1bhnnn.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\7dppp.exec:\7dppp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhnbnn.exec:\nhnbnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjjpv.exec:\vjjpv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxlrxl.exec:\rlxlrxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbtthn.exec:\hbtthn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1pvdd.exec:\1pvdd.exe17⤵
- Executes dropped EXE
-
\??\c:\nhntbb.exec:\nhntbb.exe18⤵
- Executes dropped EXE
-
\??\c:\pjvdp.exec:\pjvdp.exe19⤵
- Executes dropped EXE
-
\??\c:\frxrrrx.exec:\frxrrrx.exe20⤵
- Executes dropped EXE
-
\??\c:\nhhtbh.exec:\nhhtbh.exe21⤵
- Executes dropped EXE
-
\??\c:\xxrffxl.exec:\xxrffxl.exe22⤵
- Executes dropped EXE
-
\??\c:\htthbb.exec:\htthbb.exe23⤵
- Executes dropped EXE
-
\??\c:\lfxxxlf.exec:\lfxxxlf.exe24⤵
- Executes dropped EXE
-
\??\c:\lxlxffr.exec:\lxlxffr.exe25⤵
- Executes dropped EXE
-
\??\c:\ppvdp.exec:\ppvdp.exe26⤵
- Executes dropped EXE
-
\??\c:\3lfrxfx.exec:\3lfrxfx.exe27⤵
- Executes dropped EXE
-
\??\c:\dvjvj.exec:\dvjvj.exe28⤵
- Executes dropped EXE
-
\??\c:\nthntt.exec:\nthntt.exe29⤵
- Executes dropped EXE
-
\??\c:\5pjvp.exec:\5pjvp.exe30⤵
- Executes dropped EXE
-
\??\c:\xrrxlrf.exec:\xrrxlrf.exe31⤵
- Executes dropped EXE
-
\??\c:\vvpdj.exec:\vvpdj.exe32⤵
- Executes dropped EXE
-
\??\c:\xrllxfx.exec:\xrllxfx.exe33⤵
- Executes dropped EXE
-
\??\c:\ttttbb.exec:\ttttbb.exe34⤵
- Executes dropped EXE
-
\??\c:\dvjpv.exec:\dvjpv.exe35⤵
-
\??\c:\nnbhnt.exec:\nnbhnt.exe36⤵
- Executes dropped EXE
-
\??\c:\pjvdj.exec:\pjvdj.exe37⤵
- Executes dropped EXE
-
\??\c:\xrflrrx.exec:\xrflrrx.exe38⤵
- Executes dropped EXE
-
\??\c:\hhbthh.exec:\hhbthh.exe39⤵
- Executes dropped EXE
-
\??\c:\pdppv.exec:\pdppv.exe40⤵
- Executes dropped EXE
-
\??\c:\xrlrrxr.exec:\xrlrrxr.exe41⤵
- Executes dropped EXE
-
\??\c:\ttbbnb.exec:\ttbbnb.exe42⤵
- Executes dropped EXE
-
\??\c:\pjvpv.exec:\pjvpv.exe43⤵
- Executes dropped EXE
-
\??\c:\xxxfrxl.exec:\xxxfrxl.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\7rffllr.exec:\7rffllr.exe45⤵
- Executes dropped EXE
-
\??\c:\nbnbnt.exec:\nbnbnt.exe46⤵
- Executes dropped EXE
-
\??\c:\5jvdv.exec:\5jvdv.exe47⤵
- Executes dropped EXE
-
\??\c:\rrlxrlx.exec:\rrlxrlx.exe48⤵
- Executes dropped EXE
-
\??\c:\xrfllfl.exec:\xrfllfl.exe49⤵
- Executes dropped EXE
-
\??\c:\hbttbt.exec:\hbttbt.exe50⤵
- Executes dropped EXE
-
\??\c:\9jpjj.exec:\9jpjj.exe51⤵
- Executes dropped EXE
-
\??\c:\5xfllrx.exec:\5xfllrx.exe52⤵
- Executes dropped EXE
-
\??\c:\rrllrrf.exec:\rrllrrf.exe53⤵
- Executes dropped EXE
-
\??\c:\9tbbbh.exec:\9tbbbh.exe54⤵
- Executes dropped EXE
-
\??\c:\jvppp.exec:\jvppp.exe55⤵
- Executes dropped EXE
-
\??\c:\vpvvd.exec:\vpvvd.exe56⤵
- Executes dropped EXE
-
\??\c:\rlfrrrf.exec:\rlfrrrf.exe57⤵
- Executes dropped EXE
-
\??\c:\tnhnbh.exec:\tnhnbh.exe58⤵
- Executes dropped EXE
-
\??\c:\5nbbbb.exec:\5nbbbb.exe59⤵
- Executes dropped EXE
-
\??\c:\dvppd.exec:\dvppd.exe60⤵
- Executes dropped EXE
-
\??\c:\9xlrxfx.exec:\9xlrxfx.exe61⤵
- Executes dropped EXE
-
\??\c:\1nbhhh.exec:\1nbhhh.exe62⤵
- Executes dropped EXE
-
\??\c:\9hbttt.exec:\9hbttt.exe63⤵
- Executes dropped EXE
-
\??\c:\jddvd.exec:\jddvd.exe64⤵
- Executes dropped EXE
-
\??\c:\ffflrfx.exec:\ffflrfx.exe65⤵
- Executes dropped EXE
-
\??\c:\7tnhnn.exec:\7tnhnn.exe66⤵
- Executes dropped EXE
-
\??\c:\pdppp.exec:\pdppp.exe67⤵
-
\??\c:\rflllrf.exec:\rflllrf.exe68⤵
-
\??\c:\5xllxfl.exec:\5xllxfl.exe69⤵
-
\??\c:\thtbbb.exec:\thtbbb.exe70⤵
-
\??\c:\pjpvv.exec:\pjpvv.exe71⤵
-
\??\c:\rrxfrfr.exec:\rrxfrfr.exe72⤵
-
\??\c:\tnbhhn.exec:\tnbhhn.exe73⤵
-
\??\c:\9bhthb.exec:\9bhthb.exe74⤵
-
\??\c:\5dpjd.exec:\5dpjd.exe75⤵
-
\??\c:\1rxxffl.exec:\1rxxffl.exe76⤵
-
\??\c:\3xfxxrr.exec:\3xfxxrr.exe77⤵
-
\??\c:\nbnttb.exec:\nbnttb.exe78⤵
-
\??\c:\3pdpp.exec:\3pdpp.exe79⤵
-
\??\c:\lfrrllr.exec:\lfrrllr.exe80⤵
-
\??\c:\hbhntn.exec:\hbhntn.exe81⤵
-
\??\c:\bbnbhb.exec:\bbnbhb.exe82⤵
-
\??\c:\dppdj.exec:\dppdj.exe83⤵
-
\??\c:\rrffrrx.exec:\rrffrrx.exe84⤵
-
\??\c:\3rxflrr.exec:\3rxflrr.exe85⤵
-
\??\c:\ntttth.exec:\ntttth.exe86⤵
-
\??\c:\3vddd.exec:\3vddd.exe87⤵
-
\??\c:\djpjj.exec:\djpjj.exe88⤵
-
\??\c:\lxllffl.exec:\lxllffl.exe89⤵
-
\??\c:\1bbnhn.exec:\1bbnhn.exe90⤵
-
\??\c:\vpjjp.exec:\vpjjp.exe91⤵
-
\??\c:\1flflxf.exec:\1flflxf.exe92⤵
-
\??\c:\tnnhhn.exec:\tnnhhn.exe93⤵
-
\??\c:\nnhhhh.exec:\nnhhhh.exe94⤵
-
\??\c:\pjdjv.exec:\pjdjv.exe95⤵
-
\??\c:\lfrxrrx.exec:\lfrxrrx.exe96⤵
-
\??\c:\bhbhtb.exec:\bhbhtb.exe97⤵
-
\??\c:\nbnthn.exec:\nbnthn.exe98⤵
-
\??\c:\dvdpv.exec:\dvdpv.exe99⤵
-
\??\c:\xrlrffr.exec:\xrlrffr.exe100⤵
-
\??\c:\tnhhnt.exec:\tnhhnt.exe101⤵
-
\??\c:\tnhhtt.exec:\tnhhtt.exe102⤵
-
\??\c:\jjdvj.exec:\jjdvj.exe103⤵
-
\??\c:\rrffrxr.exec:\rrffrxr.exe104⤵
-
\??\c:\tttntb.exec:\tttntb.exe105⤵
-
\??\c:\3nhhnn.exec:\3nhhnn.exe106⤵
-
\??\c:\pjvvj.exec:\pjvvj.exe107⤵
-
\??\c:\lrffffx.exec:\lrffffx.exe108⤵
-
\??\c:\1nhbtb.exec:\1nhbtb.exe109⤵
-
\??\c:\btnbtt.exec:\btnbtt.exe110⤵
-
\??\c:\jppvv.exec:\jppvv.exe111⤵
-
\??\c:\flflrrr.exec:\flflrrr.exe112⤵
- System Location Discovery: System Language Discovery
-
\??\c:\fxlrxlr.exec:\fxlrxlr.exe113⤵
-
\??\c:\5nbnnt.exec:\5nbnnt.exe114⤵
-
\??\c:\3jdjv.exec:\3jdjv.exe115⤵
-
\??\c:\ddvjd.exec:\ddvjd.exe116⤵
-
\??\c:\xxlrxxf.exec:\xxlrxxf.exe117⤵
-
\??\c:\tthtbb.exec:\tthtbb.exe118⤵
-
\??\c:\hhbbnt.exec:\hhbbnt.exe119⤵
-
\??\c:\xlrlffx.exec:\xlrlffx.exe120⤵
-
\??\c:\hbttbb.exec:\hbttbb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-