Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
18-02-2025 04:27
General
-
Target
aef6850c84c6966bd6155700e546df0f346e368dde5017ae6fcb3e570c03a39b.exe
-
Size
73KB
-
MD5
ea1dd3c97a3acb03c2005a759f429939
-
SHA1
58ed73be3ebe41382fbf29c1971c283b2e73d715
-
SHA256
aef6850c84c6966bd6155700e546df0f346e368dde5017ae6fcb3e570c03a39b
-
SHA512
6b54d0e4ea7e29596084929b0229055da99dc93684d83c15093fce36563f3ab2bfba7a6bea7424496a6853840248f489528a1b13ea688821f6812bd22b1f6a91
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yUuYp+5C8+LuvdLH+O:ymb3NkkiQ3mdBjF0yMliCO
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 33 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\aef6850c84c6966bd6155700e546df0f346e368dde5017ae6fcb3e570c03a39b.exe"C:\Users\Admin\AppData\Local\Temp\aef6850c84c6966bd6155700e546df0f346e368dde5017ae6fcb3e570c03a39b.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\pjpjj.exec:\pjpjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjpvv.exec:\pjpvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bntnnb.exec:\bntnnb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbhtb.exec:\nhbhtb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djvvv.exec:\djvvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxxlfl.exec:\xlxxlfl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1nbthn.exec:\1nbthn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3pddj.exec:\3pddj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjdp.exec:\dvjdp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrfxfr.exec:\rfrfxfr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbtbhb.exec:\nbtbhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthnbb.exec:\bthnbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjpjp.exec:\pjpjp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frlrflx.exec:\frlrflx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5rxxxfx.exec:\5rxxxfx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbbbh.exec:\htbbbh.exe17⤵
- Executes dropped EXE
-
\??\c:\tnhhtt.exec:\tnhhtt.exe18⤵
- Executes dropped EXE
-
\??\c:\jvjdp.exec:\jvjdp.exe19⤵
- Executes dropped EXE
-
\??\c:\7rxrrff.exec:\7rxrrff.exe20⤵
- Executes dropped EXE
-
\??\c:\rfflxxf.exec:\rfflxxf.exe21⤵
- Executes dropped EXE
-
\??\c:\7hnhhh.exec:\7hnhhh.exe22⤵
- Executes dropped EXE
-
\??\c:\1ttnhn.exec:\1ttnhn.exe23⤵
- Executes dropped EXE
-
\??\c:\7vpvv.exec:\7vpvv.exe24⤵
- Executes dropped EXE
-
\??\c:\pjppp.exec:\pjppp.exe25⤵
- Executes dropped EXE
-
\??\c:\rllrllr.exec:\rllrllr.exe26⤵
- Executes dropped EXE
-
\??\c:\nbhhnt.exec:\nbhhnt.exe27⤵
- Executes dropped EXE
-
\??\c:\dpjvd.exec:\dpjvd.exe28⤵
- Executes dropped EXE
-
\??\c:\pdpjp.exec:\pdpjp.exe29⤵
- Executes dropped EXE
-
\??\c:\lfrxxxf.exec:\lfrxxxf.exe30⤵
- Executes dropped EXE
-
\??\c:\thhbht.exec:\thhbht.exe31⤵
- Executes dropped EXE
-
\??\c:\nbnntt.exec:\nbnntt.exe32⤵
- Executes dropped EXE
-
\??\c:\dpjdd.exec:\dpjdd.exe33⤵
- Executes dropped EXE
-
\??\c:\lxfrxxf.exec:\lxfrxxf.exe34⤵
- Executes dropped EXE
-
\??\c:\lfrxffl.exec:\lfrxffl.exe35⤵
- Executes dropped EXE
-
\??\c:\9bnhnn.exec:\9bnhnn.exe36⤵
- Executes dropped EXE
-
\??\c:\bthhbt.exec:\bthhbt.exe37⤵
- Executes dropped EXE
-
\??\c:\dppvv.exec:\dppvv.exe38⤵
- Executes dropped EXE
-
\??\c:\vpvvj.exec:\vpvvj.exe39⤵
- Executes dropped EXE
-
\??\c:\rfrrfxf.exec:\rfrrfxf.exe40⤵
- Executes dropped EXE
-
\??\c:\1lxfffl.exec:\1lxfffl.exe41⤵
- Executes dropped EXE
-
\??\c:\5nbbhb.exec:\5nbbhb.exe42⤵
- Executes dropped EXE
-
\??\c:\tnhhhh.exec:\tnhhhh.exe43⤵
- Executes dropped EXE
-
\??\c:\bnhhhh.exec:\bnhhhh.exe44⤵
- Executes dropped EXE
-
\??\c:\jvvvv.exec:\jvvvv.exe45⤵
- Executes dropped EXE
-
\??\c:\3pjjj.exec:\3pjjj.exe46⤵
- Executes dropped EXE
-
\??\c:\rrxrxfl.exec:\rrxrxfl.exe47⤵
- Executes dropped EXE
-
\??\c:\lrlxxlr.exec:\lrlxxlr.exe48⤵
- Executes dropped EXE
-
\??\c:\nhnntb.exec:\nhnntb.exe49⤵
- Executes dropped EXE
-
\??\c:\nhhbbb.exec:\nhhbbb.exe50⤵
- Executes dropped EXE
-
\??\c:\vjpvv.exec:\vjpvv.exe51⤵
- Executes dropped EXE
-
\??\c:\jdppv.exec:\jdppv.exe52⤵
- Executes dropped EXE
-
\??\c:\lfrrxxl.exec:\lfrrxxl.exe53⤵
- Executes dropped EXE
-
\??\c:\rlrxfll.exec:\rlrxfll.exe54⤵
- Executes dropped EXE
-
\??\c:\hnbtbt.exec:\hnbtbt.exe55⤵
- Executes dropped EXE
-
\??\c:\5nhhnn.exec:\5nhhnn.exe56⤵
- Executes dropped EXE
-
\??\c:\1dvpv.exec:\1dvpv.exe57⤵
- Executes dropped EXE
-
\??\c:\rllffff.exec:\rllffff.exe58⤵
- Executes dropped EXE
-
\??\c:\xllrxrx.exec:\xllrxrx.exe59⤵
- Executes dropped EXE
-
\??\c:\5fxxffr.exec:\5fxxffr.exe60⤵
- Executes dropped EXE
-
\??\c:\thhhtb.exec:\thhhtb.exe61⤵
- Executes dropped EXE
-
\??\c:\jvdpv.exec:\jvdpv.exe62⤵
- Executes dropped EXE
-
\??\c:\vjjvv.exec:\vjjvv.exe63⤵
- Executes dropped EXE
-
\??\c:\rfrfllr.exec:\rfrfllr.exe64⤵
- Executes dropped EXE
-
\??\c:\lrrfxrf.exec:\lrrfxrf.exe65⤵
- Executes dropped EXE
-
\??\c:\nbhhhh.exec:\nbhhhh.exe66⤵
-
\??\c:\nbhbbt.exec:\nbhbbt.exe67⤵
-
\??\c:\hbhntb.exec:\hbhntb.exe68⤵
-
\??\c:\lfrfrlr.exec:\lfrfrlr.exe69⤵
-
\??\c:\fxlfrrr.exec:\fxlfrrr.exe70⤵
-
\??\c:\thtthb.exec:\thtthb.exe71⤵
-
\??\c:\nhhnhh.exec:\nhhnhh.exe72⤵
-
\??\c:\jjvvj.exec:\jjvvj.exe73⤵
-
\??\c:\ddpdd.exec:\ddpdd.exe74⤵
-
\??\c:\lfrrrrx.exec:\lfrrrrx.exe75⤵
-
\??\c:\9lllrrf.exec:\9lllrrf.exe76⤵
-
\??\c:\bnbhtb.exec:\bnbhtb.exe77⤵
-
\??\c:\thttnn.exec:\thttnn.exe78⤵
-
\??\c:\jdppj.exec:\jdppj.exe79⤵
-
\??\c:\vjvdj.exec:\vjvdj.exe80⤵
-
\??\c:\pvvpj.exec:\pvvpj.exe81⤵
-
\??\c:\5xrrllr.exec:\5xrrllr.exe82⤵
-
\??\c:\xrffrrf.exec:\xrffrrf.exe83⤵
-
\??\c:\hthnbb.exec:\hthnbb.exe84⤵
-
\??\c:\btttnt.exec:\btttnt.exe85⤵
-
\??\c:\nbhhbb.exec:\nbhhbb.exe86⤵
-
\??\c:\vvvdv.exec:\vvvdv.exe87⤵
-
\??\c:\3pddd.exec:\3pddd.exe88⤵
-
\??\c:\frfflrx.exec:\frfflrx.exe89⤵
-
\??\c:\xlxfrrr.exec:\xlxfrrr.exe90⤵
-
\??\c:\bththh.exec:\bththh.exe91⤵
-
\??\c:\nhnbhh.exec:\nhnbhh.exe92⤵
-
\??\c:\bhhnbt.exec:\bhhnbt.exe93⤵
-
\??\c:\pdjpj.exec:\pdjpj.exe94⤵
-
\??\c:\vvpvp.exec:\vvpvp.exe95⤵
-
\??\c:\fxllffl.exec:\fxllffl.exe96⤵
-
\??\c:\xlrlrrx.exec:\xlrlrrx.exe97⤵
-
\??\c:\1nbhnn.exec:\1nbhnn.exe98⤵
-
\??\c:\thnhhh.exec:\thnhhh.exe99⤵
-
\??\c:\hbthhh.exec:\hbthhh.exe100⤵
-
\??\c:\3vjjj.exec:\3vjjj.exe101⤵
-
\??\c:\pjdvj.exec:\pjdvj.exe102⤵
-
\??\c:\xxffxxl.exec:\xxffxxl.exe103⤵
-
\??\c:\fxflffr.exec:\fxflffr.exe104⤵
-
\??\c:\3rllllr.exec:\3rllllr.exe105⤵
-
\??\c:\nbhhnh.exec:\nbhhnh.exe106⤵
-
\??\c:\nbtttb.exec:\nbtttb.exe107⤵
-
\??\c:\vdjvd.exec:\vdjvd.exe108⤵
-
\??\c:\3jdvd.exec:\3jdvd.exe109⤵
-
\??\c:\xrffrlr.exec:\xrffrlr.exe110⤵
-
\??\c:\9lllxxf.exec:\9lllxxf.exe111⤵
-
\??\c:\fxlxrrf.exec:\fxlxrrf.exe112⤵
-
\??\c:\htbbbb.exec:\htbbbb.exe113⤵
-
\??\c:\9hbntt.exec:\9hbntt.exe114⤵
-
\??\c:\pdpvj.exec:\pdpvj.exe115⤵
-
\??\c:\pjpjp.exec:\pjpjp.exe116⤵
-
\??\c:\1pjjv.exec:\1pjjv.exe117⤵
-
\??\c:\xrfxfll.exec:\xrfxfll.exe118⤵
-
\??\c:\rlrrxxr.exec:\rlrrxxr.exe119⤵
-
\??\c:\bnttbb.exec:\bnttbb.exe120⤵
-
\??\c:\bnbbtb.exec:\bnbbtb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-