Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20250207-en -
resource tags
-
submitted
18-02-2025 04:12
General
-
Target
aef6850c84c6966bd6155700e546df0f346e368dde5017ae6fcb3e570c03a39b.exe
-
Size
73KB
-
MD5
ea1dd3c97a3acb03c2005a759f429939
-
SHA1
58ed73be3ebe41382fbf29c1971c283b2e73d715
-
SHA256
aef6850c84c6966bd6155700e546df0f346e368dde5017ae6fcb3e570c03a39b
-
SHA512
6b54d0e4ea7e29596084929b0229055da99dc93684d83c15093fce36563f3ab2bfba7a6bea7424496a6853840248f489528a1b13ea688821f6812bd22b1f6a91
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yUuYp+5C8+LuvdLH+O:ymb3NkkiQ3mdBjF0yMliCO
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 32 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\aef6850c84c6966bd6155700e546df0f346e368dde5017ae6fcb3e570c03a39b.exe"C:\Users\Admin\AppData\Local\Temp\aef6850c84c6966bd6155700e546df0f346e368dde5017ae6fcb3e570c03a39b.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\hthtnh.exec:\hthtnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxxxxx.exec:\xrxxxxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2644886.exec:\2644886.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9jvpp.exec:\9jvpp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\806600.exec:\806600.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9nbnnh.exec:\9nbnnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frrxxxf.exec:\frrxxxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thntbb.exec:\thntbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\046062.exec:\046062.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpdjj.exec:\dpdjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhtnhh.exec:\hhtnhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tntnnh.exec:\tntnnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxrrxrf.exec:\xxrrxrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\q80020.exec:\q80020.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\o684484.exec:\o684484.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lflrxrf.exec:\lflrxrf.exe17⤵
- Executes dropped EXE
-
\??\c:\btntnn.exec:\btntnn.exe18⤵
- Executes dropped EXE
-
\??\c:\64068.exec:\64068.exe19⤵
- Executes dropped EXE
-
\??\c:\4006286.exec:\4006286.exe20⤵
- Executes dropped EXE
-
\??\c:\dvjjd.exec:\dvjjd.exe21⤵
- Executes dropped EXE
-
\??\c:\82406.exec:\82406.exe22⤵
- Executes dropped EXE
-
\??\c:\htbbhh.exec:\htbbhh.exe23⤵
- Executes dropped EXE
-
\??\c:\8628440.exec:\8628440.exe24⤵
- Executes dropped EXE
-
\??\c:\flfrfrl.exec:\flfrfrl.exe25⤵
- Executes dropped EXE
-
\??\c:\djvdv.exec:\djvdv.exe26⤵
- Executes dropped EXE
-
\??\c:\4246002.exec:\4246002.exe27⤵
- Executes dropped EXE
-
\??\c:\bntnnn.exec:\bntnnn.exe28⤵
- Executes dropped EXE
-
\??\c:\hthhbt.exec:\hthhbt.exe29⤵
- Executes dropped EXE
-
\??\c:\66426.exec:\66426.exe30⤵
- Executes dropped EXE
-
\??\c:\xrllrrr.exec:\xrllrrr.exe31⤵
- Executes dropped EXE
-
\??\c:\jdpdv.exec:\jdpdv.exe32⤵
- Executes dropped EXE
-
\??\c:\682884.exec:\682884.exe33⤵
- Executes dropped EXE
-
\??\c:\nhbtnn.exec:\nhbtnn.exe34⤵
- Executes dropped EXE
-
\??\c:\xxxrxfr.exec:\xxxrxfr.exe35⤵
- Executes dropped EXE
-
\??\c:\9xffxfr.exec:\9xffxfr.exe36⤵
- Executes dropped EXE
-
\??\c:\428088.exec:\428088.exe37⤵
- Executes dropped EXE
-
\??\c:\dpjvv.exec:\dpjvv.exe38⤵
- Executes dropped EXE
-
\??\c:\26062.exec:\26062.exe39⤵
- Executes dropped EXE
-
\??\c:\ffxxxfl.exec:\ffxxxfl.exe40⤵
- Executes dropped EXE
-
\??\c:\642240.exec:\642240.exe41⤵
- Executes dropped EXE
-
\??\c:\fxrxflr.exec:\fxrxflr.exe42⤵
- Executes dropped EXE
-
\??\c:\044240.exec:\044240.exe43⤵
- Executes dropped EXE
-
\??\c:\60846.exec:\60846.exe44⤵
- Executes dropped EXE
-
\??\c:\2622406.exec:\2622406.exe45⤵
- Executes dropped EXE
-
\??\c:\nhhnbh.exec:\nhhnbh.exe46⤵
- Executes dropped EXE
-
\??\c:\vpdjv.exec:\vpdjv.exe47⤵
- Executes dropped EXE
-
\??\c:\3pvdj.exec:\3pvdj.exe48⤵
- Executes dropped EXE
-
\??\c:\nhttbb.exec:\nhttbb.exe49⤵
- Executes dropped EXE
-
\??\c:\xrrfxfx.exec:\xrrfxfx.exe50⤵
- Executes dropped EXE
-
\??\c:\3dvdd.exec:\3dvdd.exe51⤵
- Executes dropped EXE
-
\??\c:\64684.exec:\64684.exe52⤵
- Executes dropped EXE
-
\??\c:\40660.exec:\40660.exe53⤵
- Executes dropped EXE
-
\??\c:\60286.exec:\60286.exe54⤵
- Executes dropped EXE
-
\??\c:\6046244.exec:\6046244.exe55⤵
- Executes dropped EXE
-
\??\c:\60800.exec:\60800.exe56⤵
- Executes dropped EXE
-
\??\c:\206240.exec:\206240.exe57⤵
- Executes dropped EXE
-
\??\c:\8084426.exec:\8084426.exe58⤵
- Executes dropped EXE
-
\??\c:\m0840.exec:\m0840.exe59⤵
- Executes dropped EXE
-
\??\c:\pjjjp.exec:\pjjjp.exe60⤵
- Executes dropped EXE
-
\??\c:\vvjdv.exec:\vvjdv.exe61⤵
- Executes dropped EXE
-
\??\c:\lllfrfr.exec:\lllfrfr.exe62⤵
- Executes dropped EXE
-
\??\c:\4846462.exec:\4846462.exe63⤵
- Executes dropped EXE
-
\??\c:\646062.exec:\646062.exe64⤵
- Executes dropped EXE
-
\??\c:\g0886.exec:\g0886.exe65⤵
- Executes dropped EXE
-
\??\c:\jvpdd.exec:\jvpdd.exe66⤵
-
\??\c:\802248.exec:\802248.exe67⤵
-
\??\c:\g2406.exec:\g2406.exe68⤵
-
\??\c:\c804666.exec:\c804666.exe69⤵
-
\??\c:\5lrfllr.exec:\5lrfllr.exe70⤵
-
\??\c:\08406.exec:\08406.exe71⤵
-
\??\c:\08228.exec:\08228.exe72⤵
-
\??\c:\64606.exec:\64606.exe73⤵
-
\??\c:\0463nt.exec:\0463nt.exe74⤵
-
\??\c:\xlrfflr.exec:\xlrfflr.exe75⤵
-
\??\c:\q68444.exec:\q68444.exe76⤵
-
\??\c:\pdvpd.exec:\pdvpd.exe77⤵
-
\??\c:\nhbbbh.exec:\nhbbbh.exe78⤵
-
\??\c:\86442.exec:\86442.exe79⤵
-
\??\c:\602462.exec:\602462.exe80⤵
-
\??\c:\8028866.exec:\8028866.exe81⤵
-
\??\c:\20620.exec:\20620.exe82⤵
-
\??\c:\646840.exec:\646840.exe83⤵
-
\??\c:\7nbbbh.exec:\7nbbbh.exe84⤵
-
\??\c:\26242.exec:\26242.exe85⤵
-
\??\c:\llflflf.exec:\llflflf.exe86⤵
-
\??\c:\226868.exec:\226868.exe87⤵
-
\??\c:\hbtbhn.exec:\hbtbhn.exe88⤵
-
\??\c:\e48082.exec:\e48082.exe89⤵
-
\??\c:\vpddp.exec:\vpddp.exe90⤵
-
\??\c:\5fxrrrx.exec:\5fxrrrx.exe91⤵
-
\??\c:\hbbtnt.exec:\hbbtnt.exe92⤵
-
\??\c:\1ffffrf.exec:\1ffffrf.exe93⤵
-
\??\c:\20808.exec:\20808.exe94⤵
-
\??\c:\08688.exec:\08688.exe95⤵
-
\??\c:\rxfrlrx.exec:\rxfrlrx.exe96⤵
-
\??\c:\nnthnn.exec:\nnthnn.exe97⤵
-
\??\c:\pjdpd.exec:\pjdpd.exe98⤵
-
\??\c:\rrxxxfr.exec:\rrxxxfr.exe99⤵
-
\??\c:\00464.exec:\00464.exe100⤵
-
\??\c:\fxffffr.exec:\fxffffr.exe101⤵
-
\??\c:\xllxrxr.exec:\xllxrxr.exe102⤵
-
\??\c:\60064.exec:\60064.exe103⤵
-
\??\c:\3jdpv.exec:\3jdpv.exe104⤵
-
\??\c:\e08844.exec:\e08844.exe105⤵
-
\??\c:\6062802.exec:\6062802.exe106⤵
-
\??\c:\u802406.exec:\u802406.exe107⤵
-
\??\c:\lfrrxff.exec:\lfrrxff.exe108⤵
-
\??\c:\dvvvv.exec:\dvvvv.exe109⤵
-
\??\c:\442062.exec:\442062.exe110⤵
-
\??\c:\2662080.exec:\2662080.exe111⤵
-
\??\c:\482802.exec:\482802.exe112⤵
-
\??\c:\22408.exec:\22408.exe113⤵
-
\??\c:\26842.exec:\26842.exe114⤵
-
\??\c:\1jvjj.exec:\1jvjj.exe115⤵
-
\??\c:\824684.exec:\824684.exe116⤵
-
\??\c:\828866.exec:\828866.exe117⤵
-
\??\c:\3fxxflx.exec:\3fxxflx.exe118⤵
-
\??\c:\7rrfrfl.exec:\7rrfrfl.exe119⤵
-
\??\c:\268026.exec:\268026.exe120⤵
-
\??\c:\xxxrxxl.exec:\xxxrxxl.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-