Analysis
-
max time kernel
152s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
18-02-2025 04:13
General
-
Target
af61d6c11c9e340c5b10b07e16920228d519777f0b76688d0962fa1e4a64f61f.exe
-
Size
85KB
-
MD5
eb493809b3bf5ae3d7d79a22679bf935
-
SHA1
0297a3f408bdabb495fc782893ae78530e2f522a
-
SHA256
af61d6c11c9e340c5b10b07e16920228d519777f0b76688d0962fa1e4a64f61f
-
SHA512
e7c9f80c2caf227d778876183981bf415a1bde61ff201b7137b60ae4349e77fcd26d870b6cab0fd9b3fb03776bf7eb3919b312dd44c2f5cbd6dd21ed984ebf10
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIIpIo60L9QrrA89Q4Shc:ymb3NkkiQ3mdBjFIIp9L9QrrA8LSW
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 21 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\af61d6c11c9e340c5b10b07e16920228d519777f0b76688d0962fa1e4a64f61f.exe"C:\Users\Admin\AppData\Local\Temp\af61d6c11c9e340c5b10b07e16920228d519777f0b76688d0962fa1e4a64f61f.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\bvxdp.exec:\bvxdp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpjnh.exec:\dpjnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djjfpp.exec:\djjfpp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lnvltt.exec:\lnvltt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btvtl.exec:\btvtl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djhhdrl.exec:\djhhdrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jrxpnrl.exec:\jrxpnrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pbhlbfh.exec:\pbhlbfh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pbxbj.exec:\pbxbj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xdhdnr.exec:\xdhdnr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbdflnb.exec:\tbdflnb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pfdjjx.exec:\pfdjjx.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\xjxfhr.exec:\xjxfhr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdvptx.exec:\vdvptx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tddbr.exec:\tddbr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrrhtnx.exec:\lrrhtnx.exe17⤵
- Executes dropped EXE
-
\??\c:\dxjtx.exec:\dxjtx.exe18⤵
- Executes dropped EXE
-
\??\c:\rfxppr.exec:\rfxppr.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\rjffnhr.exec:\rjffnhr.exe20⤵
- Executes dropped EXE
-
\??\c:\fjltd.exec:\fjltd.exe21⤵
- Executes dropped EXE
-
\??\c:\jdvbrjf.exec:\jdvbrjf.exe22⤵
- Executes dropped EXE
-
\??\c:\ffjlfv.exec:\ffjlfv.exe23⤵
- Executes dropped EXE
-
\??\c:\jppnpj.exec:\jppnpj.exe24⤵
- Executes dropped EXE
-
\??\c:\hjdldnr.exec:\hjdldnr.exe25⤵
- Executes dropped EXE
-
\??\c:\ntblrb.exec:\ntblrb.exe26⤵
- Executes dropped EXE
-
\??\c:\fndhp.exec:\fndhp.exe27⤵
- Executes dropped EXE
-
\??\c:\jnjhdxn.exec:\jnjhdxn.exe28⤵
- Executes dropped EXE
-
\??\c:\lrrpj.exec:\lrrpj.exe29⤵
- Executes dropped EXE
-
\??\c:\vppnpd.exec:\vppnpd.exe30⤵
- Executes dropped EXE
-
\??\c:\dvrxb.exec:\dvrxb.exe31⤵
- Executes dropped EXE
-
\??\c:\tdpfph.exec:\tdpfph.exe32⤵
- Executes dropped EXE
-
\??\c:\pvvtv.exec:\pvvtv.exe33⤵
- Executes dropped EXE
-
\??\c:\fnpnb.exec:\fnpnb.exe34⤵
- Executes dropped EXE
-
\??\c:\vnjtdn.exec:\vnjtdn.exe35⤵
- Executes dropped EXE
-
\??\c:\pjtxjv.exec:\pjtxjv.exe36⤵
- Executes dropped EXE
-
\??\c:\rrjpp.exec:\rrjpp.exe37⤵
- Executes dropped EXE
-
\??\c:\jbhdff.exec:\jbhdff.exe38⤵
- Executes dropped EXE
-
\??\c:\pblxtfl.exec:\pblxtfl.exe39⤵
- Executes dropped EXE
-
\??\c:\djlppbx.exec:\djlppbx.exe40⤵
- Executes dropped EXE
-
\??\c:\tbllvbt.exec:\tbllvbt.exe41⤵
- Executes dropped EXE
-
\??\c:\bpdtv.exec:\bpdtv.exe42⤵
- Executes dropped EXE
-
\??\c:\rbdnpj.exec:\rbdnpj.exe43⤵
- Executes dropped EXE
-
\??\c:\rdfvd.exec:\rdfvd.exe44⤵
- Executes dropped EXE
-
\??\c:\tnltlxj.exec:\tnltlxj.exe45⤵
- Executes dropped EXE
-
\??\c:\hlvvbjh.exec:\hlvvbjh.exe46⤵
- Executes dropped EXE
-
\??\c:\tfjtprd.exec:\tfjtprd.exe47⤵
- Executes dropped EXE
-
\??\c:\vvrfdfj.exec:\vvrfdfj.exe48⤵
- Executes dropped EXE
-
\??\c:\fphvllt.exec:\fphvllt.exe49⤵
- Executes dropped EXE
-
\??\c:\tblxblv.exec:\tblxblv.exe50⤵
- Executes dropped EXE
-
\??\c:\plddph.exec:\plddph.exe51⤵
- Executes dropped EXE
-
\??\c:\hvpxrdv.exec:\hvpxrdv.exe52⤵
- Executes dropped EXE
-
\??\c:\dxfnrp.exec:\dxfnrp.exe53⤵
- Executes dropped EXE
-
\??\c:\txvnf.exec:\txvnf.exe54⤵
- Executes dropped EXE
-
\??\c:\nhrvhln.exec:\nhrvhln.exe55⤵
- Executes dropped EXE
-
\??\c:\xlrfph.exec:\xlrfph.exe56⤵
- Executes dropped EXE
-
\??\c:\pthjljv.exec:\pthjljv.exe57⤵
- Executes dropped EXE
-
\??\c:\tjrfphr.exec:\tjrfphr.exe58⤵
- Executes dropped EXE
-
\??\c:\fjldrtj.exec:\fjldrtj.exe59⤵
- Executes dropped EXE
-
\??\c:\vdnpdp.exec:\vdnpdp.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\xprrd.exec:\xprrd.exe61⤵
- Executes dropped EXE
-
\??\c:\ljrhl.exec:\ljrhl.exe62⤵
- Executes dropped EXE
-
\??\c:\rhvhh.exec:\rhvhh.exe63⤵
- Executes dropped EXE
-
\??\c:\pxlrb.exec:\pxlrb.exe64⤵
- Executes dropped EXE
-
\??\c:\ddrln.exec:\ddrln.exe65⤵
- Executes dropped EXE
-
\??\c:\xpthx.exec:\xpthx.exe66⤵
-
\??\c:\bnfrjnv.exec:\bnfrjnv.exe67⤵
-
\??\c:\jtxnhf.exec:\jtxnhf.exe68⤵
-
\??\c:\brntn.exec:\brntn.exe69⤵
-
\??\c:\vvbxn.exec:\vvbxn.exe70⤵
-
\??\c:\ffrhnt.exec:\ffrhnt.exe71⤵
- System Location Discovery: System Language Discovery
-
\??\c:\nlvjf.exec:\nlvjf.exe72⤵
-
\??\c:\lrjjj.exec:\lrjjj.exe73⤵
-
\??\c:\jhjvlvv.exec:\jhjvlvv.exe74⤵
-
\??\c:\hldbbj.exec:\hldbbj.exe75⤵
-
\??\c:\thxfnbb.exec:\thxfnbb.exe76⤵
-
\??\c:\fjbrfr.exec:\fjbrfr.exe77⤵
-
\??\c:\ljxbhhd.exec:\ljxbhhd.exe78⤵
-
\??\c:\hxptl.exec:\hxptl.exe79⤵
-
\??\c:\fbfjv.exec:\fbfjv.exe80⤵
- System Location Discovery: System Language Discovery
-
\??\c:\tpfpl.exec:\tpfpl.exe81⤵
-
\??\c:\xhllln.exec:\xhllln.exe82⤵
-
\??\c:\jvltjt.exec:\jvltjt.exe83⤵
-
\??\c:\hpnnfd.exec:\hpnnfd.exe84⤵
-
\??\c:\nptrvlh.exec:\nptrvlh.exe85⤵
-
\??\c:\rffhhb.exec:\rffhhb.exe86⤵
-
\??\c:\rlftx.exec:\rlftx.exe87⤵
-
\??\c:\phnrvrj.exec:\phnrvrj.exe88⤵
-
\??\c:\bjvbj.exec:\bjvbj.exe89⤵
-
\??\c:\bvfhj.exec:\bvfhj.exe90⤵
- System Location Discovery: System Language Discovery
-
\??\c:\npdfrx.exec:\npdfrx.exe91⤵
-
\??\c:\bpdjhpj.exec:\bpdjhpj.exe92⤵
-
\??\c:\hfpdl.exec:\hfpdl.exe93⤵
-
\??\c:\dxddj.exec:\dxddj.exe94⤵
-
\??\c:\rpldp.exec:\rpldp.exe95⤵
-
\??\c:\lnhrn.exec:\lnhrn.exe96⤵
-
\??\c:\fhbrrlt.exec:\fhbrrlt.exe97⤵
-
\??\c:\ljdfn.exec:\ljdfn.exe98⤵
-
\??\c:\fxlxrjh.exec:\fxlxrjh.exe99⤵
-
\??\c:\fnbdxb.exec:\fnbdxb.exe100⤵
-
\??\c:\rlvfl.exec:\rlvfl.exe101⤵
-
\??\c:\bvrxpf.exec:\bvrxpf.exe102⤵
-
\??\c:\hjdtrf.exec:\hjdtrf.exe103⤵
- System Location Discovery: System Language Discovery
-
\??\c:\htrvh.exec:\htrvh.exe104⤵
-
\??\c:\nftpbnj.exec:\nftpbnj.exe105⤵
-
\??\c:\pvprrxn.exec:\pvprrxn.exe106⤵
-
\??\c:\lhlxr.exec:\lhlxr.exe107⤵
-
\??\c:\tthjvnn.exec:\tthjvnn.exe108⤵
-
\??\c:\lvtrnpb.exec:\lvtrnpb.exe109⤵
- System Location Discovery: System Language Discovery
-
\??\c:\plpdbfb.exec:\plpdbfb.exe110⤵
-
\??\c:\bvbfrr.exec:\bvbfrr.exe111⤵
-
\??\c:\rrftpdb.exec:\rrftpdb.exe112⤵
-
\??\c:\xxjjhnf.exec:\xxjjhnf.exe113⤵
-
\??\c:\rvlpjl.exec:\rvlpjl.exe114⤵
-
\??\c:\djbtfb.exec:\djbtfb.exe115⤵
-
\??\c:\hbbfjx.exec:\hbbfjx.exe116⤵
-
\??\c:\brnnvbt.exec:\brnnvbt.exe117⤵
-
\??\c:\jhdbrdn.exec:\jhdbrdn.exe118⤵
-
\??\c:\hlfjph.exec:\hlfjph.exe119⤵
-
\??\c:\rxxxn.exec:\rxxxn.exe120⤵
-
\??\c:\hdlpjfb.exec:\hdlpjfb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-