Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
18-02-2025 05:01
General
-
Target
c254b0af9e560474174484dc4b994fb9b8ff9f1f96cab130826a88b2ee4978cf.exe
-
Size
80KB
-
MD5
5c5fde1216ab23c239931ce764ce2f26
-
SHA1
1caaad56944bdb6d603c6664b02a0fbdde78b2ee
-
SHA256
c254b0af9e560474174484dc4b994fb9b8ff9f1f96cab130826a88b2ee4978cf
-
SHA512
162062dfb7d3f11942f8aec171c3be9088c9002841a8366dca2ebe93c2e153f79bbe5935949877ec25d0557bf21613a93ba47790962a6ed3ac2b5396f2ed16e5
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDoLuePjDYlSVeAD:ymb3NkkiQ3mdBjFoLucjDNVD
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c254b0af9e560474174484dc4b994fb9b8ff9f1f96cab130826a88b2ee4978cf.exe"C:\Users\Admin\AppData\Local\Temp\c254b0af9e560474174484dc4b994fb9b8ff9f1f96cab130826a88b2ee4978cf.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\7ttnhh.exec:\7ttnhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvvvp.exec:\jvvvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdppj.exec:\vdppj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrlrff.exec:\rfrlrff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxxrll.exec:\frxxrll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvddd.exec:\pvddd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvjdv.exec:\pvjdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxrrrl.exec:\frxrrrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thttnb.exec:\thttnb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpdvd.exec:\vpdvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9dpvd.exec:\9dpvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxlxrlr.exec:\lxlxrlr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flrrrll.exec:\flrrrll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbbtbb.exec:\nbbtbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5thhnn.exec:\5thhnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7vjdd.exec:\7vjdd.exe17⤵
- Executes dropped EXE
-
\??\c:\1xrfxrr.exec:\1xrfxrr.exe18⤵
- Executes dropped EXE
-
\??\c:\rlxfrlr.exec:\rlxfrlr.exe19⤵
- Executes dropped EXE
-
\??\c:\5rfrlfx.exec:\5rfrlfx.exe20⤵
- Executes dropped EXE
-
\??\c:\hthhnt.exec:\hthhnt.exe21⤵
- Executes dropped EXE
-
\??\c:\bnbntn.exec:\bnbntn.exe22⤵
- Executes dropped EXE
-
\??\c:\7vvvj.exec:\7vvvj.exe23⤵
- Executes dropped EXE
-
\??\c:\vjpjj.exec:\vjpjj.exe24⤵
- Executes dropped EXE
-
\??\c:\rxfxfxx.exec:\rxfxfxx.exe25⤵
- Executes dropped EXE
-
\??\c:\rfxxxrr.exec:\rfxxxrr.exe26⤵
- Executes dropped EXE
-
\??\c:\9tthht.exec:\9tthht.exe27⤵
- Executes dropped EXE
-
\??\c:\bnnhht.exec:\bnnhht.exe28⤵
- Executes dropped EXE
-
\??\c:\9pdpp.exec:\9pdpp.exe29⤵
- Executes dropped EXE
-
\??\c:\9vppj.exec:\9vppj.exe30⤵
- Executes dropped EXE
-
\??\c:\xrlllfl.exec:\xrlllfl.exe31⤵
- Executes dropped EXE
-
\??\c:\3lffxrx.exec:\3lffxrx.exe32⤵
- Executes dropped EXE
-
\??\c:\hnnnhb.exec:\hnnnhb.exe33⤵
- Executes dropped EXE
-
\??\c:\jjvvv.exec:\jjvvv.exe34⤵
- Executes dropped EXE
-
\??\c:\dppjp.exec:\dppjp.exe35⤵
- Executes dropped EXE
-
\??\c:\pvvvv.exec:\pvvvv.exe36⤵
- Executes dropped EXE
-
\??\c:\lrfxxrr.exec:\lrfxxrr.exe37⤵
- Executes dropped EXE
-
\??\c:\5lrlxrx.exec:\5lrlxrx.exe38⤵
- Executes dropped EXE
-
\??\c:\frxxfrx.exec:\frxxfrx.exe39⤵
- Executes dropped EXE
-
\??\c:\htnntn.exec:\htnntn.exe40⤵
- Executes dropped EXE
-
\??\c:\bhtnnh.exec:\bhtnnh.exe41⤵
- Executes dropped EXE
-
\??\c:\bthhnt.exec:\bthhnt.exe42⤵
- Executes dropped EXE
-
\??\c:\3jjjd.exec:\3jjjd.exe43⤵
- Executes dropped EXE
-
\??\c:\3djpp.exec:\3djpp.exe44⤵
- Executes dropped EXE
-
\??\c:\frrlllf.exec:\frrlllf.exe45⤵
- Executes dropped EXE
-
\??\c:\rflfxxx.exec:\rflfxxx.exe46⤵
- Executes dropped EXE
-
\??\c:\1lxxrlx.exec:\1lxxrlx.exe47⤵
- Executes dropped EXE
-
\??\c:\nbbbhh.exec:\nbbbhh.exe48⤵
- Executes dropped EXE
-
\??\c:\bnthnh.exec:\bnthnh.exe49⤵
- Executes dropped EXE
-
\??\c:\jvdjj.exec:\jvdjj.exe50⤵
- Executes dropped EXE
-
\??\c:\pdpjj.exec:\pdpjj.exe51⤵
- Executes dropped EXE
-
\??\c:\9fllffl.exec:\9fllffl.exe52⤵
- Executes dropped EXE
-
\??\c:\xrxrrll.exec:\xrxrrll.exe53⤵
- Executes dropped EXE
-
\??\c:\htbbhh.exec:\htbbhh.exe54⤵
- Executes dropped EXE
-
\??\c:\htbtbh.exec:\htbtbh.exe55⤵
- Executes dropped EXE
-
\??\c:\pdppv.exec:\pdppv.exe56⤵
- Executes dropped EXE
-
\??\c:\dpppp.exec:\dpppp.exe57⤵
- Executes dropped EXE
-
\??\c:\lrxllff.exec:\lrxllff.exe58⤵
- Executes dropped EXE
-
\??\c:\lfxfllx.exec:\lfxfllx.exe59⤵
- Executes dropped EXE
-
\??\c:\3xrxfxr.exec:\3xrxfxr.exe60⤵
- Executes dropped EXE
-
\??\c:\htbhhh.exec:\htbhhh.exe61⤵
- Executes dropped EXE
-
\??\c:\pjvdv.exec:\pjvdv.exe62⤵
- Executes dropped EXE
-
\??\c:\frfxlff.exec:\frfxlff.exe63⤵
- Executes dropped EXE
-
\??\c:\xllxxlf.exec:\xllxxlf.exe64⤵
- Executes dropped EXE
-
\??\c:\thbhnn.exec:\thbhnn.exe65⤵
- Executes dropped EXE
-
\??\c:\bhhhbn.exec:\bhhhbn.exe66⤵
-
\??\c:\pjpdd.exec:\pjpdd.exe67⤵
-
\??\c:\1pvvd.exec:\1pvvd.exe68⤵
-
\??\c:\rffxxfl.exec:\rffxxfl.exe69⤵
-
\??\c:\fllflll.exec:\fllflll.exe70⤵
-
\??\c:\1xrxlfr.exec:\1xrxlfr.exe71⤵
-
\??\c:\bhthbt.exec:\bhthbt.exe72⤵
-
\??\c:\nbnbnb.exec:\nbnbnb.exe73⤵
-
\??\c:\dpjdd.exec:\dpjdd.exe74⤵
-
\??\c:\jdppv.exec:\jdppv.exe75⤵
-
\??\c:\3rxrxxx.exec:\3rxrxxx.exe76⤵
-
\??\c:\xlrxflr.exec:\xlrxflr.exe77⤵
-
\??\c:\nbnttt.exec:\nbnttt.exe78⤵
-
\??\c:\1thnnb.exec:\1thnnb.exe79⤵
-
\??\c:\1dddv.exec:\1dddv.exe80⤵
-
\??\c:\jvdpp.exec:\jvdpp.exe81⤵
-
\??\c:\lxfffff.exec:\lxfffff.exe82⤵
-
\??\c:\rlrrxfr.exec:\rlrrxfr.exe83⤵
-
\??\c:\rlrxxxf.exec:\rlrxxxf.exe84⤵
-
\??\c:\nttntn.exec:\nttntn.exe85⤵
-
\??\c:\bttbhh.exec:\bttbhh.exe86⤵
-
\??\c:\vjddv.exec:\vjddv.exe87⤵
-
\??\c:\5pddv.exec:\5pddv.exe88⤵
-
\??\c:\rxffxrr.exec:\rxffxrr.exe89⤵
-
\??\c:\frxrxxx.exec:\frxrxxx.exe90⤵
-
\??\c:\bhhhbt.exec:\bhhhbt.exe91⤵
-
\??\c:\bntnnb.exec:\bntnnb.exe92⤵
-
\??\c:\vjpjv.exec:\vjpjv.exe93⤵
-
\??\c:\3pddd.exec:\3pddd.exe94⤵
-
\??\c:\lfrrrrx.exec:\lfrrrrx.exe95⤵
-
\??\c:\lrrrrlr.exec:\lrrrrlr.exe96⤵
-
\??\c:\bnnhhb.exec:\bnnhhb.exe97⤵
-
\??\c:\nbnnbt.exec:\nbnnbt.exe98⤵
-
\??\c:\thhbhh.exec:\thhbhh.exe99⤵
-
\??\c:\9pdvj.exec:\9pdvj.exe100⤵
-
\??\c:\5jpjd.exec:\5jpjd.exe101⤵
-
\??\c:\3lrfxlr.exec:\3lrfxlr.exe102⤵
-
\??\c:\xlffxxx.exec:\xlffxxx.exe103⤵
-
\??\c:\lxfllll.exec:\lxfllll.exe104⤵
-
\??\c:\9hbbhb.exec:\9hbbhb.exe105⤵
-
\??\c:\pdvvv.exec:\pdvvv.exe106⤵
-
\??\c:\3jvvd.exec:\3jvvd.exe107⤵
-
\??\c:\dpvvv.exec:\dpvvv.exe108⤵
-
\??\c:\lfllllf.exec:\lfllllf.exe109⤵
-
\??\c:\rxffxxx.exec:\rxffxxx.exe110⤵
-
\??\c:\nbtnnh.exec:\nbtnnh.exe111⤵
-
\??\c:\9bnttt.exec:\9bnttt.exe112⤵
-
\??\c:\nbbnhb.exec:\nbbnhb.exe113⤵
-
\??\c:\9vvvp.exec:\9vvvp.exe114⤵
-
\??\c:\jvdvv.exec:\jvdvv.exe115⤵
-
\??\c:\7lfllfl.exec:\7lfllfl.exe116⤵
-
\??\c:\1rxrrlf.exec:\1rxrrlf.exe117⤵
-
\??\c:\9rxxfrx.exec:\9rxxfrx.exe118⤵
-
\??\c:\btbbtt.exec:\btbbtt.exe119⤵
-
\??\c:\3tbbbn.exec:\3tbbbn.exe120⤵
-
\??\c:\7hhttt.exec:\7hhttt.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-