Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20250207-en -
resource tags
-
submitted
28/03/2025, 21:43
General
-
Target
596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e.exe
-
Size
457KB
-
MD5
b0968197740f76cede5c6516cfc99850
-
SHA1
f3b18d0f66cea268bf4322f4b64db1ff5f219723
-
SHA256
596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e
-
SHA512
aa1882d7a9caf7c4e257e491dfe86c928748b43cbc3ede271273a212ddd318ef26db728d59e8b72987f343c19ff82c6f43e583e2178e16ea69760523ebf1f976
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe4:q7Tc2NYHUrAwfMp3CD4
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 37 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 49 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e.exe"C:\Users\Admin\AppData\Local\Temp\596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvdj.exec:\jjvdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpjjd.exec:\dpjjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\g8006.exec:\g8006.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9vjjd.exec:\9vjjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjvd.exec:\ppjvd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjvpj.exec:\vjvpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdpjp.exec:\vdpjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvvp.exec:\vvvvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3xffffx.exec:\3xffffx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\608400.exec:\608400.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\024044.exec:\024044.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\60846.exec:\60846.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0440808.exec:\0440808.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\426688.exec:\426688.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7thbhh.exec:\7thbhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6482222.exec:\6482222.exe17⤵
- Executes dropped EXE
-
\??\c:\64066.exec:\64066.exe18⤵
- Executes dropped EXE
-
\??\c:\nttttb.exec:\nttttb.exe19⤵
- Executes dropped EXE
-
\??\c:\dpvdj.exec:\dpvdj.exe20⤵
- Executes dropped EXE
-
\??\c:\1nbtbb.exec:\1nbtbb.exe21⤵
- Executes dropped EXE
-
\??\c:\w80004.exec:\w80004.exe22⤵
- Executes dropped EXE
-
\??\c:\826422.exec:\826422.exe23⤵
- Executes dropped EXE
-
\??\c:\m8000.exec:\m8000.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\xfxxffr.exec:\xfxxffr.exe25⤵
- Executes dropped EXE
-
\??\c:\680462.exec:\680462.exe26⤵
- Executes dropped EXE
-
\??\c:\btnnhh.exec:\btnnhh.exe27⤵
- Executes dropped EXE
-
\??\c:\jpjdd.exec:\jpjdd.exe28⤵
- Executes dropped EXE
-
\??\c:\82006.exec:\82006.exe29⤵
- Executes dropped EXE
-
\??\c:\7vddj.exec:\7vddj.exe30⤵
- Executes dropped EXE
-
\??\c:\xlxxffl.exec:\xlxxffl.exe31⤵
- Executes dropped EXE
-
\??\c:\vpddd.exec:\vpddd.exe32⤵
- Executes dropped EXE
-
\??\c:\fxxxllx.exec:\fxxxllx.exe33⤵
- Executes dropped EXE
-
\??\c:\04628.exec:\04628.exe34⤵
- Executes dropped EXE
-
\??\c:\864466.exec:\864466.exe35⤵
- Executes dropped EXE
-
\??\c:\820044.exec:\820044.exe36⤵
- Executes dropped EXE
-
\??\c:\rlfflrr.exec:\rlfflrr.exe37⤵
- Executes dropped EXE
-
\??\c:\lfxxrrl.exec:\lfxxrrl.exe38⤵
- Executes dropped EXE
-
\??\c:\826240.exec:\826240.exe39⤵
- Executes dropped EXE
-
\??\c:\0428620.exec:\0428620.exe40⤵
- Executes dropped EXE
-
\??\c:\vpjpd.exec:\vpjpd.exe41⤵
- Executes dropped EXE
-
\??\c:\lrlfllx.exec:\lrlfllx.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\xxxlrrx.exec:\xxxlrrx.exe43⤵
- Executes dropped EXE
-
\??\c:\lrfrxfl.exec:\lrfrxfl.exe44⤵
- Executes dropped EXE
-
\??\c:\5hbhnn.exec:\5hbhnn.exe45⤵
- Executes dropped EXE
-
\??\c:\04848.exec:\04848.exe46⤵
- Executes dropped EXE
-
\??\c:\fxxxxfr.exec:\fxxxxfr.exe47⤵
- Executes dropped EXE
-
\??\c:\hhttbb.exec:\hhttbb.exe48⤵
- Executes dropped EXE
-
\??\c:\nnttbb.exec:\nnttbb.exe49⤵
- Executes dropped EXE
-
\??\c:\dddpp.exec:\dddpp.exe50⤵
- Executes dropped EXE
-
\??\c:\9lrxxfl.exec:\9lrxxfl.exe51⤵
- Executes dropped EXE
-
\??\c:\0468406.exec:\0468406.exe52⤵
- Executes dropped EXE
-
\??\c:\6080620.exec:\6080620.exe53⤵
- Executes dropped EXE
-
\??\c:\htnnhb.exec:\htnnhb.exe54⤵
- Executes dropped EXE
-
\??\c:\9tbtbb.exec:\9tbtbb.exe55⤵
- Executes dropped EXE
-
\??\c:\664288.exec:\664288.exe56⤵
- Executes dropped EXE
-
\??\c:\04846.exec:\04846.exe57⤵
- Executes dropped EXE
-
\??\c:\486622.exec:\486622.exe58⤵
- Executes dropped EXE
-
\??\c:\26402.exec:\26402.exe59⤵
- Executes dropped EXE
-
\??\c:\bbtbhh.exec:\bbtbhh.exe60⤵
- Executes dropped EXE
-
\??\c:\w20444.exec:\w20444.exe61⤵
- Executes dropped EXE
-
\??\c:\hbtbnt.exec:\hbtbnt.exe62⤵
- Executes dropped EXE
-
\??\c:\g8662.exec:\g8662.exe63⤵
- Executes dropped EXE
-
\??\c:\jdpjv.exec:\jdpjv.exe64⤵
- Executes dropped EXE
-
\??\c:\242806.exec:\242806.exe65⤵
- Executes dropped EXE
-
\??\c:\dvppp.exec:\dvppp.exe66⤵
-
\??\c:\9dvpv.exec:\9dvpv.exe67⤵
-
\??\c:\648840.exec:\648840.exe68⤵
-
\??\c:\082848.exec:\082848.exe69⤵
-
\??\c:\thtbhb.exec:\thtbhb.exe70⤵
-
\??\c:\5htnnt.exec:\5htnnt.exe71⤵
-
\??\c:\q48088.exec:\q48088.exe72⤵
-
\??\c:\3bnnnn.exec:\3bnnnn.exe73⤵
-
\??\c:\s4628.exec:\s4628.exe74⤵
-
\??\c:\lxrrxfr.exec:\lxrrxfr.exe75⤵
-
\??\c:\nhbbbh.exec:\nhbbbh.exe76⤵
-
\??\c:\9jdjj.exec:\9jdjj.exe77⤵
-
\??\c:\62260.exec:\62260.exe78⤵
-
\??\c:\64662.exec:\64662.exe79⤵
-
\??\c:\rffffxx.exec:\rffffxx.exe80⤵
-
\??\c:\tbhthn.exec:\tbhthn.exe81⤵
-
\??\c:\0804284.exec:\0804284.exe82⤵
-
\??\c:\ttnbhh.exec:\ttnbhh.exe83⤵
-
\??\c:\vvvdj.exec:\vvvdj.exe84⤵
-
\??\c:\3vjdj.exec:\3vjdj.exe85⤵
-
\??\c:\bbbthh.exec:\bbbthh.exe86⤵
-
\??\c:\nbnnhh.exec:\nbnnhh.exe87⤵
-
\??\c:\66806.exec:\66806.exe88⤵
-
\??\c:\22020.exec:\22020.exe89⤵
-
\??\c:\jvvvv.exec:\jvvvv.exe90⤵
-
\??\c:\ddpjp.exec:\ddpjp.exe91⤵
-
\??\c:\frlflxf.exec:\frlflxf.exe92⤵
-
\??\c:\i648040.exec:\i648040.exe93⤵
-
\??\c:\m8284.exec:\m8284.exe94⤵
-
\??\c:\486406.exec:\486406.exe95⤵
-
\??\c:\fxrxfrl.exec:\fxrxfrl.exe96⤵
-
\??\c:\26842.exec:\26842.exe97⤵
-
\??\c:\nhtthh.exec:\nhtthh.exe98⤵
-
\??\c:\ppddp.exec:\ppddp.exe99⤵
-
\??\c:\dvddp.exec:\dvddp.exe100⤵
-
\??\c:\xlfxflr.exec:\xlfxflr.exe101⤵
-
\??\c:\6084008.exec:\6084008.exe102⤵
-
\??\c:\7rlllll.exec:\7rlllll.exe103⤵
-
\??\c:\thnnbb.exec:\thnnbb.exe104⤵
-
\??\c:\w64406.exec:\w64406.exe105⤵
-
\??\c:\jdppd.exec:\jdppd.exe106⤵
-
\??\c:\xfrrlfl.exec:\xfrrlfl.exe107⤵
-
\??\c:\q46644.exec:\q46644.exe108⤵
-
\??\c:\bnbthb.exec:\bnbthb.exe109⤵
-
\??\c:\64288.exec:\64288.exe110⤵
-
\??\c:\w28822.exec:\w28822.exe111⤵
-
\??\c:\e64888.exec:\e64888.exe112⤵
-
\??\c:\nbbbtt.exec:\nbbbtt.exe113⤵
-
\??\c:\thtbtn.exec:\thtbtn.exe114⤵
-
\??\c:\4240002.exec:\4240002.exe115⤵
-
\??\c:\g4662.exec:\g4662.exe116⤵
-
\??\c:\7xrflrx.exec:\7xrflrx.exe117⤵
-
\??\c:\2404440.exec:\2404440.exe118⤵
-
\??\c:\bnbbbb.exec:\bnbbbb.exe119⤵
-
\??\c:\k86048.exec:\k86048.exe120⤵
-
\??\c:\lrxxfxf.exec:\lrxxfxf.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-