Analysis
-
max time kernel
150s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
28/03/2025, 19:29
General
-
Target
483f039b0f92eb151472b1176352cf11aec7467014e4336451153ea8424890bc.exe
-
Size
459KB
-
MD5
d64b05071ab0080438a78c78456565fd
-
SHA1
c017f81d2cb3e9ecb2db8faece9a1fcd7bd7cc9e
-
SHA256
483f039b0f92eb151472b1176352cf11aec7467014e4336451153ea8424890bc
-
SHA512
6191500fe8f025850fa0bddd969e29b04c6aee3ef9431dafb71abd32c8ad6a7537c1dbd28445397142c2e8633312a986214b674fb1b78132b9260da19a715cdb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeG:q7Tc2NYHUrAwfMp3CDG
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 40 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 43 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\483f039b0f92eb151472b1176352cf11aec7467014e4336451153ea8424890bc.exe"C:\Users\Admin\AppData\Local\Temp\483f039b0f92eb151472b1176352cf11aec7467014e4336451153ea8424890bc.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\frnrp.exec:\frnrp.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\xxhpt.exec:\xxhpt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dplbpj.exec:\dplbpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xndrh.exec:\xndrh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jrrvpvh.exec:\jrrvpvh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jlfxxpv.exec:\jlfxxpv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bfbhb.exec:\bfbhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnfjtlt.exec:\nnfjtlt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrvjrjb.exec:\lrvjrjb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvbfrvj.exec:\pvbfrvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxll.exec:\xrxll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jrpnvjv.exec:\jrpnvjv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hvhbxht.exec:\hvhbxht.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\njxdjf.exec:\njxdjf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrjvjf.exec:\rrjvjf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvjdj.exec:\jvjdj.exe17⤵
- Executes dropped EXE
-
\??\c:\trvfb.exec:\trvfb.exe18⤵
- Executes dropped EXE
-
\??\c:\bjttvp.exec:\bjttvp.exe19⤵
- Executes dropped EXE
-
\??\c:\vhjln.exec:\vhjln.exe20⤵
- Executes dropped EXE
-
\??\c:\pndtxf.exec:\pndtxf.exe21⤵
- Executes dropped EXE
-
\??\c:\jthxrn.exec:\jthxrn.exe22⤵
- Executes dropped EXE
-
\??\c:\jfvpl.exec:\jfvpl.exe23⤵
- Executes dropped EXE
-
\??\c:\ppvnff.exec:\ppvnff.exe24⤵
- Executes dropped EXE
-
\??\c:\tpnpd.exec:\tpnpd.exe25⤵
- Executes dropped EXE
-
\??\c:\txrlhp.exec:\txrlhp.exe26⤵
- Executes dropped EXE
-
\??\c:\pdrlhd.exec:\pdrlhd.exe27⤵
- Executes dropped EXE
-
\??\c:\ljtdrnd.exec:\ljtdrnd.exe28⤵
- Executes dropped EXE
-
\??\c:\trnrrv.exec:\trnrrv.exe29⤵
- Executes dropped EXE
-
\??\c:\nttvbhf.exec:\nttvbhf.exe30⤵
- Executes dropped EXE
-
\??\c:\dfpvjdl.exec:\dfpvjdl.exe31⤵
- Executes dropped EXE
-
\??\c:\pvfrnbx.exec:\pvfrnbx.exe32⤵
- Executes dropped EXE
-
\??\c:\dtjfjbb.exec:\dtjfjbb.exe33⤵
- Executes dropped EXE
-
\??\c:\vrfnpf.exec:\vrfnpf.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\jpjxjlb.exec:\jpjxjlb.exe35⤵
- Executes dropped EXE
-
\??\c:\jfvvdr.exec:\jfvvdr.exe36⤵
- Executes dropped EXE
-
\??\c:\lvpptp.exec:\lvpptp.exe37⤵
- Executes dropped EXE
-
\??\c:\hthtrrr.exec:\hthtrrr.exe38⤵
- Executes dropped EXE
-
\??\c:\lpvjbv.exec:\lpvjbv.exe39⤵
- Executes dropped EXE
-
\??\c:\vprbxbn.exec:\vprbxbn.exe40⤵
- Executes dropped EXE
-
\??\c:\djjnxl.exec:\djjnxl.exe41⤵
- Executes dropped EXE
-
\??\c:\lvblvph.exec:\lvblvph.exe42⤵
- Executes dropped EXE
-
\??\c:\rjppv.exec:\rjppv.exe43⤵
- Executes dropped EXE
-
\??\c:\hnldb.exec:\hnldb.exe44⤵
- Executes dropped EXE
-
\??\c:\tbhftnt.exec:\tbhftnt.exe45⤵
- Executes dropped EXE
-
\??\c:\vjljxx.exec:\vjljxx.exe46⤵
- Executes dropped EXE
-
\??\c:\dxvhnn.exec:\dxvhnn.exe47⤵
- Executes dropped EXE
-
\??\c:\xjxtlf.exec:\xjxtlf.exe48⤵
- Executes dropped EXE
-
\??\c:\bvtrl.exec:\bvtrl.exe49⤵
- Executes dropped EXE
-
\??\c:\nrtffrj.exec:\nrtffrj.exe50⤵
- Executes dropped EXE
-
\??\c:\pjdfxt.exec:\pjdfxt.exe51⤵
- Executes dropped EXE
-
\??\c:\jdjdttp.exec:\jdjdttp.exe52⤵
- Executes dropped EXE
-
\??\c:\frxjrrd.exec:\frxjrrd.exe53⤵
- Executes dropped EXE
-
\??\c:\fvvbr.exec:\fvvbr.exe54⤵
- Executes dropped EXE
-
\??\c:\xfvhpbj.exec:\xfvhpbj.exe55⤵
- Executes dropped EXE
-
\??\c:\rbhxr.exec:\rbhxr.exe56⤵
- Executes dropped EXE
-
\??\c:\fhfjfp.exec:\fhfjfp.exe57⤵
- Executes dropped EXE
-
\??\c:\fvffh.exec:\fvffh.exe58⤵
- Executes dropped EXE
-
\??\c:\lvlxv.exec:\lvlxv.exe59⤵
- Executes dropped EXE
-
\??\c:\bjdffj.exec:\bjdffj.exe60⤵
- Executes dropped EXE
-
\??\c:\ftfvrpl.exec:\ftfvrpl.exe61⤵
- Executes dropped EXE
-
\??\c:\xdhjtf.exec:\xdhjtf.exe62⤵
- Executes dropped EXE
-
\??\c:\htblt.exec:\htblt.exe63⤵
- Executes dropped EXE
-
\??\c:\dbdxflt.exec:\dbdxflt.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\vttrj.exec:\vttrj.exe65⤵
- Executes dropped EXE
-
\??\c:\fjpnfpp.exec:\fjpnfpp.exe66⤵
-
\??\c:\fbtpt.exec:\fbtpt.exe67⤵
-
\??\c:\tjhvlt.exec:\tjhvlt.exe68⤵
- System Location Discovery: System Language Discovery
-
\??\c:\txbbtt.exec:\txbbtt.exe69⤵
-
\??\c:\xnvxxx.exec:\xnvxxx.exe70⤵
-
\??\c:\nbrxr.exec:\nbrxr.exe71⤵
-
\??\c:\jdvlflj.exec:\jdvlflj.exe72⤵
-
\??\c:\ttbxn.exec:\ttbxn.exe73⤵
-
\??\c:\vnhrvh.exec:\vnhrvh.exe74⤵
- System Location Discovery: System Language Discovery
-
\??\c:\pndrrph.exec:\pndrrph.exe75⤵
-
\??\c:\vjrnft.exec:\vjrnft.exe76⤵
-
\??\c:\vlxnf.exec:\vlxnf.exe77⤵
-
\??\c:\btdjpr.exec:\btdjpr.exe78⤵
-
\??\c:\ddxdhr.exec:\ddxdhr.exe79⤵
-
\??\c:\ftdrf.exec:\ftdrf.exe80⤵
-
\??\c:\nfrxlx.exec:\nfrxlx.exe81⤵
-
\??\c:\dljldjf.exec:\dljldjf.exe82⤵
-
\??\c:\xfnpb.exec:\xfnpb.exe83⤵
-
\??\c:\jfltht.exec:\jfltht.exe84⤵
-
\??\c:\rvthxh.exec:\rvthxh.exe85⤵
-
\??\c:\ptfdbrr.exec:\ptfdbrr.exe86⤵
-
\??\c:\bbfjfr.exec:\bbfjfr.exe87⤵
-
\??\c:\rjfdbvf.exec:\rjfdbvf.exe88⤵
-
\??\c:\dvjxbvn.exec:\dvjxbvn.exe89⤵
-
\??\c:\lhvdjp.exec:\lhvdjp.exe90⤵
-
\??\c:\rrrbrnx.exec:\rrrbrnx.exe91⤵
-
\??\c:\rvlpvn.exec:\rvlpvn.exe92⤵
-
\??\c:\drflt.exec:\drflt.exe93⤵
-
\??\c:\ddpxvv.exec:\ddpxvv.exe94⤵
-
\??\c:\xdfrfvr.exec:\xdfrfvr.exe95⤵
-
\??\c:\dhtjdb.exec:\dhtjdb.exe96⤵
-
\??\c:\rtvpt.exec:\rtvpt.exe97⤵
-
\??\c:\nldtbjh.exec:\nldtbjh.exe98⤵
-
\??\c:\ptrnf.exec:\ptrnf.exe99⤵
-
\??\c:\vdrnbt.exec:\vdrnbt.exe100⤵
- System Location Discovery: System Language Discovery
-
\??\c:\dpxnx.exec:\dpxnx.exe101⤵
-
\??\c:\xprjt.exec:\xprjt.exe102⤵
-
\??\c:\rhfnvt.exec:\rhfnvt.exe103⤵
-
\??\c:\jrbnj.exec:\jrbnj.exe104⤵
-
\??\c:\rdjvbtp.exec:\rdjvbtp.exe105⤵
-
\??\c:\prtllj.exec:\prtllj.exe106⤵
-
\??\c:\hbfvpt.exec:\hbfvpt.exe107⤵
-
\??\c:\phdjx.exec:\phdjx.exe108⤵
-
\??\c:\fxltlt.exec:\fxltlt.exe109⤵
-
\??\c:\frtfjpj.exec:\frtfjpj.exe110⤵
-
\??\c:\pprrvh.exec:\pprrvh.exe111⤵
- System Location Discovery: System Language Discovery
-
\??\c:\xjtlb.exec:\xjtlb.exe112⤵
-
\??\c:\rrhbrdd.exec:\rrhbrdd.exe113⤵
-
\??\c:\lxvjf.exec:\lxvjf.exe114⤵
-
\??\c:\nhpdh.exec:\nhpdh.exe115⤵
-
\??\c:\nvtdj.exec:\nvtdj.exe116⤵
- System Location Discovery: System Language Discovery
-
\??\c:\nbxfld.exec:\nbxfld.exe117⤵
-
\??\c:\fpddxjp.exec:\fpddxjp.exe118⤵
-
\??\c:\lpjjvr.exec:\lpjjvr.exe119⤵
-
\??\c:\lpbll.exec:\lpbll.exe120⤵
-
\??\c:\fnjdjhb.exec:\fnjdjhb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-