Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
28/03/2025, 21:09
General
-
Target
5698484ea82c3111193fad5882f57b08ef7de12a7d6e42c1506f46a7ea2c6b4f.exe
-
Size
457KB
-
MD5
66900a973f941e9a8af51fe715e4a112
-
SHA1
3903ee28689e8fad2d6bbc1a7b9363992929fafa
-
SHA256
5698484ea82c3111193fad5882f57b08ef7de12a7d6e42c1506f46a7ea2c6b4f
-
SHA512
a7b11736757d757570efe5cf50bdbe96ff13e314bf6e5203dcf6b9c300b3daf75916c85b8e3f9d5ea8e51a8f71f62da8ec05637056abb8a241b6288e586e7b95
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeSc:q7Tc2NYHUrAwfMp3CDF
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 40 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 46 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5698484ea82c3111193fad5882f57b08ef7de12a7d6e42c1506f46a7ea2c6b4f.exe"C:\Users\Admin\AppData\Local\Temp\5698484ea82c3111193fad5882f57b08ef7de12a7d6e42c1506f46a7ea2c6b4f.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\3fxxlrr.exec:\3fxxlrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7hthth.exec:\7hthth.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvdjp.exec:\dvdjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxlxfl.exec:\lfxlxfl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5ttbhh.exec:\5ttbhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpjjp.exec:\vpjjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjjp.exec:\pjjjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fffxxfr.exec:\fffxxfr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjdjp.exec:\jjdjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbhtt.exec:\nhbhtt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpvvj.exec:\vpvvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbnthn.exec:\bbnthn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvdvd.exec:\dvdvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbnntt.exec:\nbnntt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpdj.exec:\dvpdj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbnbb.exec:\tnbnbb.exe17⤵
- Executes dropped EXE
-
\??\c:\pjddp.exec:\pjddp.exe18⤵
- Executes dropped EXE
-
\??\c:\1thbnn.exec:\1thbnn.exe19⤵
- Executes dropped EXE
-
\??\c:\9jdjv.exec:\9jdjv.exe20⤵
- Executes dropped EXE
-
\??\c:\nhbhtn.exec:\nhbhtn.exe21⤵
- Executes dropped EXE
-
\??\c:\vvpvj.exec:\vvpvj.exe22⤵
- Executes dropped EXE
-
\??\c:\lfrxllx.exec:\lfrxllx.exe23⤵
- Executes dropped EXE
-
\??\c:\9vppj.exec:\9vppj.exe24⤵
- Executes dropped EXE
-
\??\c:\tttttb.exec:\tttttb.exe25⤵
- Executes dropped EXE
-
\??\c:\nhhnbh.exec:\nhhnbh.exe26⤵
- Executes dropped EXE
-
\??\c:\hbnntt.exec:\hbnntt.exe27⤵
- Executes dropped EXE
-
\??\c:\vddpv.exec:\vddpv.exe28⤵
- Executes dropped EXE
-
\??\c:\nhbhnn.exec:\nhbhnn.exe29⤵
- Executes dropped EXE
-
\??\c:\7fxfrlf.exec:\7fxfrlf.exe30⤵
- Executes dropped EXE
-
\??\c:\pjvvj.exec:\pjvvj.exe31⤵
- Executes dropped EXE
-
\??\c:\3vppp.exec:\3vppp.exe32⤵
- Executes dropped EXE
-
\??\c:\jdvvj.exec:\jdvvj.exe33⤵
- Executes dropped EXE
-
\??\c:\jppvj.exec:\jppvj.exe34⤵
- Executes dropped EXE
-
\??\c:\3thtbb.exec:\3thtbb.exe35⤵
- Executes dropped EXE
-
\??\c:\tnbhhn.exec:\tnbhhn.exe36⤵
- Executes dropped EXE
-
\??\c:\jjvvd.exec:\jjvvd.exe37⤵
- Executes dropped EXE
-
\??\c:\rxrxflx.exec:\rxrxflx.exe38⤵
- Executes dropped EXE
-
\??\c:\bthbbb.exec:\bthbbb.exe39⤵
- Executes dropped EXE
-
\??\c:\jdppv.exec:\jdppv.exe40⤵
- Executes dropped EXE
-
\??\c:\pdvpd.exec:\pdvpd.exe41⤵
- Executes dropped EXE
-
\??\c:\1xllflr.exec:\1xllflr.exe42⤵
- Executes dropped EXE
-
\??\c:\3bbnbh.exec:\3bbnbh.exe43⤵
- Executes dropped EXE
-
\??\c:\3btbbh.exec:\3btbbh.exe44⤵
- Executes dropped EXE
-
\??\c:\jjjvd.exec:\jjjvd.exe45⤵
- Executes dropped EXE
-
\??\c:\1lfllxl.exec:\1lfllxl.exe46⤵
- Executes dropped EXE
-
\??\c:\btbbnn.exec:\btbbnn.exe47⤵
- Executes dropped EXE
-
\??\c:\thnntt.exec:\thnntt.exe48⤵
- Executes dropped EXE
-
\??\c:\jdpdj.exec:\jdpdj.exe49⤵
- Executes dropped EXE
-
\??\c:\3rlxxfr.exec:\3rlxxfr.exe50⤵
- Executes dropped EXE
-
\??\c:\ttnbhh.exec:\ttnbhh.exe51⤵
- Executes dropped EXE
-
\??\c:\pjjpv.exec:\pjjpv.exe52⤵
- Executes dropped EXE
-
\??\c:\lflffll.exec:\lflffll.exe53⤵
- Executes dropped EXE
-
\??\c:\lfrrffr.exec:\lfrrffr.exe54⤵
- Executes dropped EXE
-
\??\c:\htbhnn.exec:\htbhnn.exe55⤵
- Executes dropped EXE
-
\??\c:\pppvd.exec:\pppvd.exe56⤵
- Executes dropped EXE
-
\??\c:\7dpjj.exec:\7dpjj.exe57⤵
- Executes dropped EXE
-
\??\c:\xrxxlrf.exec:\xrxxlrf.exe58⤵
- Executes dropped EXE
-
\??\c:\tntbhb.exec:\tntbhb.exe59⤵
- Executes dropped EXE
-
\??\c:\nhbbhn.exec:\nhbbhn.exe60⤵
- Executes dropped EXE
-
\??\c:\vpjpv.exec:\vpjpv.exe61⤵
- Executes dropped EXE
-
\??\c:\rlflrrf.exec:\rlflrrf.exe62⤵
- Executes dropped EXE
-
\??\c:\9lffrrx.exec:\9lffrrx.exe63⤵
- Executes dropped EXE
-
\??\c:\hnhtnt.exec:\hnhtnt.exe64⤵
- Executes dropped EXE
-
\??\c:\pjdvd.exec:\pjdvd.exe65⤵
- Executes dropped EXE
-
\??\c:\lfxxflx.exec:\lfxxflx.exe66⤵
-
\??\c:\1lrllll.exec:\1lrllll.exe67⤵
-
\??\c:\hbttht.exec:\hbttht.exe68⤵
-
\??\c:\vvvjv.exec:\vvvjv.exe69⤵
-
\??\c:\ppvpv.exec:\ppvpv.exe70⤵
-
\??\c:\9ffxffr.exec:\9ffxffr.exe71⤵
-
\??\c:\httthb.exec:\httthb.exe72⤵
-
\??\c:\jdppv.exec:\jdppv.exe73⤵
-
\??\c:\ppjvd.exec:\ppjvd.exe74⤵
-
\??\c:\rrflrxl.exec:\rrflrxl.exe75⤵
-
\??\c:\btnnhn.exec:\btnnhn.exe76⤵
-
\??\c:\tnbttt.exec:\tnbttt.exe77⤵
-
\??\c:\3vppv.exec:\3vppv.exe78⤵
-
\??\c:\9rlxffl.exec:\9rlxffl.exe79⤵
-
\??\c:\bbbnhh.exec:\bbbnhh.exe80⤵
-
\??\c:\nhnbnb.exec:\nhnbnb.exe81⤵
-
\??\c:\pdvvv.exec:\pdvvv.exe82⤵
-
\??\c:\lfxflrf.exec:\lfxflrf.exe83⤵
-
\??\c:\rlrflrx.exec:\rlrflrx.exe84⤵
-
\??\c:\9hbbbb.exec:\9hbbbb.exe85⤵
-
\??\c:\jdvjv.exec:\jdvjv.exe86⤵
-
\??\c:\frlrxxf.exec:\frlrxxf.exe87⤵
-
\??\c:\xrxxffl.exec:\xrxxffl.exe88⤵
-
\??\c:\nnnhbn.exec:\nnnhbn.exe89⤵
-
\??\c:\vvvvj.exec:\vvvvj.exe90⤵
-
\??\c:\lxlrlfr.exec:\lxlrlfr.exe91⤵
-
\??\c:\llffrrx.exec:\llffrrx.exe92⤵
-
\??\c:\nnhtnh.exec:\nnhtnh.exe93⤵
-
\??\c:\jdddd.exec:\jdddd.exe94⤵
-
\??\c:\fxxrflx.exec:\fxxrflx.exe95⤵
-
\??\c:\xrrxlrf.exec:\xrrxlrf.exe96⤵
-
\??\c:\ntntbb.exec:\ntntbb.exe97⤵
-
\??\c:\jdpvv.exec:\jdpvv.exe98⤵
-
\??\c:\3jpjj.exec:\3jpjj.exe99⤵
-
\??\c:\3fxxxfr.exec:\3fxxxfr.exe100⤵
-
\??\c:\9nbbbn.exec:\9nbbbn.exe101⤵
-
\??\c:\vpjdp.exec:\vpjdp.exe102⤵
-
\??\c:\1jvpp.exec:\1jvpp.exe103⤵
-
\??\c:\lfrrxfl.exec:\lfrrxfl.exe104⤵
-
\??\c:\tnnnhh.exec:\tnnnhh.exe105⤵
-
\??\c:\5tntnt.exec:\5tntnt.exe106⤵
-
\??\c:\dvpdj.exec:\dvpdj.exe107⤵
-
\??\c:\llxfxfr.exec:\llxfxfr.exe108⤵
-
\??\c:\rlflllr.exec:\rlflllr.exe109⤵
-
\??\c:\bbnntb.exec:\bbnntb.exe110⤵
-
\??\c:\pdpjp.exec:\pdpjp.exe111⤵
-
\??\c:\5dpjv.exec:\5dpjv.exe112⤵
-
\??\c:\rxrxflx.exec:\rxrxflx.exe113⤵
-
\??\c:\9lffxfr.exec:\9lffxfr.exe114⤵
- System Location Discovery: System Language Discovery
-
\??\c:\7tnthn.exec:\7tnthn.exe115⤵
-
\??\c:\bbtnhn.exec:\bbtnhn.exe116⤵
-
\??\c:\jpddj.exec:\jpddj.exe117⤵
-
\??\c:\xxrrfxr.exec:\xxrrfxr.exe118⤵
-
\??\c:\ttthtb.exec:\ttthtb.exe119⤵
-
\??\c:\9pvpv.exec:\9pvpv.exe120⤵
-
\??\c:\ffxlrrx.exec:\ffxlrrx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-