Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
03-08-2024 03:33
General
-
Target
d53072307e680283f8539b05b929f38526abb8b8ad2115fee59a007f7cc48ac7.exe
-
Size
590KB
-
MD5
f2a764bb54e03f4a6388d1a7c7aa78e0
-
SHA1
aa9573570e345434caf6b289da4f84c09a16d806
-
SHA256
d53072307e680283f8539b05b929f38526abb8b8ad2115fee59a007f7cc48ac7
-
SHA512
d96acdff66c97c1adb96477318d61601713aa7e6090c1c6d4bb0e7b843210551a011ad9811705ae263294ae8a7530325a5c575bc92874c727360363a6b9a16a1
-
SSDEEP
6144:n3C9BRIj+ebjcSbcY+CaQdaFOY4iGFYtRdzzoyYxJAyfgayB:n3C9Lebz+xt4vFeFmgayB
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d53072307e680283f8539b05b929f38526abb8b8ad2115fee59a007f7cc48ac7.exe"C:\Users\Admin\AppData\Local\Temp\d53072307e680283f8539b05b929f38526abb8b8ad2115fee59a007f7cc48ac7.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxlrlx.exec:\xlxlrlx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxrlfx.exec:\xrxrlfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thhbth.exec:\thhbth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tttntn.exec:\tttntn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbbtbb.exec:\hbbtbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvvpj.exec:\pvvpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnnhtn.exec:\bnnhtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vppdv.exec:\vppdv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffxlxlx.exec:\ffxlxlx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbnhnh.exec:\nbnhnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdpdj.exec:\vdpdj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tttnnh.exec:\tttnnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frrlxrl.exec:\frrlxrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhhtnh.exec:\nhhtnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpjvv.exec:\vpjvv.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\htbnbb.exec:\htbnbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjvp.exec:\pjjvp.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\7hnnnn.exec:\7hnnnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9dvpp.exec:\9dvpp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpjdv.exec:\vpjdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lflllll.exec:\lflllll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbbtt.exec:\btbbtt.exe23⤵
- Executes dropped EXE
-
\??\c:\1pvdd.exec:\1pvdd.exe24⤵
- Executes dropped EXE
-
\??\c:\nntnhh.exec:\nntnhh.exe25⤵
- Executes dropped EXE
-
\??\c:\7bbttn.exec:\7bbttn.exe26⤵
- Executes dropped EXE
-
\??\c:\flxfrrr.exec:\flxfrrr.exe27⤵
- Executes dropped EXE
-
\??\c:\xxxrllf.exec:\xxxrllf.exe28⤵
- Executes dropped EXE
-
\??\c:\htbtnb.exec:\htbtnb.exe29⤵
- Executes dropped EXE
-
\??\c:\rxlrrxf.exec:\rxlrrxf.exe30⤵
- Executes dropped EXE
-
\??\c:\xxxrfxr.exec:\xxxrfxr.exe31⤵
- Executes dropped EXE
-
\??\c:\9xxfxfr.exec:\9xxfxfr.exe32⤵
- Executes dropped EXE
-
\??\c:\thntnt.exec:\thntnt.exe33⤵
- Executes dropped EXE
-
\??\c:\rfxrffx.exec:\rfxrffx.exe34⤵
- Executes dropped EXE
-
\??\c:\hbhhbb.exec:\hbhhbb.exe35⤵
- Executes dropped EXE
-
\??\c:\5xlfxfx.exec:\5xlfxfx.exe36⤵
- Executes dropped EXE
-
\??\c:\ntnhth.exec:\ntnhth.exe37⤵
- Executes dropped EXE
-
\??\c:\dvjpv.exec:\dvjpv.exe38⤵
- Executes dropped EXE
-
\??\c:\9jpvd.exec:\9jpvd.exe39⤵
- Executes dropped EXE
-
\??\c:\xxrrlll.exec:\xxrrlll.exe40⤵
- Executes dropped EXE
-
\??\c:\btbhnb.exec:\btbhnb.exe41⤵
- Executes dropped EXE
-
\??\c:\vvpdv.exec:\vvpdv.exe42⤵
- Executes dropped EXE
-
\??\c:\djvvp.exec:\djvvp.exe43⤵
- Executes dropped EXE
-
\??\c:\lllxrrl.exec:\lllxrrl.exe44⤵
- Executes dropped EXE
-
\??\c:\tbhhtt.exec:\tbhhtt.exe45⤵
- Executes dropped EXE
-
\??\c:\jdvpp.exec:\jdvpp.exe46⤵
- Executes dropped EXE
-
\??\c:\pjjvj.exec:\pjjvj.exe47⤵
- Executes dropped EXE
-
\??\c:\rrxxlfr.exec:\rrxxlfr.exe48⤵
- Executes dropped EXE
-
\??\c:\nbhbnh.exec:\nbhbnh.exe49⤵
- Executes dropped EXE
-
\??\c:\bhnhhb.exec:\bhnhhb.exe50⤵
- Executes dropped EXE
-
\??\c:\9jpjp.exec:\9jpjp.exe51⤵
- Executes dropped EXE
-
\??\c:\flllfxr.exec:\flllfxr.exe52⤵
- Executes dropped EXE
-
\??\c:\rlrlflf.exec:\rlrlflf.exe53⤵
- Executes dropped EXE
-
\??\c:\3nhtnt.exec:\3nhtnt.exe54⤵
- Executes dropped EXE
-
\??\c:\pvpdp.exec:\pvpdp.exe55⤵
- Executes dropped EXE
-
\??\c:\djjpv.exec:\djjpv.exe56⤵
- Executes dropped EXE
-
\??\c:\5xfxxxr.exec:\5xfxxxr.exe57⤵
- Executes dropped EXE
-
\??\c:\nbtbtn.exec:\nbtbtn.exe58⤵
- Executes dropped EXE
-
\??\c:\tbhtnh.exec:\tbhtnh.exe59⤵
- Executes dropped EXE
-
\??\c:\1pvpj.exec:\1pvpj.exe60⤵
- Executes dropped EXE
-
\??\c:\rfxrlfx.exec:\rfxrlfx.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\rxlfxll.exec:\rxlfxll.exe62⤵
- Executes dropped EXE
-
\??\c:\hbbnhb.exec:\hbbnhb.exe63⤵
- Executes dropped EXE
-
\??\c:\7jppd.exec:\7jppd.exe64⤵
- Executes dropped EXE
-
\??\c:\vjpjj.exec:\vjpjj.exe65⤵
- Executes dropped EXE
-
\??\c:\ffxrfxr.exec:\ffxrfxr.exe66⤵
-
\??\c:\hhtntn.exec:\hhtntn.exe67⤵
-
\??\c:\tbbnbb.exec:\tbbnbb.exe68⤵
-
\??\c:\jpjvd.exec:\jpjvd.exe69⤵
-
\??\c:\7djvd.exec:\7djvd.exe70⤵
-
\??\c:\3llxxxx.exec:\3llxxxx.exe71⤵
-
\??\c:\9thbnb.exec:\9thbnb.exe72⤵
-
\??\c:\3thbtt.exec:\3thbtt.exe73⤵
-
\??\c:\7jvpp.exec:\7jvpp.exe74⤵
-
\??\c:\frrfxxf.exec:\frrfxxf.exe75⤵
-
\??\c:\nbnhht.exec:\nbnhht.exe76⤵
-
\??\c:\hbbbtt.exec:\hbbbtt.exe77⤵
-
\??\c:\lllffxr.exec:\lllffxr.exe78⤵
-
\??\c:\9nhhbb.exec:\9nhhbb.exe79⤵
-
\??\c:\jpjdv.exec:\jpjdv.exe80⤵
-
\??\c:\vppjd.exec:\vppjd.exe81⤵
-
\??\c:\lllrlrl.exec:\lllrlrl.exe82⤵
-
\??\c:\7bhbnn.exec:\7bhbnn.exe83⤵
-
\??\c:\hhnnbh.exec:\hhnnbh.exe84⤵
-
\??\c:\3vdvj.exec:\3vdvj.exe85⤵
-
\??\c:\xxfxfxf.exec:\xxfxfxf.exe86⤵
-
\??\c:\fxxxrlr.exec:\fxxxrlr.exe87⤵
-
\??\c:\btbtbt.exec:\btbtbt.exe88⤵
-
\??\c:\djpjj.exec:\djpjj.exe89⤵
-
\??\c:\ppvdd.exec:\ppvdd.exe90⤵
-
\??\c:\lrlxlfl.exec:\lrlxlfl.exe91⤵
-
\??\c:\bntnbt.exec:\bntnbt.exe92⤵
-
\??\c:\hnthbt.exec:\hnthbt.exe93⤵
-
\??\c:\dppdv.exec:\dppdv.exe94⤵
-
\??\c:\fxrlxxl.exec:\fxrlxxl.exe95⤵
-
\??\c:\lflfxrl.exec:\lflfxrl.exe96⤵
-
\??\c:\hhhbtn.exec:\hhhbtn.exe97⤵
-
\??\c:\9hbhtn.exec:\9hbhtn.exe98⤵
-
\??\c:\jdvdv.exec:\jdvdv.exe99⤵
-
\??\c:\fflxlfx.exec:\fflxlfx.exe100⤵
-
\??\c:\rfrrlfl.exec:\rfrrlfl.exe101⤵
-
\??\c:\nbnhbb.exec:\nbnhbb.exe102⤵
-
\??\c:\jdpdp.exec:\jdpdp.exe103⤵
-
\??\c:\jpvpd.exec:\jpvpd.exe104⤵
-
\??\c:\lffxlfx.exec:\lffxlfx.exe105⤵
-
\??\c:\bttnhh.exec:\bttnhh.exe106⤵
-
\??\c:\bnnthh.exec:\bnnthh.exe107⤵
-
\??\c:\jvvdp.exec:\jvvdp.exe108⤵
-
\??\c:\rlfrfxr.exec:\rlfrfxr.exe109⤵
-
\??\c:\xrlffxr.exec:\xrlffxr.exe110⤵
-
\??\c:\nntnnh.exec:\nntnnh.exe111⤵
-
\??\c:\ppjvj.exec:\ppjvj.exe112⤵
-
\??\c:\pjdvv.exec:\pjdvv.exe113⤵
-
\??\c:\xlrfxrl.exec:\xlrfxrl.exe114⤵
-
\??\c:\9hnhbn.exec:\9hnhbn.exe115⤵
-
\??\c:\9nbhnh.exec:\9nbhnh.exe116⤵
-
\??\c:\llfrlfx.exec:\llfrlfx.exe117⤵
-
\??\c:\xffxrlf.exec:\xffxrlf.exe118⤵
-
\??\c:\nbnhtn.exec:\nbnhtn.exe119⤵
-
\??\c:\vvppp.exec:\vvppp.exe120⤵
-
\??\c:\dvjdd.exec:\dvjdd.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-