Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
11-08-2024 22:09
General
-
Target
69ce4bf2edda73e81efe50cb14d6e559fd234588157bcc3937f9072298a7a41e.exe
-
Size
95KB
-
MD5
3380cb5005b0b076fc984b1729655cca
-
SHA1
40ff49d92054eb71167d4c90d38a525b82a51fd4
-
SHA256
69ce4bf2edda73e81efe50cb14d6e559fd234588157bcc3937f9072298a7a41e
-
SHA512
5db406f61e1cce6f2ed4609dc88fbe5059f4bb15dd9b1ff5b048cb6b15257c523c2790845e1bf51ce3e0a775e68a3c24699fe5c5c42f0a8cef266cd0a097e909
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDoLuePjDYlR3hnjKXIQSe9oEY+n:ymb3NkkiQ3mdBjFoLucjDilOZhoy
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 32 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\69ce4bf2edda73e81efe50cb14d6e559fd234588157bcc3937f9072298a7a41e.exe"C:\Users\Admin\AppData\Local\Temp\69ce4bf2edda73e81efe50cb14d6e559fd234588157bcc3937f9072298a7a41e.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjjd.exec:\jjjjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbtnhb.exec:\hbtnhb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhhbbb.exec:\bhhbbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xflfflr.exec:\xflfflr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thntth.exec:\thntth.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jppjd.exec:\jppjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9ffxrlf.exec:\9ffxrlf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnthbn.exec:\tnthbn.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbtnn.exec:\nhbtnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvvj.exec:\pdvvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjdd.exec:\jdjdd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlfxrlf.exec:\rlfxrlf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbtnh.exec:\nhbtnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnnbtn.exec:\hnnbtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdjdp.exec:\pdjdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rllfxrl.exec:\rllfxrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flxxfxf.exec:\flxxfxf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnbbn.exec:\btnbbn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdjvd.exec:\pdjvd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdvd.exec:\pjdvd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rflxrlf.exec:\rflxrlf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5nthbt.exec:\5nthbt.exe23⤵
- Executes dropped EXE
-
\??\c:\pjpvp.exec:\pjpvp.exe24⤵
- Executes dropped EXE
-
\??\c:\djddv.exec:\djddv.exe25⤵
- Executes dropped EXE
-
\??\c:\xrrfrrl.exec:\xrrfrrl.exe26⤵
- Executes dropped EXE
-
\??\c:\xrrlfxx.exec:\xrrlfxx.exe27⤵
- Executes dropped EXE
-
\??\c:\1nnhbt.exec:\1nnhbt.exe28⤵
- Executes dropped EXE
-
\??\c:\7jjdv.exec:\7jjdv.exe29⤵
- Executes dropped EXE
-
\??\c:\lffxffl.exec:\lffxffl.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\xlrlffx.exec:\xlrlffx.exe31⤵
- Executes dropped EXE
-
\??\c:\hbbbbn.exec:\hbbbbn.exe32⤵
- Executes dropped EXE
-
\??\c:\vjpjv.exec:\vjpjv.exe33⤵
- Executes dropped EXE
-
\??\c:\jpjpv.exec:\jpjpv.exe34⤵
- Executes dropped EXE
-
\??\c:\rlxrlrr.exec:\rlxrlrr.exe35⤵
- Executes dropped EXE
-
\??\c:\7nhbth.exec:\7nhbth.exe36⤵
- Executes dropped EXE
-
\??\c:\hhhbtn.exec:\hhhbtn.exe37⤵
- Executes dropped EXE
-
\??\c:\dddjv.exec:\dddjv.exe38⤵
- Executes dropped EXE
-
\??\c:\fxxxlxx.exec:\fxxxlxx.exe39⤵
- Executes dropped EXE
-
\??\c:\lffxffx.exec:\lffxffx.exe40⤵
- Executes dropped EXE
-
\??\c:\1nthbb.exec:\1nthbb.exe41⤵
- Executes dropped EXE
-
\??\c:\vpvpd.exec:\vpvpd.exe42⤵
- Executes dropped EXE
-
\??\c:\pdjdv.exec:\pdjdv.exe43⤵
- Executes dropped EXE
-
\??\c:\lrxlfxr.exec:\lrxlfxr.exe44⤵
- Executes dropped EXE
-
\??\c:\3xlffxr.exec:\3xlffxr.exe45⤵
- Executes dropped EXE
-
\??\c:\bnbnnh.exec:\bnbnnh.exe46⤵
- Executes dropped EXE
-
\??\c:\tbtbbh.exec:\tbtbbh.exe47⤵
- Executes dropped EXE
-
\??\c:\pjdvj.exec:\pjdvj.exe48⤵
- Executes dropped EXE
-
\??\c:\7pjdp.exec:\7pjdp.exe49⤵
- Executes dropped EXE
-
\??\c:\lrrlfff.exec:\lrrlfff.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\7tttnn.exec:\7tttnn.exe51⤵
- Executes dropped EXE
-
\??\c:\nnhnbb.exec:\nnhnbb.exe52⤵
- Executes dropped EXE
-
\??\c:\dvdpv.exec:\dvdpv.exe53⤵
- Executes dropped EXE
-
\??\c:\pjjpj.exec:\pjjpj.exe54⤵
- Executes dropped EXE
-
\??\c:\3rlfrrf.exec:\3rlfrrf.exe55⤵
- Executes dropped EXE
-
\??\c:\nbbbbn.exec:\nbbbbn.exe56⤵
- Executes dropped EXE
-
\??\c:\dpjdp.exec:\dpjdp.exe57⤵
- Executes dropped EXE
-
\??\c:\djjpv.exec:\djjpv.exe58⤵
- Executes dropped EXE
-
\??\c:\hhhbbh.exec:\hhhbbh.exe59⤵
- Executes dropped EXE
-
\??\c:\ddjvp.exec:\ddjvp.exe60⤵
- Executes dropped EXE
-
\??\c:\llfllxr.exec:\llfllxr.exe61⤵
- Executes dropped EXE
-
\??\c:\fffflfx.exec:\fffflfx.exe62⤵
- Executes dropped EXE
-
\??\c:\hhhtnb.exec:\hhhtnb.exe63⤵
- Executes dropped EXE
-
\??\c:\nbbtnn.exec:\nbbtnn.exe64⤵
- Executes dropped EXE
-
\??\c:\dvpvj.exec:\dvpvj.exe65⤵
- Executes dropped EXE
-
\??\c:\rrlfrlf.exec:\rrlfrlf.exe66⤵
-
\??\c:\tnhhhh.exec:\tnhhhh.exe67⤵
-
\??\c:\ffxlfrl.exec:\ffxlfrl.exe68⤵
-
\??\c:\nhhtht.exec:\nhhtht.exe69⤵
-
\??\c:\dppjv.exec:\dppjv.exe70⤵
-
\??\c:\rlffrxr.exec:\rlffrxr.exe71⤵
-
\??\c:\bbbthb.exec:\bbbthb.exe72⤵
-
\??\c:\1vjvp.exec:\1vjvp.exe73⤵
-
\??\c:\xxfxffx.exec:\xxfxffx.exe74⤵
-
\??\c:\frxrrrr.exec:\frxrrrr.exe75⤵
-
\??\c:\7nbthh.exec:\7nbthh.exe76⤵
-
\??\c:\tnnhbt.exec:\tnnhbt.exe77⤵
-
\??\c:\jvvpj.exec:\jvvpj.exe78⤵
-
\??\c:\rlfrffx.exec:\rlfrffx.exe79⤵
-
\??\c:\5rrrrxx.exec:\5rrrrxx.exe80⤵
-
\??\c:\nntbnn.exec:\nntbnn.exe81⤵
-
\??\c:\vdjjv.exec:\vdjjv.exe82⤵
-
\??\c:\3jpjv.exec:\3jpjv.exe83⤵
-
\??\c:\frfrrll.exec:\frfrrll.exe84⤵
-
\??\c:\rlffxxl.exec:\rlffxxl.exe85⤵
-
\??\c:\9thbnh.exec:\9thbnh.exe86⤵
-
\??\c:\jdpdd.exec:\jdpdd.exe87⤵
-
\??\c:\vdjdj.exec:\vdjdj.exe88⤵
-
\??\c:\xlrxlxf.exec:\xlrxlxf.exe89⤵
-
\??\c:\3rrlrlf.exec:\3rrlrlf.exe90⤵
-
\??\c:\hhhbtn.exec:\hhhbtn.exe91⤵
-
\??\c:\vvvvp.exec:\vvvvp.exe92⤵
-
\??\c:\vjjvj.exec:\vjjvj.exe93⤵
-
\??\c:\llrlrrf.exec:\llrlrrf.exe94⤵
-
\??\c:\lrrlfxr.exec:\lrrlfxr.exe95⤵
-
\??\c:\thhtnh.exec:\thhtnh.exe96⤵
-
\??\c:\vppdp.exec:\vppdp.exe97⤵
-
\??\c:\jvvpj.exec:\jvvpj.exe98⤵
-
\??\c:\lfxlfxl.exec:\lfxlfxl.exe99⤵
-
\??\c:\9lrlxxf.exec:\9lrlxxf.exe100⤵
-
\??\c:\htnhbt.exec:\htnhbt.exe101⤵
-
\??\c:\nthbtn.exec:\nthbtn.exe102⤵
-
\??\c:\9pjvj.exec:\9pjvj.exe103⤵
-
\??\c:\jdpjd.exec:\jdpjd.exe104⤵
-
\??\c:\lfxrfxr.exec:\lfxrfxr.exe105⤵
-
\??\c:\7hhbnn.exec:\7hhbnn.exe106⤵
-
\??\c:\btnhhh.exec:\btnhhh.exe107⤵
-
\??\c:\vvvjj.exec:\vvvjj.exe108⤵
-
\??\c:\ddvvp.exec:\ddvvp.exe109⤵
-
\??\c:\xlfxlxl.exec:\xlfxlxl.exe110⤵
-
\??\c:\frrflfx.exec:\frrflfx.exe111⤵
-
\??\c:\1nnhnt.exec:\1nnhnt.exe112⤵
-
\??\c:\3tbbnb.exec:\3tbbnb.exe113⤵
-
\??\c:\jdvpd.exec:\jdvpd.exe114⤵
-
\??\c:\dvjvd.exec:\dvjvd.exe115⤵
-
\??\c:\llffrfx.exec:\llffrfx.exe116⤵
-
\??\c:\3bhbnt.exec:\3bhbnt.exe117⤵
-
\??\c:\3thtnh.exec:\3thtnh.exe118⤵
-
\??\c:\pjdpd.exec:\pjdpd.exe119⤵
-
\??\c:\pdvjv.exec:\pdvjv.exe120⤵
-
\??\c:\lllfxrl.exec:\lllfxrl.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-