Analysis
-
max time kernel
120s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
18-08-2024 09:22
General
-
Target
25af8646094136691a9c630f54de1e10N.exe
-
Size
843KB
-
MD5
25af8646094136691a9c630f54de1e10
-
SHA1
55f75783b05c3048ce3d532bb5698a0f34a66e03
-
SHA256
c7c334a34d6be9f3afa8ef6e041b08e3ca488727a942d9f3dda21b0830973540
-
SHA512
92806900dd4cb32b7f33d2fddc2142be3362c06078e0a93a2cc38e3673ed9261c50069d6deb3d48f420fef6fdc27b5c68a651fbf72f2b086a7593cdd6c45e381
-
SSDEEP
24576:Sgdn8whSenedn8whhdn76gdn8whSfgdn8whSzu:TFyVPf5
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\25af8646094136691a9c630f54de1e10N.exe"C:\Users\Admin\AppData\Local\Temp\25af8646094136691a9c630f54de1e10N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\thhbbt.exec:\thhbbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbnhtn.exec:\tbnhtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhtnh.exec:\nnhtnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llrflff.exec:\llrflff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvvvp.exec:\jvvvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnhbnh.exec:\bnhbnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrfrrlx.exec:\rrfrrlx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhtntn.exec:\hhtntn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pddpd.exec:\pddpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3ntnbb.exec:\3ntnbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1djdd.exec:\1djdd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5lflfff.exec:\5lflfff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xllffxr.exec:\xllffxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbhhtt.exec:\tbhhtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1jppj.exec:\1jppj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxxxrrl.exec:\xxxxrrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nthtnh.exec:\nthtnh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jppdv.exec:\jppdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flxxlrl.exec:\flxxlrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnttbb.exec:\nnttbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7djdv.exec:\7djdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrrlfx.exec:\xrrrlfx.exe23⤵
- Executes dropped EXE
-
\??\c:\hhtttt.exec:\hhtttt.exe24⤵
- Executes dropped EXE
-
\??\c:\dddvv.exec:\dddvv.exe25⤵
- Executes dropped EXE
-
\??\c:\jvvpj.exec:\jvvpj.exe26⤵
- Executes dropped EXE
-
\??\c:\rfrlffx.exec:\rfrlffx.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\7ttnhh.exec:\7ttnhh.exe28⤵
- Executes dropped EXE
-
\??\c:\jvpdv.exec:\jvpdv.exe29⤵
- Executes dropped EXE
-
\??\c:\fxfrrff.exec:\fxfrrff.exe30⤵
- Executes dropped EXE
-
\??\c:\hhbthh.exec:\hhbthh.exe31⤵
- Executes dropped EXE
-
\??\c:\pppdd.exec:\pppdd.exe32⤵
- Executes dropped EXE
-
\??\c:\xfxlxrl.exec:\xfxlxrl.exe33⤵
- Executes dropped EXE
-
\??\c:\3ntbtn.exec:\3ntbtn.exe34⤵
- Executes dropped EXE
-
\??\c:\jppvj.exec:\jppvj.exe35⤵
- Executes dropped EXE
-
\??\c:\rflfxfr.exec:\rflfxfr.exe36⤵
- Executes dropped EXE
-
\??\c:\lxxxrlx.exec:\lxxxrlx.exe37⤵
- Executes dropped EXE
-
\??\c:\nbnhnh.exec:\nbnhnh.exe38⤵
- Executes dropped EXE
-
\??\c:\jjjvp.exec:\jjjvp.exe39⤵
- Executes dropped EXE
-
\??\c:\lxxxlxl.exec:\lxxxlxl.exe40⤵
- Executes dropped EXE
-
\??\c:\9bthtn.exec:\9bthtn.exe41⤵
- Executes dropped EXE
-
\??\c:\pvpdp.exec:\pvpdp.exe42⤵
- Executes dropped EXE
-
\??\c:\5llxlfr.exec:\5llxlfr.exe43⤵
- Executes dropped EXE
-
\??\c:\btnbtt.exec:\btnbtt.exe44⤵
- Executes dropped EXE
-
\??\c:\thnbbh.exec:\thnbbh.exe45⤵
- Executes dropped EXE
-
\??\c:\dppjv.exec:\dppjv.exe46⤵
- Executes dropped EXE
-
\??\c:\xrrxrlf.exec:\xrrxrlf.exe47⤵
- Executes dropped EXE
-
\??\c:\nbhtbt.exec:\nbhtbt.exe48⤵
- Executes dropped EXE
-
\??\c:\ntnnbt.exec:\ntnnbt.exe49⤵
- Executes dropped EXE
-
\??\c:\ddpdd.exec:\ddpdd.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\bnnbnh.exec:\bnnbnh.exe51⤵
- Executes dropped EXE
-
\??\c:\htntbn.exec:\htntbn.exe52⤵
- Executes dropped EXE
-
\??\c:\vddpj.exec:\vddpj.exe53⤵
- Executes dropped EXE
-
\??\c:\xllflxf.exec:\xllflxf.exe54⤵
- Executes dropped EXE
-
\??\c:\hhnhbt.exec:\hhnhbt.exe55⤵
- Executes dropped EXE
-
\??\c:\vppjd.exec:\vppjd.exe56⤵
- Executes dropped EXE
-
\??\c:\9rrlxrf.exec:\9rrlxrf.exe57⤵
- Executes dropped EXE
-
\??\c:\hhntnn.exec:\hhntnn.exe58⤵
- Executes dropped EXE
-
\??\c:\pdvpd.exec:\pdvpd.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\rxfxllf.exec:\rxfxllf.exe60⤵
- Executes dropped EXE
-
\??\c:\hbbnhb.exec:\hbbnhb.exe61⤵
- Executes dropped EXE
-
\??\c:\djvdv.exec:\djvdv.exe62⤵
- Executes dropped EXE
-
\??\c:\xlxrfxr.exec:\xlxrfxr.exe63⤵
- Executes dropped EXE
-
\??\c:\bnhtht.exec:\bnhtht.exe64⤵
- Executes dropped EXE
-
\??\c:\jjvpp.exec:\jjvpp.exe65⤵
- Executes dropped EXE
-
\??\c:\ffxfrrf.exec:\ffxfrrf.exe66⤵
-
\??\c:\vvvpv.exec:\vvvpv.exe67⤵
-
\??\c:\rffxrlr.exec:\rffxrlr.exe68⤵
-
\??\c:\ntthbt.exec:\ntthbt.exe69⤵
-
\??\c:\ttbnbt.exec:\ttbnbt.exe70⤵
-
\??\c:\vpppj.exec:\vpppj.exe71⤵
-
\??\c:\1fxlxrf.exec:\1fxlxrf.exe72⤵
-
\??\c:\1tthbt.exec:\1tthbt.exe73⤵
-
\??\c:\jvvpj.exec:\jvvpj.exe74⤵
-
\??\c:\lxxfxxx.exec:\lxxfxxx.exe75⤵
-
\??\c:\nhhbnh.exec:\nhhbnh.exe76⤵
-
\??\c:\ddjdj.exec:\ddjdj.exe77⤵
-
\??\c:\llrflrl.exec:\llrflrl.exe78⤵
-
\??\c:\rxlxlxl.exec:\rxlxlxl.exe79⤵
-
\??\c:\dpjvp.exec:\dpjvp.exe80⤵
-
\??\c:\dvjpd.exec:\dvjpd.exe81⤵
-
\??\c:\7fxlfxl.exec:\7fxlfxl.exe82⤵
-
\??\c:\tbtntn.exec:\tbtntn.exe83⤵
-
\??\c:\pvvjd.exec:\pvvjd.exe84⤵
-
\??\c:\xffxrlf.exec:\xffxrlf.exe85⤵
-
\??\c:\3bhbht.exec:\3bhbht.exe86⤵
-
\??\c:\ddvvp.exec:\ddvvp.exe87⤵
-
\??\c:\btnbtn.exec:\btnbtn.exe88⤵
-
\??\c:\vjppp.exec:\vjppp.exe89⤵
-
\??\c:\3llfffx.exec:\3llfffx.exe90⤵
-
\??\c:\lffxxrr.exec:\lffxxrr.exe91⤵
-
\??\c:\bnhtnh.exec:\bnhtnh.exe92⤵
-
\??\c:\jppdv.exec:\jppdv.exe93⤵
-
\??\c:\ffxllff.exec:\ffxllff.exe94⤵
-
\??\c:\9vvpp.exec:\9vvpp.exe95⤵
-
\??\c:\rxxrffr.exec:\rxxrffr.exe96⤵
-
\??\c:\fxflfrf.exec:\fxflfrf.exe97⤵
-
\??\c:\bbtnbh.exec:\bbtnbh.exe98⤵
-
\??\c:\7vvvp.exec:\7vvvp.exe99⤵
-
\??\c:\flllxrf.exec:\flllxrf.exe100⤵
- System Location Discovery: System Language Discovery
-
\??\c:\hnttth.exec:\hnttth.exe101⤵
-
\??\c:\jvdpd.exec:\jvdpd.exe102⤵
-
\??\c:\xllxlxr.exec:\xllxlxr.exe103⤵
-
\??\c:\htntbn.exec:\htntbn.exe104⤵
-
\??\c:\djdvp.exec:\djdvp.exe105⤵
-
\??\c:\fffxfxl.exec:\fffxfxl.exe106⤵
-
\??\c:\nhtnhb.exec:\nhtnhb.exe107⤵
-
\??\c:\pjvpd.exec:\pjvpd.exe108⤵
-
\??\c:\xrrfrrf.exec:\xrrfrrf.exe109⤵
-
\??\c:\bbbhtn.exec:\bbbhtn.exe110⤵
-
\??\c:\jpjvj.exec:\jpjvj.exe111⤵
-
\??\c:\rrxlfrr.exec:\rrxlfrr.exe112⤵
-
\??\c:\thbtnh.exec:\thbtnh.exe113⤵
-
\??\c:\vpvjj.exec:\vpvjj.exe114⤵
-
\??\c:\lxrffxr.exec:\lxrffxr.exe115⤵
-
\??\c:\nnnbnh.exec:\nnnbnh.exe116⤵
-
\??\c:\7ppjd.exec:\7ppjd.exe117⤵
-
\??\c:\xllfrxl.exec:\xllfrxl.exe118⤵
-
\??\c:\thtnhh.exec:\thtnhh.exe119⤵
-
\??\c:\bhhtnh.exec:\bhhtnh.exe120⤵
-
\??\c:\vjdpj.exec:\vjdpj.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-