Analysis
-
max time kernel
120s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
23/08/2024, 12:00
General
-
Target
a181273cbab61f0b2b491cd220320920N.exe
-
Size
50KB
-
MD5
a181273cbab61f0b2b491cd220320920
-
SHA1
be97c90acfe719a8605d7221c69b15e30bb4e96e
-
SHA256
5133c6ed9b7fdf2c4a52648f61e44e19e3c32aad5e33fd9b5eee3279ec0a536f
-
SHA512
0212ca5c41b32f1ba4d76782606d955296fff0ad5c41f3b18c77745e6d6f845ed1254bae12a09b2c64b7dc9dfc90b292c2b33d8bc5d6e0dbcf2f5abc4fdbb472
-
SSDEEP
1536:mAocdpeVoBDulhzHMb7xNAa04Mcg5IKvWwH:0cdpeeBSHHMHLf9RyIq
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 64 IoCs
-
Executes dropped EXE 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a181273cbab61f0b2b491cd220320920N.exe"C:\Users\Admin\AppData\Local\Temp\a181273cbab61f0b2b491cd220320920N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnbnh.exec:\hbnbnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vddjd.exec:\vddjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3lrfxrr.exec:\3lrfxrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7xfxlfx.exec:\7xfxlfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnbtnh.exec:\nnbtnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7pdvp.exec:\7pdvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfffxxr.exec:\lfffxxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbthbt.exec:\bbthbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjdd.exec:\pjjdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjppd.exec:\pjppd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flrfrrl.exec:\flrfrrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1bbhbh.exec:\1bbhbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvpp.exec:\pjvpp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppdvj.exec:\ppdvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxrffx.exec:\fxxrffx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7hhhtb.exec:\7hhhtb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpvpj.exec:\dpvpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5xfxlff.exec:\5xfxlff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9rlxrrl.exec:\9rlxrrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhhbnn.exec:\nhhbnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djdjd.exec:\djdjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3djvp.exec:\3djvp.exe23⤵
- Executes dropped EXE
-
\??\c:\rllrrxl.exec:\rllrrxl.exe24⤵
- Executes dropped EXE
-
\??\c:\lrllxll.exec:\lrllxll.exe25⤵
- Executes dropped EXE
-
\??\c:\bbbnhh.exec:\bbbnhh.exe26⤵
- Executes dropped EXE
-
\??\c:\ffrlfxr.exec:\ffrlfxr.exe27⤵
- Executes dropped EXE
-
\??\c:\llrflll.exec:\llrflll.exe28⤵
- Executes dropped EXE
-
\??\c:\nntnhb.exec:\nntnhb.exe29⤵
- Executes dropped EXE
-
\??\c:\djjvp.exec:\djjvp.exe30⤵
- Executes dropped EXE
-
\??\c:\rlfxfxr.exec:\rlfxfxr.exe31⤵
- Executes dropped EXE
-
\??\c:\nnhbnh.exec:\nnhbnh.exe32⤵
- Executes dropped EXE
-
\??\c:\ntttnb.exec:\ntttnb.exe33⤵
- Executes dropped EXE
-
\??\c:\pppjd.exec:\pppjd.exe34⤵
- Executes dropped EXE
-
\??\c:\pvdvd.exec:\pvdvd.exe35⤵
- Executes dropped EXE
-
\??\c:\1flffff.exec:\1flffff.exe36⤵
- Executes dropped EXE
-
\??\c:\llxrxrf.exec:\llxrxrf.exe37⤵
- Executes dropped EXE
-
\??\c:\5tbhhh.exec:\5tbhhh.exe38⤵
- Executes dropped EXE
-
\??\c:\jjjvp.exec:\jjjvp.exe39⤵
- Executes dropped EXE
-
\??\c:\1dvjv.exec:\1dvjv.exe40⤵
- Executes dropped EXE
-
\??\c:\xrlxrlx.exec:\xrlxrlx.exe41⤵
- Executes dropped EXE
-
\??\c:\nhnhbb.exec:\nhnhbb.exe42⤵
- Executes dropped EXE
-
\??\c:\1btnhb.exec:\1btnhb.exe43⤵
- Executes dropped EXE
-
\??\c:\vddpd.exec:\vddpd.exe44⤵
- Executes dropped EXE
-
\??\c:\3ppjv.exec:\3ppjv.exe45⤵
- Executes dropped EXE
-
\??\c:\rlffxxr.exec:\rlffxxr.exe46⤵
- Executes dropped EXE
-
\??\c:\5flxlfr.exec:\5flxlfr.exe47⤵
- Executes dropped EXE
-
\??\c:\9bhbhb.exec:\9bhbhb.exe48⤵
- Executes dropped EXE
-
\??\c:\dvvvj.exec:\dvvvj.exe49⤵
- Executes dropped EXE
-
\??\c:\3jpdj.exec:\3jpdj.exe50⤵
- Executes dropped EXE
-
\??\c:\lrrfxrl.exec:\lrrfxrl.exe51⤵
- Executes dropped EXE
-
\??\c:\frlxllx.exec:\frlxllx.exe52⤵
- Executes dropped EXE
-
\??\c:\tbhbth.exec:\tbhbth.exe53⤵
- Executes dropped EXE
-
\??\c:\5pppd.exec:\5pppd.exe54⤵
- Executes dropped EXE
-
\??\c:\9vpjv.exec:\9vpjv.exe55⤵
- Executes dropped EXE
-
\??\c:\rfllrlr.exec:\rfllrlr.exe56⤵
- Executes dropped EXE
-
\??\c:\7ttbbb.exec:\7ttbbb.exe57⤵
- Executes dropped EXE
-
\??\c:\nnhhnn.exec:\nnhhnn.exe58⤵
- Executes dropped EXE
-
\??\c:\vpjjj.exec:\vpjjj.exe59⤵
- Executes dropped EXE
-
\??\c:\dppjv.exec:\dppjv.exe60⤵
- Executes dropped EXE
-
\??\c:\fxffrxr.exec:\fxffrxr.exe61⤵
- Executes dropped EXE
-
\??\c:\9tttnn.exec:\9tttnn.exe62⤵
- Executes dropped EXE
-
\??\c:\tnhbhh.exec:\tnhbhh.exe63⤵
- Executes dropped EXE
-
\??\c:\pvdjp.exec:\pvdjp.exe64⤵
- Executes dropped EXE
-
\??\c:\3jppv.exec:\3jppv.exe65⤵
- Executes dropped EXE
-
\??\c:\flffxxl.exec:\flffxxl.exe66⤵
-
\??\c:\xxfxxrl.exec:\xxfxxrl.exe67⤵
-
\??\c:\ntbttb.exec:\ntbttb.exe68⤵
-
\??\c:\nttntt.exec:\nttntt.exe69⤵
-
\??\c:\jjvjv.exec:\jjvjv.exe70⤵
-
\??\c:\vpjjv.exec:\vpjjv.exe71⤵
-
\??\c:\1xffxlf.exec:\1xffxlf.exe72⤵
-
\??\c:\1xfrlrr.exec:\1xfrlrr.exe73⤵
-
\??\c:\3ttttn.exec:\3ttttn.exe74⤵
-
\??\c:\hnhtnn.exec:\hnhtnn.exe75⤵
-
\??\c:\1vvvv.exec:\1vvvv.exe76⤵
-
\??\c:\5vppv.exec:\5vppv.exe77⤵
-
\??\c:\fflfffr.exec:\fflfffr.exe78⤵
-
\??\c:\bththb.exec:\bththb.exe79⤵
-
\??\c:\tthhbb.exec:\tthhbb.exe80⤵
-
\??\c:\vdppp.exec:\vdppp.exe81⤵
-
\??\c:\hbtttn.exec:\hbtttn.exe82⤵
-
\??\c:\tnthtt.exec:\tnthtt.exe83⤵
-
\??\c:\pvdvd.exec:\pvdvd.exe84⤵
-
\??\c:\vpddv.exec:\vpddv.exe85⤵
-
\??\c:\rfrrxll.exec:\rfrrxll.exe86⤵
-
\??\c:\rxllxxl.exec:\rxllxxl.exe87⤵
-
\??\c:\hnnthb.exec:\hnnthb.exe88⤵
-
\??\c:\hnttnt.exec:\hnttnt.exe89⤵
-
\??\c:\jjvpp.exec:\jjvpp.exe90⤵
-
\??\c:\fxfxxxx.exec:\fxfxxxx.exe91⤵
-
\??\c:\rrlrlxr.exec:\rrlrlxr.exe92⤵
-
\??\c:\htnnhh.exec:\htnnhh.exe93⤵
-
\??\c:\bhhbtt.exec:\bhhbtt.exe94⤵
-
\??\c:\jdpdp.exec:\jdpdp.exe95⤵
-
\??\c:\rxfxrrl.exec:\rxfxrrl.exe96⤵
-
\??\c:\1rrrlfr.exec:\1rrrlfr.exe97⤵
-
\??\c:\bnnhnt.exec:\bnnhnt.exe98⤵
-
\??\c:\9jdvj.exec:\9jdvj.exe99⤵
-
\??\c:\vdjdd.exec:\vdjdd.exe100⤵
-
\??\c:\xffxrrl.exec:\xffxrrl.exe101⤵
-
\??\c:\rxlfrrl.exec:\rxlfrrl.exe102⤵
-
\??\c:\7ntnhb.exec:\7ntnhb.exe103⤵
-
\??\c:\jdddv.exec:\jdddv.exe104⤵
-
\??\c:\vjpjd.exec:\vjpjd.exe105⤵
- System Location Discovery: System Language Discovery
-
\??\c:\xflfrlx.exec:\xflfrlx.exe106⤵
-
\??\c:\5flfrlf.exec:\5flfrlf.exe107⤵
-
\??\c:\hbtnhh.exec:\hbtnhh.exe108⤵
-
\??\c:\tbnhtn.exec:\tbnhtn.exe109⤵
-
\??\c:\jjjdp.exec:\jjjdp.exe110⤵
-
\??\c:\dvpdj.exec:\dvpdj.exe111⤵
-
\??\c:\lffxllf.exec:\lffxllf.exe112⤵
-
\??\c:\lxxffxr.exec:\lxxffxr.exe113⤵
-
\??\c:\bhnhtn.exec:\bhnhtn.exe114⤵
-
\??\c:\9tthtn.exec:\9tthtn.exe115⤵
-
\??\c:\ppdvj.exec:\ppdvj.exe116⤵
-
\??\c:\vvpvd.exec:\vvpvd.exe117⤵
-
\??\c:\llfrrff.exec:\llfrrff.exe118⤵
-
\??\c:\hthntt.exec:\hthntt.exe119⤵
-
\??\c:\ttbntb.exec:\ttbntb.exe120⤵
-
\??\c:\jjjjv.exec:\jjjjv.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-