Analysis
-
max time kernel
120s -
max time network
107s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
24-08-2024 22:46
General
-
Target
eb28ecf427da115085b7cad20763b5e0N.exe
-
Size
721KB
-
MD5
eb28ecf427da115085b7cad20763b5e0
-
SHA1
5384ff16eb1103b83352583807c5e909b31c2c40
-
SHA256
32c9b385f3ab08273229135f14fe5c7f153ea8c6e03e97b4a8c8874605708f18
-
SHA512
ac7845b121f481f67589b71e5e201bccfccbbe421d574adbe827d5020c48a44f6e750b68090e464cec38a40d378d67fc3ac01b1dacc25c4e35f1b4f880131e7a
-
SSDEEP
12288:n3C9yMCxqYL5oeEF5rna9sUxg7udOxPJVSjYg8lcmJ1MZxEkTsxPJp6aasUdlH7t:Sg5qYLS7w4O
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\eb28ecf427da115085b7cad20763b5e0N.exe"C:\Users\Admin\AppData\Local\Temp\eb28ecf427da115085b7cad20763b5e0N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\jvdvp.exec:\jvdvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnhbb.exec:\btnhbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxrrxx.exec:\rlxrrxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrfxrlr.exec:\rrfxrlr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjvdd.exec:\vjvdd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vppjj.exec:\vppjj.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\xrffxxr.exec:\xrffxxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvjj.exec:\pdvjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lflxrrr.exec:\lflxrrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7ntbth.exec:\7ntbth.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxxrlff.exec:\rxxrlff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpvvp.exec:\dpvvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffxrlll.exec:\ffxrlll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hthbtn.exec:\hthbtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rffrllx.exec:\rffrllx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbnnb.exec:\nhbnnb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9rllfff.exec:\9rllfff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbbtnb.exec:\nbbtnb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbbbtb.exec:\bbbbtb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnnttb.exec:\hnnttb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjvpp.exec:\vjvpp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbtnh.exec:\htbtnh.exe23⤵
- Executes dropped EXE
-
\??\c:\dvjvd.exec:\dvjvd.exe24⤵
- Executes dropped EXE
-
\??\c:\tbbtnh.exec:\tbbtnh.exe25⤵
- Executes dropped EXE
-
\??\c:\pdjdv.exec:\pdjdv.exe26⤵
- Executes dropped EXE
-
\??\c:\fxxrlff.exec:\fxxrlff.exe27⤵
- Executes dropped EXE
-
\??\c:\1hbthh.exec:\1hbthh.exe28⤵
- Executes dropped EXE
-
\??\c:\vjjdv.exec:\vjjdv.exe29⤵
- Executes dropped EXE
-
\??\c:\3fxrlll.exec:\3fxrlll.exe30⤵
- Executes dropped EXE
-
\??\c:\rlrlrrx.exec:\rlrlrrx.exe31⤵
- Executes dropped EXE
-
\??\c:\pdjjd.exec:\pdjjd.exe32⤵
- Executes dropped EXE
-
\??\c:\lllxrlf.exec:\lllxrlf.exe33⤵
- Executes dropped EXE
-
\??\c:\ntnhtt.exec:\ntnhtt.exe34⤵
- Executes dropped EXE
-
\??\c:\3rlfxxx.exec:\3rlfxxx.exe35⤵
- Executes dropped EXE
-
\??\c:\hbnhhh.exec:\hbnhhh.exe36⤵
- Executes dropped EXE
-
\??\c:\jvvdd.exec:\jvvdd.exe37⤵
- Executes dropped EXE
-
\??\c:\pddvj.exec:\pddvj.exe38⤵
- Executes dropped EXE
-
\??\c:\bntnhb.exec:\bntnhb.exe39⤵
- Executes dropped EXE
-
\??\c:\7bbtnn.exec:\7bbtnn.exe40⤵
- Executes dropped EXE
-
\??\c:\pjjdv.exec:\pjjdv.exe41⤵
- Executes dropped EXE
-
\??\c:\hhtnbh.exec:\hhtnbh.exe42⤵
- Executes dropped EXE
-
\??\c:\nbhtnn.exec:\nbhtnn.exe43⤵
- Executes dropped EXE
-
\??\c:\djdpv.exec:\djdpv.exe44⤵
- Executes dropped EXE
-
\??\c:\rxffxrf.exec:\rxffxrf.exe45⤵
- Executes dropped EXE
-
\??\c:\5bbtth.exec:\5bbtth.exe46⤵
- Executes dropped EXE
-
\??\c:\dvdpj.exec:\dvdpj.exe47⤵
- Executes dropped EXE
-
\??\c:\flllfff.exec:\flllfff.exe48⤵
- Executes dropped EXE
-
\??\c:\tntnhn.exec:\tntnhn.exe49⤵
- Executes dropped EXE
-
\??\c:\dvdpv.exec:\dvdpv.exe50⤵
- Executes dropped EXE
-
\??\c:\9lxrllf.exec:\9lxrllf.exe51⤵
- Executes dropped EXE
-
\??\c:\btbbbb.exec:\btbbbb.exe52⤵
- Executes dropped EXE
-
\??\c:\dvdvv.exec:\dvdvv.exe53⤵
- Executes dropped EXE
-
\??\c:\5dvpd.exec:\5dvpd.exe54⤵
- Executes dropped EXE
-
\??\c:\3rrlxxr.exec:\3rrlxxr.exe55⤵
- Executes dropped EXE
-
\??\c:\1bbnnh.exec:\1bbnnh.exe56⤵
- Executes dropped EXE
-
\??\c:\dvdvd.exec:\dvdvd.exe57⤵
- Executes dropped EXE
-
\??\c:\1llfxxx.exec:\1llfxxx.exe58⤵
- Executes dropped EXE
-
\??\c:\lfxrllf.exec:\lfxrllf.exe59⤵
- Executes dropped EXE
-
\??\c:\nhhbhb.exec:\nhhbhb.exe60⤵
- Executes dropped EXE
-
\??\c:\pjdvp.exec:\pjdvp.exe61⤵
- Executes dropped EXE
-
\??\c:\rffxxxx.exec:\rffxxxx.exe62⤵
- Executes dropped EXE
-
\??\c:\nnhhbt.exec:\nnhhbt.exe63⤵
- Executes dropped EXE
-
\??\c:\djjdd.exec:\djjdd.exe64⤵
- Executes dropped EXE
-
\??\c:\vpvvj.exec:\vpvvj.exe65⤵
- Executes dropped EXE
-
\??\c:\hbhtbt.exec:\hbhtbt.exe66⤵
-
\??\c:\dppjd.exec:\dppjd.exe67⤵
-
\??\c:\fllllrx.exec:\fllllrx.exe68⤵
-
\??\c:\nhbtbh.exec:\nhbtbh.exe69⤵
-
\??\c:\vpvpp.exec:\vpvpp.exe70⤵
-
\??\c:\lffxfxx.exec:\lffxfxx.exe71⤵
-
\??\c:\tbbtnh.exec:\tbbtnh.exe72⤵
-
\??\c:\djdvd.exec:\djdvd.exe73⤵
-
\??\c:\frrfxrl.exec:\frrfxrl.exe74⤵
-
\??\c:\tnbhth.exec:\tnbhth.exe75⤵
-
\??\c:\7vvpj.exec:\7vvpj.exe76⤵
-
\??\c:\rrfxrlf.exec:\rrfxrlf.exe77⤵
-
\??\c:\httnhh.exec:\httnhh.exe78⤵
-
\??\c:\jjvpj.exec:\jjvpj.exe79⤵
-
\??\c:\1lffxfx.exec:\1lffxfx.exe80⤵
-
\??\c:\fxrlfxr.exec:\fxrlfxr.exe81⤵
-
\??\c:\hhhbtt.exec:\hhhbtt.exe82⤵
-
\??\c:\jdvvv.exec:\jdvvv.exe83⤵
-
\??\c:\lrrllff.exec:\lrrllff.exe84⤵
-
\??\c:\bntbth.exec:\bntbth.exe85⤵
-
\??\c:\vdddv.exec:\vdddv.exe86⤵
-
\??\c:\1xfxxfx.exec:\1xfxxfx.exe87⤵
- System Location Discovery: System Language Discovery
-
\??\c:\3fxlffx.exec:\3fxlffx.exe88⤵
-
\??\c:\htbhbb.exec:\htbhbb.exe89⤵
-
\??\c:\9jpjd.exec:\9jpjd.exe90⤵
-
\??\c:\rfxlxrl.exec:\rfxlxrl.exe91⤵
-
\??\c:\1bttnn.exec:\1bttnn.exe92⤵
-
\??\c:\jjjdp.exec:\jjjdp.exe93⤵
-
\??\c:\rffflrl.exec:\rffflrl.exe94⤵
-
\??\c:\jdvpv.exec:\jdvpv.exe95⤵
-
\??\c:\pvvpj.exec:\pvvpj.exe96⤵
-
\??\c:\lfxrrll.exec:\lfxrrll.exe97⤵
- System Location Discovery: System Language Discovery
-
\??\c:\btthtt.exec:\btthtt.exe98⤵
- System Location Discovery: System Language Discovery
-
\??\c:\ppjdv.exec:\ppjdv.exe99⤵
-
\??\c:\flxllfx.exec:\flxllfx.exe100⤵
-
\??\c:\thhbnn.exec:\thhbnn.exe101⤵
-
\??\c:\pvdvd.exec:\pvdvd.exe102⤵
-
\??\c:\rxffxfx.exec:\rxffxfx.exe103⤵
-
\??\c:\1btnnh.exec:\1btnnh.exe104⤵
-
\??\c:\ththth.exec:\ththth.exe105⤵
-
\??\c:\3ppjd.exec:\3ppjd.exe106⤵
-
\??\c:\flrflfr.exec:\flrflfr.exe107⤵
-
\??\c:\hbbbtn.exec:\hbbbtn.exe108⤵
-
\??\c:\vdpjj.exec:\vdpjj.exe109⤵
-
\??\c:\rflfxxr.exec:\rflfxxr.exe110⤵
-
\??\c:\bbhnth.exec:\bbhnth.exe111⤵
-
\??\c:\jjdjj.exec:\jjdjj.exe112⤵
-
\??\c:\lxlfllx.exec:\lxlfllx.exe113⤵
-
\??\c:\3ntnhn.exec:\3ntnhn.exe114⤵
-
\??\c:\lrfxfxf.exec:\lrfxfxf.exe115⤵
-
\??\c:\nnhhhh.exec:\nnhhhh.exe116⤵
-
\??\c:\pjdpj.exec:\pjdpj.exe117⤵
-
\??\c:\xxrrlrl.exec:\xxrrlrl.exe118⤵
-
\??\c:\bnhbtt.exec:\bnhbtt.exe119⤵
-
\??\c:\vppjd.exec:\vppjd.exe120⤵
-
\??\c:\rlllffx.exec:\rlllffx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-