Analysis
-
max time kernel
120s -
max time network
113s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
25-08-2024 23:51
General
-
Target
e9da72266fb5cd27bf8fccdaec67a2a0N.exe
-
Size
71KB
-
MD5
e9da72266fb5cd27bf8fccdaec67a2a0
-
SHA1
5599b7a2515cb9457bb2d4ac8291f684facd2c8a
-
SHA256
649fb42203103b3ebd2568941454a9fcda319f88453a2aa158774776b044039f
-
SHA512
16c1d4cc23c7575bec8edc899df882d90ddfdb820792a5224f00e7c5a94b0166f89cc851d144887ee3a7e792b9317fa79da020b517aeb81b31686d989bdcc897
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfjo:ymb3NkkiQ3mdBjFI4V4
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 23 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 36 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e9da72266fb5cd27bf8fccdaec67a2a0N.exe"C:\Users\Admin\AppData\Local\Temp\e9da72266fb5cd27bf8fccdaec67a2a0N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvpd.exec:\jdvpd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxrlrrf.exec:\lxrlrrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbtbb.exec:\htbtbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvppp.exec:\vvppp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9rrrrrr.exec:\9rrrrrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbbtn.exec:\tnbbtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdjdd.exec:\pdjdd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7bbbbb.exec:\7bbbbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5vdvv.exec:\5vdvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlrrrff.exec:\xlrrrff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frfxrrl.exec:\frfxrrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppvvp.exec:\ppvvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrfxxx.exec:\rlrfxxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxffff.exec:\xlxffff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddddp.exec:\ddddp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvvpj.exec:\jvvpj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxxlrl.exec:\lxxxlrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrxlffx.exec:\rrxlffx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\httnhn.exec:\httnhn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvdvj.exec:\dvdvj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrlfff.exec:\rlrlfff.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxlfllr.exec:\fxlfllr.exe23⤵
- Executes dropped EXE
-
\??\c:\5tbtth.exec:\5tbtth.exe24⤵
- Executes dropped EXE
-
\??\c:\7djdp.exec:\7djdp.exe25⤵
- Executes dropped EXE
-
\??\c:\rfxrlfx.exec:\rfxrlfx.exe26⤵
- Executes dropped EXE
-
\??\c:\ttbbtn.exec:\ttbbtn.exe27⤵
- Executes dropped EXE
-
\??\c:\bnbtnt.exec:\bnbtnt.exe28⤵
- Executes dropped EXE
-
\??\c:\1jdvp.exec:\1jdvp.exe29⤵
- Executes dropped EXE
-
\??\c:\pdpdv.exec:\pdpdv.exe30⤵
- Executes dropped EXE
-
\??\c:\lrrlxxr.exec:\lrrlxxr.exe31⤵
- Executes dropped EXE
-
\??\c:\rlxxllf.exec:\rlxxllf.exe32⤵
- Executes dropped EXE
-
\??\c:\5hnnhh.exec:\5hnnhh.exe33⤵
- Executes dropped EXE
-
\??\c:\9vjjd.exec:\9vjjd.exe34⤵
- Executes dropped EXE
-
\??\c:\pddpp.exec:\pddpp.exe35⤵
- Executes dropped EXE
-
\??\c:\frlfxxx.exec:\frlfxxx.exe36⤵
- Executes dropped EXE
-
\??\c:\frrxrrl.exec:\frrxrrl.exe37⤵
- Executes dropped EXE
-
\??\c:\thtnbt.exec:\thtnbt.exe38⤵
- Executes dropped EXE
-
\??\c:\7nnnhn.exec:\7nnnhn.exe39⤵
- Executes dropped EXE
-
\??\c:\jjvpj.exec:\jjvpj.exe40⤵
- Executes dropped EXE
-
\??\c:\dvdvj.exec:\dvdvj.exe41⤵
- Executes dropped EXE
-
\??\c:\lffxllf.exec:\lffxllf.exe42⤵
- Executes dropped EXE
-
\??\c:\bhbbtt.exec:\bhbbtt.exe43⤵
- Executes dropped EXE
-
\??\c:\hnnnhh.exec:\hnnnhh.exe44⤵
- Executes dropped EXE
-
\??\c:\djjjv.exec:\djjjv.exe45⤵
- Executes dropped EXE
-
\??\c:\1djvp.exec:\1djvp.exe46⤵
- Executes dropped EXE
-
\??\c:\5lflfxr.exec:\5lflfxr.exe47⤵
- Executes dropped EXE
-
\??\c:\rffrlll.exec:\rffrlll.exe48⤵
- Executes dropped EXE
-
\??\c:\xffrlfx.exec:\xffrlfx.exe49⤵
- Executes dropped EXE
-
\??\c:\tnnhhb.exec:\tnnhhb.exe50⤵
- Executes dropped EXE
-
\??\c:\pvdvj.exec:\pvdvj.exe51⤵
- Executes dropped EXE
-
\??\c:\9vpjd.exec:\9vpjd.exe52⤵
- Executes dropped EXE
-
\??\c:\rflrxrf.exec:\rflrxrf.exe53⤵
- Executes dropped EXE
-
\??\c:\llxrlxr.exec:\llxrlxr.exe54⤵
- Executes dropped EXE
-
\??\c:\nhttnt.exec:\nhttnt.exe55⤵
- Executes dropped EXE
-
\??\c:\bnbtnh.exec:\bnbtnh.exe56⤵
- Executes dropped EXE
-
\??\c:\ddvpj.exec:\ddvpj.exe57⤵
- Executes dropped EXE
-
\??\c:\pjvpj.exec:\pjvpj.exe58⤵
- Executes dropped EXE
-
\??\c:\7ffrlrf.exec:\7ffrlrf.exe59⤵
- Executes dropped EXE
-
\??\c:\rxllffx.exec:\rxllffx.exe60⤵
- Executes dropped EXE
-
\??\c:\bnhbnh.exec:\bnhbnh.exe61⤵
- Executes dropped EXE
-
\??\c:\5tnhhh.exec:\5tnhhh.exe62⤵
- Executes dropped EXE
-
\??\c:\jdvpj.exec:\jdvpj.exe63⤵
- Executes dropped EXE
-
\??\c:\jpvjd.exec:\jpvjd.exe64⤵
- Executes dropped EXE
-
\??\c:\rrllxff.exec:\rrllxff.exe65⤵
- Executes dropped EXE
-
\??\c:\hntttt.exec:\hntttt.exe66⤵
-
\??\c:\nnnnbb.exec:\nnnnbb.exe67⤵
-
\??\c:\5vpjj.exec:\5vpjj.exe68⤵
-
\??\c:\ddjdj.exec:\ddjdj.exe69⤵
-
\??\c:\xxlfllx.exec:\xxlfllx.exe70⤵
-
\??\c:\frxrlff.exec:\frxrlff.exe71⤵
-
\??\c:\tntntb.exec:\tntntb.exe72⤵
-
\??\c:\tnhbtt.exec:\tnhbtt.exe73⤵
-
\??\c:\dpvpj.exec:\dpvpj.exe74⤵
-
\??\c:\vpvpd.exec:\vpvpd.exe75⤵
-
\??\c:\lxflxrx.exec:\lxflxrx.exe76⤵
-
\??\c:\lfrrlff.exec:\lfrrlff.exe77⤵
-
\??\c:\bbhbbb.exec:\bbhbbb.exe78⤵
-
\??\c:\hbbnhb.exec:\hbbnhb.exe79⤵
-
\??\c:\dppvv.exec:\dppvv.exe80⤵
-
\??\c:\ppvjv.exec:\ppvjv.exe81⤵
-
\??\c:\lfrlfxr.exec:\lfrlfxr.exe82⤵
-
\??\c:\lrfxllf.exec:\lrfxllf.exe83⤵
-
\??\c:\bnnhbb.exec:\bnnhbb.exe84⤵
-
\??\c:\vdvvv.exec:\vdvvv.exe85⤵
-
\??\c:\7pvpv.exec:\7pvpv.exe86⤵
-
\??\c:\hhbbtt.exec:\hhbbtt.exe87⤵
-
\??\c:\vjjvj.exec:\vjjvj.exe88⤵
-
\??\c:\vdvvv.exec:\vdvvv.exe89⤵
-
\??\c:\fxxrlfx.exec:\fxxrlfx.exe90⤵
-
\??\c:\fflllrr.exec:\fflllrr.exe91⤵
-
\??\c:\bbhbtt.exec:\bbhbtt.exe92⤵
-
\??\c:\vvpjj.exec:\vvpjj.exe93⤵
-
\??\c:\dpppv.exec:\dpppv.exe94⤵
-
\??\c:\rrrlxxr.exec:\rrrlxxr.exe95⤵
-
\??\c:\fxfxrrf.exec:\fxfxrrf.exe96⤵
-
\??\c:\ntbbtn.exec:\ntbbtn.exe97⤵
-
\??\c:\bnnhbt.exec:\bnnhbt.exe98⤵
-
\??\c:\vdjjv.exec:\vdjjv.exe99⤵
-
\??\c:\dddvj.exec:\dddvj.exe100⤵
-
\??\c:\xxrlllf.exec:\xxrlllf.exe101⤵
-
\??\c:\7xfrffx.exec:\7xfrffx.exe102⤵
-
\??\c:\1nhbtb.exec:\1nhbtb.exe103⤵
-
\??\c:\thbbtn.exec:\thbbtn.exe104⤵
-
\??\c:\vpppd.exec:\vpppd.exe105⤵
-
\??\c:\vjppp.exec:\vjppp.exe106⤵
-
\??\c:\9rffxxr.exec:\9rffxxr.exe107⤵
-
\??\c:\hhbttn.exec:\hhbttn.exe108⤵
-
\??\c:\nhtnbb.exec:\nhtnbb.exe109⤵
-
\??\c:\djppj.exec:\djppj.exe110⤵
-
\??\c:\ppvdv.exec:\ppvdv.exe111⤵
-
\??\c:\lxxrfff.exec:\lxxrfff.exe112⤵
-
\??\c:\lrxrffx.exec:\lrxrffx.exe113⤵
-
\??\c:\3tttnh.exec:\3tttnh.exe114⤵
-
\??\c:\1ntthn.exec:\1ntthn.exe115⤵
-
\??\c:\5jvpj.exec:\5jvpj.exe116⤵
-
\??\c:\9vjdv.exec:\9vjdv.exe117⤵
-
\??\c:\1xlfrrl.exec:\1xlfrrl.exe118⤵
-
\??\c:\fxrxfrr.exec:\fxrxfrr.exe119⤵
-
\??\c:\tnhbtt.exec:\tnhbtt.exe120⤵
-
\??\c:\nhnnbb.exec:\nhnnbb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-