Analysis
-
max time kernel
150s -
max time network
111s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
29-08-2024 05:34
General
-
Target
f9cb1eea530a3dee983a3f328d2458831137bf3ec8259e052f157f5f739109f1.exe
-
Size
96KB
-
MD5
2e5025eeefc7192c12d14f6e7234d9c8
-
SHA1
fc38fa5d794aba9d30ae82cb62e3c57aff804477
-
SHA256
f9cb1eea530a3dee983a3f328d2458831137bf3ec8259e052f157f5f739109f1
-
SHA512
3b226cae7fd45dadde4d5baf82176a107b4725b6e63d1094f687c028ca6f3c6d666ee4c190c6e1b9fc5a37069a165eb59895e0d353343d38a360487b8b18431a
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIkpi+qP1hvZo66Ox4oq2SQwfTrg:ymb3NkkiQ3mdBjFIj+qNhvZuHQYfw4jS
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 35 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9cb1eea530a3dee983a3f328d2458831137bf3ec8259e052f157f5f739109f1.exe"C:\Users\Admin\AppData\Local\Temp\f9cb1eea530a3dee983a3f328d2458831137bf3ec8259e052f157f5f739109f1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\9nttnt.exec:\9nttnt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdddv.exec:\pdddv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvdvv.exec:\vvdvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxlffx.exec:\xrxlffx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnttnb.exec:\hnttnb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdddv.exec:\jdddv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlfllxl.exec:\xlfllxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbhnb.exec:\btbhnb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bttnnn.exec:\bttnnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvvpj.exec:\pvvpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrxxrrr.exec:\lrxxrrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbhbhh.exec:\bbhbhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjvv.exec:\ddjvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpvvv.exec:\dpvvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1xlfxxr.exec:\1xlfxxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thbtnn.exec:\thbtnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhbbb.exec:\nnhbbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpdvj.exec:\vpdvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jppdv.exec:\jppdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxfffff.exec:\fxfffff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlrrrrr.exec:\xlrrrrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnttnt.exec:\nnttnt.exe23⤵
- Executes dropped EXE
-
\??\c:\hbnhbb.exec:\hbnhbb.exe24⤵
- Executes dropped EXE
-
\??\c:\dppjv.exec:\dppjv.exe25⤵
- Executes dropped EXE
-
\??\c:\rflfrxr.exec:\rflfrxr.exe26⤵
- Executes dropped EXE
-
\??\c:\rllfllr.exec:\rllfllr.exe27⤵
- Executes dropped EXE
-
\??\c:\tntnhh.exec:\tntnhh.exe28⤵
- Executes dropped EXE
-
\??\c:\pjjdp.exec:\pjjdp.exe29⤵
- Executes dropped EXE
-
\??\c:\xrfxxrr.exec:\xrfxxrr.exe30⤵
- Executes dropped EXE
-
\??\c:\3xxxrrr.exec:\3xxxrrr.exe31⤵
- Executes dropped EXE
-
\??\c:\hnnnnn.exec:\hnnnnn.exe32⤵
- Executes dropped EXE
-
\??\c:\pdjdd.exec:\pdjdd.exe33⤵
- Executes dropped EXE
-
\??\c:\dvdvp.exec:\dvdvp.exe34⤵
- Executes dropped EXE
-
\??\c:\rlxlfxx.exec:\rlxlfxx.exe35⤵
- Executes dropped EXE
-
\??\c:\fxxxxxr.exec:\fxxxxxr.exe36⤵
- Executes dropped EXE
-
\??\c:\nhttnn.exec:\nhttnn.exe37⤵
- Executes dropped EXE
-
\??\c:\7htbtt.exec:\7htbtt.exe38⤵
- Executes dropped EXE
-
\??\c:\5jpjp.exec:\5jpjp.exe39⤵
- Executes dropped EXE
-
\??\c:\vpjdd.exec:\vpjdd.exe40⤵
- Executes dropped EXE
-
\??\c:\9rxfxxx.exec:\9rxfxxx.exe41⤵
- Executes dropped EXE
-
\??\c:\3rlffff.exec:\3rlffff.exe42⤵
- Executes dropped EXE
-
\??\c:\bnbhth.exec:\bnbhth.exe43⤵
- Executes dropped EXE
-
\??\c:\ddpjd.exec:\ddpjd.exe44⤵
- Executes dropped EXE
-
\??\c:\5vdjj.exec:\5vdjj.exe45⤵
- Executes dropped EXE
-
\??\c:\xxrlfxr.exec:\xxrlfxr.exe46⤵
- Executes dropped EXE
-
\??\c:\rxllrrl.exec:\rxllrrl.exe47⤵
- Executes dropped EXE
-
\??\c:\bhbnbb.exec:\bhbnbb.exe48⤵
- Executes dropped EXE
-
\??\c:\nbtbtb.exec:\nbtbtb.exe49⤵
- Executes dropped EXE
-
\??\c:\jpjjj.exec:\jpjjj.exe50⤵
- Executes dropped EXE
-
\??\c:\frrrrll.exec:\frrrrll.exe51⤵
- Executes dropped EXE
-
\??\c:\3llfxxr.exec:\3llfxxr.exe52⤵
- Executes dropped EXE
-
\??\c:\ttnnhh.exec:\ttnnhh.exe53⤵
- Executes dropped EXE
-
\??\c:\pjpdd.exec:\pjpdd.exe54⤵
- Executes dropped EXE
-
\??\c:\5vjjp.exec:\5vjjp.exe55⤵
- Executes dropped EXE
-
\??\c:\pppjj.exec:\pppjj.exe56⤵
- Executes dropped EXE
-
\??\c:\3xfxrrl.exec:\3xfxrrl.exe57⤵
- Executes dropped EXE
-
\??\c:\5tnnhn.exec:\5tnnhn.exe58⤵
- Executes dropped EXE
-
\??\c:\thnhbt.exec:\thnhbt.exe59⤵
- Executes dropped EXE
-
\??\c:\djppd.exec:\djppd.exe60⤵
- Executes dropped EXE
-
\??\c:\7ppjj.exec:\7ppjj.exe61⤵
- Executes dropped EXE
-
\??\c:\llrrfff.exec:\llrrfff.exe62⤵
- Executes dropped EXE
-
\??\c:\rxflrrr.exec:\rxflrrr.exe63⤵
- Executes dropped EXE
-
\??\c:\thhbhh.exec:\thhbhh.exe64⤵
- Executes dropped EXE
-
\??\c:\nnnntt.exec:\nnnntt.exe65⤵
- Executes dropped EXE
-
\??\c:\jdvpp.exec:\jdvpp.exe66⤵
-
\??\c:\dvvdv.exec:\dvvdv.exe67⤵
-
\??\c:\jpppj.exec:\jpppj.exe68⤵
-
\??\c:\flfllxf.exec:\flfllxf.exe69⤵
-
\??\c:\rrxfxxx.exec:\rrxfxxx.exe70⤵
-
\??\c:\7tttnh.exec:\7tttnh.exe71⤵
-
\??\c:\tnbtnt.exec:\tnbtnt.exe72⤵
-
\??\c:\jdvvv.exec:\jdvvv.exe73⤵
-
\??\c:\7vdpv.exec:\7vdpv.exe74⤵
-
\??\c:\fxxlflf.exec:\fxxlflf.exe75⤵
-
\??\c:\bhbnbn.exec:\bhbnbn.exe76⤵
-
\??\c:\nhhnnn.exec:\nhhnnn.exe77⤵
-
\??\c:\5dpjj.exec:\5dpjj.exe78⤵
-
\??\c:\jdpjj.exec:\jdpjj.exe79⤵
-
\??\c:\jjvpj.exec:\jjvpj.exe80⤵
-
\??\c:\rlllfff.exec:\rlllfff.exe81⤵
- System Location Discovery: System Language Discovery
-
\??\c:\fxffffr.exec:\fxffffr.exe82⤵
-
\??\c:\5nthtn.exec:\5nthtn.exe83⤵
-
\??\c:\ddjjv.exec:\ddjjv.exe84⤵
-
\??\c:\jjpvd.exec:\jjpvd.exe85⤵
-
\??\c:\fxffrfl.exec:\fxffrfl.exe86⤵
-
\??\c:\lxfxxxr.exec:\lxfxxxr.exe87⤵
-
\??\c:\hhbthb.exec:\hhbthb.exe88⤵
-
\??\c:\3bbnhb.exec:\3bbnhb.exe89⤵
-
\??\c:\pdjvp.exec:\pdjvp.exe90⤵
-
\??\c:\vpdvp.exec:\vpdvp.exe91⤵
-
\??\c:\xrxxllf.exec:\xrxxllf.exe92⤵
-
\??\c:\3rrlfff.exec:\3rrlfff.exe93⤵
-
\??\c:\bhhhhh.exec:\bhhhhh.exe94⤵
-
\??\c:\5lfxllr.exec:\5lfxllr.exe95⤵
-
\??\c:\rllllff.exec:\rllllff.exe96⤵
-
\??\c:\7hnhhh.exec:\7hnhhh.exe97⤵
-
\??\c:\7nnnnn.exec:\7nnnnn.exe98⤵
-
\??\c:\jvvjd.exec:\jvvjd.exe99⤵
-
\??\c:\7djvv.exec:\7djvv.exe100⤵
-
\??\c:\lxxrllf.exec:\lxxrllf.exe101⤵
-
\??\c:\lfrffxx.exec:\lfrffxx.exe102⤵
-
\??\c:\tttttt.exec:\tttttt.exe103⤵
-
\??\c:\dpdvv.exec:\dpdvv.exe104⤵
-
\??\c:\ppdvp.exec:\ppdvp.exe105⤵
-
\??\c:\frxrfrr.exec:\frxrfrr.exe106⤵
-
\??\c:\1rxxxxx.exec:\1rxxxxx.exe107⤵
-
\??\c:\htnbnh.exec:\htnbnh.exe108⤵
-
\??\c:\3thbbb.exec:\3thbbb.exe109⤵
-
\??\c:\ddppj.exec:\ddppj.exe110⤵
-
\??\c:\ddvvp.exec:\ddvvp.exe111⤵
-
\??\c:\lfffxxr.exec:\lfffxxr.exe112⤵
-
\??\c:\1frlllr.exec:\1frlllr.exe113⤵
-
\??\c:\9htnhh.exec:\9htnhh.exe114⤵
-
\??\c:\bnhtnb.exec:\bnhtnb.exe115⤵
-
\??\c:\5vdvv.exec:\5vdvv.exe116⤵
- System Location Discovery: System Language Discovery
-
\??\c:\lrlxrrl.exec:\lrlxrrl.exe117⤵
-
\??\c:\9xxfxfx.exec:\9xxfxfx.exe118⤵
-
\??\c:\7nthbt.exec:\7nthbt.exe119⤵
-
\??\c:\jdjjv.exec:\jdjjv.exe120⤵
-
\??\c:\pjvpv.exec:\pjvpv.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-