Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
01-09-2024 22:08
General
-
Target
0a6b47ad368d3b3c0a6af398ec4b06e0N.exe
-
Size
251KB
-
MD5
0a6b47ad368d3b3c0a6af398ec4b06e0
-
SHA1
fbfbabc1df20daa8650dc0dc6aa11c41f632b3eb
-
SHA256
333468817611142aed8e8cd759a8129ce4f4a57642728f65800655bc6c8538f9
-
SHA512
77e8ea50b9f22c89c2a9bd0e6833d6430f7221ab76c9f2cfaba76bde2bfb1e677073eca42bcd1913a4937ba3f65ee57e92e4e7602fde158b59e2c6c2ddf70ab9
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31oDvYLfJmQ9t:n3C9BRo7MlrWKo+lavWwKt
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 27 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 35 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a6b47ad368d3b3c0a6af398ec4b06e0N.exe"C:\Users\Admin\AppData\Local\Temp\0a6b47ad368d3b3c0a6af398ec4b06e0N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\pjpvj.exec:\pjpvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxffffx.exec:\rxffffx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpvvd.exec:\jpvvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbhnhh.exec:\tbhnhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nthhhn.exec:\nthhhn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpdpd.exec:\jpdpd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffrrflr.exec:\ffrrflr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbbtb.exec:\hhbbtb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfxxfll.exec:\xfxxfll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnbnbh.exec:\bnbnbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxrxxf.exec:\lfxrxxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvvpd.exec:\jvvpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9hhtbb.exec:\9hhtbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjdd.exec:\jdjdd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfflflr.exec:\rfflflr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3bbtnh.exec:\3bbtnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrlfff.exec:\rlrlfff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1vjpj.exec:\1vjpj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rllfrrl.exec:\rllfrrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbhtb.exec:\hhbhtb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnbtnn.exec:\nnbtnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrlrfr.exec:\xrrlrfr.exe23⤵
- Executes dropped EXE
-
\??\c:\pddpd.exec:\pddpd.exe24⤵
- Executes dropped EXE
-
\??\c:\rflllll.exec:\rflllll.exe25⤵
- Executes dropped EXE
-
\??\c:\nbtbhh.exec:\nbtbhh.exe26⤵
- Executes dropped EXE
-
\??\c:\tbbtnh.exec:\tbbtnh.exe27⤵
- Executes dropped EXE
-
\??\c:\nthtth.exec:\nthtth.exe28⤵
- Executes dropped EXE
-
\??\c:\9fxffff.exec:\9fxffff.exe29⤵
- Executes dropped EXE
-
\??\c:\ttbnhh.exec:\ttbnhh.exe30⤵
- Executes dropped EXE
-
\??\c:\xxfxrxx.exec:\xxfxrxx.exe31⤵
- Executes dropped EXE
-
\??\c:\bnbthb.exec:\bnbthb.exe32⤵
- Executes dropped EXE
-
\??\c:\vdvpp.exec:\vdvpp.exe33⤵
- Executes dropped EXE
-
\??\c:\frffflf.exec:\frffflf.exe34⤵
- Executes dropped EXE
-
\??\c:\7tnnnb.exec:\7tnnnb.exe35⤵
- Executes dropped EXE
-
\??\c:\pddvd.exec:\pddvd.exe36⤵
- Executes dropped EXE
-
\??\c:\xrlllll.exec:\xrlllll.exe37⤵
- Executes dropped EXE
-
\??\c:\hbbhhb.exec:\hbbhhb.exe38⤵
- Executes dropped EXE
-
\??\c:\dpvjv.exec:\dpvjv.exe39⤵
- Executes dropped EXE
-
\??\c:\ppjvd.exec:\ppjvd.exe40⤵
- Executes dropped EXE
-
\??\c:\lxrlxxx.exec:\lxrlxxx.exe41⤵
- Executes dropped EXE
-
\??\c:\tnnnnn.exec:\tnnnnn.exe42⤵
- Executes dropped EXE
-
\??\c:\jpdjp.exec:\jpdjp.exe43⤵
- Executes dropped EXE
-
\??\c:\rlxlffr.exec:\rlxlffr.exe44⤵
- Executes dropped EXE
-
\??\c:\lxlxrrf.exec:\lxlxrrf.exe45⤵
- Executes dropped EXE
-
\??\c:\pdvvp.exec:\pdvvp.exe46⤵
- Executes dropped EXE
-
\??\c:\vvvpj.exec:\vvvpj.exe47⤵
- Executes dropped EXE
-
\??\c:\xrxrlrr.exec:\xrxrlrr.exe48⤵
- Executes dropped EXE
-
\??\c:\9tthnn.exec:\9tthnn.exe49⤵
- Executes dropped EXE
-
\??\c:\bhbbhh.exec:\bhbbhh.exe50⤵
- Executes dropped EXE
-
\??\c:\7pvpp.exec:\7pvpp.exe51⤵
- Executes dropped EXE
-
\??\c:\xrfxlrr.exec:\xrfxlrr.exe52⤵
- Executes dropped EXE
-
\??\c:\3xffllf.exec:\3xffllf.exe53⤵
- Executes dropped EXE
-
\??\c:\tnnnnt.exec:\tnnnnt.exe54⤵
- Executes dropped EXE
-
\??\c:\vvdvp.exec:\vvdvp.exe55⤵
- Executes dropped EXE
-
\??\c:\rrfxlxx.exec:\rrfxlxx.exe56⤵
- Executes dropped EXE
-
\??\c:\nbnhbb.exec:\nbnhbb.exe57⤵
- Executes dropped EXE
-
\??\c:\btbbtt.exec:\btbbtt.exe58⤵
- Executes dropped EXE
-
\??\c:\jvpdj.exec:\jvpdj.exe59⤵
- Executes dropped EXE
-
\??\c:\7lxrffl.exec:\7lxrffl.exe60⤵
- Executes dropped EXE
-
\??\c:\nnhhhh.exec:\nnhhhh.exe61⤵
- Executes dropped EXE
-
\??\c:\tthnbb.exec:\tthnbb.exe62⤵
- Executes dropped EXE
-
\??\c:\7ddvd.exec:\7ddvd.exe63⤵
- Executes dropped EXE
-
\??\c:\rxxrllf.exec:\rxxrllf.exe64⤵
- Executes dropped EXE
-
\??\c:\bnnnnn.exec:\bnnnnn.exe65⤵
- Executes dropped EXE
-
\??\c:\dvppj.exec:\dvppj.exe66⤵
-
\??\c:\jvvpd.exec:\jvvpd.exe67⤵
-
\??\c:\xflfxff.exec:\xflfxff.exe68⤵
-
\??\c:\bthbbt.exec:\bthbbt.exe69⤵
-
\??\c:\pjdvd.exec:\pjdvd.exe70⤵
-
\??\c:\fxrlrxx.exec:\fxrlrxx.exe71⤵
-
\??\c:\tthbbb.exec:\tthbbb.exe72⤵
-
\??\c:\vjjjj.exec:\vjjjj.exe73⤵
-
\??\c:\jdjjd.exec:\jdjjd.exe74⤵
-
\??\c:\rrxfxxf.exec:\rrxfxxf.exe75⤵
-
\??\c:\hhbtnn.exec:\hhbtnn.exe76⤵
-
\??\c:\vdvpj.exec:\vdvpj.exe77⤵
-
\??\c:\lxlfxxf.exec:\lxlfxxf.exe78⤵
-
\??\c:\xxxxxlx.exec:\xxxxxlx.exe79⤵
-
\??\c:\7htntt.exec:\7htntt.exe80⤵
-
\??\c:\vpdvj.exec:\vpdvj.exe81⤵
-
\??\c:\vpjvj.exec:\vpjvj.exe82⤵
-
\??\c:\lfrxrxf.exec:\lfrxrxf.exe83⤵
-
\??\c:\7ntnhn.exec:\7ntnhn.exe84⤵
-
\??\c:\ppddp.exec:\ppddp.exe85⤵
-
\??\c:\5xllrxr.exec:\5xllrxr.exe86⤵
-
\??\c:\xlxrrxl.exec:\xlxrrxl.exe87⤵
-
\??\c:\tbhnhn.exec:\tbhnhn.exe88⤵
-
\??\c:\pjjdp.exec:\pjjdp.exe89⤵
-
\??\c:\xrxrxrx.exec:\xrxrxrx.exe90⤵
-
\??\c:\xrfrlxr.exec:\xrfrlxr.exe91⤵
-
\??\c:\tbhbbb.exec:\tbhbbb.exe92⤵
-
\??\c:\vppjd.exec:\vppjd.exe93⤵
-
\??\c:\rfrllfx.exec:\rfrllfx.exe94⤵
-
\??\c:\7lrlffr.exec:\7lrlffr.exe95⤵
-
\??\c:\tbbbtb.exec:\tbbbtb.exe96⤵
-
\??\c:\dvpdp.exec:\dvpdp.exe97⤵
-
\??\c:\jddvd.exec:\jddvd.exe98⤵
-
\??\c:\1ffrllx.exec:\1ffrllx.exe99⤵
-
\??\c:\nbtnnh.exec:\nbtnnh.exe100⤵
-
\??\c:\nhnhnb.exec:\nhnhnb.exe101⤵
-
\??\c:\dpdpp.exec:\dpdpp.exe102⤵
-
\??\c:\9jjvv.exec:\9jjvv.exe103⤵
-
\??\c:\xffxflx.exec:\xffxflx.exe104⤵
-
\??\c:\nhhbnh.exec:\nhhbnh.exe105⤵
-
\??\c:\hnnhbt.exec:\hnnhbt.exe106⤵
-
\??\c:\jpjpj.exec:\jpjpj.exe107⤵
-
\??\c:\nhhhbb.exec:\nhhhbb.exe108⤵
-
\??\c:\vpdpj.exec:\vpdpj.exe109⤵
-
\??\c:\rxlxfrr.exec:\rxlxfrr.exe110⤵
-
\??\c:\3nhhnt.exec:\3nhhnt.exe111⤵
-
\??\c:\ddjvv.exec:\ddjvv.exe112⤵
-
\??\c:\xrllflf.exec:\xrllflf.exe113⤵
-
\??\c:\hnhtnn.exec:\hnhtnn.exe114⤵
-
\??\c:\hththb.exec:\hththb.exe115⤵
-
\??\c:\3vvpd.exec:\3vvpd.exe116⤵
-
\??\c:\frrfxxl.exec:\frrfxxl.exe117⤵
-
\??\c:\3thhth.exec:\3thhth.exe118⤵
-
\??\c:\pjjjd.exec:\pjjjd.exe119⤵
-
\??\c:\vdddd.exec:\vdddd.exe120⤵
-
\??\c:\fxfrlll.exec:\fxfrlll.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-