Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
01/09/2024, 01:40
General
-
Target
b2486a61bb2827531ceb80a5b42f145b923a13bf809376a9345dd3e88b8af44d.exe
-
Size
489KB
-
MD5
4655b9c81cd3d8a5d98971806f09bf1b
-
SHA1
13788fc3b33bc0189cd4c37285208347506277cf
-
SHA256
b2486a61bb2827531ceb80a5b42f145b923a13bf809376a9345dd3e88b8af44d
-
SHA512
02910f7fe0f34ac510d157338073d7b93004e9f2bb1590c4ac4154fbab4cb68c2f523b75838b3207c329f3e488ba7a498da1059dc98dff39dee75a49521b1eb1
-
SSDEEP
6144:n3C9BRo7MlrWKo+lS0Le4xRSAoq78yoyfx93svqTbWL5wE+:n3C9yMo+S0L9xRnoq7H9QYcmB
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b2486a61bb2827531ceb80a5b42f145b923a13bf809376a9345dd3e88b8af44d.exe"C:\Users\Admin\AppData\Local\Temp\b2486a61bb2827531ceb80a5b42f145b923a13bf809376a9345dd3e88b8af44d.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\pvvvp.exec:\pvvvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxxxxx.exec:\xrxxxxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvddd.exec:\dvddd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvvv.exec:\pdvvv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1vvpp.exec:\1vvpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3xxrlxr.exec:\3xxrlxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3nbtnt.exec:\3nbtnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpvpj.exec:\vpvpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxffxfx.exec:\xxffxfx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbbbtt.exec:\bbbbtt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thbtnn.exec:\thbtnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpjd.exec:\dvpjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrlffx.exec:\rlrlffx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thhtnn.exec:\thhtnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jddvj.exec:\jddvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrrlrr.exec:\rlrrlrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvvp.exec:\ddvvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfllfxx.exec:\rfllfxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9nthnb.exec:\9nthnb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrllll.exec:\fxrllll.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnnhbb.exec:\nnnhbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdppp.exec:\pdppp.exe23⤵
- Executes dropped EXE
-
\??\c:\lffxrrl.exec:\lffxrrl.exe24⤵
- Executes dropped EXE
-
\??\c:\nhbthh.exec:\nhbthh.exe25⤵
- Executes dropped EXE
-
\??\c:\3vvpv.exec:\3vvpv.exe26⤵
- Executes dropped EXE
-
\??\c:\rxxrlfx.exec:\rxxrlfx.exe27⤵
- Executes dropped EXE
-
\??\c:\hnnnnn.exec:\hnnnnn.exe28⤵
- Executes dropped EXE
-
\??\c:\7vjdv.exec:\7vjdv.exe29⤵
- Executes dropped EXE
-
\??\c:\xxrlrrx.exec:\xxrlrrx.exe30⤵
- Executes dropped EXE
-
\??\c:\lffxrrr.exec:\lffxrrr.exe31⤵
- Executes dropped EXE
-
\??\c:\nnbhnn.exec:\nnbhnn.exe32⤵
- Executes dropped EXE
-
\??\c:\5tbttt.exec:\5tbttt.exe33⤵
- Executes dropped EXE
-
\??\c:\xflfrrx.exec:\xflfrrx.exe34⤵
- Executes dropped EXE
-
\??\c:\tbhthh.exec:\tbhthh.exe35⤵
- Executes dropped EXE
-
\??\c:\lffxrrl.exec:\lffxrrl.exe36⤵
- Executes dropped EXE
-
\??\c:\lrrrrxr.exec:\lrrrrxr.exe37⤵
- Executes dropped EXE
-
\??\c:\hbtnhh.exec:\hbtnhh.exe38⤵
- Executes dropped EXE
-
\??\c:\djpjd.exec:\djpjd.exe39⤵
- Executes dropped EXE
-
\??\c:\rlxrrlf.exec:\rlxrrlf.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\bntnhb.exec:\bntnhb.exe41⤵
- Executes dropped EXE
-
\??\c:\nhbttn.exec:\nhbttn.exe42⤵
- Executes dropped EXE
-
\??\c:\vpjdv.exec:\vpjdv.exe43⤵
- Executes dropped EXE
-
\??\c:\lxflllf.exec:\lxflllf.exe44⤵
- Executes dropped EXE
-
\??\c:\xrxxxxx.exec:\xrxxxxx.exe45⤵
- Executes dropped EXE
-
\??\c:\btbtnh.exec:\btbtnh.exe46⤵
- Executes dropped EXE
-
\??\c:\vdjdv.exec:\vdjdv.exe47⤵
- Executes dropped EXE
-
\??\c:\lxxrllf.exec:\lxxrllf.exe48⤵
- Executes dropped EXE
-
\??\c:\lrxrlll.exec:\lrxrlll.exe49⤵
- Executes dropped EXE
-
\??\c:\bbbnhn.exec:\bbbnhn.exe50⤵
- Executes dropped EXE
-
\??\c:\vpvvv.exec:\vpvvv.exe51⤵
- Executes dropped EXE
-
\??\c:\jppdp.exec:\jppdp.exe52⤵
- Executes dropped EXE
-
\??\c:\lrxfrxx.exec:\lrxfrxx.exe53⤵
- Executes dropped EXE
-
\??\c:\hbbbtt.exec:\hbbbtt.exe54⤵
- Executes dropped EXE
-
\??\c:\jppvj.exec:\jppvj.exe55⤵
- Executes dropped EXE
-
\??\c:\3djdp.exec:\3djdp.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\llfrlfx.exec:\llfrlfx.exe57⤵
- Executes dropped EXE
-
\??\c:\hbhbhh.exec:\hbhbhh.exe58⤵
- Executes dropped EXE
-
\??\c:\pppjj.exec:\pppjj.exe59⤵
- Executes dropped EXE
-
\??\c:\vjpjv.exec:\vjpjv.exe60⤵
- Executes dropped EXE
-
\??\c:\xrxxrll.exec:\xrxxrll.exe61⤵
- Executes dropped EXE
-
\??\c:\nnnttt.exec:\nnnttt.exe62⤵
- Executes dropped EXE
-
\??\c:\nntnnh.exec:\nntnnh.exe63⤵
- Executes dropped EXE
-
\??\c:\pjvvp.exec:\pjvvp.exe64⤵
- Executes dropped EXE
-
\??\c:\lrrllff.exec:\lrrllff.exe65⤵
- Executes dropped EXE
-
\??\c:\xrflffx.exec:\xrflffx.exe66⤵
-
\??\c:\htttbh.exec:\htttbh.exe67⤵
-
\??\c:\vpvvp.exec:\vpvvp.exe68⤵
-
\??\c:\vvjjj.exec:\vvjjj.exe69⤵
-
\??\c:\xxlflll.exec:\xxlflll.exe70⤵
-
\??\c:\1hhbbb.exec:\1hhbbb.exe71⤵
-
\??\c:\jdpvp.exec:\jdpvp.exe72⤵
-
\??\c:\1rfxrrf.exec:\1rfxrrf.exe73⤵
-
\??\c:\frxlllr.exec:\frxlllr.exe74⤵
-
\??\c:\hthhtt.exec:\hthhtt.exe75⤵
-
\??\c:\xrffrrf.exec:\xrffrrf.exe76⤵
-
\??\c:\nttbtt.exec:\nttbtt.exe77⤵
-
\??\c:\dppjv.exec:\dppjv.exe78⤵
-
\??\c:\9djdp.exec:\9djdp.exe79⤵
-
\??\c:\xrflrrx.exec:\xrflrrx.exe80⤵
-
\??\c:\bntnnn.exec:\bntnnn.exe81⤵
-
\??\c:\9hhbtt.exec:\9hhbtt.exe82⤵
-
\??\c:\3jdjd.exec:\3jdjd.exe83⤵
-
\??\c:\xllfrrf.exec:\xllfrrf.exe84⤵
-
\??\c:\thnhhn.exec:\thnhhn.exe85⤵
-
\??\c:\hhhhbh.exec:\hhhhbh.exe86⤵
-
\??\c:\pjppp.exec:\pjppp.exe87⤵
-
\??\c:\lxfrllf.exec:\lxfrllf.exe88⤵
-
\??\c:\nhhbtn.exec:\nhhbtn.exe89⤵
-
\??\c:\djjdv.exec:\djjdv.exe90⤵
-
\??\c:\vdppj.exec:\vdppj.exe91⤵
-
\??\c:\xrxlfxf.exec:\xrxlfxf.exe92⤵
-
\??\c:\3ntnhh.exec:\3ntnhh.exe93⤵
-
\??\c:\hnntht.exec:\hnntht.exe94⤵
-
\??\c:\7pvvj.exec:\7pvvj.exe95⤵
-
\??\c:\rllfrxr.exec:\rllfrxr.exe96⤵
-
\??\c:\rrrxllf.exec:\rrrxllf.exe97⤵
-
\??\c:\bhnhbt.exec:\bhnhbt.exe98⤵
-
\??\c:\dvvjd.exec:\dvvjd.exe99⤵
-
\??\c:\1vddv.exec:\1vddv.exe100⤵
-
\??\c:\3ffxrrl.exec:\3ffxrrl.exe101⤵
-
\??\c:\rlfxxxx.exec:\rlfxxxx.exe102⤵
-
\??\c:\hbbbhh.exec:\hbbbhh.exe103⤵
-
\??\c:\jjjdd.exec:\jjjdd.exe104⤵
-
\??\c:\pjjpj.exec:\pjjpj.exe105⤵
-
\??\c:\frxxrrr.exec:\frxxrrr.exe106⤵
-
\??\c:\5tbtbb.exec:\5tbtbb.exe107⤵
-
\??\c:\pjjvd.exec:\pjjvd.exe108⤵
-
\??\c:\vppjd.exec:\vppjd.exe109⤵
-
\??\c:\frxrlfx.exec:\frxrlfx.exe110⤵
-
\??\c:\9nhttb.exec:\9nhttb.exe111⤵
-
\??\c:\tbnnnt.exec:\tbnnnt.exe112⤵
-
\??\c:\pjppj.exec:\pjppj.exe113⤵
-
\??\c:\3rxxrfx.exec:\3rxxrfx.exe114⤵
-
\??\c:\9ntthh.exec:\9ntthh.exe115⤵
- System Location Discovery: System Language Discovery
-
\??\c:\bhnbtn.exec:\bhnbtn.exe116⤵
-
\??\c:\djddd.exec:\djddd.exe117⤵
-
\??\c:\ppvdv.exec:\ppvdv.exe118⤵
-
\??\c:\xffffll.exec:\xffffll.exe119⤵
-
\??\c:\thbtnh.exec:\thbtnh.exe120⤵
-
\??\c:\hhtnbb.exec:\hhtnbb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-