Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
04-09-2024 08:15
General
-
Target
937b4b29dd0859d9595228a8f1f42e924264e12766b506f4b43a6df8af6b94a1.exe
-
Size
71KB
-
MD5
97974fbc563d64f86d940a0fee75c901
-
SHA1
0eec5b7a5ce3aac283ac0efd589ea60711550d20
-
SHA256
937b4b29dd0859d9595228a8f1f42e924264e12766b506f4b43a6df8af6b94a1
-
SHA512
f4978c7dd00829db5972c06975c095c18bfdab0d7e31d727524e3a86815ee52e13bd2f096a3ff5eb0fb04956fbd6a31c9288c1d55f433f3cc406313ea4b114ea
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfjg:ymb3NkkiQ3mdBjFI4VQ
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 32 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\937b4b29dd0859d9595228a8f1f42e924264e12766b506f4b43a6df8af6b94a1.exe"C:\Users\Admin\AppData\Local\Temp\937b4b29dd0859d9595228a8f1f42e924264e12766b506f4b43a6df8af6b94a1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\frrlfxf.exec:\frrlfxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3bnhtn.exec:\3bnhtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7vjdv.exec:\7vjdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5lrlffr.exec:\5lrlffr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxrrrx.exec:\xlxrrrx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjdpj.exec:\vjdpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frrlfxr.exec:\frrlfxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3lfxrlf.exec:\3lfxrlf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbbtt.exec:\nhbbtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjpjd.exec:\jjpjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lffxrrl.exec:\lffxrrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhbnn.exec:\nnhbnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhbtb.exec:\nnhbtb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdpjv.exec:\vdpjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frrlxxr.exec:\frrlxxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thtbhn.exec:\thtbhn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpvpp.exec:\vpvpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrxfrr.exec:\rfrxfrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhnhhh.exec:\nhnhhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhnhbb.exec:\nhnhbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvpjv.exec:\vvpjv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpdj.exec:\dvpdj.exe23⤵
- Executes dropped EXE
-
\??\c:\rffrllx.exec:\rffrllx.exe24⤵
- Executes dropped EXE
-
\??\c:\ntbbnn.exec:\ntbbnn.exe25⤵
- Executes dropped EXE
-
\??\c:\vdjpv.exec:\vdjpv.exe26⤵
- Executes dropped EXE
-
\??\c:\dvpjd.exec:\dvpjd.exe27⤵
- Executes dropped EXE
-
\??\c:\lfrlllr.exec:\lfrlllr.exe28⤵
- Executes dropped EXE
-
\??\c:\ffxxrll.exec:\ffxxrll.exe29⤵
- Executes dropped EXE
-
\??\c:\htntnn.exec:\htntnn.exe30⤵
- Executes dropped EXE
-
\??\c:\pvvpd.exec:\pvvpd.exe31⤵
- Executes dropped EXE
-
\??\c:\5lxlllr.exec:\5lxlllr.exe32⤵
- Executes dropped EXE
-
\??\c:\fxxrlfx.exec:\fxxrlfx.exe33⤵
- Executes dropped EXE
-
\??\c:\nhbthb.exec:\nhbthb.exe34⤵
- Executes dropped EXE
-
\??\c:\5nnhtt.exec:\5nnhtt.exe35⤵
- Executes dropped EXE
-
\??\c:\dpvjj.exec:\dpvjj.exe36⤵
- Executes dropped EXE
-
\??\c:\rxxrrrr.exec:\rxxrrrr.exe37⤵
- Executes dropped EXE
-
\??\c:\fflffxf.exec:\fflffxf.exe38⤵
- Executes dropped EXE
-
\??\c:\hbttbb.exec:\hbttbb.exe39⤵
- Executes dropped EXE
-
\??\c:\hthbnn.exec:\hthbnn.exe40⤵
- Executes dropped EXE
-
\??\c:\5vddd.exec:\5vddd.exe41⤵
- Executes dropped EXE
-
\??\c:\3ffxlxr.exec:\3ffxlxr.exe42⤵
- Executes dropped EXE
-
\??\c:\bbhbbb.exec:\bbhbbb.exe43⤵
- Executes dropped EXE
-
\??\c:\hbbnhh.exec:\hbbnhh.exe44⤵
- Executes dropped EXE
-
\??\c:\1dpjj.exec:\1dpjj.exe45⤵
- Executes dropped EXE
-
\??\c:\frfxrrx.exec:\frfxrrx.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\7flfxxr.exec:\7flfxxr.exe47⤵
- Executes dropped EXE
-
\??\c:\nnnhbb.exec:\nnnhbb.exe48⤵
- Executes dropped EXE
-
\??\c:\vjjpj.exec:\vjjpj.exe49⤵
- Executes dropped EXE
-
\??\c:\1vdjv.exec:\1vdjv.exe50⤵
- Executes dropped EXE
-
\??\c:\lxxxrrx.exec:\lxxxrrx.exe51⤵
- Executes dropped EXE
-
\??\c:\xllfffr.exec:\xllfffr.exe52⤵
- Executes dropped EXE
-
\??\c:\hbbthh.exec:\hbbthh.exe53⤵
- Executes dropped EXE
-
\??\c:\bttnhb.exec:\bttnhb.exe54⤵
- Executes dropped EXE
-
\??\c:\jppdv.exec:\jppdv.exe55⤵
- Executes dropped EXE
-
\??\c:\pddvj.exec:\pddvj.exe56⤵
- Executes dropped EXE
-
\??\c:\frlxllf.exec:\frlxllf.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\nhntbb.exec:\nhntbb.exe58⤵
- Executes dropped EXE
-
\??\c:\bbhhnn.exec:\bbhhnn.exe59⤵
- Executes dropped EXE
-
\??\c:\vpjdd.exec:\vpjdd.exe60⤵
- Executes dropped EXE
-
\??\c:\xrrrrfl.exec:\xrrrrfl.exe61⤵
- Executes dropped EXE
-
\??\c:\llxlfll.exec:\llxlfll.exe62⤵
- Executes dropped EXE
-
\??\c:\thhnht.exec:\thhnht.exe63⤵
- Executes dropped EXE
-
\??\c:\ttthtt.exec:\ttthtt.exe64⤵
- Executes dropped EXE
-
\??\c:\9jpdv.exec:\9jpdv.exe65⤵
- Executes dropped EXE
-
\??\c:\jddpj.exec:\jddpj.exe66⤵
-
\??\c:\lllfrrl.exec:\lllfrrl.exe67⤵
-
\??\c:\ffxxrrl.exec:\ffxxrrl.exe68⤵
-
\??\c:\hntnnn.exec:\hntnnn.exe69⤵
-
\??\c:\dvjdv.exec:\dvjdv.exe70⤵
-
\??\c:\flfrlff.exec:\flfrlff.exe71⤵
-
\??\c:\frrlffx.exec:\frrlffx.exe72⤵
-
\??\c:\bhbhbt.exec:\bhbhbt.exe73⤵
-
\??\c:\bnnhhb.exec:\bnnhhb.exe74⤵
-
\??\c:\jdvpd.exec:\jdvpd.exe75⤵
-
\??\c:\vdjdv.exec:\vdjdv.exe76⤵
-
\??\c:\rxffxxl.exec:\rxffxxl.exe77⤵
-
\??\c:\flfffxx.exec:\flfffxx.exe78⤵
-
\??\c:\pvvpp.exec:\pvvpp.exe79⤵
-
\??\c:\vddvp.exec:\vddvp.exe80⤵
-
\??\c:\fxrfxxr.exec:\fxrfxxr.exe81⤵
-
\??\c:\lfxrlll.exec:\lfxrlll.exe82⤵
-
\??\c:\hbbthh.exec:\hbbthh.exe83⤵
-
\??\c:\dvvpp.exec:\dvvpp.exe84⤵
-
\??\c:\3vvpd.exec:\3vvpd.exe85⤵
-
\??\c:\ffxrffx.exec:\ffxrffx.exe86⤵
-
\??\c:\3btbtt.exec:\3btbtt.exe87⤵
-
\??\c:\hbthbb.exec:\hbthbb.exe88⤵
-
\??\c:\1ddpv.exec:\1ddpv.exe89⤵
-
\??\c:\fxrlxxr.exec:\fxrlxxr.exe90⤵
-
\??\c:\xxlfxlf.exec:\xxlfxlf.exe91⤵
-
\??\c:\5ttttn.exec:\5ttttn.exe92⤵
-
\??\c:\jpvvj.exec:\jpvvj.exe93⤵
-
\??\c:\rxlxlxl.exec:\rxlxlxl.exe94⤵
-
\??\c:\rrffllx.exec:\rrffllx.exe95⤵
-
\??\c:\tbtnhb.exec:\tbtnhb.exe96⤵
-
\??\c:\ddjvp.exec:\ddjvp.exe97⤵
-
\??\c:\xrrfxrx.exec:\xrrfxrx.exe98⤵
-
\??\c:\fxxfrrl.exec:\fxxfrrl.exe99⤵
-
\??\c:\bnhbnn.exec:\bnhbnn.exe100⤵
-
\??\c:\dpvpj.exec:\dpvpj.exe101⤵
-
\??\c:\xxflrlr.exec:\xxflrlr.exe102⤵
-
\??\c:\lxfxxff.exec:\lxfxxff.exe103⤵
-
\??\c:\tnbhbb.exec:\tnbhbb.exe104⤵
-
\??\c:\ppdpj.exec:\ppdpj.exe105⤵
-
\??\c:\5dvvj.exec:\5dvvj.exe106⤵
-
\??\c:\xlrfrlf.exec:\xlrfrlf.exe107⤵
-
\??\c:\bbnhbt.exec:\bbnhbt.exe108⤵
-
\??\c:\nhhbtn.exec:\nhhbtn.exe109⤵
-
\??\c:\jjdvv.exec:\jjdvv.exe110⤵
-
\??\c:\vvppj.exec:\vvppj.exe111⤵
-
\??\c:\xlllxxr.exec:\xlllxxr.exe112⤵
-
\??\c:\nbtnhh.exec:\nbtnhh.exe113⤵
-
\??\c:\btbttt.exec:\btbttt.exe114⤵
-
\??\c:\vjjdv.exec:\vjjdv.exe115⤵
-
\??\c:\ppdvj.exec:\ppdvj.exe116⤵
-
\??\c:\lffrfxr.exec:\lffrfxr.exe117⤵
-
\??\c:\fllxrlf.exec:\fllxrlf.exe118⤵
-
\??\c:\ntttnh.exec:\ntttnh.exe119⤵
-
\??\c:\tnhbnn.exec:\tnhbnn.exe120⤵
-
\??\c:\7vppp.exec:\7vppp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-