Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
05-09-2024 02:22
General
-
Target
f39d1361a8c174cca2588bfca30bc1b0N.exe
-
Size
65KB
-
MD5
f39d1361a8c174cca2588bfca30bc1b0
-
SHA1
4ae6ed66173c156c44fe7378b4646fa0411f49da
-
SHA256
12ce31e2bb90d843f9f4a9d4c545238d89b4e1e6ae3eea95573e9230f1c85726
-
SHA512
86ed1725505dd75d3033bdfc0348058e3c74465a431abb93a9a12d8809cba73015af1d5a78a9bd08471d8f4c7f3a9fc3e2ab920563a013529543e108beb2520c
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDI9L27Bqfj:ymb3NkkiQ3mdBjFI9cqfj
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 40 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f39d1361a8c174cca2588bfca30bc1b0N.exe"C:\Users\Admin\AppData\Local\Temp\f39d1361a8c174cca2588bfca30bc1b0N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxllfl.exec:\xlxllfl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9tthnh.exec:\9tthnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3jdvj.exec:\3jdvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrlfrl.exec:\xrrlfrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbthtn.exec:\hbthtn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dddvd.exec:\dddvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxrfrrl.exec:\xxrfrrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvpd.exec:\ddvpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvdpj.exec:\dvdpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flxfrlx.exec:\flxfrlx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbnhbn.exec:\nbnhbn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvjj.exec:\dvvjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdvd.exec:\pjdvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lffrlrx.exec:\lffrlrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhnnnh.exec:\hhnnnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhnnbb.exec:\bhnnbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjpv.exec:\pjjpv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xffrflr.exec:\xffrflr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7rxxrrr.exec:\7rxxrrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3nnnnn.exec:\3nnnnn.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\hhtnnn.exec:\hhtnnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpvvj.exec:\dpvvj.exe23⤵
- Executes dropped EXE
-
\??\c:\9pvpp.exec:\9pvpp.exe24⤵
- Executes dropped EXE
-
\??\c:\rxrlxfx.exec:\rxrlxfx.exe25⤵
- Executes dropped EXE
-
\??\c:\btttnn.exec:\btttnn.exe26⤵
- Executes dropped EXE
-
\??\c:\nntnhh.exec:\nntnhh.exe27⤵
- Executes dropped EXE
-
\??\c:\jdpvv.exec:\jdpvv.exe28⤵
- Executes dropped EXE
-
\??\c:\fllfxxr.exec:\fllfxxr.exe29⤵
- Executes dropped EXE
-
\??\c:\flrrlll.exec:\flrrlll.exe30⤵
- Executes dropped EXE
-
\??\c:\bnnnnt.exec:\bnnnnt.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\nbhttn.exec:\nbhttn.exe32⤵
- Executes dropped EXE
-
\??\c:\dpdpj.exec:\dpdpj.exe33⤵
- Executes dropped EXE
-
\??\c:\fxxxrrl.exec:\fxxxrrl.exe34⤵
- Executes dropped EXE
-
\??\c:\9xxffrl.exec:\9xxffrl.exe35⤵
- Executes dropped EXE
-
\??\c:\btnbnb.exec:\btnbnb.exe36⤵
- Executes dropped EXE
-
\??\c:\9tbtbt.exec:\9tbtbt.exe37⤵
- Executes dropped EXE
-
\??\c:\1jddp.exec:\1jddp.exe38⤵
- Executes dropped EXE
-
\??\c:\jddvp.exec:\jddvp.exe39⤵
- Executes dropped EXE
-
\??\c:\fxxrlff.exec:\fxxrlff.exe40⤵
- Executes dropped EXE
-
\??\c:\xxrllxr.exec:\xxrllxr.exe41⤵
- Executes dropped EXE
-
\??\c:\9bbbtt.exec:\9bbbtt.exe42⤵
- Executes dropped EXE
-
\??\c:\tbhhtt.exec:\tbhhtt.exe43⤵
- Executes dropped EXE
-
\??\c:\vjppp.exec:\vjppp.exe44⤵
- Executes dropped EXE
-
\??\c:\pjpvp.exec:\pjpvp.exe45⤵
- Executes dropped EXE
-
\??\c:\pjdvj.exec:\pjdvj.exe46⤵
- Executes dropped EXE
-
\??\c:\xrlrrlx.exec:\xrlrrlx.exe47⤵
- Executes dropped EXE
-
\??\c:\rxlfxlf.exec:\rxlfxlf.exe48⤵
- Executes dropped EXE
-
\??\c:\hnhbbt.exec:\hnhbbt.exe49⤵
- Executes dropped EXE
-
\??\c:\btnbbb.exec:\btnbbb.exe50⤵
- Executes dropped EXE
-
\??\c:\pjvjv.exec:\pjvjv.exe51⤵
- Executes dropped EXE
-
\??\c:\jvdvj.exec:\jvdvj.exe52⤵
- Executes dropped EXE
-
\??\c:\rrxfxxx.exec:\rrxfxxx.exe53⤵
- Executes dropped EXE
-
\??\c:\lxxxrfx.exec:\lxxxrfx.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\9tnnnn.exec:\9tnnnn.exe55⤵
- Executes dropped EXE
-
\??\c:\thnhnn.exec:\thnhnn.exe56⤵
- Executes dropped EXE
-
\??\c:\vdjjj.exec:\vdjjj.exe57⤵
- Executes dropped EXE
-
\??\c:\dvdvj.exec:\dvdvj.exe58⤵
- Executes dropped EXE
-
\??\c:\3xffxxx.exec:\3xffxxx.exe59⤵
- Executes dropped EXE
-
\??\c:\fxffxxr.exec:\fxffxxr.exe60⤵
- Executes dropped EXE
-
\??\c:\thnhhh.exec:\thnhhh.exe61⤵
- Executes dropped EXE
-
\??\c:\1bhbtt.exec:\1bhbtt.exe62⤵
- Executes dropped EXE
-
\??\c:\jjppj.exec:\jjppj.exe63⤵
- Executes dropped EXE
-
\??\c:\pjjvj.exec:\pjjvj.exe64⤵
- Executes dropped EXE
-
\??\c:\xrxrllf.exec:\xrxrllf.exe65⤵
- Executes dropped EXE
-
\??\c:\rflllll.exec:\rflllll.exe66⤵
-
\??\c:\7ntttt.exec:\7ntttt.exe67⤵
-
\??\c:\bnnhhh.exec:\bnnhhh.exe68⤵
-
\??\c:\9jjpd.exec:\9jjpd.exe69⤵
-
\??\c:\pppdj.exec:\pppdj.exe70⤵
-
\??\c:\flxrlll.exec:\flxrlll.exe71⤵
-
\??\c:\tnttnn.exec:\tnttnn.exe72⤵
- System Location Discovery: System Language Discovery
-
\??\c:\jjdvd.exec:\jjdvd.exe73⤵
-
\??\c:\lxxrrrl.exec:\lxxrrrl.exe74⤵
-
\??\c:\rllrlxr.exec:\rllrlxr.exe75⤵
-
\??\c:\7hbbbb.exec:\7hbbbb.exe76⤵
-
\??\c:\hbhbbb.exec:\hbhbbb.exe77⤵
-
\??\c:\jvddv.exec:\jvddv.exe78⤵
-
\??\c:\pdddd.exec:\pdddd.exe79⤵
-
\??\c:\rllfffr.exec:\rllfffr.exe80⤵
-
\??\c:\tntntt.exec:\tntntt.exe81⤵
- System Location Discovery: System Language Discovery
-
\??\c:\ttbbhh.exec:\ttbbhh.exe82⤵
-
\??\c:\3bhnhh.exec:\3bhnhh.exe83⤵
-
\??\c:\pjvpp.exec:\pjvpp.exe84⤵
-
\??\c:\5vjdp.exec:\5vjdp.exe85⤵
-
\??\c:\xrxrrrr.exec:\xrxrrrr.exe86⤵
- System Location Discovery: System Language Discovery
-
\??\c:\xlllxxr.exec:\xlllxxr.exe87⤵
-
\??\c:\hbtttb.exec:\hbtttb.exe88⤵
-
\??\c:\jjpjj.exec:\jjpjj.exe89⤵
-
\??\c:\djvpd.exec:\djvpd.exe90⤵
-
\??\c:\bbtbth.exec:\bbtbth.exe91⤵
-
\??\c:\hhnhbt.exec:\hhnhbt.exe92⤵
-
\??\c:\vdjdp.exec:\vdjdp.exe93⤵
-
\??\c:\pjvpj.exec:\pjvpj.exe94⤵
-
\??\c:\7xxrllf.exec:\7xxrllf.exe95⤵
-
\??\c:\frrlffx.exec:\frrlffx.exe96⤵
-
\??\c:\tnnhbt.exec:\tnnhbt.exe97⤵
-
\??\c:\btnhbb.exec:\btnhbb.exe98⤵
-
\??\c:\dpvpp.exec:\dpvpp.exe99⤵
-
\??\c:\vdjdp.exec:\vdjdp.exe100⤵
-
\??\c:\dpvvj.exec:\dpvvj.exe101⤵
-
\??\c:\rrffffx.exec:\rrffffx.exe102⤵
-
\??\c:\xfrlffx.exec:\xfrlffx.exe103⤵
- System Location Discovery: System Language Discovery
-
\??\c:\tbhhnn.exec:\tbhhnn.exe104⤵
-
\??\c:\bthbbb.exec:\bthbbb.exe105⤵
-
\??\c:\pjdvj.exec:\pjdvj.exe106⤵
-
\??\c:\vjvvv.exec:\vjvvv.exe107⤵
-
\??\c:\1flxrll.exec:\1flxrll.exe108⤵
-
\??\c:\xrfrfxr.exec:\xrfrfxr.exe109⤵
-
\??\c:\btthth.exec:\btthth.exe110⤵
-
\??\c:\btnhtt.exec:\btnhtt.exe111⤵
-
\??\c:\pvdvp.exec:\pvdvp.exe112⤵
-
\??\c:\5pdvv.exec:\5pdvv.exe113⤵
-
\??\c:\flxxffl.exec:\flxxffl.exe114⤵
-
\??\c:\lxlrxxr.exec:\lxlrxxr.exe115⤵
-
\??\c:\lrxxrll.exec:\lrxxrll.exe116⤵
-
\??\c:\hbbttt.exec:\hbbttt.exe117⤵
-
\??\c:\hnnthn.exec:\hnnthn.exe118⤵
-
\??\c:\9jppp.exec:\9jppp.exe119⤵
-
\??\c:\rrxrllf.exec:\rrxrllf.exe120⤵
-
\??\c:\rfffxxx.exec:\rfffxxx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-