Analysis
-
max time kernel
120s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
05-09-2024 12:34
General
-
Target
ee1f72111c0cedfbd9c336326b09a7a0N.exe
-
Size
64KB
-
MD5
ee1f72111c0cedfbd9c336326b09a7a0
-
SHA1
39c552d056486d65884f18b575e80002f4febf55
-
SHA256
b0c0ff30c0e52ec86e184ca94f809557a39ae9837d57d107dc3d9533f98c541f
-
SHA512
17f47863480fadd4afbaacc2065bbba5d52cdb75969eacc6228e6395895d9ebe3f0be73f6cfff9226b955c4fd140e131d2d055b5c8cf769db9f09509c92148e8
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIkpi+qPt31:ymb3NkkiQ3mdBjFIj+qX
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 32 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee1f72111c0cedfbd9c336326b09a7a0N.exe"C:\Users\Admin\AppData\Local\Temp\ee1f72111c0cedfbd9c336326b09a7a0N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjjd.exec:\jjjjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvpd.exec:\pjvpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fffxrrx.exec:\fffxrrx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttbtnn.exec:\ttbtnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvdd.exec:\dvvdd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfllfff.exec:\lfllfff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hthtbb.exec:\hthtbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpvvp.exec:\dpvvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvpv.exec:\pdvpv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llfrllf.exec:\llfrllf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnnnhn.exec:\bnnnhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9dvvp.exec:\9dvvp.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\jdddv.exec:\jdddv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7rxrlll.exec:\7rxrlll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnnnn.exec:\hbnnnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjdv.exec:\dvjdv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rllffff.exec:\rllffff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhhbb.exec:\hbhhbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnttbh.exec:\tnttbh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvdvv.exec:\dvdvv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfffxxx.exec:\lfffxxx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnbhn.exec:\btnbhn.exe23⤵
- Executes dropped EXE
-
\??\c:\nbnnhb.exec:\nbnnhb.exe24⤵
- Executes dropped EXE
-
\??\c:\5djdv.exec:\5djdv.exe25⤵
- Executes dropped EXE
-
\??\c:\jdddv.exec:\jdddv.exe26⤵
- Executes dropped EXE
-
\??\c:\lfllfff.exec:\lfllfff.exe27⤵
- Executes dropped EXE
-
\??\c:\3nnnnb.exec:\3nnnnb.exe28⤵
- Executes dropped EXE
-
\??\c:\nbbnhb.exec:\nbbnhb.exe29⤵
- Executes dropped EXE
-
\??\c:\jdjjj.exec:\jdjjj.exe30⤵
- Executes dropped EXE
-
\??\c:\rrfffxr.exec:\rrfffxr.exe31⤵
- Executes dropped EXE
-
\??\c:\rxflrxx.exec:\rxflrxx.exe32⤵
- Executes dropped EXE
-
\??\c:\tnbbnn.exec:\tnbbnn.exe33⤵
- Executes dropped EXE
-
\??\c:\nthbnb.exec:\nthbnb.exe34⤵
- Executes dropped EXE
-
\??\c:\dvppd.exec:\dvppd.exe35⤵
- Executes dropped EXE
-
\??\c:\3djjd.exec:\3djjd.exe36⤵
- Executes dropped EXE
-
\??\c:\lxfxlrl.exec:\lxfxlrl.exe37⤵
- Executes dropped EXE
-
\??\c:\bntnhh.exec:\bntnhh.exe38⤵
- Executes dropped EXE
-
\??\c:\hbhhnt.exec:\hbhhnt.exe39⤵
- Executes dropped EXE
-
\??\c:\dddvp.exec:\dddvp.exe40⤵
- Executes dropped EXE
-
\??\c:\frxrflf.exec:\frxrflf.exe41⤵
- Executes dropped EXE
-
\??\c:\7rrlxff.exec:\7rrlxff.exe42⤵
- Executes dropped EXE
-
\??\c:\bbhhbh.exec:\bbhhbh.exe43⤵
- Executes dropped EXE
-
\??\c:\nhnhnn.exec:\nhnhnn.exe44⤵
- Executes dropped EXE
-
\??\c:\pjjjd.exec:\pjjjd.exe45⤵
- Executes dropped EXE
-
\??\c:\fffxrrr.exec:\fffxrrr.exe46⤵
- Executes dropped EXE
-
\??\c:\ffxrrxx.exec:\ffxrrxx.exe47⤵
- Executes dropped EXE
-
\??\c:\xrlfrxr.exec:\xrlfrxr.exe48⤵
- Executes dropped EXE
-
\??\c:\9btnnn.exec:\9btnnn.exe49⤵
- Executes dropped EXE
-
\??\c:\nhnhhh.exec:\nhnhhh.exe50⤵
- Executes dropped EXE
-
\??\c:\jpppj.exec:\jpppj.exe51⤵
- Executes dropped EXE
-
\??\c:\jvjdd.exec:\jvjdd.exe52⤵
- Executes dropped EXE
-
\??\c:\rxxxrrr.exec:\rxxxrrr.exe53⤵
- Executes dropped EXE
-
\??\c:\ffllffx.exec:\ffllffx.exe54⤵
- Executes dropped EXE
-
\??\c:\ttbbhh.exec:\ttbbhh.exe55⤵
- Executes dropped EXE
-
\??\c:\hbbbth.exec:\hbbbth.exe56⤵
- Executes dropped EXE
-
\??\c:\pvjdv.exec:\pvjdv.exe57⤵
- Executes dropped EXE
-
\??\c:\1jjdv.exec:\1jjdv.exe58⤵
- Executes dropped EXE
-
\??\c:\xlxrllr.exec:\xlxrllr.exe59⤵
- Executes dropped EXE
-
\??\c:\fxlllff.exec:\fxlllff.exe60⤵
- Executes dropped EXE
-
\??\c:\htnntt.exec:\htnntt.exe61⤵
- Executes dropped EXE
-
\??\c:\hthbtt.exec:\hthbtt.exe62⤵
- Executes dropped EXE
-
\??\c:\ppvvd.exec:\ppvvd.exe63⤵
- Executes dropped EXE
-
\??\c:\dpvpd.exec:\dpvpd.exe64⤵
- Executes dropped EXE
-
\??\c:\lfffxxr.exec:\lfffxxr.exe65⤵
- Executes dropped EXE
-
\??\c:\llrlffr.exec:\llrlffr.exe66⤵
-
\??\c:\bhnttt.exec:\bhnttt.exe67⤵
-
\??\c:\dvddd.exec:\dvddd.exe68⤵
-
\??\c:\djdjd.exec:\djdjd.exe69⤵
-
\??\c:\jddvp.exec:\jddvp.exe70⤵
-
\??\c:\fxrrrrr.exec:\fxrrrrr.exe71⤵
-
\??\c:\hntbbb.exec:\hntbbb.exe72⤵
-
\??\c:\hhnnhn.exec:\hhnnhn.exe73⤵
-
\??\c:\jddvj.exec:\jddvj.exe74⤵
-
\??\c:\jjjjd.exec:\jjjjd.exe75⤵
-
\??\c:\3vddp.exec:\3vddp.exe76⤵
-
\??\c:\lxfxllx.exec:\lxfxllx.exe77⤵
-
\??\c:\ntttnn.exec:\ntttnn.exe78⤵
-
\??\c:\hntnbb.exec:\hntnbb.exe79⤵
-
\??\c:\dvvpj.exec:\dvvpj.exe80⤵
-
\??\c:\dpppd.exec:\dpppd.exe81⤵
-
\??\c:\pdppp.exec:\pdppp.exe82⤵
-
\??\c:\lxrrfxx.exec:\lxrrfxx.exe83⤵
-
\??\c:\lxxxxxr.exec:\lxxxxxr.exe84⤵
-
\??\c:\tttnnn.exec:\tttnnn.exe85⤵
-
\??\c:\tbbhtt.exec:\tbbhtt.exe86⤵
-
\??\c:\ppdvp.exec:\ppdvp.exe87⤵
-
\??\c:\jjjdv.exec:\jjjdv.exe88⤵
-
\??\c:\thhhhn.exec:\thhhhn.exe89⤵
-
\??\c:\vpvdv.exec:\vpvdv.exe90⤵
-
\??\c:\jdpjp.exec:\jdpjp.exe91⤵
-
\??\c:\pjpdv.exec:\pjpdv.exe92⤵
-
\??\c:\rfrlxxx.exec:\rfrlxxx.exe93⤵
-
\??\c:\fxfxlll.exec:\fxfxlll.exe94⤵
-
\??\c:\btbtnn.exec:\btbtnn.exe95⤵
-
\??\c:\vdvvj.exec:\vdvvj.exe96⤵
-
\??\c:\jddvv.exec:\jddvv.exe97⤵
-
\??\c:\flllfff.exec:\flllfff.exe98⤵
-
\??\c:\rxlllff.exec:\rxlllff.exe99⤵
-
\??\c:\hhtthh.exec:\hhtthh.exe100⤵
-
\??\c:\pjjjj.exec:\pjjjj.exe101⤵
-
\??\c:\fxfrxlr.exec:\fxfrxlr.exe102⤵
-
\??\c:\fxfllrr.exec:\fxfllrr.exe103⤵
-
\??\c:\llllfll.exec:\llllfll.exe104⤵
-
\??\c:\bbhhnt.exec:\bbhhnt.exe105⤵
-
\??\c:\3nthbh.exec:\3nthbh.exe106⤵
-
\??\c:\jjppp.exec:\jjppp.exe107⤵
-
\??\c:\pppjd.exec:\pppjd.exe108⤵
-
\??\c:\flflrrx.exec:\flflrrx.exe109⤵
-
\??\c:\lflffff.exec:\lflffff.exe110⤵
-
\??\c:\nbbnbt.exec:\nbbnbt.exe111⤵
-
\??\c:\nbbhhn.exec:\nbbhhn.exe112⤵
-
\??\c:\vdjdv.exec:\vdjdv.exe113⤵
-
\??\c:\jdjdv.exec:\jdjdv.exe114⤵
-
\??\c:\rxxxxfr.exec:\rxxxxfr.exe115⤵
-
\??\c:\xfflllf.exec:\xfflllf.exe116⤵
- System Location Discovery: System Language Discovery
-
\??\c:\thtbnn.exec:\thtbnn.exe117⤵
-
\??\c:\ttnhbb.exec:\ttnhbb.exe118⤵
-
\??\c:\pjvpj.exec:\pjvpj.exe119⤵
-
\??\c:\jpvvj.exec:\jpvvj.exe120⤵
-
\??\c:\rlxrrrx.exec:\rlxrrrx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-