Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
06-09-2024 16:27
General
-
Target
490e934f46974786dab38398928dc4f0N.exe
-
Size
106KB
-
MD5
490e934f46974786dab38398928dc4f0
-
SHA1
ed18d4739888f3844bcaf8a372c405b7414013a2
-
SHA256
aff61582365b4b40262a068c03faf58711e3c58febc67a8009c2c4c7c0c11da3
-
SHA512
954f945ca0ad67512d132463ca48667d8fae70d40e2a8884dcfb789a2bcc499c1541fbe9f4a0fb2c7b43c891c0f728fc0f2410fdd52654d8ea73f7c074d8b9b3
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73PYP1lri3KVT+buwUGu3P3CmC+:n3C9BRo7MlrWKVT+buBGu3PHC+
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 29 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 32 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\490e934f46974786dab38398928dc4f0N.exe"C:\Users\Admin\AppData\Local\Temp\490e934f46974786dab38398928dc4f0N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\jdpdj.exec:\jdpdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\w82086.exec:\w82086.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\04648.exec:\04648.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9xxlxxl.exec:\9xxlxxl.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\06604.exec:\06604.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6082648.exec:\6082648.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxrlxr.exec:\rlxrlxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1xflflx.exec:\1xflflx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnnntt.exec:\bnnntt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fffxlfx.exec:\fffxlfx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\40004.exec:\40004.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fllrxff.exec:\fllrxff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffxxllx.exec:\ffxxllx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0062644.exec:\0062644.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntnhbh.exec:\ntnhbh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpjd.exec:\dvpjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnbtt.exec:\btnbtt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbbtt.exec:\nhbbtt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjvj.exec:\jjjvj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\820000.exec:\820000.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjddd.exec:\jjddd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\q44826.exec:\q44826.exe23⤵
- Executes dropped EXE
-
\??\c:\rlxxxrf.exec:\rlxxxrf.exe24⤵
- Executes dropped EXE
-
\??\c:\w68444.exec:\w68444.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\884646.exec:\884646.exe26⤵
- Executes dropped EXE
-
\??\c:\2860044.exec:\2860044.exe27⤵
- Executes dropped EXE
-
\??\c:\4644888.exec:\4644888.exe28⤵
- Executes dropped EXE
-
\??\c:\0426224.exec:\0426224.exe29⤵
- Executes dropped EXE
-
\??\c:\hhnnbb.exec:\hhnnbb.exe30⤵
- Executes dropped EXE
-
\??\c:\0068288.exec:\0068288.exe31⤵
- Executes dropped EXE
-
\??\c:\606222.exec:\606222.exe32⤵
- Executes dropped EXE
-
\??\c:\i406668.exec:\i406668.exe33⤵
- Executes dropped EXE
-
\??\c:\440822.exec:\440822.exe34⤵
- Executes dropped EXE
-
\??\c:\bhhnbb.exec:\bhhnbb.exe35⤵
- Executes dropped EXE
-
\??\c:\0066000.exec:\0066000.exe36⤵
- Executes dropped EXE
-
\??\c:\2448260.exec:\2448260.exe37⤵
- Executes dropped EXE
-
\??\c:\i026666.exec:\i026666.exe38⤵
- Executes dropped EXE
-
\??\c:\rrrfrxl.exec:\rrrfrxl.exe39⤵
- Executes dropped EXE
-
\??\c:\44622.exec:\44622.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\e24844.exec:\e24844.exe41⤵
- Executes dropped EXE
-
\??\c:\684428.exec:\684428.exe42⤵
- Executes dropped EXE
-
\??\c:\6888888.exec:\6888888.exe43⤵
- Executes dropped EXE
-
\??\c:\rllllrr.exec:\rllllrr.exe44⤵
- Executes dropped EXE
-
\??\c:\fxrlxxf.exec:\fxrlxxf.exe45⤵
- Executes dropped EXE
-
\??\c:\02822.exec:\02822.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\i000444.exec:\i000444.exe47⤵
- Executes dropped EXE
-
\??\c:\82882.exec:\82882.exe48⤵
- Executes dropped EXE
-
\??\c:\vdjdj.exec:\vdjdj.exe49⤵
- Executes dropped EXE
-
\??\c:\tbnnhh.exec:\tbnnhh.exe50⤵
- Executes dropped EXE
-
\??\c:\bthbbb.exec:\bthbbb.exe51⤵
- Executes dropped EXE
-
\??\c:\220840.exec:\220840.exe52⤵
- Executes dropped EXE
-
\??\c:\20082.exec:\20082.exe53⤵
- Executes dropped EXE
-
\??\c:\ttbthh.exec:\ttbthh.exe54⤵
- Executes dropped EXE
-
\??\c:\s0000.exec:\s0000.exe55⤵
- Executes dropped EXE
-
\??\c:\pdddv.exec:\pdddv.exe56⤵
- Executes dropped EXE
-
\??\c:\602288.exec:\602288.exe57⤵
- Executes dropped EXE
-
\??\c:\08660.exec:\08660.exe58⤵
- Executes dropped EXE
-
\??\c:\c000884.exec:\c000884.exe59⤵
- Executes dropped EXE
-
\??\c:\680222.exec:\680222.exe60⤵
- Executes dropped EXE
-
\??\c:\g8000.exec:\g8000.exe61⤵
- Executes dropped EXE
-
\??\c:\hbhhnn.exec:\hbhhnn.exe62⤵
- Executes dropped EXE
-
\??\c:\6004822.exec:\6004822.exe63⤵
- Executes dropped EXE
-
\??\c:\ddddd.exec:\ddddd.exe64⤵
- Executes dropped EXE
-
\??\c:\hbtttt.exec:\hbtttt.exe65⤵
- Executes dropped EXE
-
\??\c:\40648.exec:\40648.exe66⤵
-
\??\c:\4680444.exec:\4680444.exe67⤵
-
\??\c:\k22260.exec:\k22260.exe68⤵
-
\??\c:\rlrlllx.exec:\rlrlllx.exe69⤵
-
\??\c:\2888222.exec:\2888222.exe70⤵
-
\??\c:\9dpvp.exec:\9dpvp.exe71⤵
-
\??\c:\262828.exec:\262828.exe72⤵
-
\??\c:\7ddjd.exec:\7ddjd.exe73⤵
-
\??\c:\800260.exec:\800260.exe74⤵
-
\??\c:\nthhbb.exec:\nthhbb.exe75⤵
-
\??\c:\9lrrrrf.exec:\9lrrrrf.exe76⤵
-
\??\c:\462260.exec:\462260.exe77⤵
-
\??\c:\pjdvp.exec:\pjdvp.exe78⤵
-
\??\c:\lfffxxf.exec:\lfffxxf.exe79⤵
-
\??\c:\02826.exec:\02826.exe80⤵
-
\??\c:\5ffxxxf.exec:\5ffxxxf.exe81⤵
-
\??\c:\lfxfxll.exec:\lfxfxll.exe82⤵
-
\??\c:\ntbtnn.exec:\ntbtnn.exe83⤵
-
\??\c:\2022222.exec:\2022222.exe84⤵
-
\??\c:\842862.exec:\842862.exe85⤵
-
\??\c:\xrlrlxr.exec:\xrlrlxr.exe86⤵
-
\??\c:\jjpdp.exec:\jjpdp.exe87⤵
-
\??\c:\nhhbtt.exec:\nhhbtt.exe88⤵
-
\??\c:\e64628.exec:\e64628.exe89⤵
-
\??\c:\nhhhnn.exec:\nhhhnn.exe90⤵
-
\??\c:\fffflfl.exec:\fffflfl.exe91⤵
-
\??\c:\48448.exec:\48448.exe92⤵
-
\??\c:\rlllxxf.exec:\rlllxxf.exe93⤵
-
\??\c:\a2222.exec:\a2222.exe94⤵
-
\??\c:\8426222.exec:\8426222.exe95⤵
-
\??\c:\hhbbbb.exec:\hhbbbb.exe96⤵
-
\??\c:\vjppp.exec:\vjppp.exe97⤵
-
\??\c:\htnnhn.exec:\htnnhn.exe98⤵
-
\??\c:\i222646.exec:\i222646.exe99⤵
-
\??\c:\7btnht.exec:\7btnht.exe100⤵
-
\??\c:\dvpjp.exec:\dvpjp.exe101⤵
-
\??\c:\ppddd.exec:\ppddd.exe102⤵
-
\??\c:\bttnhh.exec:\bttnhh.exe103⤵
-
\??\c:\8066060.exec:\8066060.exe104⤵
-
\??\c:\ttnhhh.exec:\ttnhhh.exe105⤵
-
\??\c:\bhtbnn.exec:\bhtbnn.exe106⤵
-
\??\c:\jjvvd.exec:\jjvvd.exe107⤵
-
\??\c:\xxllffx.exec:\xxllffx.exe108⤵
-
\??\c:\rfrlfrl.exec:\rfrlfrl.exe109⤵
-
\??\c:\rlxxffl.exec:\rlxxffl.exe110⤵
-
\??\c:\rfrrxfx.exec:\rfrrxfx.exe111⤵
-
\??\c:\2222444.exec:\2222444.exe112⤵
-
\??\c:\w40480.exec:\w40480.exe113⤵
-
\??\c:\2028666.exec:\2028666.exe114⤵
-
\??\c:\bnnnnn.exec:\bnnnnn.exe115⤵
-
\??\c:\bnbtnn.exec:\bnbtnn.exe116⤵
-
\??\c:\vvvpj.exec:\vvvpj.exe117⤵
-
\??\c:\dvvpv.exec:\dvvpv.exe118⤵
-
\??\c:\jjddv.exec:\jjddv.exe119⤵
-
\??\c:\jdvpp.exec:\jdvpp.exe120⤵
-
\??\c:\i660882.exec:\i660882.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-