Analysis
-
max time kernel
150s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
07-09-2024 18:22
General
-
Target
060391c7188c22580ae9278525b6a427746c4629cdf5c393f6e2b5d24f585c60.exe
-
Size
64KB
-
MD5
b4988fec4542896684d24990aef04412
-
SHA1
e98f6dcd7121bbf51cbdea53418d1acd647a1ae7
-
SHA256
060391c7188c22580ae9278525b6a427746c4629cdf5c393f6e2b5d24f585c60
-
SHA512
6eaeb84effff8c600c8751bd45843e635f330380ded234ae149a3e5ff19eceb6b239125de2eaf5a61e4be374539fb1a2fdfb74a1c510b98d203392bdffce6ebd
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDI9L27mS:ymb3NkkiQ3mdBjFI9W
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\060391c7188c22580ae9278525b6a427746c4629cdf5c393f6e2b5d24f585c60.exe"C:\Users\Admin\AppData\Local\Temp\060391c7188c22580ae9278525b6a427746c4629cdf5c393f6e2b5d24f585c60.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxlxrl.exec:\rfxlxrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhbtt.exec:\nbhbtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvvjv.exec:\jvvjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1vpdd.exec:\1vpdd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxffrlf.exec:\fxffrlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7bttnh.exec:\7bttnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7nnbnh.exec:\7nnbnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5vddp.exec:\5vddp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thnbtn.exec:\thnbtn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjpdd.exec:\vjpdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvdvp.exec:\jvdvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frrlfxl.exec:\frrlfxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7thhbb.exec:\7thhbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhbhb.exec:\nnhbhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5jvpj.exec:\5jvpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffxlffx.exec:\ffxlffx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htnntt.exec:\htnntt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnntht.exec:\hnntht.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpvpj.exec:\vpvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxlxxl.exec:\xlxlxxl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbnbhb.exec:\nbnbhb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1hnbbh.exec:\1hnbbh.exe23⤵
- Executes dropped EXE
-
\??\c:\dvjdp.exec:\dvjdp.exe24⤵
- Executes dropped EXE
-
\??\c:\1flfllr.exec:\1flfllr.exe25⤵
- Executes dropped EXE
-
\??\c:\bbnntt.exec:\bbnntt.exe26⤵
- Executes dropped EXE
-
\??\c:\ppdvv.exec:\ppdvv.exe27⤵
- Executes dropped EXE
-
\??\c:\jpddv.exec:\jpddv.exe28⤵
- Executes dropped EXE
-
\??\c:\9ffxrrl.exec:\9ffxrrl.exe29⤵
- Executes dropped EXE
-
\??\c:\xxxrffx.exec:\xxxrffx.exe30⤵
- Executes dropped EXE
-
\??\c:\nhtnbb.exec:\nhtnbb.exe31⤵
- Executes dropped EXE
-
\??\c:\vpvdv.exec:\vpvdv.exe32⤵
- Executes dropped EXE
-
\??\c:\llfllrr.exec:\llfllrr.exe33⤵
- Executes dropped EXE
-
\??\c:\lfllfxr.exec:\lfllfxr.exe34⤵
- Executes dropped EXE
-
\??\c:\nnnhhb.exec:\nnnhhb.exe35⤵
- Executes dropped EXE
-
\??\c:\djppj.exec:\djppj.exe36⤵
- Executes dropped EXE
-
\??\c:\rflfrlx.exec:\rflfrlx.exe37⤵
- Executes dropped EXE
-
\??\c:\ntbntn.exec:\ntbntn.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\nhnbbb.exec:\nhnbbb.exe39⤵
- Executes dropped EXE
-
\??\c:\pjvpd.exec:\pjvpd.exe40⤵
- Executes dropped EXE
-
\??\c:\lfxlfff.exec:\lfxlfff.exe41⤵
- Executes dropped EXE
-
\??\c:\lffffxf.exec:\lffffxf.exe42⤵
- Executes dropped EXE
-
\??\c:\tbtnbt.exec:\tbtnbt.exe43⤵
- Executes dropped EXE
-
\??\c:\tntnbh.exec:\tntnbh.exe44⤵
- Executes dropped EXE
-
\??\c:\jdpjd.exec:\jdpjd.exe45⤵
- Executes dropped EXE
-
\??\c:\3vpjv.exec:\3vpjv.exe46⤵
- Executes dropped EXE
-
\??\c:\3xffrrl.exec:\3xffrrl.exe47⤵
- Executes dropped EXE
-
\??\c:\fxxrllf.exec:\fxxrllf.exe48⤵
- Executes dropped EXE
-
\??\c:\hhhbtt.exec:\hhhbtt.exe49⤵
- Executes dropped EXE
-
\??\c:\nnhhtt.exec:\nnhhtt.exe50⤵
- Executes dropped EXE
-
\??\c:\dvdpj.exec:\dvdpj.exe51⤵
- Executes dropped EXE
-
\??\c:\3vpjv.exec:\3vpjv.exe52⤵
- Executes dropped EXE
-
\??\c:\ffllrrx.exec:\ffllrrx.exe53⤵
- Executes dropped EXE
-
\??\c:\rffxrlx.exec:\rffxrlx.exe54⤵
- Executes dropped EXE
-
\??\c:\3tbnhb.exec:\3tbnhb.exe55⤵
- Executes dropped EXE
-
\??\c:\hhbnhn.exec:\hhbnhn.exe56⤵
- Executes dropped EXE
-
\??\c:\jjpjv.exec:\jjpjv.exe57⤵
- Executes dropped EXE
-
\??\c:\1vvvj.exec:\1vvvj.exe58⤵
- Executes dropped EXE
-
\??\c:\3llfrrf.exec:\3llfrrf.exe59⤵
- Executes dropped EXE
-
\??\c:\rlrxxxx.exec:\rlrxxxx.exe60⤵
- Executes dropped EXE
-
\??\c:\nnhhbb.exec:\nnhhbb.exe61⤵
- Executes dropped EXE
-
\??\c:\bbbbhn.exec:\bbbbhn.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\ppdvj.exec:\ppdvj.exe63⤵
- Executes dropped EXE
-
\??\c:\ppjjd.exec:\ppjjd.exe64⤵
- Executes dropped EXE
-
\??\c:\5rrlfxr.exec:\5rrlfxr.exe65⤵
- Executes dropped EXE
-
\??\c:\fxxrlxr.exec:\fxxrlxr.exe66⤵
-
\??\c:\thbthh.exec:\thbthh.exe67⤵
-
\??\c:\bbthbb.exec:\bbthbb.exe68⤵
-
\??\c:\7jdjd.exec:\7jdjd.exe69⤵
-
\??\c:\vvjjd.exec:\vvjjd.exe70⤵
-
\??\c:\rlfflll.exec:\rlfflll.exe71⤵
-
\??\c:\rrllrrx.exec:\rrllrrx.exe72⤵
-
\??\c:\btbthh.exec:\btbthh.exe73⤵
-
\??\c:\httnnn.exec:\httnnn.exe74⤵
-
\??\c:\pjvjd.exec:\pjvjd.exe75⤵
-
\??\c:\djjdv.exec:\djjdv.exe76⤵
-
\??\c:\3fxlffx.exec:\3fxlffx.exe77⤵
-
\??\c:\btbtbn.exec:\btbtbn.exe78⤵
- System Location Discovery: System Language Discovery
-
\??\c:\3bhtnh.exec:\3bhtnh.exe79⤵
-
\??\c:\ppjdp.exec:\ppjdp.exe80⤵
-
\??\c:\vpvjj.exec:\vpvjj.exe81⤵
-
\??\c:\7lfxrlf.exec:\7lfxrlf.exe82⤵
-
\??\c:\tthhhh.exec:\tthhhh.exe83⤵
-
\??\c:\vjdpj.exec:\vjdpj.exe84⤵
-
\??\c:\7xrlxxl.exec:\7xrlxxl.exe85⤵
-
\??\c:\lfrlfxr.exec:\lfrlfxr.exe86⤵
-
\??\c:\hnhhbt.exec:\hnhhbt.exe87⤵
-
\??\c:\3tntht.exec:\3tntht.exe88⤵
-
\??\c:\hbbthb.exec:\hbbthb.exe89⤵
-
\??\c:\9jpjj.exec:\9jpjj.exe90⤵
-
\??\c:\vvvpj.exec:\vvvpj.exe91⤵
-
\??\c:\3lllxlf.exec:\3lllxlf.exe92⤵
-
\??\c:\5rxllll.exec:\5rxllll.exe93⤵
-
\??\c:\bbtttt.exec:\bbtttt.exe94⤵
-
\??\c:\pjvjv.exec:\pjvjv.exe95⤵
-
\??\c:\jjjdp.exec:\jjjdp.exe96⤵
-
\??\c:\5jpjd.exec:\5jpjd.exe97⤵
-
\??\c:\lrrlffx.exec:\lrrlffx.exe98⤵
-
\??\c:\9flfrrl.exec:\9flfrrl.exe99⤵
-
\??\c:\btnnhh.exec:\btnnhh.exe100⤵
-
\??\c:\nhhbtt.exec:\nhhbtt.exe101⤵
-
\??\c:\pdddv.exec:\pdddv.exe102⤵
-
\??\c:\9vvpd.exec:\9vvpd.exe103⤵
-
\??\c:\xrrlllf.exec:\xrrlllf.exe104⤵
-
\??\c:\tthhnn.exec:\tthhnn.exe105⤵
-
\??\c:\nhhbtt.exec:\nhhbtt.exe106⤵
-
\??\c:\5jjjj.exec:\5jjjj.exe107⤵
-
\??\c:\ffxrrrl.exec:\ffxrrrl.exe108⤵
-
\??\c:\xrxffrf.exec:\xrxffrf.exe109⤵
-
\??\c:\bnhtnh.exec:\bnhtnh.exe110⤵
- System Location Discovery: System Language Discovery
-
\??\c:\jdvpj.exec:\jdvpj.exe111⤵
-
\??\c:\pjpdd.exec:\pjpdd.exe112⤵
-
\??\c:\dpjdp.exec:\dpjdp.exe113⤵
-
\??\c:\llrrxxf.exec:\llrrxxf.exe114⤵
-
\??\c:\xrlrfrl.exec:\xrlrfrl.exe115⤵
-
\??\c:\bnnhbt.exec:\bnnhbt.exe116⤵
-
\??\c:\vpjvp.exec:\vpjvp.exe117⤵
-
\??\c:\1jpjd.exec:\1jpjd.exe118⤵
-
\??\c:\3rfxffl.exec:\3rfxffl.exe119⤵
-
\??\c:\xfllffx.exec:\xfllffx.exe120⤵
-
\??\c:\1tbnhn.exec:\1tbnhn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-