Analysis
-
max time kernel
120s -
max time network
111s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
11-09-2024 21:48
General
-
Target
bfaba925143fe5b888b4fcccbe66a800N.exe
-
Size
68KB
-
MD5
bfaba925143fe5b888b4fcccbe66a800
-
SHA1
05f82d1d603cf7adaabd62e7c5f8e39c0c42679e
-
SHA256
5dc23cf3f9e28d6923d50d11bb0dacb191a24d240a1a36a28781ca145b1ef958
-
SHA512
6955e220af497b33e7cbb3911ff2008871f8ac3f8874c4fd3ec28db70ef3506a6d92fd6b342ddf9030e097da432df9b015673805921913a59700d19c8d0c5b1c
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIsIoAcb:ymb3NkkiQ3mdBjFIsIVcb
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bfaba925143fe5b888b4fcccbe66a800N.exe"C:\Users\Admin\AppData\Local\Temp\bfaba925143fe5b888b4fcccbe66a800N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\thbhtt.exec:\thbhtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jddjd.exec:\jddjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vddjv.exec:\vddjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5xrrllf.exec:\5xrrllf.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\hhnntt.exec:\hhnntt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3jddj.exec:\3jddj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjdp.exec:\dvjdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfffxrl.exec:\lfffxrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tntnnn.exec:\tntnnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddpdv.exec:\ddpdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffffxxx.exec:\ffffxxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3bhbtn.exec:\3bhbtn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvdjv.exec:\vvdjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7lrllll.exec:\7lrllll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxxxxx.exec:\fxxxxxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7hhnhh.exec:\7hhnhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dddpj.exec:\dddpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxlfxf.exec:\lxxlfxf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrfxrrx.exec:\rrfxrrx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvdvv.exec:\vvdvv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dppvd.exec:\dppvd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llfllxx.exec:\llfllxx.exe23⤵
- Executes dropped EXE
-
\??\c:\hbbhbn.exec:\hbbhbn.exe24⤵
- Executes dropped EXE
-
\??\c:\vjddv.exec:\vjddv.exe25⤵
- Executes dropped EXE
-
\??\c:\5djdp.exec:\5djdp.exe26⤵
- Executes dropped EXE
-
\??\c:\llrlfxx.exec:\llrlfxx.exe27⤵
- Executes dropped EXE
-
\??\c:\7bbtbt.exec:\7bbtbt.exe28⤵
- Executes dropped EXE
-
\??\c:\3bhhhn.exec:\3bhhhn.exe29⤵
- Executes dropped EXE
-
\??\c:\pdvvp.exec:\pdvvp.exe30⤵
- Executes dropped EXE
-
\??\c:\lxxrxrr.exec:\lxxrxrr.exe31⤵
- Executes dropped EXE
-
\??\c:\lffrfrr.exec:\lffrfrr.exe32⤵
- Executes dropped EXE
-
\??\c:\nhhhhb.exec:\nhhhhb.exe33⤵
- Executes dropped EXE
-
\??\c:\9jpvv.exec:\9jpvv.exe34⤵
- Executes dropped EXE
-
\??\c:\jvjjv.exec:\jvjjv.exe35⤵
- Executes dropped EXE
-
\??\c:\fxfxxxr.exec:\fxfxxxr.exe36⤵
- Executes dropped EXE
-
\??\c:\xfllfff.exec:\xfllfff.exe37⤵
- Executes dropped EXE
-
\??\c:\htntbh.exec:\htntbh.exe38⤵
- Executes dropped EXE
-
\??\c:\hthbbb.exec:\hthbbb.exe39⤵
- Executes dropped EXE
-
\??\c:\vvddv.exec:\vvddv.exe40⤵
- Executes dropped EXE
-
\??\c:\7ddvj.exec:\7ddvj.exe41⤵
- Executes dropped EXE
-
\??\c:\jdvjv.exec:\jdvjv.exe42⤵
- Executes dropped EXE
-
\??\c:\rxffxll.exec:\rxffxll.exe43⤵
- Executes dropped EXE
-
\??\c:\5xlfxxx.exec:\5xlfxxx.exe44⤵
- Executes dropped EXE
-
\??\c:\btttnn.exec:\btttnn.exe45⤵
- Executes dropped EXE
-
\??\c:\bbnntb.exec:\bbnntb.exe46⤵
- Executes dropped EXE
-
\??\c:\dpvvp.exec:\dpvvp.exe47⤵
- Executes dropped EXE
-
\??\c:\vppjj.exec:\vppjj.exe48⤵
- Executes dropped EXE
-
\??\c:\ffxrlll.exec:\ffxrlll.exe49⤵
- Executes dropped EXE
-
\??\c:\xrxxrrr.exec:\xrxxrrr.exe50⤵
- Executes dropped EXE
-
\??\c:\ttnnnt.exec:\ttnnnt.exe51⤵
- Executes dropped EXE
-
\??\c:\tntttt.exec:\tntttt.exe52⤵
- Executes dropped EXE
-
\??\c:\vpddv.exec:\vpddv.exe53⤵
- Executes dropped EXE
-
\??\c:\1vddd.exec:\1vddd.exe54⤵
- Executes dropped EXE
-
\??\c:\rlrlrxf.exec:\rlrlrxf.exe55⤵
- Executes dropped EXE
-
\??\c:\rrllflf.exec:\rrllflf.exe56⤵
- Executes dropped EXE
-
\??\c:\ttntnn.exec:\ttntnn.exe57⤵
- Executes dropped EXE
-
\??\c:\tthnht.exec:\tthnht.exe58⤵
- Executes dropped EXE
-
\??\c:\pjjpd.exec:\pjjpd.exe59⤵
- Executes dropped EXE
-
\??\c:\jpdvp.exec:\jpdvp.exe60⤵
- Executes dropped EXE
-
\??\c:\xlrlllf.exec:\xlrlllf.exe61⤵
- Executes dropped EXE
-
\??\c:\7llllll.exec:\7llllll.exe62⤵
- Executes dropped EXE
-
\??\c:\thbbhn.exec:\thbbhn.exe63⤵
- Executes dropped EXE
-
\??\c:\5pvpd.exec:\5pvpd.exe64⤵
- Executes dropped EXE
-
\??\c:\dvvvv.exec:\dvvvv.exe65⤵
- Executes dropped EXE
-
\??\c:\lxxlfff.exec:\lxxlfff.exe66⤵
-
\??\c:\xlrllfx.exec:\xlrllfx.exe67⤵
-
\??\c:\bhthtb.exec:\bhthtb.exe68⤵
-
\??\c:\hbnhnn.exec:\hbnhnn.exe69⤵
-
\??\c:\vpdjv.exec:\vpdjv.exe70⤵
-
\??\c:\vjvvv.exec:\vjvvv.exe71⤵
-
\??\c:\rxfxllx.exec:\rxfxllx.exe72⤵
-
\??\c:\nhnhnh.exec:\nhnhnh.exe73⤵
-
\??\c:\ttnnnt.exec:\ttnnnt.exe74⤵
-
\??\c:\9dppp.exec:\9dppp.exe75⤵
-
\??\c:\fxffxxx.exec:\fxffxxx.exe76⤵
-
\??\c:\bbnhtt.exec:\bbnhtt.exe77⤵
-
\??\c:\3nbbnt.exec:\3nbbnt.exe78⤵
-
\??\c:\pvdjd.exec:\pvdjd.exe79⤵
-
\??\c:\vpddd.exec:\vpddd.exe80⤵
-
\??\c:\9lllflf.exec:\9lllflf.exe81⤵
-
\??\c:\fxxxxrr.exec:\fxxxxrr.exe82⤵
-
\??\c:\bnntbb.exec:\bnntbb.exe83⤵
-
\??\c:\bbbtnt.exec:\bbbtnt.exe84⤵
-
\??\c:\ddvvp.exec:\ddvvp.exe85⤵
-
\??\c:\llrrfrx.exec:\llrrfrx.exe86⤵
-
\??\c:\7nntnn.exec:\7nntnn.exe87⤵
-
\??\c:\9vvpj.exec:\9vvpj.exe88⤵
-
\??\c:\jdjjj.exec:\jdjjj.exe89⤵
-
\??\c:\7xrrlll.exec:\7xrrlll.exe90⤵
-
\??\c:\7lrxxxx.exec:\7lrxxxx.exe91⤵
-
\??\c:\nhttnn.exec:\nhttnn.exe92⤵
-
\??\c:\nhnnnn.exec:\nhnnnn.exe93⤵
-
\??\c:\dpddj.exec:\dpddj.exe94⤵
-
\??\c:\xrlffff.exec:\xrlffff.exe95⤵
-
\??\c:\rrxllrl.exec:\rrxllrl.exe96⤵
-
\??\c:\nnhhht.exec:\nnhhht.exe97⤵
-
\??\c:\hhbhht.exec:\hhbhht.exe98⤵
-
\??\c:\dpjvv.exec:\dpjvv.exe99⤵
-
\??\c:\jvjdv.exec:\jvjdv.exe100⤵
-
\??\c:\llrrxfl.exec:\llrrxfl.exe101⤵
-
\??\c:\ffffffx.exec:\ffffffx.exe102⤵
-
\??\c:\xrxrrrf.exec:\xrxrrrf.exe103⤵
-
\??\c:\hnbnnn.exec:\hnbnnn.exe104⤵
-
\??\c:\jpvpj.exec:\jpvpj.exe105⤵
-
\??\c:\rflfrlf.exec:\rflfrlf.exe106⤵
-
\??\c:\llrlfxr.exec:\llrlfxr.exe107⤵
-
\??\c:\htbtnn.exec:\htbtnn.exe108⤵
-
\??\c:\bttnbb.exec:\bttnbb.exe109⤵
-
\??\c:\dvjdp.exec:\dvjdp.exe110⤵
-
\??\c:\9dvpj.exec:\9dvpj.exe111⤵
-
\??\c:\1pjjd.exec:\1pjjd.exe112⤵
-
\??\c:\frlfxrl.exec:\frlfxrl.exe113⤵
-
\??\c:\lflxrxr.exec:\lflxrxr.exe114⤵
-
\??\c:\nbbbbh.exec:\nbbbbh.exe115⤵
-
\??\c:\tnhhbh.exec:\tnhhbh.exe116⤵
-
\??\c:\vdpvj.exec:\vdpvj.exe117⤵
-
\??\c:\jdjjv.exec:\jdjjv.exe118⤵
-
\??\c:\xrfxrrr.exec:\xrfxrrr.exe119⤵
-
\??\c:\5rfxrrl.exec:\5rfxrrl.exe120⤵
-
\??\c:\9htnnn.exec:\9htnnn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-