Analysis
-
max time kernel
120s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
11-09-2024 08:04
General
-
Target
6f5c589d3adacd26919bac7eaf987540N.exe
-
Size
589KB
-
MD5
6f5c589d3adacd26919bac7eaf987540
-
SHA1
2d580faca35e9e88b3075a5cb85ffc08e1b58634
-
SHA256
9d4ab1dc9029542ab5b7d6447f63c9a5023ff260a23f89ed608d172a4d653888
-
SHA512
a1144bdfb826c9a4e3533c513824f90c6d682233609d6eca3e4ac276b38b604c92a8fc5f32c6be38ee2c8d6da9dcd95bc2101d47888b68d5df223721f08684f3
-
SSDEEP
6144:n3C9BRIj+ebjcSbcY+CaQdaFOY4iGFYtRdzzoyYxJAyfgayu:n3C9Lebz+xt4vFeFmgayu
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 27 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 35 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f5c589d3adacd26919bac7eaf987540N.exe"C:\Users\Admin\AppData\Local\Temp\6f5c589d3adacd26919bac7eaf987540N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxrlrl.exec:\xlxrlrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntbtnn.exec:\ntbtnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7dvpp.exec:\7dvpp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3frfxrr.exec:\3frfxrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxllrxf.exec:\rxllrxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3vpjj.exec:\3vpjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvpv.exec:\jjvpv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frlfxxl.exec:\frlfxxl.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\nnnhbb.exec:\nnnhbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvpjd.exec:\vvpjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnhhn.exec:\tnnhhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5pdjd.exec:\5pdjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjdvv.exec:\jjdvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9tntnt.exec:\9tntnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvppj.exec:\jvppj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlrrlff.exec:\xlrrlff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5fxrrrr.exec:\5fxrrrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnhbt.exec:\tnnhbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djjdp.exec:\djjdp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lllffff.exec:\lllffff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbbtnn.exec:\tbbtnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1dppp.exec:\1dppp.exe23⤵
- Executes dropped EXE
-
\??\c:\lffffff.exec:\lffffff.exe24⤵
- Executes dropped EXE
-
\??\c:\5lxrxrx.exec:\5lxrxrx.exe25⤵
- Executes dropped EXE
-
\??\c:\bntthh.exec:\bntthh.exe26⤵
- Executes dropped EXE
-
\??\c:\vdjdd.exec:\vdjdd.exe27⤵
- Executes dropped EXE
-
\??\c:\lfxrllf.exec:\lfxrllf.exe28⤵
- Executes dropped EXE
-
\??\c:\1lxrrrr.exec:\1lxrrrr.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\3nnhnn.exec:\3nnhnn.exe30⤵
- Executes dropped EXE
-
\??\c:\vjpjd.exec:\vjpjd.exe31⤵
- Executes dropped EXE
-
\??\c:\5xffffx.exec:\5xffffx.exe32⤵
- Executes dropped EXE
-
\??\c:\xrlrrll.exec:\xrlrrll.exe33⤵
- Executes dropped EXE
-
\??\c:\nbnhtt.exec:\nbnhtt.exe34⤵
- Executes dropped EXE
-
\??\c:\pjvpv.exec:\pjvpv.exe35⤵
- Executes dropped EXE
-
\??\c:\xrrfllr.exec:\xrrfllr.exe36⤵
- Executes dropped EXE
-
\??\c:\nnhhbb.exec:\nnhhbb.exe37⤵
- Executes dropped EXE
-
\??\c:\ffxlffr.exec:\ffxlffr.exe38⤵
- Executes dropped EXE
-
\??\c:\3lrlffx.exec:\3lrlffx.exe39⤵
- Executes dropped EXE
-
\??\c:\vdvjd.exec:\vdvjd.exe40⤵
- Executes dropped EXE
-
\??\c:\1llxxfx.exec:\1llxxfx.exe41⤵
- Executes dropped EXE
-
\??\c:\9nnhhh.exec:\9nnhhh.exe42⤵
- Executes dropped EXE
-
\??\c:\bhhhbb.exec:\bhhhbb.exe43⤵
- Executes dropped EXE
-
\??\c:\dvvjd.exec:\dvvjd.exe44⤵
- Executes dropped EXE
-
\??\c:\5lllllf.exec:\5lllllf.exe45⤵
- Executes dropped EXE
-
\??\c:\dvdvp.exec:\dvdvp.exe46⤵
- Executes dropped EXE
-
\??\c:\lflxrrl.exec:\lflxrrl.exe47⤵
- Executes dropped EXE
-
\??\c:\nnnnnn.exec:\nnnnnn.exe48⤵
- Executes dropped EXE
-
\??\c:\vpvvv.exec:\vpvvv.exe49⤵
- Executes dropped EXE
-
\??\c:\djvpp.exec:\djvpp.exe50⤵
- Executes dropped EXE
-
\??\c:\xflxlfr.exec:\xflxlfr.exe51⤵
- Executes dropped EXE
-
\??\c:\3tthhn.exec:\3tthhn.exe52⤵
- Executes dropped EXE
-
\??\c:\dpvpv.exec:\dpvpv.exe53⤵
- Executes dropped EXE
-
\??\c:\lrlrrrf.exec:\lrlrrrf.exe54⤵
- Executes dropped EXE
-
\??\c:\llrlfff.exec:\llrlfff.exe55⤵
- Executes dropped EXE
-
\??\c:\nnnhbb.exec:\nnnhbb.exe56⤵
- Executes dropped EXE
-
\??\c:\pvdpj.exec:\pvdpj.exe57⤵
- Executes dropped EXE
-
\??\c:\rflfrrl.exec:\rflfrrl.exe58⤵
- Executes dropped EXE
-
\??\c:\1hhhbb.exec:\1hhhbb.exe59⤵
- Executes dropped EXE
-
\??\c:\nnbbnb.exec:\nnbbnb.exe60⤵
- Executes dropped EXE
-
\??\c:\jdddd.exec:\jdddd.exe61⤵
- Executes dropped EXE
-
\??\c:\9lfxrfx.exec:\9lfxrfx.exe62⤵
- Executes dropped EXE
-
\??\c:\bttnnn.exec:\bttnnn.exe63⤵
- Executes dropped EXE
-
\??\c:\dvdvv.exec:\dvdvv.exe64⤵
- Executes dropped EXE
-
\??\c:\1ffxrrl.exec:\1ffxrrl.exe65⤵
- Executes dropped EXE
-
\??\c:\bnnnnn.exec:\bnnnnn.exe66⤵
-
\??\c:\vvdvp.exec:\vvdvp.exe67⤵
-
\??\c:\rlxxxxx.exec:\rlxxxxx.exe68⤵
-
\??\c:\7ttnhh.exec:\7ttnhh.exe69⤵
-
\??\c:\vddjj.exec:\vddjj.exe70⤵
-
\??\c:\flfxlfr.exec:\flfxlfr.exe71⤵
-
\??\c:\nhnhtt.exec:\nhnhtt.exe72⤵
-
\??\c:\dddvj.exec:\dddvj.exe73⤵
-
\??\c:\3jjdv.exec:\3jjdv.exe74⤵
-
\??\c:\xxrrlll.exec:\xxrrlll.exe75⤵
-
\??\c:\bbtnht.exec:\bbtnht.exe76⤵
-
\??\c:\dvdjj.exec:\dvdjj.exe77⤵
-
\??\c:\pjvpv.exec:\pjvpv.exe78⤵
-
\??\c:\7rfxrfx.exec:\7rfxrfx.exe79⤵
-
\??\c:\3nthtt.exec:\3nthtt.exe80⤵
-
\??\c:\5vpjd.exec:\5vpjd.exe81⤵
-
\??\c:\xlxxllf.exec:\xlxxllf.exe82⤵
-
\??\c:\rlfrlrl.exec:\rlfrlrl.exe83⤵
-
\??\c:\thbbtt.exec:\thbbtt.exe84⤵
-
\??\c:\ppvvp.exec:\ppvvp.exe85⤵
-
\??\c:\fffxrxx.exec:\fffxrxx.exe86⤵
-
\??\c:\3ttnhb.exec:\3ttnhb.exe87⤵
-
\??\c:\jdvvp.exec:\jdvvp.exe88⤵
-
\??\c:\7jvvd.exec:\7jvvd.exe89⤵
-
\??\c:\frxfffx.exec:\frxfffx.exe90⤵
-
\??\c:\bhhbtn.exec:\bhhbtn.exe91⤵
-
\??\c:\pvdpp.exec:\pvdpp.exe92⤵
-
\??\c:\lrrfxrl.exec:\lrrfxrl.exe93⤵
-
\??\c:\tbhbtt.exec:\tbhbtt.exe94⤵
-
\??\c:\vjjdv.exec:\vjjdv.exe95⤵
-
\??\c:\1djvp.exec:\1djvp.exe96⤵
-
\??\c:\fxlfllr.exec:\fxlfllr.exe97⤵
-
\??\c:\5nbtnt.exec:\5nbtnt.exe98⤵
-
\??\c:\vddvj.exec:\vddvj.exe99⤵
-
\??\c:\rrfxxrr.exec:\rrfxxrr.exe100⤵
-
\??\c:\tbtthb.exec:\tbtthb.exe101⤵
-
\??\c:\vppdv.exec:\vppdv.exe102⤵
-
\??\c:\xflfrrl.exec:\xflfrrl.exe103⤵
-
\??\c:\hhhhtt.exec:\hhhhtt.exe104⤵
-
\??\c:\jjpdp.exec:\jjpdp.exe105⤵
-
\??\c:\xxfrxrx.exec:\xxfrxrx.exe106⤵
-
\??\c:\thhtnt.exec:\thhtnt.exe107⤵
-
\??\c:\ddvjd.exec:\ddvjd.exe108⤵
-
\??\c:\xlfxxxr.exec:\xlfxxxr.exe109⤵
-
\??\c:\7bbtnn.exec:\7bbtnn.exe110⤵
-
\??\c:\tnhbbb.exec:\tnhbbb.exe111⤵
-
\??\c:\djjdv.exec:\djjdv.exe112⤵
-
\??\c:\lrfxrrr.exec:\lrfxrrr.exe113⤵
-
\??\c:\hnbttt.exec:\hnbttt.exe114⤵
-
\??\c:\jddvp.exec:\jddvp.exe115⤵
-
\??\c:\xlxxrff.exec:\xlxxrff.exe116⤵
-
\??\c:\flrffxx.exec:\flrffxx.exe117⤵
-
\??\c:\btttnn.exec:\btttnn.exe118⤵
-
\??\c:\pdjdv.exec:\pdjdv.exe119⤵
-
\??\c:\xrrlxxx.exec:\xrrlxxx.exe120⤵
-
\??\c:\bnnnhh.exec:\bnnnhh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-