Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
11/09/2024, 13:13
General
-
Target
ce8bfd43cff8fdc8df1f3bf84f730d00N.exe
-
Size
82KB
-
MD5
ce8bfd43cff8fdc8df1f3bf84f730d00
-
SHA1
0b02a97cefbb4dae67e88da7271576ab608f85cd
-
SHA256
b48a849535f9cc0d8da68a7b63d589d307de604162135db8804d98d714988474
-
SHA512
eb78883ee4e690cde25ead2b9d7585f1fea0c15c8bbb6e350b61563fb569ef83f2eeedf86ea188794393ccaf7aa00c6f40cd319f3ea199be6ec1ac4c7141b381
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIIpIo60L9QrrA89Qi:ymb3NkkiQ3mdBjFIIp9L9QrrA8d
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ce8bfd43cff8fdc8df1f3bf84f730d00N.exe"C:\Users\Admin\AppData\Local\Temp\ce8bfd43cff8fdc8df1f3bf84f730d00N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\7frxfll.exec:\7frxfll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frrrrlf.exec:\frrrrlf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhhhhn.exec:\bhhhhn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdjpj.exec:\pdjpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxrllxf.exec:\lxrllxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htnttb.exec:\htnttb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvdjj.exec:\jvdjj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvjp.exec:\ddvjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3tthhn.exec:\3tthhn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntbhtt.exec:\ntbhtt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpdjj.exec:\jpdjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxxxxxx.exec:\xxxxxxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnthn.exec:\ttnthn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9vpjd.exec:\9vpjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llllfff.exec:\llllfff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhhhhn.exec:\hhhhhn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tntbhb.exec:\tntbhb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5djpd.exec:\5djpd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbbht.exec:\nhbbht.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpvvv.exec:\jpvvv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djpvp.exec:\djpvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrffflr.exec:\xrffflr.exe23⤵
- Executes dropped EXE
-
\??\c:\bbbbbh.exec:\bbbbbh.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\vjppp.exec:\vjppp.exe25⤵
- Executes dropped EXE
-
\??\c:\3djjp.exec:\3djjp.exe26⤵
- Executes dropped EXE
-
\??\c:\xflllrr.exec:\xflllrr.exe27⤵
- Executes dropped EXE
-
\??\c:\xfxrrff.exec:\xfxrrff.exe28⤵
- Executes dropped EXE
-
\??\c:\nbhhhh.exec:\nbhhhh.exe29⤵
- Executes dropped EXE
-
\??\c:\vjjjj.exec:\vjjjj.exe30⤵
- Executes dropped EXE
-
\??\c:\dddpp.exec:\dddpp.exe31⤵
- Executes dropped EXE
-
\??\c:\rlxfrfr.exec:\rlxfrfr.exe32⤵
- Executes dropped EXE
-
\??\c:\hnthnt.exec:\hnthnt.exe33⤵
- Executes dropped EXE
-
\??\c:\hnbbbt.exec:\hnbbbt.exe34⤵
- Executes dropped EXE
-
\??\c:\ppjjd.exec:\ppjjd.exe35⤵
- Executes dropped EXE
-
\??\c:\7djjj.exec:\7djjj.exe36⤵
- Executes dropped EXE
-
\??\c:\llllxxr.exec:\llllxxr.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\flrxxff.exec:\flrxxff.exe38⤵
- Executes dropped EXE
-
\??\c:\9hbbtt.exec:\9hbbtt.exe39⤵
- Executes dropped EXE
-
\??\c:\tttnbb.exec:\tttnbb.exe40⤵
- Executes dropped EXE
-
\??\c:\vpjdv.exec:\vpjdv.exe41⤵
- Executes dropped EXE
-
\??\c:\vvvvj.exec:\vvvvj.exe42⤵
- Executes dropped EXE
-
\??\c:\rxrfllx.exec:\rxrfllx.exe43⤵
- Executes dropped EXE
-
\??\c:\fxllfxf.exec:\fxllfxf.exe44⤵
- Executes dropped EXE
-
\??\c:\ttnnnn.exec:\ttnnnn.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\5hnnnt.exec:\5hnnnt.exe46⤵
- Executes dropped EXE
-
\??\c:\jpppv.exec:\jpppv.exe47⤵
- Executes dropped EXE
-
\??\c:\djjjd.exec:\djjjd.exe48⤵
- Executes dropped EXE
-
\??\c:\3dppp.exec:\3dppp.exe49⤵
- Executes dropped EXE
-
\??\c:\1frlfxr.exec:\1frlfxr.exe50⤵
- Executes dropped EXE
-
\??\c:\xxxxffl.exec:\xxxxffl.exe51⤵
- Executes dropped EXE
-
\??\c:\7bttnn.exec:\7bttnn.exe52⤵
- Executes dropped EXE
-
\??\c:\nbnnnn.exec:\nbnnnn.exe53⤵
- Executes dropped EXE
-
\??\c:\9vvvp.exec:\9vvvp.exe54⤵
- Executes dropped EXE
-
\??\c:\pvddv.exec:\pvddv.exe55⤵
- Executes dropped EXE
-
\??\c:\llfflrf.exec:\llfflrf.exe56⤵
- Executes dropped EXE
-
\??\c:\1lxxrxl.exec:\1lxxrxl.exe57⤵
- Executes dropped EXE
-
\??\c:\fffrrxf.exec:\fffrrxf.exe58⤵
- Executes dropped EXE
-
\??\c:\bntntb.exec:\bntntb.exe59⤵
- Executes dropped EXE
-
\??\c:\ntbbbt.exec:\ntbbbt.exe60⤵
- Executes dropped EXE
-
\??\c:\jdvvv.exec:\jdvvv.exe61⤵
- Executes dropped EXE
-
\??\c:\dddvv.exec:\dddvv.exe62⤵
- Executes dropped EXE
-
\??\c:\lllfrrx.exec:\lllfrrx.exe63⤵
- Executes dropped EXE
-
\??\c:\xxxrrrr.exec:\xxxrrrr.exe64⤵
- Executes dropped EXE
-
\??\c:\ntbnbb.exec:\ntbnbb.exe65⤵
- Executes dropped EXE
-
\??\c:\nhbnnt.exec:\nhbnnt.exe66⤵
-
\??\c:\3djpv.exec:\3djpv.exe67⤵
-
\??\c:\vvppv.exec:\vvppv.exe68⤵
-
\??\c:\flxxrrf.exec:\flxxrrf.exe69⤵
-
\??\c:\fxffxxx.exec:\fxffxxx.exe70⤵
-
\??\c:\bbnthn.exec:\bbnthn.exe71⤵
-
\??\c:\7jjpv.exec:\7jjpv.exe72⤵
-
\??\c:\jjvjd.exec:\jjvjd.exe73⤵
-
\??\c:\lrxxfff.exec:\lrxxfff.exe74⤵
-
\??\c:\3lrrxff.exec:\3lrrxff.exe75⤵
-
\??\c:\nbhhhn.exec:\nbhhhn.exe76⤵
-
\??\c:\nbttbh.exec:\nbttbh.exe77⤵
-
\??\c:\vdppj.exec:\vdppj.exe78⤵
-
\??\c:\vdvvv.exec:\vdvvv.exe79⤵
-
\??\c:\7frlfff.exec:\7frlfff.exe80⤵
-
\??\c:\xxxxlrr.exec:\xxxxlrr.exe81⤵
-
\??\c:\5thhht.exec:\5thhht.exe82⤵
- System Location Discovery: System Language Discovery
-
\??\c:\bhnhnt.exec:\bhnhnt.exe83⤵
-
\??\c:\jvddd.exec:\jvddd.exe84⤵
-
\??\c:\jdvvp.exec:\jdvvp.exe85⤵
-
\??\c:\lfrrrlr.exec:\lfrrrlr.exe86⤵
-
\??\c:\frxxxfl.exec:\frxxxfl.exe87⤵
-
\??\c:\vvjjd.exec:\vvjjd.exe88⤵
-
\??\c:\vvddv.exec:\vvddv.exe89⤵
-
\??\c:\flffxxf.exec:\flffxxf.exe90⤵
-
\??\c:\rfrxfrf.exec:\rfrxfrf.exe91⤵
-
\??\c:\ntbthb.exec:\ntbthb.exe92⤵
-
\??\c:\hhntnt.exec:\hhntnt.exe93⤵
-
\??\c:\ddvvd.exec:\ddvvd.exe94⤵
-
\??\c:\3dvvp.exec:\3dvvp.exe95⤵
-
\??\c:\rrxxxfr.exec:\rrxxxfr.exe96⤵
-
\??\c:\9ntttb.exec:\9ntttb.exe97⤵
-
\??\c:\nhbbtb.exec:\nhbbtb.exe98⤵
-
\??\c:\9htntt.exec:\9htntt.exe99⤵
-
\??\c:\7vvvd.exec:\7vvvd.exe100⤵
-
\??\c:\xrllrxx.exec:\xrllrxx.exe101⤵
-
\??\c:\lrrlrfx.exec:\lrrlrfx.exe102⤵
-
\??\c:\tnnhhh.exec:\tnnhhh.exe103⤵
-
\??\c:\pjvvv.exec:\pjvvv.exe104⤵
-
\??\c:\9djvv.exec:\9djvv.exe105⤵
-
\??\c:\xxllfll.exec:\xxllfll.exe106⤵
-
\??\c:\3rffxff.exec:\3rffxff.exe107⤵
-
\??\c:\3nbtnt.exec:\3nbtnt.exe108⤵
-
\??\c:\hhnnbb.exec:\hhnnbb.exe109⤵
-
\??\c:\3pvjj.exec:\3pvjj.exe110⤵
-
\??\c:\9dvpv.exec:\9dvpv.exe111⤵
-
\??\c:\xxxrlff.exec:\xxxrlff.exe112⤵
-
\??\c:\tnbttb.exec:\tnbttb.exe113⤵
-
\??\c:\jdjjj.exec:\jdjjj.exe114⤵
-
\??\c:\rrxrlfl.exec:\rrxrlfl.exe115⤵
-
\??\c:\lrxxrrr.exec:\lrxxrrr.exe116⤵
-
\??\c:\nnnntt.exec:\nnnntt.exe117⤵
-
\??\c:\dpvjj.exec:\dpvjj.exe118⤵
-
\??\c:\ddpvj.exec:\ddpvj.exe119⤵
-
\??\c:\9rxrrrx.exec:\9rxrrrx.exe120⤵
-
\??\c:\lfllrrx.exec:\lfllrrx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-