Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
12-09-2024 04:31
General
-
Target
16661edacddb4bfb6aa5bd10301c5580N.exe
-
Size
64KB
-
MD5
16661edacddb4bfb6aa5bd10301c5580
-
SHA1
6f72cf2f5c1d9ad7ddbce3cdd55392c9e0429d30
-
SHA256
3f04d082c1b822186b37e1340d22184c6099c8e3976ae482b17b1a162403b347
-
SHA512
5272114d42411e8cdb3558d2ec0d1bb7675d8ccc6632d5962d4f0a9707e4a4d152f997a85608606251a20d40c7a306598256987f47ea9bbd216e8f3e4bbe3090
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yU+kbxiX:ymb3NkkiQ3mdBjF0y7kbA
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 39 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\16661edacddb4bfb6aa5bd10301c5580N.exe"C:\Users\Admin\AppData\Local\Temp\16661edacddb4bfb6aa5bd10301c5580N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\5ntnnn.exec:\5ntnnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdjjd.exec:\vdjjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlrrrrl.exec:\xlrrrrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thnnnb.exec:\thnnnb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5ntnhb.exec:\5ntnhb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvjpj.exec:\pvjpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxrlfrl.exec:\lxrlfrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xflfxfx.exec:\xflfxfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thbbtt.exec:\thbbtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjjd.exec:\pjjjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxflxx.exec:\lfxflxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thnbth.exec:\thnbth.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnntt.exec:\btnntt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvjd.exec:\jdvjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fllfxxr.exec:\fllfxxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrfxrxr.exec:\xrfxrxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbbbb.exec:\btbbbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dddvp.exec:\dddvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxlxrrr.exec:\rxlxrrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htnnnn.exec:\htnnnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbttnn.exec:\bbttnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thhnhh.exec:\thhnhh.exe23⤵
- Executes dropped EXE
-
\??\c:\jvdpj.exec:\jvdpj.exe24⤵
- Executes dropped EXE
-
\??\c:\frlflfl.exec:\frlflfl.exe25⤵
- Executes dropped EXE
-
\??\c:\flrrllf.exec:\flrrllf.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\xfrllll.exec:\xfrllll.exe27⤵
- Executes dropped EXE
-
\??\c:\hntbht.exec:\hntbht.exe28⤵
- Executes dropped EXE
-
\??\c:\vddvv.exec:\vddvv.exe29⤵
- Executes dropped EXE
-
\??\c:\jddvd.exec:\jddvd.exe30⤵
- Executes dropped EXE
-
\??\c:\flxrffr.exec:\flxrffr.exe31⤵
- Executes dropped EXE
-
\??\c:\lxlffxx.exec:\lxlffxx.exe32⤵
- Executes dropped EXE
-
\??\c:\hbnhnn.exec:\hbnhnn.exe33⤵
- Executes dropped EXE
-
\??\c:\nhttnn.exec:\nhttnn.exe34⤵
- Executes dropped EXE
-
\??\c:\vpvjd.exec:\vpvjd.exe35⤵
- Executes dropped EXE
-
\??\c:\dvpjj.exec:\dvpjj.exe36⤵
- Executes dropped EXE
-
\??\c:\lrxflff.exec:\lrxflff.exe37⤵
- Executes dropped EXE
-
\??\c:\lfxrfxl.exec:\lfxrfxl.exe38⤵
- Executes dropped EXE
-
\??\c:\tbbnht.exec:\tbbnht.exe39⤵
- Executes dropped EXE
-
\??\c:\tnbthb.exec:\tnbthb.exe40⤵
- Executes dropped EXE
-
\??\c:\vpjvd.exec:\vpjvd.exe41⤵
- Executes dropped EXE
-
\??\c:\jjddd.exec:\jjddd.exe42⤵
- Executes dropped EXE
-
\??\c:\rlrlrlr.exec:\rlrlrlr.exe43⤵
- Executes dropped EXE
-
\??\c:\xxrfxrf.exec:\xxrfxrf.exe44⤵
- Executes dropped EXE
-
\??\c:\nnbtnh.exec:\nnbtnh.exe45⤵
- Executes dropped EXE
-
\??\c:\vpvpp.exec:\vpvpp.exe46⤵
- Executes dropped EXE
-
\??\c:\vjvvv.exec:\vjvvv.exe47⤵
- Executes dropped EXE
-
\??\c:\lxxrxxx.exec:\lxxrxxx.exe48⤵
- Executes dropped EXE
-
\??\c:\rxfffff.exec:\rxfffff.exe49⤵
- Executes dropped EXE
-
\??\c:\xxfxxrl.exec:\xxfxxrl.exe50⤵
- Executes dropped EXE
-
\??\c:\nbhbbb.exec:\nbhbbb.exe51⤵
- Executes dropped EXE
-
\??\c:\pjvvd.exec:\pjvvd.exe52⤵
- Executes dropped EXE
-
\??\c:\dvvvj.exec:\dvvvj.exe53⤵
- Executes dropped EXE
-
\??\c:\fffflxx.exec:\fffflxx.exe54⤵
- Executes dropped EXE
-
\??\c:\lllllll.exec:\lllllll.exe55⤵
- Executes dropped EXE
-
\??\c:\tnhtnb.exec:\tnhtnb.exe56⤵
- Executes dropped EXE
-
\??\c:\hhtnhh.exec:\hhtnhh.exe57⤵
- Executes dropped EXE
-
\??\c:\5jjdd.exec:\5jjdd.exe58⤵
- Executes dropped EXE
-
\??\c:\dddvp.exec:\dddvp.exe59⤵
- Executes dropped EXE
-
\??\c:\xxxxrxx.exec:\xxxxrxx.exe60⤵
- Executes dropped EXE
-
\??\c:\lxflfff.exec:\lxflfff.exe61⤵
- Executes dropped EXE
-
\??\c:\nbnhbt.exec:\nbnhbt.exe62⤵
- Executes dropped EXE
-
\??\c:\tnhbtn.exec:\tnhbtn.exe63⤵
- Executes dropped EXE
-
\??\c:\dvvvj.exec:\dvvvj.exe64⤵
- Executes dropped EXE
-
\??\c:\ppvdd.exec:\ppvdd.exe65⤵
- Executes dropped EXE
-
\??\c:\rxlffxr.exec:\rxlffxr.exe66⤵
-
\??\c:\3frlrrx.exec:\3frlrrx.exe67⤵
-
\??\c:\nbbtnn.exec:\nbbtnn.exe68⤵
-
\??\c:\ddjjv.exec:\ddjjv.exe69⤵
-
\??\c:\djdpd.exec:\djdpd.exe70⤵
-
\??\c:\lxrfllf.exec:\lxrfllf.exe71⤵
-
\??\c:\hnnhbn.exec:\hnnhbn.exe72⤵
-
\??\c:\bhhthh.exec:\bhhthh.exe73⤵
-
\??\c:\pjdjv.exec:\pjdjv.exe74⤵
-
\??\c:\pvdpd.exec:\pvdpd.exe75⤵
-
\??\c:\flfrfxr.exec:\flfrfxr.exe76⤵
-
\??\c:\bhbtht.exec:\bhbtht.exe77⤵
- System Location Discovery: System Language Discovery
-
\??\c:\hnhnbt.exec:\hnhnbt.exe78⤵
-
\??\c:\pvdvj.exec:\pvdvj.exe79⤵
-
\??\c:\jvdvj.exec:\jvdvj.exe80⤵
-
\??\c:\xlfrfrl.exec:\xlfrfrl.exe81⤵
-
\??\c:\bhnnhh.exec:\bhnnhh.exe82⤵
-
\??\c:\nbhbtn.exec:\nbhbtn.exe83⤵
-
\??\c:\ttbnbt.exec:\ttbnbt.exe84⤵
-
\??\c:\dpvjd.exec:\dpvjd.exe85⤵
-
\??\c:\lxxfrlf.exec:\lxxfrlf.exe86⤵
-
\??\c:\1rrlxrl.exec:\1rrlxrl.exe87⤵
-
\??\c:\btnthb.exec:\btnthb.exe88⤵
- System Location Discovery: System Language Discovery
-
\??\c:\bbhbnb.exec:\bbhbnb.exe89⤵
-
\??\c:\jddvp.exec:\jddvp.exe90⤵
-
\??\c:\jvvjp.exec:\jvvjp.exe91⤵
-
\??\c:\3xxlfxr.exec:\3xxlfxr.exe92⤵
-
\??\c:\jjjdp.exec:\jjjdp.exe93⤵
-
\??\c:\vpdpd.exec:\vpdpd.exe94⤵
-
\??\c:\lrlxfxl.exec:\lrlxfxl.exe95⤵
-
\??\c:\nbnhth.exec:\nbnhth.exe96⤵
-
\??\c:\btnhbt.exec:\btnhbt.exe97⤵
-
\??\c:\pvdvj.exec:\pvdvj.exe98⤵
-
\??\c:\dddvj.exec:\dddvj.exe99⤵
- System Location Discovery: System Language Discovery
-
\??\c:\xxrflfx.exec:\xxrflfx.exe100⤵
-
\??\c:\frxlfxr.exec:\frxlfxr.exe101⤵
-
\??\c:\nbbnbt.exec:\nbbnbt.exe102⤵
- System Location Discovery: System Language Discovery
-
\??\c:\hnhtnh.exec:\hnhtnh.exe103⤵
-
\??\c:\jvdpj.exec:\jvdpj.exe104⤵
-
\??\c:\jddvv.exec:\jddvv.exe105⤵
-
\??\c:\xlrfrrf.exec:\xlrfrrf.exe106⤵
-
\??\c:\fxxlfrf.exec:\fxxlfrf.exe107⤵
-
\??\c:\bbbnth.exec:\bbbnth.exe108⤵
-
\??\c:\bnnhtn.exec:\bnnhtn.exe109⤵
-
\??\c:\pvdpd.exec:\pvdpd.exe110⤵
-
\??\c:\3jdvd.exec:\3jdvd.exe111⤵
-
\??\c:\rlfrfxr.exec:\rlfrfxr.exe112⤵
-
\??\c:\9rrlfxl.exec:\9rrlfxl.exe113⤵
-
\??\c:\nttnhb.exec:\nttnhb.exe114⤵
-
\??\c:\htbnbt.exec:\htbnbt.exe115⤵
-
\??\c:\vppjd.exec:\vppjd.exe116⤵
-
\??\c:\rxlxlfx.exec:\rxlxlfx.exe117⤵
-
\??\c:\lxlxxrx.exec:\lxlxxrx.exe118⤵
-
\??\c:\hhhbnh.exec:\hhhbnh.exe119⤵
-
\??\c:\bntnhh.exec:\bntnhh.exe120⤵
-
\??\c:\pvjvp.exec:\pvjvp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-