Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
13/09/2024, 03:24
General
-
Target
b7012da042209abcfec2d6da31936af0N.exe
-
Size
62KB
-
MD5
b7012da042209abcfec2d6da31936af0
-
SHA1
e649f450275764e6cf128636e79d6a3cbe2b72f7
-
SHA256
aadd3e41eada708919c0d74ef8a9db26afcff915113249c5dee297284229cd1a
-
SHA512
f47ff6c839484ea3c011fd00cae29fd4d1549460be09c0104958aaa9df996b68c5fb884b267d73009bea2ac282449ffdc5f6b89451e6fad1165af742905b5cdd
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIrmCeRo:ymb3NkkiQ3mdBjFIjey
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 27 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 33 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b7012da042209abcfec2d6da31936af0N.exe"C:\Users\Admin\AppData\Local\Temp\b7012da042209abcfec2d6da31936af0N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\llrllrr.exec:\llrllrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjdvv.exec:\vjdvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\04660.exec:\04660.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\622262.exec:\622262.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxxlll.exec:\fxxxlll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\s0660.exec:\s0660.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdppj.exec:\jdppj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrrlll.exec:\xrrrlll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpjdd.exec:\vpjdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnttnn.exec:\bnttnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjjv.exec:\ppjjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\k26426.exec:\k26426.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnhtnh.exec:\bnhtnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8022660.exec:\8022660.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jppjd.exec:\jppjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnhtt.exec:\btnhtt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhntnn.exec:\bhntnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\httnbt.exec:\httnbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4226482.exec:\4226482.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lllxffx.exec:\lllxffx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6204826.exec:\6204826.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\m0042.exec:\m0042.exe23⤵
- Executes dropped EXE
-
\??\c:\222600.exec:\222600.exe24⤵
- Executes dropped EXE
-
\??\c:\60260.exec:\60260.exe25⤵
- Executes dropped EXE
-
\??\c:\2646482.exec:\2646482.exe26⤵
- Executes dropped EXE
-
\??\c:\1pvvv.exec:\1pvvv.exe27⤵
-
\??\c:\3hhbbb.exec:\3hhbbb.exe28⤵
- Executes dropped EXE
-
\??\c:\btbthb.exec:\btbthb.exe29⤵
- Executes dropped EXE
-
\??\c:\frxrfff.exec:\frxrfff.exe30⤵
- Executes dropped EXE
-
\??\c:\dpvdp.exec:\dpvdp.exe31⤵
- Executes dropped EXE
-
\??\c:\2008620.exec:\2008620.exe32⤵
- Executes dropped EXE
-
\??\c:\242442.exec:\242442.exe33⤵
- Executes dropped EXE
-
\??\c:\44282.exec:\44282.exe34⤵
- Executes dropped EXE
-
\??\c:\rlrfrxl.exec:\rlrfrxl.exe35⤵
- Executes dropped EXE
-
\??\c:\26042.exec:\26042.exe36⤵
- Executes dropped EXE
-
\??\c:\flrfxff.exec:\flrfxff.exe37⤵
- Executes dropped EXE
-
\??\c:\22826.exec:\22826.exe38⤵
- Executes dropped EXE
-
\??\c:\664088.exec:\664088.exe39⤵
- Executes dropped EXE
-
\??\c:\vddpd.exec:\vddpd.exe40⤵
- Executes dropped EXE
-
\??\c:\vvjdj.exec:\vvjdj.exe41⤵
- Executes dropped EXE
-
\??\c:\q84248.exec:\q84248.exe42⤵
- Executes dropped EXE
-
\??\c:\i408088.exec:\i408088.exe43⤵
- Executes dropped EXE
-
\??\c:\42264.exec:\42264.exe44⤵
- Executes dropped EXE
-
\??\c:\428260.exec:\428260.exe45⤵
- Executes dropped EXE
-
\??\c:\0000260.exec:\0000260.exe46⤵
- Executes dropped EXE
-
\??\c:\3tttnn.exec:\3tttnn.exe47⤵
- Executes dropped EXE
-
\??\c:\k66204.exec:\k66204.exe48⤵
- Executes dropped EXE
-
\??\c:\xrxxlrf.exec:\xrxxlrf.exe49⤵
- Executes dropped EXE
-
\??\c:\8282482.exec:\8282482.exe50⤵
- Executes dropped EXE
-
\??\c:\q28266.exec:\q28266.exe51⤵
- Executes dropped EXE
-
\??\c:\fffrlxf.exec:\fffrlxf.exe52⤵
- Executes dropped EXE
-
\??\c:\44280.exec:\44280.exe53⤵
- Executes dropped EXE
-
\??\c:\8424028.exec:\8424028.exe54⤵
- Executes dropped EXE
-
\??\c:\00802.exec:\00802.exe55⤵
- Executes dropped EXE
-
\??\c:\284860.exec:\284860.exe56⤵
- Executes dropped EXE
-
\??\c:\hbthtb.exec:\hbthtb.exe57⤵
- Executes dropped EXE
-
\??\c:\1jpdv.exec:\1jpdv.exe58⤵
- Executes dropped EXE
-
\??\c:\nbtbtn.exec:\nbtbtn.exe59⤵
- Executes dropped EXE
-
\??\c:\dpdvj.exec:\dpdvj.exe60⤵
- Executes dropped EXE
-
\??\c:\62860.exec:\62860.exe61⤵
- Executes dropped EXE
-
\??\c:\pjjvd.exec:\pjjvd.exe62⤵
- Executes dropped EXE
-
\??\c:\7bhbtn.exec:\7bhbtn.exe63⤵
- Executes dropped EXE
-
\??\c:\8608260.exec:\8608260.exe64⤵
- Executes dropped EXE
-
\??\c:\ddjdp.exec:\ddjdp.exe65⤵
- Executes dropped EXE
-
\??\c:\lffxllf.exec:\lffxllf.exe66⤵
- Executes dropped EXE
-
\??\c:\82264.exec:\82264.exe67⤵
-
\??\c:\66264.exec:\66264.exe68⤵
-
\??\c:\0628004.exec:\0628004.exe69⤵
-
\??\c:\s2204.exec:\s2204.exe70⤵
-
\??\c:\q06082.exec:\q06082.exe71⤵
-
\??\c:\m6608.exec:\m6608.exe72⤵
-
\??\c:\hthhtn.exec:\hthhtn.exe73⤵
-
\??\c:\e22600.exec:\e22600.exe74⤵
-
\??\c:\024826.exec:\024826.exe75⤵
-
\??\c:\6426482.exec:\6426482.exe76⤵
-
\??\c:\rflxrrf.exec:\rflxrrf.exe77⤵
-
\??\c:\826482.exec:\826482.exe78⤵
-
\??\c:\jvpjv.exec:\jvpjv.exe79⤵
-
\??\c:\fxrxlfx.exec:\fxrxlfx.exe80⤵
-
\??\c:\262226.exec:\262226.exe81⤵
-
\??\c:\5jdpd.exec:\5jdpd.exe82⤵
-
\??\c:\2200284.exec:\2200284.exe83⤵
-
\??\c:\llxrlfx.exec:\llxrlfx.exe84⤵
-
\??\c:\28482.exec:\28482.exe85⤵
-
\??\c:\48044.exec:\48044.exe86⤵
-
\??\c:\frrxllf.exec:\frrxllf.exe87⤵
-
\??\c:\vpdvj.exec:\vpdvj.exe88⤵
-
\??\c:\vjjdj.exec:\vjjdj.exe89⤵
-
\??\c:\7lffxxx.exec:\7lffxxx.exe90⤵
-
\??\c:\bnbbbh.exec:\bnbbbh.exe91⤵
-
\??\c:\jdpjj.exec:\jdpjj.exe92⤵
-
\??\c:\c022026.exec:\c022026.exe93⤵
-
\??\c:\9vdvv.exec:\9vdvv.exe94⤵
-
\??\c:\jjjpp.exec:\jjjpp.exe95⤵
-
\??\c:\3thbtn.exec:\3thbtn.exe96⤵
-
\??\c:\jdjdv.exec:\jdjdv.exe97⤵
-
\??\c:\240804.exec:\240804.exe98⤵
-
\??\c:\jjpdd.exec:\jjpdd.exe99⤵
-
\??\c:\26424.exec:\26424.exe100⤵
-
\??\c:\02608.exec:\02608.exe101⤵
-
\??\c:\64662.exec:\64662.exe102⤵
-
\??\c:\880866.exec:\880866.exe103⤵
-
\??\c:\7rxrlll.exec:\7rxrlll.exe104⤵
-
\??\c:\0020260.exec:\0020260.exe105⤵
-
\??\c:\rxxxrlf.exec:\rxxxrlf.exe106⤵
-
\??\c:\04280.exec:\04280.exe107⤵
-
\??\c:\vppdp.exec:\vppdp.exe108⤵
-
\??\c:\rfxrfxr.exec:\rfxrfxr.exe109⤵
-
\??\c:\628204.exec:\628204.exe110⤵
-
\??\c:\i460488.exec:\i460488.exe111⤵
-
\??\c:\068644.exec:\068644.exe112⤵
-
\??\c:\frllrxx.exec:\frllrxx.exe113⤵
-
\??\c:\284822.exec:\284822.exe114⤵
-
\??\c:\u660266.exec:\u660266.exe115⤵
-
\??\c:\jjdvp.exec:\jjdvp.exe116⤵
-
\??\c:\228040.exec:\228040.exe117⤵
-
\??\c:\00026.exec:\00026.exe118⤵
-
\??\c:\80644.exec:\80644.exe119⤵
-
\??\c:\62264.exec:\62264.exe120⤵
-
\??\c:\djdvp.exec:\djdvp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-