Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
13/09/2024, 03:27
General
-
Target
ef15702faa8c946783203062c67ae1c56641ba2e2f53367a5d334c348968b93d.exe
-
Size
715KB
-
MD5
0a36d22f185334da30499366e6d05287
-
SHA1
811accfc8b01e60ee0058ce5c284dfcefc4c6963
-
SHA256
ef15702faa8c946783203062c67ae1c56641ba2e2f53367a5d334c348968b93d
-
SHA512
0416c98aa7e048b4352f42776526fe91373cd22074763fd6b1ce7d5e56d0e86a1f6b5164a6241f384f3568e58e329dc898b8bc278a427102ba5580a96024c265
-
SSDEEP
12288:n3C9yMo+S0L9xRnoq7H9xqYLzKoq73lRa2dBD6:SgD4bhoqLDqYLzKoqTM
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 23 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef15702faa8c946783203062c67ae1c56641ba2e2f53367a5d334c348968b93d.exe"C:\Users\Admin\AppData\Local\Temp\ef15702faa8c946783203062c67ae1c56641ba2e2f53367a5d334c348968b93d.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\28026.exec:\28026.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0800886.exec:\0800886.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\60600.exec:\60600.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4486426.exec:\4486426.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\868208.exec:\868208.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htnbtn.exec:\htnbtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frlrrff.exec:\frlrrff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpdvv.exec:\dpdvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7vvjv.exec:\7vvjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2880848.exec:\2880848.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1fxrlff.exec:\1fxrlff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9dddv.exec:\9dddv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxlxlx.exec:\xlxlxlx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7nhhhb.exec:\7nhhhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\206482.exec:\206482.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tthhnt.exec:\tthhnt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\60444.exec:\60444.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrrlfxr.exec:\lrrlfxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\80260.exec:\80260.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\httnbh.exec:\httnbh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llrrxxf.exec:\llrrxxf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4808260.exec:\4808260.exe23⤵
- Executes dropped EXE
-
\??\c:\tthbhb.exec:\tthbhb.exe24⤵
- Executes dropped EXE
-
\??\c:\m2044.exec:\m2044.exe25⤵
- Executes dropped EXE
-
\??\c:\fxxrxll.exec:\fxxrxll.exe26⤵
- Executes dropped EXE
-
\??\c:\bnhbbb.exec:\bnhbbb.exe27⤵
- Executes dropped EXE
-
\??\c:\jdppj.exec:\jdppj.exe28⤵
- Executes dropped EXE
-
\??\c:\pdjjv.exec:\pdjjv.exe29⤵
- Executes dropped EXE
-
\??\c:\xxrrfxx.exec:\xxrrfxx.exe30⤵
- Executes dropped EXE
-
\??\c:\bbhbnn.exec:\bbhbnn.exe31⤵
- Executes dropped EXE
-
\??\c:\7vjpv.exec:\7vjpv.exe32⤵
- Executes dropped EXE
-
\??\c:\64440.exec:\64440.exe33⤵
- Executes dropped EXE
-
\??\c:\22260.exec:\22260.exe34⤵
- Executes dropped EXE
-
\??\c:\vvdpj.exec:\vvdpj.exe35⤵
- Executes dropped EXE
-
\??\c:\vpdjd.exec:\vpdjd.exe36⤵
- Executes dropped EXE
-
\??\c:\02400.exec:\02400.exe37⤵
- Executes dropped EXE
-
\??\c:\48062.exec:\48062.exe38⤵
- Executes dropped EXE
-
\??\c:\206200.exec:\206200.exe39⤵
- Executes dropped EXE
-
\??\c:\42288.exec:\42288.exe40⤵
- Executes dropped EXE
-
\??\c:\m2428.exec:\m2428.exe41⤵
- Executes dropped EXE
-
\??\c:\3thttt.exec:\3thttt.exe42⤵
- Executes dropped EXE
-
\??\c:\280466.exec:\280466.exe43⤵
- Executes dropped EXE
-
\??\c:\jddpd.exec:\jddpd.exe44⤵
- Executes dropped EXE
-
\??\c:\a0626.exec:\a0626.exe45⤵
- Executes dropped EXE
-
\??\c:\46266.exec:\46266.exe46⤵
- Executes dropped EXE
-
\??\c:\g0260.exec:\g0260.exe47⤵
- Executes dropped EXE
-
\??\c:\6248226.exec:\6248226.exe48⤵
- Executes dropped EXE
-
\??\c:\464688.exec:\464688.exe49⤵
- Executes dropped EXE
-
\??\c:\m2484.exec:\m2484.exe50⤵
- Executes dropped EXE
-
\??\c:\644822.exec:\644822.exe51⤵
- Executes dropped EXE
-
\??\c:\vpjdv.exec:\vpjdv.exe52⤵
- Executes dropped EXE
-
\??\c:\00004.exec:\00004.exe53⤵
- Executes dropped EXE
-
\??\c:\jvpjj.exec:\jvpjj.exe54⤵
- Executes dropped EXE
-
\??\c:\bhtnbt.exec:\bhtnbt.exe55⤵
- Executes dropped EXE
-
\??\c:\lflrlrr.exec:\lflrlrr.exe56⤵
- Executes dropped EXE
-
\??\c:\c248266.exec:\c248266.exe57⤵
- Executes dropped EXE
-
\??\c:\djpjd.exec:\djpjd.exe58⤵
- Executes dropped EXE
-
\??\c:\fxxrffx.exec:\fxxrffx.exe59⤵
- Executes dropped EXE
-
\??\c:\hhbtnt.exec:\hhbtnt.exe60⤵
- Executes dropped EXE
-
\??\c:\nbhhbt.exec:\nbhhbt.exe61⤵
- Executes dropped EXE
-
\??\c:\vpvpv.exec:\vpvpv.exe62⤵
- Executes dropped EXE
-
\??\c:\7tbtnn.exec:\7tbtnn.exe63⤵
- Executes dropped EXE
-
\??\c:\3btnhh.exec:\3btnhh.exe64⤵
- Executes dropped EXE
-
\??\c:\406448.exec:\406448.exe65⤵
- Executes dropped EXE
-
\??\c:\46882.exec:\46882.exe66⤵
-
\??\c:\xxrlxfx.exec:\xxrlxfx.exe67⤵
-
\??\c:\26266.exec:\26266.exe68⤵
-
\??\c:\dvjdj.exec:\dvjdj.exe69⤵
-
\??\c:\e02600.exec:\e02600.exe70⤵
-
\??\c:\ttbtnn.exec:\ttbtnn.exe71⤵
-
\??\c:\ntbnhh.exec:\ntbnhh.exe72⤵
-
\??\c:\rfrlxxr.exec:\rfrlxxr.exe73⤵
-
\??\c:\nhtbhb.exec:\nhtbhb.exe74⤵
-
\??\c:\e04480.exec:\e04480.exe75⤵
-
\??\c:\68642.exec:\68642.exe76⤵
-
\??\c:\vpppj.exec:\vpppj.exe77⤵
-
\??\c:\8660408.exec:\8660408.exe78⤵
-
\??\c:\608444.exec:\608444.exe79⤵
-
\??\c:\6048604.exec:\6048604.exe80⤵
-
\??\c:\hnbtbt.exec:\hnbtbt.exe81⤵
-
\??\c:\rllfrlf.exec:\rllfrlf.exe82⤵
-
\??\c:\80622.exec:\80622.exe83⤵
-
\??\c:\264082.exec:\264082.exe84⤵
-
\??\c:\pvjjv.exec:\pvjjv.exe85⤵
-
\??\c:\dvvjd.exec:\dvvjd.exe86⤵
-
\??\c:\lrxxllf.exec:\lrxxllf.exe87⤵
-
\??\c:\a6260.exec:\a6260.exe88⤵
-
\??\c:\484242.exec:\484242.exe89⤵
-
\??\c:\04826.exec:\04826.exe90⤵
-
\??\c:\88088.exec:\88088.exe91⤵
-
\??\c:\7bnbtn.exec:\7bnbtn.exe92⤵
-
\??\c:\c848226.exec:\c848226.exe93⤵
-
\??\c:\9ntnhb.exec:\9ntnhb.exe94⤵
-
\??\c:\pjjdv.exec:\pjjdv.exe95⤵
-
\??\c:\62262.exec:\62262.exe96⤵
- System Location Discovery: System Language Discovery
-
\??\c:\64422.exec:\64422.exe97⤵
-
\??\c:\06082.exec:\06082.exe98⤵
-
\??\c:\w28426.exec:\w28426.exe99⤵
-
\??\c:\3tntbn.exec:\3tntbn.exe100⤵
-
\??\c:\hnnnhh.exec:\hnnnhh.exe101⤵
-
\??\c:\46466.exec:\46466.exe102⤵
-
\??\c:\g4086.exec:\g4086.exe103⤵
-
\??\c:\bnbntn.exec:\bnbntn.exe104⤵
-
\??\c:\0468226.exec:\0468226.exe105⤵
-
\??\c:\rrlxlfr.exec:\rrlxlfr.exe106⤵
-
\??\c:\rrrfrlx.exec:\rrrfrlx.exe107⤵
-
\??\c:\vjvjp.exec:\vjvjp.exe108⤵
-
\??\c:\80424.exec:\80424.exe109⤵
-
\??\c:\9bthnh.exec:\9bthnh.exe110⤵
-
\??\c:\604206.exec:\604206.exe111⤵
-
\??\c:\c486426.exec:\c486426.exe112⤵
-
\??\c:\dpvpj.exec:\dpvpj.exe113⤵
-
\??\c:\808606.exec:\808606.exe114⤵
-
\??\c:\208204.exec:\208204.exe115⤵
-
\??\c:\rflffxf.exec:\rflffxf.exe116⤵
-
\??\c:\64826.exec:\64826.exe117⤵
-
\??\c:\9lfrlrf.exec:\9lfrlrf.exe118⤵
-
\??\c:\fxrfxfr.exec:\fxrfxfr.exe119⤵
-
\??\c:\xlfrfxr.exec:\xlfrfxr.exe120⤵
-
\??\c:\c000864.exec:\c000864.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-