Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
14/09/2024, 22:13
General
-
Target
2b905c244355bd79f7a65b9dcc7fbb00N.exe
-
Size
71KB
-
MD5
2b905c244355bd79f7a65b9dcc7fbb00
-
SHA1
feaaa6077fe0774320833d7092bf91ccab293815
-
SHA256
12ace5f535a91baa4616d297c4accdea3c415e04198a64afd225c692ca2db0db
-
SHA512
0a6bec48597fcb0c9a3de6b69eaeb680ea45cd7da2462a9a5b58ba767611aff6ceff59f4ad4e52391a6a64b53c5388fad77925007f2848968932de9f3c4eaa99
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfj4W:ymb3NkkiQ3mdBjFI4VIW
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 33 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2b905c244355bd79f7a65b9dcc7fbb00N.exe"C:\Users\Admin\AppData\Local\Temp\2b905c244355bd79f7a65b9dcc7fbb00N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\ntthbb.exec:\ntthbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3pjdv.exec:\3pjdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvvp.exec:\vvvvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lflfffx.exec:\lflfffx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnbbbb.exec:\bnbbbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpjdv.exec:\dpjdv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrlfxfx.exec:\xrlfxfx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjppd.exec:\pjppd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llflfxr.exec:\llflfxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhhbhh.exec:\nhhbhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvjd.exec:\vvvjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1lxxllf.exec:\1lxxllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxxrll.exec:\rlxxrll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnnhn.exec:\tnnnhn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djdpd.exec:\djdpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrrlll.exec:\fxrrlll.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1rrrlff.exec:\1rrrlff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7bnhhh.exec:\7bnhhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjppj.exec:\pjppj.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\rxxxrxx.exec:\rxxxrxx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thtnhh.exec:\thtnhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tthhhh.exec:\tthhhh.exe23⤵
- Executes dropped EXE
-
\??\c:\vpjdv.exec:\vpjdv.exe24⤵
- Executes dropped EXE
-
\??\c:\dddvj.exec:\dddvj.exe25⤵
- Executes dropped EXE
-
\??\c:\lllxrxx.exec:\lllxrxx.exe26⤵
- Executes dropped EXE
-
\??\c:\bttnnh.exec:\bttnnh.exe27⤵
- Executes dropped EXE
-
\??\c:\thhhhb.exec:\thhhhb.exe28⤵
- Executes dropped EXE
-
\??\c:\pjvpv.exec:\pjvpv.exe29⤵
- Executes dropped EXE
-
\??\c:\flrrllf.exec:\flrrllf.exe30⤵
- Executes dropped EXE
-
\??\c:\rlrlxxf.exec:\rlrlxxf.exe31⤵
- Executes dropped EXE
-
\??\c:\nhttnb.exec:\nhttnb.exe32⤵
- Executes dropped EXE
-
\??\c:\ppvpv.exec:\ppvpv.exe33⤵
- Executes dropped EXE
-
\??\c:\ddjdv.exec:\ddjdv.exe34⤵
- Executes dropped EXE
-
\??\c:\3rfxrlf.exec:\3rfxrlf.exe35⤵
- Executes dropped EXE
-
\??\c:\bhhhhh.exec:\bhhhhh.exe36⤵
- Executes dropped EXE
-
\??\c:\tbhhhh.exec:\tbhhhh.exe37⤵
- Executes dropped EXE
-
\??\c:\htnhnn.exec:\htnhnn.exe38⤵
- Executes dropped EXE
-
\??\c:\pjvpd.exec:\pjvpd.exe39⤵
- Executes dropped EXE
-
\??\c:\vpppp.exec:\vpppp.exe40⤵
- Executes dropped EXE
-
\??\c:\llxxrrl.exec:\llxxrrl.exe41⤵
- Executes dropped EXE
-
\??\c:\rrxxxff.exec:\rrxxxff.exe42⤵
- Executes dropped EXE
-
\??\c:\btbtnt.exec:\btbtnt.exe43⤵
- Executes dropped EXE
-
\??\c:\nhhbtt.exec:\nhhbtt.exe44⤵
- Executes dropped EXE
-
\??\c:\pvddp.exec:\pvddp.exe45⤵
- Executes dropped EXE
-
\??\c:\jpjdp.exec:\jpjdp.exe46⤵
- Executes dropped EXE
-
\??\c:\rflfffl.exec:\rflfffl.exe47⤵
- Executes dropped EXE
-
\??\c:\xrffllf.exec:\xrffllf.exe48⤵
- Executes dropped EXE
-
\??\c:\fxrrllf.exec:\fxrrllf.exe49⤵
- Executes dropped EXE
-
\??\c:\hbthbb.exec:\hbthbb.exe50⤵
- Executes dropped EXE
-
\??\c:\ttttnh.exec:\ttttnh.exe51⤵
- Executes dropped EXE
-
\??\c:\dpvpv.exec:\dpvpv.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\jdpjj.exec:\jdpjj.exe53⤵
- Executes dropped EXE
-
\??\c:\flxrxxf.exec:\flxrxxf.exe54⤵
- Executes dropped EXE
-
\??\c:\xrrxrrr.exec:\xrrxrrr.exe55⤵
- Executes dropped EXE
-
\??\c:\5nhnnh.exec:\5nhnnh.exe56⤵
- Executes dropped EXE
-
\??\c:\tnnhbb.exec:\tnnhbb.exe57⤵
- Executes dropped EXE
-
\??\c:\jpvjv.exec:\jpvjv.exe58⤵
- Executes dropped EXE
-
\??\c:\djpjp.exec:\djpjp.exe59⤵
- Executes dropped EXE
-
\??\c:\rrrxxff.exec:\rrrxxff.exe60⤵
- Executes dropped EXE
-
\??\c:\rrlrrxr.exec:\rrlrrxr.exe61⤵
- Executes dropped EXE
-
\??\c:\bthhnn.exec:\bthhnn.exe62⤵
- Executes dropped EXE
-
\??\c:\bhbnhh.exec:\bhbnhh.exe63⤵
- Executes dropped EXE
-
\??\c:\3dvvp.exec:\3dvvp.exe64⤵
- Executes dropped EXE
-
\??\c:\jdjdj.exec:\jdjdj.exe65⤵
- Executes dropped EXE
-
\??\c:\xrfxrrl.exec:\xrfxrrl.exe66⤵
-
\??\c:\flrrffl.exec:\flrrffl.exe67⤵
-
\??\c:\nhnnth.exec:\nhnnth.exe68⤵
-
\??\c:\nthhhn.exec:\nthhhn.exe69⤵
-
\??\c:\vpdvv.exec:\vpdvv.exe70⤵
-
\??\c:\dddvp.exec:\dddvp.exe71⤵
-
\??\c:\lxfxxxf.exec:\lxfxxxf.exe72⤵
-
\??\c:\ffxrlrl.exec:\ffxrlrl.exe73⤵
-
\??\c:\nbbttn.exec:\nbbttn.exe74⤵
-
\??\c:\3djdd.exec:\3djdd.exe75⤵
-
\??\c:\vjdvp.exec:\vjdvp.exe76⤵
-
\??\c:\lffrlrr.exec:\lffrlrr.exe77⤵
-
\??\c:\3fxxlxl.exec:\3fxxlxl.exe78⤵
-
\??\c:\bhhhtn.exec:\bhhhtn.exe79⤵
-
\??\c:\hbhhht.exec:\hbhhht.exe80⤵
-
\??\c:\vpjjp.exec:\vpjjp.exe81⤵
-
\??\c:\rrrrfff.exec:\rrrrfff.exe82⤵
-
\??\c:\llrrxxx.exec:\llrrxxx.exe83⤵
-
\??\c:\hhhbnn.exec:\hhhbnn.exe84⤵
-
\??\c:\nhnhhh.exec:\nhnhhh.exe85⤵
-
\??\c:\ppvvv.exec:\ppvvv.exe86⤵
-
\??\c:\pppjj.exec:\pppjj.exe87⤵
-
\??\c:\flrlxxx.exec:\flrlxxx.exe88⤵
-
\??\c:\nbhbbh.exec:\nbhbbh.exe89⤵
-
\??\c:\thhbth.exec:\thhbth.exe90⤵
-
\??\c:\vvvpd.exec:\vvvpd.exe91⤵
-
\??\c:\xrrfrff.exec:\xrrfrff.exe92⤵
-
\??\c:\5bhbtt.exec:\5bhbtt.exe93⤵
-
\??\c:\vjdpd.exec:\vjdpd.exe94⤵
-
\??\c:\dvpjd.exec:\dvpjd.exe95⤵
-
\??\c:\lfffrlf.exec:\lfffrlf.exe96⤵
-
\??\c:\rflfxrl.exec:\rflfxrl.exe97⤵
-
\??\c:\bthnhn.exec:\bthnhn.exe98⤵
-
\??\c:\nbbtnn.exec:\nbbtnn.exe99⤵
-
\??\c:\jdjjd.exec:\jdjjd.exe100⤵
-
\??\c:\ddddd.exec:\ddddd.exe101⤵
-
\??\c:\rrxxflf.exec:\rrxxflf.exe102⤵
-
\??\c:\bbttnh.exec:\bbttnh.exe103⤵
-
\??\c:\hbtnnh.exec:\hbtnnh.exe104⤵
-
\??\c:\pppdj.exec:\pppdj.exe105⤵
-
\??\c:\pjpdv.exec:\pjpdv.exe106⤵
-
\??\c:\xrfxlfx.exec:\xrfxlfx.exe107⤵
-
\??\c:\lllfffx.exec:\lllfffx.exe108⤵
-
\??\c:\hnhttn.exec:\hnhttn.exe109⤵
-
\??\c:\3tnhhn.exec:\3tnhhn.exe110⤵
-
\??\c:\jddpj.exec:\jddpj.exe111⤵
-
\??\c:\vvdjp.exec:\vvdjp.exe112⤵
-
\??\c:\xrxfxfx.exec:\xrxfxfx.exe113⤵
-
\??\c:\9xxrrll.exec:\9xxrrll.exe114⤵
-
\??\c:\nbtbtb.exec:\nbtbtb.exe115⤵
-
\??\c:\7tnhtt.exec:\7tnhtt.exe116⤵
-
\??\c:\jpvvp.exec:\jpvvp.exe117⤵
-
\??\c:\pjpjd.exec:\pjpjd.exe118⤵
-
\??\c:\xrffllr.exec:\xrffllr.exe119⤵
-
\??\c:\xfffxxr.exec:\xfffxxr.exe120⤵
-
\??\c:\fllffxx.exec:\fllffxx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-