Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
19/09/2024, 04:41
General
-
Target
f9b57753d8a24987669f07e596989aec4c377eaeaf94fb639ea8cbaa6ca2cd47N.exe
-
Size
74KB
-
MD5
93bbf19da1860bd5e537ab11edeee0d0
-
SHA1
5e9c3ea3b0c64d659963147734a5c060b973e6fb
-
SHA256
f9b57753d8a24987669f07e596989aec4c377eaeaf94fb639ea8cbaa6ca2cd47
-
SHA512
a8c07f28f39e149af4bc8e8bdc6499c736c14bd58756b7c5785b4190bbebc2983f827826a63826381ef988fc3460f1625d928bd670a213cb7ce005bbf70d9825
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIvuzk358nLA89OGvrFVHmP5O:ymb3NkkiQ3mdBjFIvl358nLA89OMFVHN
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 28 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9b57753d8a24987669f07e596989aec4c377eaeaf94fb639ea8cbaa6ca2cd47N.exe"C:\Users\Admin\AppData\Local\Temp\f9b57753d8a24987669f07e596989aec4c377eaeaf94fb639ea8cbaa6ca2cd47N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\406004.exec:\406004.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\06886.exec:\06886.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbthbn.exec:\nbthbn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\u262468.exec:\u262468.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxxxrrr.exec:\xxxxrrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrflflf.exec:\lrflflf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbbtnn.exec:\hbbtnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2808226.exec:\2808226.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2004260.exec:\2004260.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5djdp.exec:\5djdp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lffxlfx.exec:\lffxlfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3ttbtn.exec:\3ttbtn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnthbt.exec:\bnthbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\g8222.exec:\g8222.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thbntb.exec:\thbntb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lffflfx.exec:\lffflfx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\s6646.exec:\s6646.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3ffxrrl.exec:\3ffxrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\i428006.exec:\i428006.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\268800.exec:\268800.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvddp.exec:\vvddp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\622204.exec:\622204.exe23⤵
- Executes dropped EXE
-
\??\c:\llxffxf.exec:\llxffxf.exe24⤵
- Executes dropped EXE
-
\??\c:\5pdjv.exec:\5pdjv.exe25⤵
- Executes dropped EXE
-
\??\c:\06666.exec:\06666.exe26⤵
- Executes dropped EXE
-
\??\c:\8026604.exec:\8026604.exe27⤵
- Executes dropped EXE
-
\??\c:\02260.exec:\02260.exe28⤵
- Executes dropped EXE
-
\??\c:\djpjv.exec:\djpjv.exe29⤵
- Executes dropped EXE
-
\??\c:\4224288.exec:\4224288.exe30⤵
- Executes dropped EXE
-
\??\c:\bnnbth.exec:\bnnbth.exe31⤵
- Executes dropped EXE
-
\??\c:\fllxfxr.exec:\fllxfxr.exe32⤵
- Executes dropped EXE
-
\??\c:\pddpj.exec:\pddpj.exe33⤵
- Executes dropped EXE
-
\??\c:\k80206.exec:\k80206.exe34⤵
- Executes dropped EXE
-
\??\c:\7lrllrr.exec:\7lrllrr.exe35⤵
- Executes dropped EXE
-
\??\c:\pjpjv.exec:\pjpjv.exe36⤵
- Executes dropped EXE
-
\??\c:\64460.exec:\64460.exe37⤵
- Executes dropped EXE
-
\??\c:\xfxlffr.exec:\xfxlffr.exe38⤵
- Executes dropped EXE
-
\??\c:\lfrlrxx.exec:\lfrlrxx.exe39⤵
- Executes dropped EXE
-
\??\c:\pvvdj.exec:\pvvdj.exe40⤵
- Executes dropped EXE
-
\??\c:\862420.exec:\862420.exe41⤵
- Executes dropped EXE
-
\??\c:\k68688.exec:\k68688.exe42⤵
- Executes dropped EXE
-
\??\c:\24684.exec:\24684.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\600088.exec:\600088.exe44⤵
- Executes dropped EXE
-
\??\c:\w84484.exec:\w84484.exe45⤵
- Executes dropped EXE
-
\??\c:\22260.exec:\22260.exe46⤵
- Executes dropped EXE
-
\??\c:\hbbnbb.exec:\hbbnbb.exe47⤵
- Executes dropped EXE
-
\??\c:\bnhbtt.exec:\bnhbtt.exe48⤵
- Executes dropped EXE
-
\??\c:\tnnhbt.exec:\tnnhbt.exe49⤵
- Executes dropped EXE
-
\??\c:\s0264.exec:\s0264.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\024240.exec:\024240.exe51⤵
- Executes dropped EXE
-
\??\c:\hntnth.exec:\hntnth.exe52⤵
- Executes dropped EXE
-
\??\c:\3rrlxlf.exec:\3rrlxlf.exe53⤵
- Executes dropped EXE
-
\??\c:\6622042.exec:\6622042.exe54⤵
- Executes dropped EXE
-
\??\c:\lffxlff.exec:\lffxlff.exe55⤵
- Executes dropped EXE
-
\??\c:\vvddv.exec:\vvddv.exe56⤵
- Executes dropped EXE
-
\??\c:\flrffll.exec:\flrffll.exe57⤵
- Executes dropped EXE
-
\??\c:\280022.exec:\280022.exe58⤵
- Executes dropped EXE
-
\??\c:\jpvpd.exec:\jpvpd.exe59⤵
- Executes dropped EXE
-
\??\c:\462644.exec:\462644.exe60⤵
- Executes dropped EXE
-
\??\c:\66224.exec:\66224.exe61⤵
- Executes dropped EXE
-
\??\c:\q66224.exec:\q66224.exe62⤵
- Executes dropped EXE
-
\??\c:\thbttb.exec:\thbttb.exe63⤵
- Executes dropped EXE
-
\??\c:\062644.exec:\062644.exe64⤵
- Executes dropped EXE
-
\??\c:\rrfflrr.exec:\rrfflrr.exe65⤵
- Executes dropped EXE
-
\??\c:\pvdvv.exec:\pvdvv.exe66⤵
-
\??\c:\86264.exec:\86264.exe67⤵
-
\??\c:\40040.exec:\40040.exe68⤵
-
\??\c:\dvpjd.exec:\dvpjd.exe69⤵
-
\??\c:\rfffrlf.exec:\rfffrlf.exe70⤵
-
\??\c:\488226.exec:\488226.exe71⤵
-
\??\c:\rxxxfrl.exec:\rxxxfrl.exe72⤵
-
\??\c:\tttnnt.exec:\tttnnt.exe73⤵
-
\??\c:\flxxrxr.exec:\flxxrxr.exe74⤵
-
\??\c:\tnhbbb.exec:\tnhbbb.exe75⤵
-
\??\c:\48688.exec:\48688.exe76⤵
-
\??\c:\04622.exec:\04622.exe77⤵
-
\??\c:\vppjd.exec:\vppjd.exe78⤵
-
\??\c:\lrlfrlx.exec:\lrlfrlx.exe79⤵
-
\??\c:\btnnhh.exec:\btnnhh.exe80⤵
-
\??\c:\9hnhtt.exec:\9hnhtt.exe81⤵
-
\??\c:\jvjdd.exec:\jvjdd.exe82⤵
-
\??\c:\826060.exec:\826060.exe83⤵
-
\??\c:\2288602.exec:\2288602.exe84⤵
-
\??\c:\vppjd.exec:\vppjd.exe85⤵
-
\??\c:\a0088.exec:\a0088.exe86⤵
-
\??\c:\tbbtnb.exec:\tbbtnb.exe87⤵
-
\??\c:\w26040.exec:\w26040.exe88⤵
-
\??\c:\vjjdv.exec:\vjjdv.exe89⤵
-
\??\c:\440482.exec:\440482.exe90⤵
-
\??\c:\xrfllll.exec:\xrfllll.exe91⤵
-
\??\c:\htnbtn.exec:\htnbtn.exe92⤵
-
\??\c:\o024882.exec:\o024882.exe93⤵
-
\??\c:\2002060.exec:\2002060.exe94⤵
-
\??\c:\c882604.exec:\c882604.exe95⤵
-
\??\c:\jvvpj.exec:\jvvpj.exe96⤵
-
\??\c:\6004826.exec:\6004826.exe97⤵
-
\??\c:\pvvvj.exec:\pvvvj.exe98⤵
-
\??\c:\0882604.exec:\0882604.exe99⤵
-
\??\c:\jvvpj.exec:\jvvpj.exe100⤵
-
\??\c:\rffxlfx.exec:\rffxlfx.exe101⤵
-
\??\c:\fxlrfll.exec:\fxlrfll.exe102⤵
-
\??\c:\pjddv.exec:\pjddv.exe103⤵
-
\??\c:\ththnb.exec:\ththnb.exe104⤵
-
\??\c:\68468.exec:\68468.exe105⤵
-
\??\c:\o466048.exec:\o466048.exe106⤵
-
\??\c:\ffxxlrl.exec:\ffxxlrl.exe107⤵
-
\??\c:\60600.exec:\60600.exe108⤵
-
\??\c:\nthnnb.exec:\nthnnb.exe109⤵
-
\??\c:\lfffxxr.exec:\lfffxxr.exe110⤵
-
\??\c:\u664204.exec:\u664204.exe111⤵
-
\??\c:\04268.exec:\04268.exe112⤵
-
\??\c:\xlxllfr.exec:\xlxllfr.exe113⤵
-
\??\c:\9nntth.exec:\9nntth.exe114⤵
-
\??\c:\8266822.exec:\8266822.exe115⤵
-
\??\c:\24004.exec:\24004.exe116⤵
-
\??\c:\q06048.exec:\q06048.exe117⤵
-
\??\c:\662828.exec:\662828.exe118⤵
-
\??\c:\5bhbtt.exec:\5bhbtt.exe119⤵
-
\??\c:\ffrxlrr.exec:\ffrxlrr.exe120⤵
-
\??\c:\1lllfll.exec:\1lllfll.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-