Analysis
-
max time kernel
120s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
19-09-2024 06:58
General
-
Target
835dbad3eb763155c3f8b935c58d141a70e588c1fa6986c643f8bbfd310a770fN.exe
-
Size
64KB
-
MD5
b14b0cd2e4f803c4683e0f2387842220
-
SHA1
6bdc74f881cae50019224f0c408b1176b8cfaead
-
SHA256
835dbad3eb763155c3f8b935c58d141a70e588c1fa6986c643f8bbfd310a770f
-
SHA512
02d40ba4e745f59b933987741344253713f3207b2dd49d962d18bd06080a9eec067800c9ded3c9980b314764988a7f5200d9c7d34f9bdf18cbc121fd94ded7d9
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yU+kbxiP:ymb3NkkiQ3mdBjF0y7kbK
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 33 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\835dbad3eb763155c3f8b935c58d141a70e588c1fa6986c643f8bbfd310a770fN.exe"C:\Users\Admin\AppData\Local\Temp\835dbad3eb763155c3f8b935c58d141a70e588c1fa6986c643f8bbfd310a770fN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\jvddd.exec:\jvddd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpjpv.exec:\dpjpv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fflxrxl.exec:\fflxrxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3hntnn.exec:\3hntnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5hnnhn.exec:\5hnnhn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frlfxxf.exec:\frlfxxf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbnnhb.exec:\bbnnhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdvj.exec:\pjdvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxxxfrr.exec:\xxxxfrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbtbn.exec:\htbtbn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvjd.exec:\jjvjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7xrlxxx.exec:\7xrlxxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1thbnn.exec:\1thbnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5jvvp.exec:\5jvvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxxxrr.exec:\fxxxxrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flllffx.exec:\flllffx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7btnnn.exec:\7btnnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjjj.exec:\ppjjj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrrxxl.exec:\lfrrxxl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhtbhh.exec:\hhtbhh.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\9thnnb.exec:\9thnnb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppvpp.exec:\ppvpp.exe23⤵
- Executes dropped EXE
-
\??\c:\5lrlllf.exec:\5lrlllf.exe24⤵
- Executes dropped EXE
-
\??\c:\hbnttb.exec:\hbnttb.exe25⤵
- Executes dropped EXE
-
\??\c:\dvjpp.exec:\dvjpp.exe26⤵
- Executes dropped EXE
-
\??\c:\fffffll.exec:\fffffll.exe27⤵
- Executes dropped EXE
-
\??\c:\1htthh.exec:\1htthh.exe28⤵
- Executes dropped EXE
-
\??\c:\hbttnb.exec:\hbttnb.exe29⤵
- Executes dropped EXE
-
\??\c:\jvvdv.exec:\jvvdv.exe30⤵
- Executes dropped EXE
-
\??\c:\vdppp.exec:\vdppp.exe31⤵
- Executes dropped EXE
-
\??\c:\lffxrxx.exec:\lffxrxx.exe32⤵
- Executes dropped EXE
-
\??\c:\bttttb.exec:\bttttb.exe33⤵
- Executes dropped EXE
-
\??\c:\jjvpv.exec:\jjvpv.exe34⤵
- Executes dropped EXE
-
\??\c:\pdpvv.exec:\pdpvv.exe35⤵
- Executes dropped EXE
-
\??\c:\7rxfrrl.exec:\7rxfrrl.exe36⤵
- Executes dropped EXE
-
\??\c:\lrrxfxl.exec:\lrrxfxl.exe37⤵
- Executes dropped EXE
-
\??\c:\5bthtb.exec:\5bthtb.exe38⤵
- Executes dropped EXE
-
\??\c:\ppvpp.exec:\ppvpp.exe39⤵
- Executes dropped EXE
-
\??\c:\flxffxl.exec:\flxffxl.exe40⤵
- Executes dropped EXE
-
\??\c:\fxfxxfx.exec:\fxfxxfx.exe41⤵
- Executes dropped EXE
-
\??\c:\nnnnnt.exec:\nnnnnt.exe42⤵
- Executes dropped EXE
-
\??\c:\7thhhn.exec:\7thhhn.exe43⤵
- Executes dropped EXE
-
\??\c:\jjpvp.exec:\jjpvp.exe44⤵
- Executes dropped EXE
-
\??\c:\ppvpv.exec:\ppvpv.exe45⤵
- Executes dropped EXE
-
\??\c:\fffffll.exec:\fffffll.exe46⤵
- Executes dropped EXE
-
\??\c:\ntbhhh.exec:\ntbhhh.exe47⤵
- Executes dropped EXE
-
\??\c:\tnhhbb.exec:\tnhhbb.exe48⤵
- Executes dropped EXE
-
\??\c:\vvvdv.exec:\vvvdv.exe49⤵
- Executes dropped EXE
-
\??\c:\xxrffff.exec:\xxrffff.exe50⤵
- Executes dropped EXE
-
\??\c:\pvjpp.exec:\pvjpp.exe51⤵
- Executes dropped EXE
-
\??\c:\bbnttb.exec:\bbnttb.exe52⤵
- Executes dropped EXE
-
\??\c:\pjvvd.exec:\pjvvd.exe53⤵
- Executes dropped EXE
-
\??\c:\1lrxxxx.exec:\1lrxxxx.exe54⤵
- Executes dropped EXE
-
\??\c:\rrxfflr.exec:\rrxfflr.exe55⤵
- Executes dropped EXE
-
\??\c:\7hnnnn.exec:\7hnnnn.exe56⤵
- Executes dropped EXE
-
\??\c:\3pvvd.exec:\3pvvd.exe57⤵
- Executes dropped EXE
-
\??\c:\ttbhbh.exec:\ttbhbh.exe58⤵
- Executes dropped EXE
-
\??\c:\nhtbtb.exec:\nhtbtb.exe59⤵
- Executes dropped EXE
-
\??\c:\5dppj.exec:\5dppj.exe60⤵
- Executes dropped EXE
-
\??\c:\7jpvp.exec:\7jpvp.exe61⤵
- Executes dropped EXE
-
\??\c:\xxffxff.exec:\xxffxff.exe62⤵
- Executes dropped EXE
-
\??\c:\frrrrrr.exec:\frrrrrr.exe63⤵
- Executes dropped EXE
-
\??\c:\1bbttt.exec:\1bbttt.exe64⤵
- Executes dropped EXE
-
\??\c:\pdjjd.exec:\pdjjd.exe65⤵
- Executes dropped EXE
-
\??\c:\vvvvv.exec:\vvvvv.exe66⤵
-
\??\c:\xxlrrxf.exec:\xxlrrxf.exe67⤵
-
\??\c:\flfrlff.exec:\flfrlff.exe68⤵
-
\??\c:\jjvvj.exec:\jjvvj.exe69⤵
-
\??\c:\rfrrlrr.exec:\rfrrlrr.exe70⤵
-
\??\c:\rflrfff.exec:\rflrfff.exe71⤵
-
\??\c:\tnbhhn.exec:\tnbhhn.exe72⤵
-
\??\c:\tnbbtb.exec:\tnbbtb.exe73⤵
-
\??\c:\dpddp.exec:\dpddp.exe74⤵
-
\??\c:\lfrlflr.exec:\lfrlflr.exe75⤵
-
\??\c:\lllllrr.exec:\lllllrr.exe76⤵
-
\??\c:\bbhbbb.exec:\bbhbbb.exe77⤵
-
\??\c:\bbnnhn.exec:\bbnnhn.exe78⤵
-
\??\c:\1pjjj.exec:\1pjjj.exe79⤵
-
\??\c:\7rflfrr.exec:\7rflfrr.exe80⤵
-
\??\c:\5lrxxff.exec:\5lrxxff.exe81⤵
-
\??\c:\thnbhn.exec:\thnbhn.exe82⤵
-
\??\c:\vpppj.exec:\vpppj.exe83⤵
-
\??\c:\9flllrr.exec:\9flllrr.exe84⤵
-
\??\c:\5xxffff.exec:\5xxffff.exe85⤵
-
\??\c:\btbhnb.exec:\btbhnb.exe86⤵
-
\??\c:\nbhntt.exec:\nbhntt.exe87⤵
-
\??\c:\ppppj.exec:\ppppj.exe88⤵
-
\??\c:\jjjjd.exec:\jjjjd.exe89⤵
-
\??\c:\xfllrrf.exec:\xfllrrf.exe90⤵
-
\??\c:\llllllr.exec:\llllllr.exe91⤵
-
\??\c:\ttbbhn.exec:\ttbbhn.exe92⤵
-
\??\c:\bhhtnb.exec:\bhhtnb.exe93⤵
-
\??\c:\7ppvv.exec:\7ppvv.exe94⤵
-
\??\c:\xxffxfx.exec:\xxffxfx.exe95⤵
-
\??\c:\rxrxrxf.exec:\rxrxrxf.exe96⤵
-
\??\c:\nhnnnn.exec:\nhnnnn.exe97⤵
-
\??\c:\1djjv.exec:\1djjv.exe98⤵
-
\??\c:\vvjjj.exec:\vvjjj.exe99⤵
-
\??\c:\xfllfll.exec:\xfllfll.exe100⤵
-
\??\c:\rrllllx.exec:\rrllllx.exe101⤵
-
\??\c:\btbbbb.exec:\btbbbb.exe102⤵
-
\??\c:\ddddp.exec:\ddddp.exe103⤵
-
\??\c:\vjjjd.exec:\vjjjd.exe104⤵
-
\??\c:\lrrfrlx.exec:\lrrfrlx.exe105⤵
-
\??\c:\hhttnt.exec:\hhttnt.exe106⤵
-
\??\c:\1hnnhn.exec:\1hnnhn.exe107⤵
-
\??\c:\pdvpp.exec:\pdvpp.exe108⤵
-
\??\c:\pjppj.exec:\pjppj.exe109⤵
-
\??\c:\llrrlxx.exec:\llrrlxx.exe110⤵
-
\??\c:\nhbtbh.exec:\nhbtbh.exe111⤵
-
\??\c:\9nbbnt.exec:\9nbbnt.exe112⤵
-
\??\c:\hbnhhh.exec:\hbnhhh.exe113⤵
-
\??\c:\ppjjd.exec:\ppjjd.exe114⤵
-
\??\c:\rxxxflf.exec:\rxxxflf.exe115⤵
- System Location Discovery: System Language Discovery
-
\??\c:\xfrlxxl.exec:\xfrlxxl.exe116⤵
-
\??\c:\nhhhnt.exec:\nhhhnt.exe117⤵
-
\??\c:\pdjjj.exec:\pdjjj.exe118⤵
-
\??\c:\rrxrllf.exec:\rrxrllf.exe119⤵
-
\??\c:\llrrrrr.exec:\llrrrrr.exe120⤵
- System Location Discovery: System Language Discovery
-
\??\c:\nttnnn.exec:\nttnnn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-