Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
21-09-2024 15:34
General
-
Target
4dfbfe769a796c5f5959b06cb43ccc8d2dc721e8ea7afffc7b79c23b1188bb56N.exe
-
Size
230KB
-
MD5
e2840e57e191c900d87dbd0bf2c74fe0
-
SHA1
c2be22b68bb4191392583a4d5f6a7c2e00df96b4
-
SHA256
4dfbfe769a796c5f5959b06cb43ccc8d2dc721e8ea7afffc7b79c23b1188bb56
-
SHA512
b32e44ed44632ac96fc8fabccf9fd168c419ff2a51213450b9b2af4605aa95653b9f09ccf23f9c185cb7fbc4bfd40e557d4819697f79fc570491fdceb83be398
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1fp:n3C9BRo7MlrWKo+lxKk1fp
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 27 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 37 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4dfbfe769a796c5f5959b06cb43ccc8d2dc721e8ea7afffc7b79c23b1188bb56N.exe"C:\Users\Admin\AppData\Local\Temp\4dfbfe769a796c5f5959b06cb43ccc8d2dc721e8ea7afffc7b79c23b1188bb56N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\ddpdv.exec:\ddpdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djjdv.exec:\djjdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxxrffl.exec:\xxxrffl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxxffl.exec:\lfxxffl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxlrfxl.exec:\lxlrfxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9bbbtt.exec:\9bbbtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7xrrlll.exec:\7xrrlll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3bnhbh.exec:\3bnhbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5pppj.exec:\5pppj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frlrrxr.exec:\frlrrxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9htttt.exec:\9htttt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjjj.exec:\ppjjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrlfxlf.exec:\rrlfxlf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbhhbn.exec:\bbhhbn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1ppjj.exec:\1ppjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bttnnn.exec:\bttnnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjdvp.exec:\vjdvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7lfxxxx.exec:\7lfxxxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5bhbtt.exec:\5bhbtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flrrlff.exec:\flrrlff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnnhh.exec:\tnnnhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvdvd.exec:\dvdvd.exe23⤵
- Executes dropped EXE
-
\??\c:\lrlllrl.exec:\lrlllrl.exe24⤵
- Executes dropped EXE
-
\??\c:\bhbbbb.exec:\bhbbbb.exe25⤵
- Executes dropped EXE
-
\??\c:\3djdd.exec:\3djdd.exe26⤵
- Executes dropped EXE
-
\??\c:\9fxlrrf.exec:\9fxlrrf.exe27⤵
- Executes dropped EXE
-
\??\c:\xrxlxfr.exec:\xrxlxfr.exe28⤵
- Executes dropped EXE
-
\??\c:\1ntnbt.exec:\1ntnbt.exe29⤵
- Executes dropped EXE
-
\??\c:\dvjjd.exec:\dvjjd.exe30⤵
- Executes dropped EXE
-
\??\c:\rrxfllr.exec:\rrxfllr.exe31⤵
- Executes dropped EXE
-
\??\c:\bnbtnn.exec:\bnbtnn.exe32⤵
- Executes dropped EXE
-
\??\c:\jvddp.exec:\jvddp.exe33⤵
- Executes dropped EXE
-
\??\c:\5lffxll.exec:\5lffxll.exe34⤵
- Executes dropped EXE
-
\??\c:\hhnnnn.exec:\hhnnnn.exe35⤵
- Executes dropped EXE
-
\??\c:\frlxlfx.exec:\frlxlfx.exe36⤵
- Executes dropped EXE
-
\??\c:\xlrrrrf.exec:\xlrrrrf.exe37⤵
- Executes dropped EXE
-
\??\c:\bhbbbb.exec:\bhbbbb.exe38⤵
- Executes dropped EXE
-
\??\c:\jjjjp.exec:\jjjjp.exe39⤵
- Executes dropped EXE
-
\??\c:\xffxrrl.exec:\xffxrrl.exe40⤵
- Executes dropped EXE
-
\??\c:\flrlffx.exec:\flrlffx.exe41⤵
- Executes dropped EXE
-
\??\c:\thnnnn.exec:\thnnnn.exe42⤵
- Executes dropped EXE
-
\??\c:\5ppvj.exec:\5ppvj.exe43⤵
- Executes dropped EXE
-
\??\c:\ddvvv.exec:\ddvvv.exe44⤵
- Executes dropped EXE
-
\??\c:\1rlfffx.exec:\1rlfffx.exe45⤵
- Executes dropped EXE
-
\??\c:\9tbttn.exec:\9tbttn.exe46⤵
- Executes dropped EXE
-
\??\c:\5ddvj.exec:\5ddvj.exe47⤵
- Executes dropped EXE
-
\??\c:\3pdvd.exec:\3pdvd.exe48⤵
- Executes dropped EXE
-
\??\c:\xrrfrrl.exec:\xrrfrrl.exe49⤵
- Executes dropped EXE
-
\??\c:\rlxfffx.exec:\rlxfffx.exe50⤵
- Executes dropped EXE
-
\??\c:\9nbthb.exec:\9nbthb.exe51⤵
- Executes dropped EXE
-
\??\c:\1pjdp.exec:\1pjdp.exe52⤵
- Executes dropped EXE
-
\??\c:\jvdpd.exec:\jvdpd.exe53⤵
- Executes dropped EXE
-
\??\c:\flrfffr.exec:\flrfffr.exe54⤵
- Executes dropped EXE
-
\??\c:\ttbbtt.exec:\ttbbtt.exe55⤵
- Executes dropped EXE
-
\??\c:\hnttnh.exec:\hnttnh.exe56⤵
- Executes dropped EXE
-
\??\c:\pjdvj.exec:\pjdvj.exe57⤵
- Executes dropped EXE
-
\??\c:\xxrlfll.exec:\xxrlfll.exe58⤵
- Executes dropped EXE
-
\??\c:\lllfffx.exec:\lllfffx.exe59⤵
- Executes dropped EXE
-
\??\c:\btbnbt.exec:\btbnbt.exe60⤵
- Executes dropped EXE
-
\??\c:\7hbtnn.exec:\7hbtnn.exe61⤵
- Executes dropped EXE
-
\??\c:\vvvpd.exec:\vvvpd.exe62⤵
- Executes dropped EXE
-
\??\c:\rlxrffx.exec:\rlxrffx.exe63⤵
- Executes dropped EXE
-
\??\c:\lffxrrl.exec:\lffxrrl.exe64⤵
- Executes dropped EXE
-
\??\c:\ttbttn.exec:\ttbttn.exe65⤵
- Executes dropped EXE
-
\??\c:\nbtnhn.exec:\nbtnhn.exe66⤵
-
\??\c:\pddpj.exec:\pddpj.exe67⤵
-
\??\c:\xffxrrl.exec:\xffxrrl.exe68⤵
-
\??\c:\hnnhnb.exec:\hnnhnb.exe69⤵
-
\??\c:\dvjvj.exec:\dvjvj.exe70⤵
-
\??\c:\lrrfrlx.exec:\lrrfrlx.exe71⤵
-
\??\c:\frxxfxx.exec:\frxxfxx.exe72⤵
-
\??\c:\hhnhhb.exec:\hhnhhb.exe73⤵
-
\??\c:\jjdvj.exec:\jjdvj.exe74⤵
-
\??\c:\vvvjv.exec:\vvvjv.exe75⤵
-
\??\c:\7xfxxxr.exec:\7xfxxxr.exe76⤵
- System Location Discovery: System Language Discovery
-
\??\c:\ttbtnh.exec:\ttbtnh.exe77⤵
-
\??\c:\3nhtnh.exec:\3nhtnh.exe78⤵
-
\??\c:\1dpdp.exec:\1dpdp.exe79⤵
-
\??\c:\lfxrllr.exec:\lfxrllr.exe80⤵
-
\??\c:\3lxrlfr.exec:\3lxrlfr.exe81⤵
-
\??\c:\nnnhhh.exec:\nnnhhh.exe82⤵
-
\??\c:\vdjdp.exec:\vdjdp.exe83⤵
-
\??\c:\pjppp.exec:\pjppp.exe84⤵
-
\??\c:\1llrlll.exec:\1llrlll.exe85⤵
-
\??\c:\flffxxx.exec:\flffxxx.exe86⤵
-
\??\c:\bbhhnn.exec:\bbhhnn.exe87⤵
-
\??\c:\vvdvd.exec:\vvdvd.exe88⤵
-
\??\c:\7vddv.exec:\7vddv.exe89⤵
-
\??\c:\frxrlll.exec:\frxrlll.exe90⤵
-
\??\c:\nnbhbn.exec:\nnbhbn.exe91⤵
-
\??\c:\tnnhtt.exec:\tnnhtt.exe92⤵
-
\??\c:\vjvjj.exec:\vjvjj.exe93⤵
-
\??\c:\xlxrfxl.exec:\xlxrfxl.exe94⤵
-
\??\c:\5lrxllx.exec:\5lrxllx.exe95⤵
-
\??\c:\hnnhbn.exec:\hnnhbn.exe96⤵
-
\??\c:\rxrlrrl.exec:\rxrlrrl.exe97⤵
-
\??\c:\1nnbtn.exec:\1nnbtn.exe98⤵
-
\??\c:\3hnhbb.exec:\3hnhbb.exe99⤵
-
\??\c:\djvjd.exec:\djvjd.exe100⤵
-
\??\c:\3xfxrxr.exec:\3xfxrxr.exe101⤵
-
\??\c:\thbbnn.exec:\thbbnn.exe102⤵
-
\??\c:\btbtth.exec:\btbtth.exe103⤵
-
\??\c:\1jdpj.exec:\1jdpj.exe104⤵
-
\??\c:\3xxrlxx.exec:\3xxrlxx.exe105⤵
-
\??\c:\9hnhbn.exec:\9hnhbn.exe106⤵
-
\??\c:\3jppd.exec:\3jppd.exe107⤵
-
\??\c:\jpjjv.exec:\jpjjv.exe108⤵
-
\??\c:\rrllxxr.exec:\rrllxxr.exe109⤵
- System Location Discovery: System Language Discovery
-
\??\c:\7hnhhh.exec:\7hnhhh.exe110⤵
-
\??\c:\nnbhbt.exec:\nnbhbt.exe111⤵
-
\??\c:\ppvjv.exec:\ppvjv.exe112⤵
-
\??\c:\jvddv.exec:\jvddv.exe113⤵
-
\??\c:\xxxxxfx.exec:\xxxxxfx.exe114⤵
-
\??\c:\tbhhtt.exec:\tbhhtt.exe115⤵
-
\??\c:\hnnhth.exec:\hnnhth.exe116⤵
-
\??\c:\7jdvv.exec:\7jdvv.exe117⤵
-
\??\c:\vpdvj.exec:\vpdvj.exe118⤵
-
\??\c:\lrrlrlf.exec:\lrrlrlf.exe119⤵
-
\??\c:\ntnnhh.exec:\ntnnhh.exe120⤵
-
\??\c:\bnnnhh.exec:\bnnnhh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-