Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
27-09-2024 21:30
General
-
Target
6d20f1f8a985af185a9e837bae43c42ba865a1996094a8df6803728e16026fa6N.exe
-
Size
79KB
-
MD5
f80cfb91ff24007a8869eaeb5a423900
-
SHA1
0d301c578e0ec5e4dce34d3e3f3b81c0f4cb4dd2
-
SHA256
6d20f1f8a985af185a9e837bae43c42ba865a1996094a8df6803728e16026fa6
-
SHA512
b5549713a5e94d5a74034144acff3c214876d5de9276c6ac995e29172a6c19f613651bce60794d3f99715839bf11da139401341bc4ba4a66371037b163f5d63c
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIsIpWCz+FR4RzWqC5rINFE4yeF:ymb3NkkiQ3mdBjFIsIpZ+R4RzWqCu4i
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 28 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d20f1f8a985af185a9e837bae43c42ba865a1996094a8df6803728e16026fa6N.exe"C:\Users\Admin\AppData\Local\Temp\6d20f1f8a985af185a9e837bae43c42ba865a1996094a8df6803728e16026fa6N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\tttbhh.exec:\tttbhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7vddd.exec:\7vddd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7xxrlll.exec:\7xxrlll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlllfff.exec:\xlllfff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9tnnhh.exec:\9tnnhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntbtnn.exec:\ntbtnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvpj.exec:\pjvpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrllfff.exec:\rrllfff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rllllrr.exec:\rllllrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthhbt.exec:\bthhbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvddv.exec:\dvddv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvddv.exec:\dvddv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrflfxf.exec:\xrflfxf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhtbtb.exec:\nhtbtb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vppjd.exec:\vppjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvddj.exec:\pvddj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrrlffx.exec:\lrrlffx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbtnn.exec:\tnbtnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjdd.exec:\pjjdd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flrlrrl.exec:\flrlrrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9lrrxxf.exec:\9lrrxxf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnnnt.exec:\ttnnnt.exe23⤵
- Executes dropped EXE
-
\??\c:\1pppd.exec:\1pppd.exe24⤵
- Executes dropped EXE
-
\??\c:\9rxrlff.exec:\9rxrlff.exe25⤵
- Executes dropped EXE
-
\??\c:\rffxrrr.exec:\rffxrrr.exe26⤵
- Executes dropped EXE
-
\??\c:\htbttt.exec:\htbttt.exe27⤵
- Executes dropped EXE
-
\??\c:\jjdjj.exec:\jjdjj.exe28⤵
- Executes dropped EXE
-
\??\c:\jjvpd.exec:\jjvpd.exe29⤵
- Executes dropped EXE
-
\??\c:\fxxrllf.exec:\fxxrllf.exe30⤵
- Executes dropped EXE
-
\??\c:\bbbbtt.exec:\bbbbtt.exe31⤵
- Executes dropped EXE
-
\??\c:\dvdvd.exec:\dvdvd.exe32⤵
- Executes dropped EXE
-
\??\c:\lxrrrxx.exec:\lxrrrxx.exe33⤵
- Executes dropped EXE
-
\??\c:\tthtth.exec:\tthtth.exe34⤵
- Executes dropped EXE
-
\??\c:\jdvvp.exec:\jdvvp.exe35⤵
- Executes dropped EXE
-
\??\c:\vvdpv.exec:\vvdpv.exe36⤵
- Executes dropped EXE
-
\??\c:\xrrllll.exec:\xrrllll.exe37⤵
- Executes dropped EXE
-
\??\c:\rlrllll.exec:\rlrllll.exe38⤵
- Executes dropped EXE
-
\??\c:\vdddv.exec:\vdddv.exe39⤵
- Executes dropped EXE
-
\??\c:\pdjdv.exec:\pdjdv.exe40⤵
- Executes dropped EXE
-
\??\c:\rrxrflr.exec:\rrxrflr.exe41⤵
- Executes dropped EXE
-
\??\c:\9xrrllf.exec:\9xrrllf.exe42⤵
- Executes dropped EXE
-
\??\c:\ntbhbb.exec:\ntbhbb.exe43⤵
- Executes dropped EXE
-
\??\c:\vdpjd.exec:\vdpjd.exe44⤵
- Executes dropped EXE
-
\??\c:\rlrlllr.exec:\rlrlllr.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\xrrrrrr.exec:\xrrrrrr.exe46⤵
- Executes dropped EXE
-
\??\c:\jddpj.exec:\jddpj.exe47⤵
- Executes dropped EXE
-
\??\c:\frxrrrr.exec:\frxrrrr.exe48⤵
- Executes dropped EXE
-
\??\c:\nnnntb.exec:\nnnntb.exe49⤵
- Executes dropped EXE
-
\??\c:\ddpjd.exec:\ddpjd.exe50⤵
- Executes dropped EXE
-
\??\c:\nbhttn.exec:\nbhttn.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\rlfxffx.exec:\rlfxffx.exe52⤵
- Executes dropped EXE
-
\??\c:\pdddd.exec:\pdddd.exe53⤵
- Executes dropped EXE
-
\??\c:\1rffllf.exec:\1rffllf.exe54⤵
- Executes dropped EXE
-
\??\c:\9fflfrr.exec:\9fflfrr.exe55⤵
- Executes dropped EXE
-
\??\c:\1ttttt.exec:\1ttttt.exe56⤵
- Executes dropped EXE
-
\??\c:\nnhtnb.exec:\nnhtnb.exe57⤵
- Executes dropped EXE
-
\??\c:\pjjjj.exec:\pjjjj.exe58⤵
- Executes dropped EXE
-
\??\c:\rxrlfrl.exec:\rxrlfrl.exe59⤵
- Executes dropped EXE
-
\??\c:\5rrllxr.exec:\5rrllxr.exe60⤵
- Executes dropped EXE
-
\??\c:\bthbtt.exec:\bthbtt.exe61⤵
- Executes dropped EXE
-
\??\c:\3vppd.exec:\3vppd.exe62⤵
- Executes dropped EXE
-
\??\c:\pjjdv.exec:\pjjdv.exe63⤵
- Executes dropped EXE
-
\??\c:\xrrrlll.exec:\xrrrlll.exe64⤵
- Executes dropped EXE
-
\??\c:\bttttt.exec:\bttttt.exe65⤵
- Executes dropped EXE
-
\??\c:\tthtnn.exec:\tthtnn.exe66⤵
-
\??\c:\7ddjv.exec:\7ddjv.exe67⤵
- System Location Discovery: System Language Discovery
-
\??\c:\5bhhbh.exec:\5bhhbh.exe68⤵
-
\??\c:\ppvpd.exec:\ppvpd.exe69⤵
-
\??\c:\pdddj.exec:\pdddj.exe70⤵
-
\??\c:\xfxfrfl.exec:\xfxfrfl.exe71⤵
-
\??\c:\fxffxxx.exec:\fxffxxx.exe72⤵
-
\??\c:\ntttnn.exec:\ntttnn.exe73⤵
-
\??\c:\vpvdj.exec:\vpvdj.exe74⤵
-
\??\c:\jdpjd.exec:\jdpjd.exe75⤵
-
\??\c:\flllllr.exec:\flllllr.exe76⤵
-
\??\c:\ffxfrrx.exec:\ffxfrrx.exe77⤵
-
\??\c:\tnbthb.exec:\tnbthb.exe78⤵
-
\??\c:\5jjjd.exec:\5jjjd.exe79⤵
-
\??\c:\5ffxrrl.exec:\5ffxrrl.exe80⤵
-
\??\c:\7rxrlrr.exec:\7rxrlrr.exe81⤵
-
\??\c:\5ttnbh.exec:\5ttnbh.exe82⤵
-
\??\c:\9hhbtt.exec:\9hhbtt.exe83⤵
-
\??\c:\jpvvj.exec:\jpvvj.exe84⤵
-
\??\c:\3rllxff.exec:\3rllxff.exe85⤵
-
\??\c:\httbbb.exec:\httbbb.exe86⤵
-
\??\c:\nhbhtb.exec:\nhbhtb.exe87⤵
-
\??\c:\vdddv.exec:\vdddv.exe88⤵
-
\??\c:\vjdpj.exec:\vjdpj.exe89⤵
-
\??\c:\rxfxxxr.exec:\rxfxxxr.exe90⤵
-
\??\c:\fxfrfxr.exec:\fxfrfxr.exe91⤵
-
\??\c:\1ntnth.exec:\1ntnth.exe92⤵
-
\??\c:\3nnhbb.exec:\3nnhbb.exe93⤵
-
\??\c:\5dvvj.exec:\5dvvj.exe94⤵
-
\??\c:\flfxrll.exec:\flfxrll.exe95⤵
-
\??\c:\nnttbb.exec:\nnttbb.exe96⤵
-
\??\c:\hhtnnn.exec:\hhtnnn.exe97⤵
-
\??\c:\vpdvd.exec:\vpdvd.exe98⤵
-
\??\c:\vvpvd.exec:\vvpvd.exe99⤵
-
\??\c:\rlfxffl.exec:\rlfxffl.exe100⤵
-
\??\c:\nhnnnt.exec:\nhnnnt.exe101⤵
-
\??\c:\3ttttb.exec:\3ttttb.exe102⤵
-
\??\c:\dvvvv.exec:\dvvvv.exe103⤵
-
\??\c:\7pddp.exec:\7pddp.exe104⤵
-
\??\c:\lrxrlll.exec:\lrxrlll.exe105⤵
-
\??\c:\flxffll.exec:\flxffll.exe106⤵
-
\??\c:\9ttbtt.exec:\9ttbtt.exe107⤵
-
\??\c:\hbhbtb.exec:\hbhbtb.exe108⤵
-
\??\c:\vpvpp.exec:\vpvpp.exe109⤵
-
\??\c:\lfxrrll.exec:\lfxrrll.exe110⤵
-
\??\c:\3lxxffr.exec:\3lxxffr.exe111⤵
-
\??\c:\hhhttt.exec:\hhhttt.exe112⤵
-
\??\c:\7ttttn.exec:\7ttttn.exe113⤵
-
\??\c:\1vddv.exec:\1vddv.exe114⤵
-
\??\c:\ntbttt.exec:\ntbttt.exe115⤵
-
\??\c:\bhbtnn.exec:\bhbtnn.exe116⤵
-
\??\c:\vvvpp.exec:\vvvpp.exe117⤵
-
\??\c:\xrrrrrr.exec:\xrrrrrr.exe118⤵
-
\??\c:\lffxrrl.exec:\lffxrrl.exe119⤵
-
\??\c:\bthbbb.exec:\bthbbb.exe120⤵
-
\??\c:\tbhbbh.exec:\tbhbbh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-