Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
27/09/2024, 14:06
General
-
Target
1793b318d98e68980202af7526559a827a3127e53fe95a56efe40351bbcdc76bN.exe
-
Size
71KB
-
MD5
1ade8b39c6e1d586768139bd2a9d3180
-
SHA1
eb9380d3cd3c7fbba5caee983b13d6ae3a5abe20
-
SHA256
1793b318d98e68980202af7526559a827a3127e53fe95a56efe40351bbcdc76b
-
SHA512
1b1a15646308f97a086220038c80a2d0b358caf719c8e2a2cedab98b09f4f346ca8e63a1f6ba4a537bfbe0ed4150cd186fcf4ef15f7e16737ac75338b74bde1d
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfj9:ymb3NkkiQ3mdBjFI4Vt
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 37 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1793b318d98e68980202af7526559a827a3127e53fe95a56efe40351bbcdc76bN.exe"C:\Users\Admin\AppData\Local\Temp\1793b318d98e68980202af7526559a827a3127e53fe95a56efe40351bbcdc76bN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\ddddd.exec:\ddddd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffrxxll.exec:\ffrxxll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tttttt.exec:\tttttt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htnnnn.exec:\htnnnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnhhbb.exec:\bnhhbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjddv.exec:\vjddv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5ddjd.exec:\5ddjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flfflrf.exec:\flfflrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fffxxxx.exec:\fffxxxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhthn.exec:\nnhthn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nttttt.exec:\nttttt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvjd.exec:\pdvjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7lrflfl.exec:\7lrflfl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlfrflx.exec:\xlfrflx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhtttb.exec:\hhtttb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thbbbn.exec:\thbbbn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjdvv.exec:\jjdvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvvp.exec:\ddvvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrrrff.exec:\fxrrrff.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\fxlrrrl.exec:\fxlrrrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntbbhn.exec:\ntbbhn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3nntnt.exec:\3nntnt.exe23⤵
- Executes dropped EXE
-
\??\c:\pdjdd.exec:\pdjdd.exe24⤵
- Executes dropped EXE
-
\??\c:\vvpvp.exec:\vvpvp.exe25⤵
- Executes dropped EXE
-
\??\c:\ffrrrxr.exec:\ffrrrxr.exe26⤵
- Executes dropped EXE
-
\??\c:\flxrrll.exec:\flxrrll.exe27⤵
- Executes dropped EXE
-
\??\c:\tbnttb.exec:\tbnttb.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\nnbhnh.exec:\nnbhnh.exe29⤵
- Executes dropped EXE
-
\??\c:\pppjd.exec:\pppjd.exe30⤵
- Executes dropped EXE
-
\??\c:\pjvdv.exec:\pjvdv.exe31⤵
- Executes dropped EXE
-
\??\c:\xrlrlrx.exec:\xrlrlrx.exe32⤵
- Executes dropped EXE
-
\??\c:\xxlrflf.exec:\xxlrflf.exe33⤵
- Executes dropped EXE
-
\??\c:\nnbtnn.exec:\nnbtnn.exe34⤵
- Executes dropped EXE
-
\??\c:\bntnhn.exec:\bntnhn.exe35⤵
- Executes dropped EXE
-
\??\c:\ddddv.exec:\ddddv.exe36⤵
- Executes dropped EXE
-
\??\c:\vvvvv.exec:\vvvvv.exe37⤵
- Executes dropped EXE
-
\??\c:\frxxxfx.exec:\frxxxfx.exe38⤵
- Executes dropped EXE
-
\??\c:\xfrfrrf.exec:\xfrfrrf.exe39⤵
- Executes dropped EXE
-
\??\c:\nntbbh.exec:\nntbbh.exe40⤵
- Executes dropped EXE
-
\??\c:\bhbbtt.exec:\bhbbtt.exe41⤵
- Executes dropped EXE
-
\??\c:\bhhnnt.exec:\bhhnnt.exe42⤵
- Executes dropped EXE
-
\??\c:\vddvp.exec:\vddvp.exe43⤵
- Executes dropped EXE
-
\??\c:\pdjdd.exec:\pdjdd.exe44⤵
- Executes dropped EXE
-
\??\c:\fxxxrxx.exec:\fxxxrxx.exe45⤵
- Executes dropped EXE
-
\??\c:\fxflfll.exec:\fxflfll.exe46⤵
- Executes dropped EXE
-
\??\c:\fxxrlll.exec:\fxxrlll.exe47⤵
- Executes dropped EXE
-
\??\c:\nnhbbn.exec:\nnhbbn.exe48⤵
- Executes dropped EXE
-
\??\c:\thhnbh.exec:\thhnbh.exe49⤵
- Executes dropped EXE
-
\??\c:\9dddv.exec:\9dddv.exe50⤵
- Executes dropped EXE
-
\??\c:\ddvjj.exec:\ddvjj.exe51⤵
- Executes dropped EXE
-
\??\c:\llfxflx.exec:\llfxflx.exe52⤵
- Executes dropped EXE
-
\??\c:\llxrlrl.exec:\llxrlrl.exe53⤵
- Executes dropped EXE
-
\??\c:\xllfxrl.exec:\xllfxrl.exe54⤵
- Executes dropped EXE
-
\??\c:\bbnnhb.exec:\bbnnhb.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\hnbtnt.exec:\hnbtnt.exe56⤵
- Executes dropped EXE
-
\??\c:\7pvvv.exec:\7pvvv.exe57⤵
- Executes dropped EXE
-
\??\c:\ddddp.exec:\ddddp.exe58⤵
- Executes dropped EXE
-
\??\c:\rlrlfxr.exec:\rlrlfxr.exe59⤵
- Executes dropped EXE
-
\??\c:\5bhbbb.exec:\5bhbbb.exe60⤵
- Executes dropped EXE
-
\??\c:\hhtttb.exec:\hhtttb.exe61⤵
- Executes dropped EXE
-
\??\c:\pdjdv.exec:\pdjdv.exe62⤵
- Executes dropped EXE
-
\??\c:\lfrfxfx.exec:\lfrfxfx.exe63⤵
- Executes dropped EXE
-
\??\c:\rrlffll.exec:\rrlffll.exe64⤵
- Executes dropped EXE
-
\??\c:\bnhhnn.exec:\bnhhnn.exe65⤵
- Executes dropped EXE
-
\??\c:\9pppd.exec:\9pppd.exe66⤵
-
\??\c:\pjvvp.exec:\pjvvp.exe67⤵
-
\??\c:\rxffxrr.exec:\rxffxrr.exe68⤵
-
\??\c:\xxxrffr.exec:\xxxrffr.exe69⤵
-
\??\c:\nnhhht.exec:\nnhhht.exe70⤵
-
\??\c:\bbhnnn.exec:\bbhnnn.exe71⤵
-
\??\c:\tntbbt.exec:\tntbbt.exe72⤵
-
\??\c:\ddvvp.exec:\ddvvp.exe73⤵
-
\??\c:\flxlfxf.exec:\flxlfxf.exe74⤵
-
\??\c:\lfxxflr.exec:\lfxxflr.exe75⤵
-
\??\c:\bbnntb.exec:\bbnntb.exe76⤵
-
\??\c:\bttthh.exec:\bttthh.exe77⤵
-
\??\c:\hhnttb.exec:\hhnttb.exe78⤵
-
\??\c:\flllrrx.exec:\flllrrx.exe79⤵
-
\??\c:\7vjpv.exec:\7vjpv.exe80⤵
-
\??\c:\bbtnbh.exec:\bbtnbh.exe81⤵
-
\??\c:\hbnnhh.exec:\hbnnhh.exe82⤵
-
\??\c:\dvjjp.exec:\dvjjp.exe83⤵
-
\??\c:\rfrffff.exec:\rfrffff.exe84⤵
-
\??\c:\nhtbbh.exec:\nhtbbh.exe85⤵
-
\??\c:\xxrrrrx.exec:\xxrrrrx.exe86⤵
-
\??\c:\djdjj.exec:\djdjj.exe87⤵
-
\??\c:\xxxxlll.exec:\xxxxlll.exe88⤵
-
\??\c:\ffrrffr.exec:\ffrrffr.exe89⤵
-
\??\c:\btbhtt.exec:\btbhtt.exe90⤵
-
\??\c:\ddpjv.exec:\ddpjv.exe91⤵
-
\??\c:\nthhht.exec:\nthhht.exe92⤵
-
\??\c:\rflrrrr.exec:\rflrrrr.exe93⤵
-
\??\c:\ntthhh.exec:\ntthhh.exe94⤵
-
\??\c:\tttbnb.exec:\tttbnb.exe95⤵
-
\??\c:\pjvjd.exec:\pjvjd.exe96⤵
-
\??\c:\ffrrfll.exec:\ffrrfll.exe97⤵
-
\??\c:\rrffxxr.exec:\rrffxxr.exe98⤵
-
\??\c:\rlxrlfx.exec:\rlxrlfx.exe99⤵
-
\??\c:\ttnnnn.exec:\ttnnnn.exe100⤵
-
\??\c:\vdvpp.exec:\vdvpp.exe101⤵
-
\??\c:\pjjdj.exec:\pjjdj.exe102⤵
-
\??\c:\xrrlfrr.exec:\xrrlfrr.exe103⤵
-
\??\c:\5bnntt.exec:\5bnntt.exe104⤵
-
\??\c:\ntttnn.exec:\ntttnn.exe105⤵
-
\??\c:\pvjvv.exec:\pvjvv.exe106⤵
-
\??\c:\rfxrfff.exec:\rfxrfff.exe107⤵
-
\??\c:\fxxrrrl.exec:\fxxrrrl.exe108⤵
-
\??\c:\hhttnn.exec:\hhttnn.exe109⤵
-
\??\c:\dddpj.exec:\dddpj.exe110⤵
-
\??\c:\xfffxll.exec:\xfffxll.exe111⤵
-
\??\c:\rllllrr.exec:\rllllrr.exe112⤵
-
\??\c:\tttbtb.exec:\tttbtb.exe113⤵
-
\??\c:\jdpjj.exec:\jdpjj.exe114⤵
-
\??\c:\rlrrxxr.exec:\rlrrxxr.exe115⤵
-
\??\c:\tntbbb.exec:\tntbbb.exe116⤵
-
\??\c:\bbnbhh.exec:\bbnbhh.exe117⤵
-
\??\c:\vpjpp.exec:\vpjpp.exe118⤵
-
\??\c:\rfllfff.exec:\rfllfff.exe119⤵
-
\??\c:\xxrrflf.exec:\xxrrflf.exe120⤵
-
\??\c:\nhbbhh.exec:\nhbbhh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-