Analysis
-
max time kernel
120s -
max time network
108s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
28-09-2024 08:37
General
-
Target
5ff125fe3e22ed74e97814b76bf9cb11825bc1054b31eb081b8601971a11cff4N.exe
-
Size
64KB
-
MD5
0e27ecbb18e0117535d284707d2aa900
-
SHA1
cc14e4ec60ca0d8f0cd29398af98a2de9d60b0ca
-
SHA256
5ff125fe3e22ed74e97814b76bf9cb11825bc1054b31eb081b8601971a11cff4
-
SHA512
b3844cd879bd1e9500128534a93a44605a1de6ecfc67cd273654983a507b7fac2cb2be131f26d086c6ffc59ef66771367413b6e698b77817a2af6afb34be84ba
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDI9L27i:ymb3NkkiQ3mdBjFI9t
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 36 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5ff125fe3e22ed74e97814b76bf9cb11825bc1054b31eb081b8601971a11cff4N.exe"C:\Users\Admin\AppData\Local\Temp\5ff125fe3e22ed74e97814b76bf9cb11825bc1054b31eb081b8601971a11cff4N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\thhbht.exec:\thhbht.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvddv.exec:\pvddv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrfxxxx.exec:\rrfxxxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tthhtt.exec:\tthhtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\httnbb.exec:\httnbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnhbt.exec:\btnhbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjdd.exec:\pjjdd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lffxlll.exec:\lffxlll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbttht.exec:\bbttht.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddpvp.exec:\ddpvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tthhnn.exec:\tthhnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppvpp.exec:\ppvpp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xffxrrl.exec:\xffxrrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxlfxfx.exec:\rxlfxfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbbbtt.exec:\nbbbtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvvp.exec:\ddvvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvpp.exec:\dvvpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrxrxxr.exec:\rrxrxxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxrflxf.exec:\rxrflxf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddpdv.exec:\ddpdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\httthh.exec:\httthh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9jpjd.exec:\9jpjd.exe23⤵
- Executes dropped EXE
-
\??\c:\pdddv.exec:\pdddv.exe24⤵
- Executes dropped EXE
-
\??\c:\1lrfxll.exec:\1lrfxll.exe25⤵
- Executes dropped EXE
-
\??\c:\rlxrlxr.exec:\rlxrlxr.exe26⤵
- Executes dropped EXE
-
\??\c:\htnhhb.exec:\htnhhb.exe27⤵
- Executes dropped EXE
-
\??\c:\ppjjd.exec:\ppjjd.exe28⤵
- Executes dropped EXE
-
\??\c:\jvjdv.exec:\jvjdv.exe29⤵
- Executes dropped EXE
-
\??\c:\lfxfxxx.exec:\lfxfxxx.exe30⤵
- Executes dropped EXE
-
\??\c:\nhbhhh.exec:\nhbhhh.exe31⤵
- Executes dropped EXE
-
\??\c:\hbhbtt.exec:\hbhbtt.exe32⤵
- Executes dropped EXE
-
\??\c:\pjjdv.exec:\pjjdv.exe33⤵
- Executes dropped EXE
-
\??\c:\xflfrrl.exec:\xflfrrl.exe34⤵
- Executes dropped EXE
-
\??\c:\bnbbbb.exec:\bnbbbb.exe35⤵
- Executes dropped EXE
-
\??\c:\pjpvp.exec:\pjpvp.exe36⤵
- Executes dropped EXE
-
\??\c:\jvdpv.exec:\jvdpv.exe37⤵
- Executes dropped EXE
-
\??\c:\lfxxrrr.exec:\lfxxrrr.exe38⤵
- Executes dropped EXE
-
\??\c:\thtttt.exec:\thtttt.exe39⤵
- Executes dropped EXE
-
\??\c:\hhbbbb.exec:\hhbbbb.exe40⤵
- Executes dropped EXE
-
\??\c:\jpdvp.exec:\jpdvp.exe41⤵
- Executes dropped EXE
-
\??\c:\rxfxrrr.exec:\rxfxrrr.exe42⤵
- Executes dropped EXE
-
\??\c:\7fxflll.exec:\7fxflll.exe43⤵
- Executes dropped EXE
-
\??\c:\jpjjj.exec:\jpjjj.exe44⤵
- Executes dropped EXE
-
\??\c:\nhhbtn.exec:\nhhbtn.exe45⤵
- Executes dropped EXE
-
\??\c:\nttnhh.exec:\nttnhh.exe46⤵
- Executes dropped EXE
-
\??\c:\djpjp.exec:\djpjp.exe47⤵
- Executes dropped EXE
-
\??\c:\vpjjj.exec:\vpjjj.exe48⤵
- Executes dropped EXE
-
\??\c:\lfrrrxf.exec:\lfrrrxf.exe49⤵
- Executes dropped EXE
-
\??\c:\btbbnn.exec:\btbbnn.exe50⤵
- Executes dropped EXE
-
\??\c:\pdvvv.exec:\pdvvv.exe51⤵
- Executes dropped EXE
-
\??\c:\vjppj.exec:\vjppj.exe52⤵
- Executes dropped EXE
-
\??\c:\rrlffff.exec:\rrlffff.exe53⤵
- Executes dropped EXE
-
\??\c:\hbhhhh.exec:\hbhhhh.exe54⤵
- Executes dropped EXE
-
\??\c:\1tntnn.exec:\1tntnn.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\dvjdv.exec:\dvjdv.exe56⤵
- Executes dropped EXE
-
\??\c:\jddpd.exec:\jddpd.exe57⤵
- Executes dropped EXE
-
\??\c:\lfxrllf.exec:\lfxrllf.exe58⤵
- Executes dropped EXE
-
\??\c:\bhttnt.exec:\bhttnt.exe59⤵
- Executes dropped EXE
-
\??\c:\tbbbtb.exec:\tbbbtb.exe60⤵
- Executes dropped EXE
-
\??\c:\ddvvv.exec:\ddvvv.exe61⤵
- Executes dropped EXE
-
\??\c:\xrllffx.exec:\xrllffx.exe62⤵
- Executes dropped EXE
-
\??\c:\llfffxx.exec:\llfffxx.exe63⤵
- Executes dropped EXE
-
\??\c:\nnhbtn.exec:\nnhbtn.exe64⤵
- Executes dropped EXE
-
\??\c:\hhbtnn.exec:\hhbtnn.exe65⤵
- Executes dropped EXE
-
\??\c:\vppdp.exec:\vppdp.exe66⤵
-
\??\c:\llfffff.exec:\llfffff.exe67⤵
-
\??\c:\fxffffx.exec:\fxffffx.exe68⤵
-
\??\c:\nhhhbb.exec:\nhhhbb.exe69⤵
-
\??\c:\thnnnt.exec:\thnnnt.exe70⤵
-
\??\c:\jdvpj.exec:\jdvpj.exe71⤵
-
\??\c:\flrfxxr.exec:\flrfxxr.exe72⤵
-
\??\c:\1frlfff.exec:\1frlfff.exe73⤵
-
\??\c:\hnbhtt.exec:\hnbhtt.exe74⤵
-
\??\c:\3ttbtt.exec:\3ttbtt.exe75⤵
-
\??\c:\pjjvj.exec:\pjjvj.exe76⤵
-
\??\c:\lxxrrxx.exec:\lxxrrxx.exe77⤵
-
\??\c:\bbhbbh.exec:\bbhbbh.exe78⤵
-
\??\c:\hbtbth.exec:\hbtbth.exe79⤵
-
\??\c:\jdjjv.exec:\jdjjv.exe80⤵
-
\??\c:\xrllrxl.exec:\xrllrxl.exe81⤵
-
\??\c:\frxxrrr.exec:\frxxrrr.exe82⤵
-
\??\c:\hbthbt.exec:\hbthbt.exe83⤵
-
\??\c:\bnhhbb.exec:\bnhhbb.exe84⤵
-
\??\c:\9pvvj.exec:\9pvvj.exe85⤵
-
\??\c:\xrxrlll.exec:\xrxrlll.exe86⤵
-
\??\c:\1bbtnn.exec:\1bbtnn.exe87⤵
-
\??\c:\nbbthh.exec:\nbbthh.exe88⤵
-
\??\c:\5vjjv.exec:\5vjjv.exe89⤵
-
\??\c:\vppjv.exec:\vppjv.exe90⤵
-
\??\c:\xfffxxx.exec:\xfffxxx.exe91⤵
-
\??\c:\7nhhtt.exec:\7nhhtt.exe92⤵
-
\??\c:\3pppj.exec:\3pppj.exe93⤵
-
\??\c:\jpvjp.exec:\jpvjp.exe94⤵
-
\??\c:\7xlffff.exec:\7xlffff.exe95⤵
-
\??\c:\rfllllr.exec:\rfllllr.exe96⤵
-
\??\c:\vvppj.exec:\vvppj.exe97⤵
-
\??\c:\dvjvj.exec:\dvjvj.exe98⤵
-
\??\c:\frrlffx.exec:\frrlffx.exe99⤵
-
\??\c:\tnhnbb.exec:\tnhnbb.exe100⤵
-
\??\c:\nnbbnn.exec:\nnbbnn.exe101⤵
-
\??\c:\5jvpj.exec:\5jvpj.exe102⤵
-
\??\c:\rlrrrll.exec:\rlrrrll.exe103⤵
-
\??\c:\9fffxrr.exec:\9fffxrr.exe104⤵
-
\??\c:\bbbttt.exec:\bbbttt.exe105⤵
-
\??\c:\djpjv.exec:\djpjv.exe106⤵
-
\??\c:\vdjdp.exec:\vdjdp.exe107⤵
-
\??\c:\xfllfff.exec:\xfllfff.exe108⤵
-
\??\c:\hhhhhh.exec:\hhhhhh.exe109⤵
-
\??\c:\3nnhtt.exec:\3nnhtt.exe110⤵
-
\??\c:\7ppjd.exec:\7ppjd.exe111⤵
-
\??\c:\vpppd.exec:\vpppd.exe112⤵
-
\??\c:\lfxxffl.exec:\lfxxffl.exe113⤵
-
\??\c:\tntnnn.exec:\tntnnn.exe114⤵
-
\??\c:\9htnbh.exec:\9htnbh.exe115⤵
-
\??\c:\nntttt.exec:\nntttt.exe116⤵
-
\??\c:\pvpjd.exec:\pvpjd.exe117⤵
-
\??\c:\jjdvd.exec:\jjdvd.exe118⤵
-
\??\c:\rrrfxxx.exec:\rrrfxxx.exe119⤵
-
\??\c:\bhhhhh.exec:\bhhhhh.exe120⤵
-
\??\c:\hbhbbb.exec:\hbhbbb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-