Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
30/09/2024, 04:01
General
-
Target
9f7bb2559f60a39c715fe616b76ce05ec58b23db74609343ec39157b2cad652aN.exe
-
Size
105KB
-
MD5
f0f374ee51e06c88b1bd95674ed640b0
-
SHA1
a5f9becfc10b3bbae313d9fcb638424a66f97b83
-
SHA256
9f7bb2559f60a39c715fe616b76ce05ec58b23db74609343ec39157b2cad652a
-
SHA512
30c5d5dd92f3b5393ecf567fa5f531e536891580afa25bf57f249cdf0b3c7c7971a2d447624631c287d001623cc5f90aff2b284bac4dc76125951b01f972648d
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73PYP1lri3KVT+buwUGu3P3Cmr:n3C9BRo7MlrWKVT+buBGu3PHr
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f7bb2559f60a39c715fe616b76ce05ec58b23db74609343ec39157b2cad652aN.exe"C:\Users\Admin\AppData\Local\Temp\9f7bb2559f60a39c715fe616b76ce05ec58b23db74609343ec39157b2cad652aN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rxfrfxr.exec:\rxfrfxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9ntthb.exec:\9ntthb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvdpp.exec:\jvdpp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrfxrl.exec:\xrrfxrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthntt.exec:\bthntt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1pjdp.exec:\1pjdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxxfrl.exec:\rfxxfrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htnhtn.exec:\htnhtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thbthb.exec:\thbthb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvvjv.exec:\pvvjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3rlfrlr.exec:\3rlfrlr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbbtbt.exec:\bbbtbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thbtnn.exec:\thbtnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpppv.exec:\vpppv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlfxfxr.exec:\xlfxfxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1nnbtn.exec:\1nnbtn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjvpv.exec:\vjvpv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbbhhh.exec:\hbbhhh.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\bhbnbb.exec:\bhbnbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1pdvp.exec:\1pdvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frlxlrl.exec:\frlxlrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbbnnh.exec:\tbbnnh.exe23⤵
- Executes dropped EXE
-
\??\c:\vpjdv.exec:\vpjdv.exe24⤵
- Executes dropped EXE
-
\??\c:\rflffxx.exec:\rflffxx.exe25⤵
- Executes dropped EXE
-
\??\c:\bntnhh.exec:\bntnhh.exe26⤵
- Executes dropped EXE
-
\??\c:\1jpjd.exec:\1jpjd.exe27⤵
- Executes dropped EXE
-
\??\c:\lxlfxrl.exec:\lxlfxrl.exe28⤵
- Executes dropped EXE
-
\??\c:\xllrrxf.exec:\xllrrxf.exe29⤵
- Executes dropped EXE
-
\??\c:\hnnhtn.exec:\hnnhtn.exe30⤵
- Executes dropped EXE
-
\??\c:\pjjvp.exec:\pjjvp.exe31⤵
- Executes dropped EXE
-
\??\c:\frrrxfl.exec:\frrrxfl.exe32⤵
- Executes dropped EXE
-
\??\c:\bhbthb.exec:\bhbthb.exe33⤵
- Executes dropped EXE
-
\??\c:\vvdvj.exec:\vvdvj.exe34⤵
- Executes dropped EXE
-
\??\c:\xllxxrl.exec:\xllxxrl.exe35⤵
- Executes dropped EXE
-
\??\c:\9ffxrrl.exec:\9ffxrrl.exe36⤵
- Executes dropped EXE
-
\??\c:\thnhhb.exec:\thnhhb.exe37⤵
- Executes dropped EXE
-
\??\c:\vdddd.exec:\vdddd.exe38⤵
- Executes dropped EXE
-
\??\c:\ppvpd.exec:\ppvpd.exe39⤵
- Executes dropped EXE
-
\??\c:\9fxrrrl.exec:\9fxrrrl.exe40⤵
- Executes dropped EXE
-
\??\c:\3hhtnn.exec:\3hhtnn.exe41⤵
- Executes dropped EXE
-
\??\c:\httnbb.exec:\httnbb.exe42⤵
- Executes dropped EXE
-
\??\c:\ppvvd.exec:\ppvvd.exe43⤵
- Executes dropped EXE
-
\??\c:\3rrrrrl.exec:\3rrrrrl.exe44⤵
- Executes dropped EXE
-
\??\c:\7xffxrr.exec:\7xffxrr.exe45⤵
- Executes dropped EXE
-
\??\c:\3nbttn.exec:\3nbttn.exe46⤵
- Executes dropped EXE
-
\??\c:\hthnbh.exec:\hthnbh.exe47⤵
- Executes dropped EXE
-
\??\c:\jdjvp.exec:\jdjvp.exe48⤵
- Executes dropped EXE
-
\??\c:\lxxfxff.exec:\lxxfxff.exe49⤵
- Executes dropped EXE
-
\??\c:\5lffxxf.exec:\5lffxxf.exe50⤵
- Executes dropped EXE
-
\??\c:\3btnnb.exec:\3btnnb.exe51⤵
- Executes dropped EXE
-
\??\c:\vpdvd.exec:\vpdvd.exe52⤵
- Executes dropped EXE
-
\??\c:\pdjdj.exec:\pdjdj.exe53⤵
- Executes dropped EXE
-
\??\c:\frfxxxf.exec:\frfxxxf.exe54⤵
- Executes dropped EXE
-
\??\c:\ttbnbh.exec:\ttbnbh.exe55⤵
- Executes dropped EXE
-
\??\c:\pvpvd.exec:\pvpvd.exe56⤵
- Executes dropped EXE
-
\??\c:\jjjdv.exec:\jjjdv.exe57⤵
- Executes dropped EXE
-
\??\c:\ffxrlff.exec:\ffxrlff.exe58⤵
- Executes dropped EXE
-
\??\c:\xflfxrl.exec:\xflfxrl.exe59⤵
- Executes dropped EXE
-
\??\c:\frrlfrl.exec:\frrlfrl.exe60⤵
- Executes dropped EXE
-
\??\c:\nbbthn.exec:\nbbthn.exe61⤵
- Executes dropped EXE
-
\??\c:\dpvpd.exec:\dpvpd.exe62⤵
- Executes dropped EXE
-
\??\c:\ddddv.exec:\ddddv.exe63⤵
- Executes dropped EXE
-
\??\c:\lfxlxxr.exec:\lfxlxxr.exe64⤵
- Executes dropped EXE
-
\??\c:\5xlfxxr.exec:\5xlfxxr.exe65⤵
- Executes dropped EXE
-
\??\c:\nbbhtb.exec:\nbbhtb.exe66⤵
-
\??\c:\pddjj.exec:\pddjj.exe67⤵
-
\??\c:\jvvpj.exec:\jvvpj.exe68⤵
-
\??\c:\jvpjd.exec:\jvpjd.exe69⤵
-
\??\c:\fxlfrrr.exec:\fxlfrrr.exe70⤵
-
\??\c:\nbtnhh.exec:\nbtnhh.exe71⤵
-
\??\c:\hthttt.exec:\hthttt.exe72⤵
-
\??\c:\jvdvp.exec:\jvdvp.exe73⤵
-
\??\c:\7dddp.exec:\7dddp.exe74⤵
-
\??\c:\fxfrfrx.exec:\fxfrfrx.exe75⤵
-
\??\c:\vjjjd.exec:\vjjjd.exe76⤵
-
\??\c:\flrlxfr.exec:\flrlxfr.exe77⤵
-
\??\c:\flllllf.exec:\flllllf.exe78⤵
-
\??\c:\3nhhtt.exec:\3nhhtt.exe79⤵
-
\??\c:\nnnhbn.exec:\nnnhbn.exe80⤵
-
\??\c:\5vpjd.exec:\5vpjd.exe81⤵
-
\??\c:\dpjdp.exec:\dpjdp.exe82⤵
-
\??\c:\lrrxxff.exec:\lrrxxff.exe83⤵
-
\??\c:\xfxllrf.exec:\xfxllrf.exe84⤵
-
\??\c:\hbtnhh.exec:\hbtnhh.exe85⤵
-
\??\c:\pjpvd.exec:\pjpvd.exe86⤵
-
\??\c:\dddvp.exec:\dddvp.exe87⤵
-
\??\c:\xrflfff.exec:\xrflfff.exe88⤵
-
\??\c:\frlrllf.exec:\frlrllf.exe89⤵
-
\??\c:\thntnn.exec:\thntnn.exe90⤵
-
\??\c:\ppvpj.exec:\ppvpj.exe91⤵
-
\??\c:\lffxxxx.exec:\lffxxxx.exe92⤵
-
\??\c:\9rxrxxf.exec:\9rxrxxf.exe93⤵
-
\??\c:\frxxfff.exec:\frxxfff.exe94⤵
-
\??\c:\nhbbbb.exec:\nhbbbb.exe95⤵
-
\??\c:\htbtbn.exec:\htbtbn.exe96⤵
-
\??\c:\3pdvj.exec:\3pdvj.exe97⤵
-
\??\c:\vpvjj.exec:\vpvjj.exe98⤵
-
\??\c:\llfrffx.exec:\llfrffx.exe99⤵
-
\??\c:\ffxrrlx.exec:\ffxrrlx.exe100⤵
-
\??\c:\tbnnhh.exec:\tbnnhh.exe101⤵
-
\??\c:\httbtt.exec:\httbtt.exe102⤵
-
\??\c:\pdvjp.exec:\pdvjp.exe103⤵
-
\??\c:\jvdvp.exec:\jvdvp.exe104⤵
-
\??\c:\lfxfxxr.exec:\lfxfxxr.exe105⤵
-
\??\c:\bhtbtt.exec:\bhtbtt.exe106⤵
-
\??\c:\ntbthh.exec:\ntbthh.exe107⤵
-
\??\c:\htntht.exec:\htntht.exe108⤵
- System Location Discovery: System Language Discovery
-
\??\c:\pppjd.exec:\pppjd.exe109⤵
-
\??\c:\lfxrllf.exec:\lfxrllf.exe110⤵
-
\??\c:\lrrxrrl.exec:\lrrxrrl.exe111⤵
-
\??\c:\3hbbbb.exec:\3hbbbb.exe112⤵
-
\??\c:\hbbbtt.exec:\hbbbtt.exe113⤵
-
\??\c:\5dvpd.exec:\5dvpd.exe114⤵
-
\??\c:\dvdvv.exec:\dvdvv.exe115⤵
-
\??\c:\3fxrllf.exec:\3fxrllf.exe116⤵
-
\??\c:\xllfxfl.exec:\xllfxfl.exe117⤵
-
\??\c:\tbbbtt.exec:\tbbbtt.exe118⤵
-
\??\c:\bnhbtt.exec:\bnhbtt.exe119⤵
-
\??\c:\jddjd.exec:\jddjd.exe120⤵
-
\??\c:\fxfxxxf.exec:\fxfxxxf.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-