Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
30/09/2024, 19:36
General
-
Target
e5061c59b75f3b2ead9b003640c6455fb0753539583e3cb7696661ac3dc00c2eN.exe
-
Size
230KB
-
MD5
8d31b2050350690416a2d0616c169230
-
SHA1
37271994f7fad872907e9cae1204cbe0f558d41a
-
SHA256
e5061c59b75f3b2ead9b003640c6455fb0753539583e3cb7696661ac3dc00c2e
-
SHA512
233c21dc35356a46fd6deb75b347e16c83e8d5d681f493299e559d65f055e67d2a203b6aac6f41d3b9558015e42022337c84d525bb36d8fc23f9f9f1be1f3f87
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1fX:n3C9BRo7MlrWKo+lxKk1fX
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e5061c59b75f3b2ead9b003640c6455fb0753539583e3cb7696661ac3dc00c2eN.exe"C:\Users\Admin\AppData\Local\Temp\e5061c59b75f3b2ead9b003640c6455fb0753539583e3cb7696661ac3dc00c2eN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\bhbhtt.exec:\bhbhtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvpp.exec:\dvvpp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxlxlx.exec:\rfxlxlx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nttnnn.exec:\nttnnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xllfxxx.exec:\xllfxxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fllfxrl.exec:\fllfxrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnhbb.exec:\tnnhbb.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\dpdpj.exec:\dpdpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrlrrlx.exec:\lrlrrlx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhhbnh.exec:\bhhbnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frlfxrl.exec:\frlfxrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlrlxxr.exec:\xlrlxxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvpj.exec:\dvvpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbhtnh.exec:\bbhtnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jppjv.exec:\jppjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfffxxx.exec:\lfffxxx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbhnn.exec:\hhbhnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpdd.exec:\dvpdd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrlrrx.exec:\lfrlrrx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnbtn.exec:\ttnbtn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhthhb.exec:\hhthhb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jppjd.exec:\jppjd.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\rrrflfx.exec:\rrrflfx.exe24⤵
- Executes dropped EXE
-
\??\c:\rllxrff.exec:\rllxrff.exe25⤵
- Executes dropped EXE
-
\??\c:\hbnhnt.exec:\hbnhnt.exe26⤵
- Executes dropped EXE
-
\??\c:\bntnhb.exec:\bntnhb.exe27⤵
- Executes dropped EXE
-
\??\c:\vvdvj.exec:\vvdvj.exe28⤵
- Executes dropped EXE
-
\??\c:\fxfxfxx.exec:\fxfxfxx.exe29⤵
- Executes dropped EXE
-
\??\c:\nbttnn.exec:\nbttnn.exe30⤵
- Executes dropped EXE
-
\??\c:\dppdj.exec:\dppdj.exe31⤵
- Executes dropped EXE
-
\??\c:\xrlrlll.exec:\xrlrlll.exe32⤵
- Executes dropped EXE
-
\??\c:\thnhnn.exec:\thnhnn.exe33⤵
- Executes dropped EXE
-
\??\c:\tbhbhb.exec:\tbhbhb.exe34⤵
- Executes dropped EXE
-
\??\c:\dppjj.exec:\dppjj.exe35⤵
- Executes dropped EXE
-
\??\c:\7rlfxfx.exec:\7rlfxfx.exe36⤵
- Executes dropped EXE
-
\??\c:\hbthbt.exec:\hbthbt.exe37⤵
- Executes dropped EXE
-
\??\c:\jpvpv.exec:\jpvpv.exe38⤵
- Executes dropped EXE
-
\??\c:\vvvpp.exec:\vvvpp.exe39⤵
- Executes dropped EXE
-
\??\c:\frrlxxr.exec:\frrlxxr.exe40⤵
- Executes dropped EXE
-
\??\c:\9bhbhh.exec:\9bhbhh.exe41⤵
- Executes dropped EXE
-
\??\c:\hbnnhh.exec:\hbnnhh.exe42⤵
- Executes dropped EXE
-
\??\c:\pvdpj.exec:\pvdpj.exe43⤵
- Executes dropped EXE
-
\??\c:\rlrrxlr.exec:\rlrrxlr.exe44⤵
- Executes dropped EXE
-
\??\c:\nthtnh.exec:\nthtnh.exe45⤵
- Executes dropped EXE
-
\??\c:\7hhbbt.exec:\7hhbbt.exe46⤵
- Executes dropped EXE
-
\??\c:\5jdpp.exec:\5jdpp.exe47⤵
- Executes dropped EXE
-
\??\c:\rllfxrl.exec:\rllfxrl.exe48⤵
- Executes dropped EXE
-
\??\c:\fxxrlfl.exec:\fxxrlfl.exe49⤵
- Executes dropped EXE
-
\??\c:\nbnhth.exec:\nbnhth.exe50⤵
- Executes dropped EXE
-
\??\c:\jpjpd.exec:\jpjpd.exe51⤵
- Executes dropped EXE
-
\??\c:\1rxffrl.exec:\1rxffrl.exe52⤵
- Executes dropped EXE
-
\??\c:\htbtnh.exec:\htbtnh.exe53⤵
- Executes dropped EXE
-
\??\c:\xrlllll.exec:\xrlllll.exe54⤵
- Executes dropped EXE
-
\??\c:\nhhnnt.exec:\nhhnnt.exe55⤵
- Executes dropped EXE
-
\??\c:\vdddd.exec:\vdddd.exe56⤵
- Executes dropped EXE
-
\??\c:\vpvjv.exec:\vpvjv.exe57⤵
- Executes dropped EXE
-
\??\c:\rlfxlrx.exec:\rlfxlrx.exe58⤵
- Executes dropped EXE
-
\??\c:\nbnnht.exec:\nbnnht.exe59⤵
- Executes dropped EXE
-
\??\c:\hbhbhh.exec:\hbhbhh.exe60⤵
- Executes dropped EXE
-
\??\c:\pjppp.exec:\pjppp.exe61⤵
- Executes dropped EXE
-
\??\c:\5xxlxxf.exec:\5xxlxxf.exe62⤵
- Executes dropped EXE
-
\??\c:\llxxrrl.exec:\llxxrrl.exe63⤵
- Executes dropped EXE
-
\??\c:\tbbnhb.exec:\tbbnhb.exe64⤵
- Executes dropped EXE
-
\??\c:\3bhbnh.exec:\3bhbnh.exe65⤵
- Executes dropped EXE
-
\??\c:\dvddj.exec:\dvddj.exe66⤵
-
\??\c:\frxxrrl.exec:\frxxrrl.exe67⤵
-
\??\c:\1frlffr.exec:\1frlffr.exe68⤵
-
\??\c:\hnhhbb.exec:\hnhhbb.exe69⤵
-
\??\c:\dvpjd.exec:\dvpjd.exe70⤵
-
\??\c:\7pjdd.exec:\7pjdd.exe71⤵
-
\??\c:\rxlfxxr.exec:\rxlfxxr.exe72⤵
-
\??\c:\ffffxfx.exec:\ffffxfx.exe73⤵
-
\??\c:\bnttbt.exec:\bnttbt.exe74⤵
-
\??\c:\vdjdv.exec:\vdjdv.exe75⤵
-
\??\c:\9vpvj.exec:\9vpvj.exe76⤵
-
\??\c:\flxxrll.exec:\flxxrll.exe77⤵
-
\??\c:\lxlfxfx.exec:\lxlfxfx.exe78⤵
-
\??\c:\bnnhbt.exec:\bnnhbt.exe79⤵
-
\??\c:\jjjdp.exec:\jjjdp.exe80⤵
-
\??\c:\jvvpp.exec:\jvvpp.exe81⤵
-
\??\c:\fxrxxrr.exec:\fxrxxrr.exe82⤵
-
\??\c:\lfrlrrx.exec:\lfrlrrx.exe83⤵
-
\??\c:\bthnbt.exec:\bthnbt.exe84⤵
-
\??\c:\pjjvv.exec:\pjjvv.exe85⤵
-
\??\c:\lfrrflr.exec:\lfrrflr.exe86⤵
-
\??\c:\fxffxxx.exec:\fxffxxx.exe87⤵
-
\??\c:\bbhbhh.exec:\bbhbhh.exe88⤵
-
\??\c:\ddvdv.exec:\ddvdv.exe89⤵
-
\??\c:\jvvpj.exec:\jvvpj.exe90⤵
-
\??\c:\1lxrlll.exec:\1lxrlll.exe91⤵
-
\??\c:\5rxxffl.exec:\5rxxffl.exe92⤵
-
\??\c:\bhnhnh.exec:\bhnhnh.exe93⤵
-
\??\c:\jdvpp.exec:\jdvpp.exe94⤵
-
\??\c:\vpjdp.exec:\vpjdp.exe95⤵
-
\??\c:\frxlxxl.exec:\frxlxxl.exe96⤵
-
\??\c:\bttnnh.exec:\bttnnh.exe97⤵
-
\??\c:\bnbttn.exec:\bnbttn.exe98⤵
-
\??\c:\jdddd.exec:\jdddd.exe99⤵
-
\??\c:\pddvj.exec:\pddvj.exe100⤵
-
\??\c:\xrrxxfx.exec:\xrrxxfx.exe101⤵
-
\??\c:\hhnhhh.exec:\hhnhhh.exe102⤵
-
\??\c:\bthbtt.exec:\bthbtt.exe103⤵
- System Location Discovery: System Language Discovery
-
\??\c:\jvvjd.exec:\jvvjd.exe104⤵
-
\??\c:\5vvpd.exec:\5vvpd.exe105⤵
-
\??\c:\rlrrlll.exec:\rlrrlll.exe106⤵
-
\??\c:\bnnnnn.exec:\bnnnnn.exe107⤵
-
\??\c:\7vdpj.exec:\7vdpj.exe108⤵
-
\??\c:\pdjjj.exec:\pdjjj.exe109⤵
-
\??\c:\9xrrlfx.exec:\9xrrlfx.exe110⤵
-
\??\c:\xllffxr.exec:\xllffxr.exe111⤵
-
\??\c:\nhhbbt.exec:\nhhbbt.exe112⤵
-
\??\c:\vvvdd.exec:\vvvdd.exe113⤵
-
\??\c:\djddv.exec:\djddv.exe114⤵
- System Location Discovery: System Language Discovery
-
\??\c:\lxxxrrr.exec:\lxxxrrr.exe115⤵
-
\??\c:\rxfxrlf.exec:\rxfxrlf.exe116⤵
-
\??\c:\hntnnt.exec:\hntnnt.exe117⤵
-
\??\c:\thbbbb.exec:\thbbbb.exe118⤵
-
\??\c:\vdpjv.exec:\vdpjv.exe119⤵
-
\??\c:\pjvpv.exec:\pjvpv.exe120⤵
-
\??\c:\lfffflr.exec:\lfffflr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-