Analysis
-
max time kernel
119s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
01-10-2024 08:24
General
-
Target
9752afb716058c6c11257512c9b965d92bd109326bd36256ff03023630ab73d9N.exe
-
Size
436KB
-
MD5
0712e0b4c599d79044fb56d09b506390
-
SHA1
7a83fdf989ce43dc6c0e3f2f12cee8c79d61a272
-
SHA256
9752afb716058c6c11257512c9b965d92bd109326bd36256ff03023630ab73d9
-
SHA512
84d5033fd8b39bb7b4f087bef9592b5132cc31b14fc546c659866c5b28c6c025e430c32d64bd9b83b6bb9f6ab98d315d0f0a4ec37c1f581797847faa39a794e9
-
SSDEEP
12288:n3C9uMPh2kkkkK4kXkkkkkkkkl888888888888888888nE:ShPh2kkkkK4kXkkkkkkkkm
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9752afb716058c6c11257512c9b965d92bd109326bd36256ff03023630ab73d9N.exe"C:\Users\Admin\AppData\Local\Temp\9752afb716058c6c11257512c9b965d92bd109326bd36256ff03023630ab73d9N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnhbb.exec:\tnnhbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1dvpv.exec:\1dvpv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxlfxr.exec:\xrxlfxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1vdvp.exec:\1vdvp.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\ttbbtt.exec:\ttbbtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxlxxr.exec:\lfxlxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dddvp.exec:\dddvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffrrxxl.exec:\ffrrxxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvvp.exec:\jjvvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbbthb.exec:\nbbthb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7vvpj.exec:\7vvpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrlxxx.exec:\rlrlxxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3ntnhh.exec:\3ntnhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnhthh.exec:\bnhthh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3xrlrrf.exec:\3xrlrrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxfxxxx.exec:\fxfxxxx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnhbb.exec:\hbnhbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpvpj.exec:\jpvpj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flxrllf.exec:\flxrllf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htnhhh.exec:\htnhhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hththh.exec:\hththh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vddvv.exec:\vddvv.exe23⤵
- Executes dropped EXE
-
\??\c:\llxlfrl.exec:\llxlfrl.exe24⤵
- Executes dropped EXE
-
\??\c:\hbbnhb.exec:\hbbnhb.exe25⤵
- Executes dropped EXE
-
\??\c:\rflfxxx.exec:\rflfxxx.exe26⤵
- Executes dropped EXE
-
\??\c:\nbnhbb.exec:\nbnhbb.exe27⤵
- Executes dropped EXE
-
\??\c:\vjjdv.exec:\vjjdv.exe28⤵
- Executes dropped EXE
-
\??\c:\htbtnh.exec:\htbtnh.exe29⤵
- Executes dropped EXE
-
\??\c:\vjdvj.exec:\vjdvj.exe30⤵
- Executes dropped EXE
-
\??\c:\7rxrlfr.exec:\7rxrlfr.exe31⤵
- Executes dropped EXE
-
\??\c:\hnnhtt.exec:\hnnhtt.exe32⤵
- Executes dropped EXE
-
\??\c:\lxxrffx.exec:\lxxrffx.exe33⤵
- Executes dropped EXE
-
\??\c:\3xxfllf.exec:\3xxfllf.exe34⤵
- Executes dropped EXE
-
\??\c:\vvdvp.exec:\vvdvp.exe35⤵
- Executes dropped EXE
-
\??\c:\xxxrfff.exec:\xxxrfff.exe36⤵
- Executes dropped EXE
-
\??\c:\fffxlxr.exec:\fffxlxr.exe37⤵
- Executes dropped EXE
-
\??\c:\nbnhbb.exec:\nbnhbb.exe38⤵
- Executes dropped EXE
-
\??\c:\hbhbth.exec:\hbhbth.exe39⤵
- Executes dropped EXE
-
\??\c:\3ddpd.exec:\3ddpd.exe40⤵
- Executes dropped EXE
-
\??\c:\lrxlffr.exec:\lrxlffr.exe41⤵
- Executes dropped EXE
-
\??\c:\ntthbt.exec:\ntthbt.exe42⤵
- Executes dropped EXE
-
\??\c:\hbbtbb.exec:\hbbtbb.exe43⤵
- Executes dropped EXE
-
\??\c:\ppjdp.exec:\ppjdp.exe44⤵
- Executes dropped EXE
-
\??\c:\lrfrlfr.exec:\lrfrlfr.exe45⤵
- Executes dropped EXE
-
\??\c:\hhhbbt.exec:\hhhbbt.exe46⤵
- Executes dropped EXE
-
\??\c:\vpdjv.exec:\vpdjv.exe47⤵
- Executes dropped EXE
-
\??\c:\9djvj.exec:\9djvj.exe48⤵
- Executes dropped EXE
-
\??\c:\nbnbbt.exec:\nbnbbt.exe49⤵
- Executes dropped EXE
-
\??\c:\vpvpv.exec:\vpvpv.exe50⤵
- Executes dropped EXE
-
\??\c:\fflflrx.exec:\fflflrx.exe51⤵
- Executes dropped EXE
-
\??\c:\9lxlxxx.exec:\9lxlxxx.exe52⤵
- Executes dropped EXE
-
\??\c:\nhttht.exec:\nhttht.exe53⤵
- Executes dropped EXE
-
\??\c:\pdppd.exec:\pdppd.exe54⤵
- Executes dropped EXE
-
\??\c:\5flxlll.exec:\5flxlll.exe55⤵
- Executes dropped EXE
-
\??\c:\llrrlfl.exec:\llrrlfl.exe56⤵
- Executes dropped EXE
-
\??\c:\nbnnhb.exec:\nbnnhb.exe57⤵
- Executes dropped EXE
-
\??\c:\ddvpd.exec:\ddvpd.exe58⤵
- Executes dropped EXE
-
\??\c:\xllxrlf.exec:\xllxrlf.exe59⤵
- Executes dropped EXE
-
\??\c:\lfrrlll.exec:\lfrrlll.exe60⤵
- Executes dropped EXE
-
\??\c:\tttnbb.exec:\tttnbb.exe61⤵
- Executes dropped EXE
-
\??\c:\dpddd.exec:\dpddd.exe62⤵
- Executes dropped EXE
-
\??\c:\frrrlxr.exec:\frrrlxr.exe63⤵
- Executes dropped EXE
-
\??\c:\nhnhhb.exec:\nhnhhb.exe64⤵
- Executes dropped EXE
-
\??\c:\hhhhbb.exec:\hhhhbb.exe65⤵
- Executes dropped EXE
-
\??\c:\9jjdj.exec:\9jjdj.exe66⤵
- System Location Discovery: System Language Discovery
-
\??\c:\5xxlllr.exec:\5xxlllr.exe67⤵
-
\??\c:\9nhhtt.exec:\9nhhtt.exe68⤵
-
\??\c:\3bbnbt.exec:\3bbnbt.exe69⤵
-
\??\c:\vpdpd.exec:\vpdpd.exe70⤵
-
\??\c:\lffrllx.exec:\lffrllx.exe71⤵
-
\??\c:\3nttnh.exec:\3nttnh.exe72⤵
-
\??\c:\pdvjv.exec:\pdvjv.exe73⤵
-
\??\c:\xffrlxr.exec:\xffrlxr.exe74⤵
-
\??\c:\bnnhbb.exec:\bnnhbb.exe75⤵
-
\??\c:\nthtbt.exec:\nthtbt.exe76⤵
-
\??\c:\7ddpd.exec:\7ddpd.exe77⤵
-
\??\c:\lxxllll.exec:\lxxllll.exe78⤵
-
\??\c:\nttnbb.exec:\nttnbb.exe79⤵
-
\??\c:\dpvpd.exec:\dpvpd.exe80⤵
-
\??\c:\djjdv.exec:\djjdv.exe81⤵
-
\??\c:\1fxrlff.exec:\1fxrlff.exe82⤵
-
\??\c:\hntnbt.exec:\hntnbt.exe83⤵
-
\??\c:\ppvjj.exec:\ppvjj.exe84⤵
-
\??\c:\ffrlxxr.exec:\ffrlxxr.exe85⤵
-
\??\c:\9hhbnh.exec:\9hhbnh.exe86⤵
-
\??\c:\nbthhh.exec:\nbthhh.exe87⤵
-
\??\c:\vjjjv.exec:\vjjjv.exe88⤵
-
\??\c:\xfrlfxr.exec:\xfrlfxr.exe89⤵
-
\??\c:\tntttn.exec:\tntttn.exe90⤵
-
\??\c:\3pvjj.exec:\3pvjj.exe91⤵
-
\??\c:\ffxrfxr.exec:\ffxrfxr.exe92⤵
-
\??\c:\flfrfxr.exec:\flfrfxr.exe93⤵
-
\??\c:\3tnbtt.exec:\3tnbtt.exe94⤵
-
\??\c:\dvdvp.exec:\dvdvp.exe95⤵
-
\??\c:\rffxllf.exec:\rffxllf.exe96⤵
-
\??\c:\rfllxxr.exec:\rfllxxr.exe97⤵
-
\??\c:\thhbth.exec:\thhbth.exe98⤵
-
\??\c:\pdppj.exec:\pdppj.exe99⤵
- System Location Discovery: System Language Discovery
-
\??\c:\fxfxrlf.exec:\fxfxrlf.exe100⤵
-
\??\c:\lrlfxxr.exec:\lrlfxxr.exe101⤵
-
\??\c:\thnnhb.exec:\thnnhb.exe102⤵
-
\??\c:\jvdvj.exec:\jvdvj.exe103⤵
-
\??\c:\ffxlxxr.exec:\ffxlxxr.exe104⤵
-
\??\c:\fxfxrrr.exec:\fxfxrrr.exe105⤵
-
\??\c:\vdjvp.exec:\vdjvp.exe106⤵
-
\??\c:\jddpd.exec:\jddpd.exe107⤵
-
\??\c:\7lrlfff.exec:\7lrlfff.exe108⤵
-
\??\c:\lfxrlfx.exec:\lfxrlfx.exe109⤵
-
\??\c:\5hhbth.exec:\5hhbth.exe110⤵
-
\??\c:\jddvv.exec:\jddvv.exe111⤵
-
\??\c:\djvpd.exec:\djvpd.exe112⤵
-
\??\c:\lflxffl.exec:\lflxffl.exe113⤵
-
\??\c:\hbtbnb.exec:\hbtbnb.exe114⤵
-
\??\c:\9jjvp.exec:\9jjvp.exe115⤵
-
\??\c:\jdpjj.exec:\jdpjj.exe116⤵
-
\??\c:\rrrlrlr.exec:\rrrlrlr.exe117⤵
-
\??\c:\hntnhb.exec:\hntnhb.exe118⤵
-
\??\c:\jdpjv.exec:\jdpjv.exe119⤵
-
\??\c:\rffrffr.exec:\rffrffr.exe120⤵
-
\??\c:\fxffrrr.exec:\fxffrrr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-