Analysis
-
max time kernel
150s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
02/10/2024, 23:07
General
-
Target
0c5623d6fef32b58e3468fd4f5320e81f3b5d74394e26dedb2cd0e791b8238a4N.exe
-
Size
66KB
-
MD5
ce4826005bb4045528189c95d5e48320
-
SHA1
9560083ae24c56640a828487dd336c1b51a59f3e
-
SHA256
0c5623d6fef32b58e3468fd4f5320e81f3b5d74394e26dedb2cd0e791b8238a4
-
SHA512
4f5ee932bcbbcc3f91f254f886b9b03d8b221c56324fe56c057c25542ade64b1fbc74786a48c42211074175006a1dc72108ff614a606c2fed7e1e1910e351c59
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDI9L27Bqfo4n:ymb3NkkiQ3mdBjFI9cqfVn
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 27 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 38 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0c5623d6fef32b58e3468fd4f5320e81f3b5d74394e26dedb2cd0e791b8238a4N.exe"C:\Users\Admin\AppData\Local\Temp\0c5623d6fef32b58e3468fd4f5320e81f3b5d74394e26dedb2cd0e791b8238a4N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\7rrlxxf.exec:\7rrlxxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thbtnh.exec:\thbtnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7vvpd.exec:\7vvpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djjdj.exec:\djjdj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3rlfrrr.exec:\3rlfrrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhtttn.exec:\bhtttn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dppdv.exec:\dppdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vppdp.exec:\vppdp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrlxrff.exec:\rrlxrff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvvpj.exec:\pvvpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5dvjd.exec:\5dvjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxrrxr.exec:\frxrrxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jddvp.exec:\jddvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9xrfrrl.exec:\9xrfrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxlfxrl.exec:\xxlfxrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthbtb.exec:\bthbtb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnbthh.exec:\bnbthh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjpp.exec:\pjjpp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrllff.exec:\rlrllff.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpvvv.exec:\dpvvv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1lllxrf.exec:\1lllxrf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrrffx.exec:\xrrrffx.exe23⤵
- Executes dropped EXE
-
\??\c:\nttnhh.exec:\nttnhh.exe24⤵
- Executes dropped EXE
-
\??\c:\djjjj.exec:\djjjj.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\xfffffx.exec:\xfffffx.exe26⤵
- Executes dropped EXE
-
\??\c:\fxxxffr.exec:\fxxxffr.exe27⤵
- Executes dropped EXE
-
\??\c:\nhhbtt.exec:\nhhbtt.exe28⤵
- Executes dropped EXE
-
\??\c:\nbhhbh.exec:\nbhhbh.exe29⤵
- Executes dropped EXE
-
\??\c:\dpjvd.exec:\dpjvd.exe30⤵
- Executes dropped EXE
-
\??\c:\llrrffx.exec:\llrrffx.exe31⤵
- Executes dropped EXE
-
\??\c:\bttnhh.exec:\bttnhh.exe32⤵
- Executes dropped EXE
-
\??\c:\rrxrllf.exec:\rrxrllf.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\3rlfxxl.exec:\3rlfxxl.exe34⤵
- Executes dropped EXE
-
\??\c:\pjjjd.exec:\pjjjd.exe35⤵
- Executes dropped EXE
-
\??\c:\vjpjv.exec:\vjpjv.exe36⤵
- Executes dropped EXE
-
\??\c:\tnnhth.exec:\tnnhth.exe37⤵
- Executes dropped EXE
-
\??\c:\jvdvp.exec:\jvdvp.exe38⤵
- Executes dropped EXE
-
\??\c:\djvjd.exec:\djvjd.exe39⤵
- Executes dropped EXE
-
\??\c:\lfxfxrx.exec:\lfxfxrx.exe40⤵
- Executes dropped EXE
-
\??\c:\nhnnnh.exec:\nhnnnh.exe41⤵
- Executes dropped EXE
-
\??\c:\thnhtb.exec:\thnhtb.exe42⤵
- Executes dropped EXE
-
\??\c:\lxrfxxx.exec:\lxrfxxx.exe43⤵
- Executes dropped EXE
-
\??\c:\nbnnhh.exec:\nbnnhh.exe44⤵
- Executes dropped EXE
-
\??\c:\5dpjj.exec:\5dpjj.exe45⤵
- Executes dropped EXE
-
\??\c:\rlrfxrx.exec:\rlrfxrx.exe46⤵
- Executes dropped EXE
-
\??\c:\lrxxrrl.exec:\lrxxrrl.exe47⤵
- Executes dropped EXE
-
\??\c:\lrxxrrl.exec:\lrxxrrl.exe48⤵
- Executes dropped EXE
-
\??\c:\nntnhh.exec:\nntnhh.exe49⤵
- Executes dropped EXE
-
\??\c:\3ththh.exec:\3ththh.exe50⤵
- Executes dropped EXE
-
\??\c:\pjjpj.exec:\pjjpj.exe51⤵
- Executes dropped EXE
-
\??\c:\rflfrrl.exec:\rflfrrl.exe52⤵
- Executes dropped EXE
-
\??\c:\lflfxrr.exec:\lflfxrr.exe53⤵
- Executes dropped EXE
-
\??\c:\thttnn.exec:\thttnn.exe54⤵
- Executes dropped EXE
-
\??\c:\dvdvp.exec:\dvdvp.exe55⤵
- Executes dropped EXE
-
\??\c:\pjdpd.exec:\pjdpd.exe56⤵
- Executes dropped EXE
-
\??\c:\fxxxlll.exec:\fxxxlll.exe57⤵
- Executes dropped EXE
-
\??\c:\7rrlxrr.exec:\7rrlxrr.exe58⤵
- Executes dropped EXE
-
\??\c:\3nnhbt.exec:\3nnhbt.exe59⤵
- Executes dropped EXE
-
\??\c:\pvvpd.exec:\pvvpd.exe60⤵
- Executes dropped EXE
-
\??\c:\9vvpd.exec:\9vvpd.exe61⤵
- Executes dropped EXE
-
\??\c:\xrrlrrl.exec:\xrrlrrl.exe62⤵
- Executes dropped EXE
-
\??\c:\nhnnnn.exec:\nhnnnn.exe63⤵
- Executes dropped EXE
-
\??\c:\djvpd.exec:\djvpd.exe64⤵
- Executes dropped EXE
-
\??\c:\jvvvj.exec:\jvvvj.exe65⤵
- Executes dropped EXE
-
\??\c:\xllxrrl.exec:\xllxrrl.exe66⤵
-
\??\c:\tntnhh.exec:\tntnhh.exe67⤵
-
\??\c:\httnhh.exec:\httnhh.exe68⤵
-
\??\c:\pvjdd.exec:\pvjdd.exe69⤵
-
\??\c:\vpppj.exec:\vpppj.exe70⤵
-
\??\c:\lffxrxl.exec:\lffxrxl.exe71⤵
-
\??\c:\5bnhht.exec:\5bnhht.exe72⤵
-
\??\c:\hbnhtt.exec:\hbnhtt.exe73⤵
-
\??\c:\ddjpd.exec:\ddjpd.exe74⤵
-
\??\c:\dpjdv.exec:\dpjdv.exe75⤵
-
\??\c:\9fxrfrx.exec:\9fxrfrx.exe76⤵
-
\??\c:\lfllllf.exec:\lfllllf.exe77⤵
-
\??\c:\btbbhh.exec:\btbbhh.exe78⤵
-
\??\c:\nhhnnn.exec:\nhhnnn.exe79⤵
-
\??\c:\dpvpj.exec:\dpvpj.exe80⤵
-
\??\c:\fxlffxr.exec:\fxlffxr.exe81⤵
-
\??\c:\fxxxrrl.exec:\fxxxrrl.exe82⤵
-
\??\c:\btnnnn.exec:\btnnnn.exe83⤵
-
\??\c:\vdddv.exec:\vdddv.exe84⤵
-
\??\c:\vjvjd.exec:\vjvjd.exe85⤵
-
\??\c:\rflfxxr.exec:\rflfxxr.exe86⤵
-
\??\c:\rffffff.exec:\rffffff.exe87⤵
-
\??\c:\jjppp.exec:\jjppp.exe88⤵
-
\??\c:\xxlfrrr.exec:\xxlfrrr.exe89⤵
-
\??\c:\hbbbtt.exec:\hbbbtt.exe90⤵
-
\??\c:\bhnhbt.exec:\bhnhbt.exe91⤵
-
\??\c:\dvdvv.exec:\dvdvv.exe92⤵
-
\??\c:\lxrxfff.exec:\lxrxfff.exe93⤵
-
\??\c:\xffxxrl.exec:\xffxxrl.exe94⤵
-
\??\c:\bnnnbh.exec:\bnnnbh.exe95⤵
-
\??\c:\ppvpp.exec:\ppvpp.exe96⤵
-
\??\c:\ddvdd.exec:\ddvdd.exe97⤵
-
\??\c:\9rxrflf.exec:\9rxrflf.exe98⤵
-
\??\c:\flrrllf.exec:\flrrllf.exe99⤵
-
\??\c:\bbtttt.exec:\bbtttt.exe100⤵
-
\??\c:\nntnhh.exec:\nntnhh.exe101⤵
-
\??\c:\1vjdj.exec:\1vjdj.exe102⤵
-
\??\c:\1jjpj.exec:\1jjpj.exe103⤵
-
\??\c:\rlfxllf.exec:\rlfxllf.exe104⤵
-
\??\c:\flfrrxl.exec:\flfrrxl.exe105⤵
-
\??\c:\7btnhh.exec:\7btnhh.exe106⤵
-
\??\c:\pvdvp.exec:\pvdvp.exe107⤵
-
\??\c:\dvvpd.exec:\dvvpd.exe108⤵
-
\??\c:\rlxrfxr.exec:\rlxrfxr.exe109⤵
-
\??\c:\rlrlrrx.exec:\rlrlrrx.exe110⤵
-
\??\c:\htbtbb.exec:\htbtbb.exe111⤵
-
\??\c:\dppjv.exec:\dppjv.exe112⤵
-
\??\c:\jddvj.exec:\jddvj.exe113⤵
-
\??\c:\5rxrrfx.exec:\5rxrrfx.exe114⤵
-
\??\c:\htnnnn.exec:\htnnnn.exe115⤵
-
\??\c:\hnthnb.exec:\hnthnb.exe116⤵
-
\??\c:\7vpjv.exec:\7vpjv.exe117⤵
-
\??\c:\pjdvp.exec:\pjdvp.exe118⤵
-
\??\c:\bhbnhb.exec:\bhbnhb.exe119⤵
-
\??\c:\tnnbnh.exec:\tnnbnh.exe120⤵
-
\??\c:\pdvjv.exec:\pdvjv.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-