Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
02-10-2024 11:20
General
-
Target
375a88bef01a4a3237a62d910b471c4022ac477e53b25a761f4944cbb7b3a69eN.exe
-
Size
70KB
-
MD5
5ef41b873a0d73ab902e390f788ec5d0
-
SHA1
35dc366a5a453f99d1d95ba2dd00922134534191
-
SHA256
375a88bef01a4a3237a62d910b471c4022ac477e53b25a761f4944cbb7b3a69e
-
SHA512
28f109170c6553a9c65728da9a90b1dfc2777cf473c52e782cbc3c2ce2858dc768d739f1ba65f449cf1765b128a14c2f3790bff999e5da949c5403d265758bd0
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfj5h9:ymb3NkkiQ3mdBjFI4V9
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\375a88bef01a4a3237a62d910b471c4022ac477e53b25a761f4944cbb7b3a69eN.exe"C:\Users\Admin\AppData\Local\Temp\375a88bef01a4a3237a62d910b471c4022ac477e53b25a761f4944cbb7b3a69eN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\fflrrrr.exec:\fflrrrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttbbhh.exec:\ttbbhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpvpv.exec:\dpvpv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxffffl.exec:\fxffffl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xllllrr.exec:\xllllrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhhnnn.exec:\nhhnnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9nhbbb.exec:\9nhbbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjjd.exec:\pjjjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxfffff.exec:\xxfffff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnttnt.exec:\bnttnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9pvvd.exec:\9pvvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9fllxxr.exec:\9fllxxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ththbn.exec:\ththbn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvjdj.exec:\pvjdj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpjdv.exec:\vpjdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrfrlf.exec:\rfrfrlf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bttttt.exec:\bttttt.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\bhhhbb.exec:\bhhhbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjpjd.exec:\vjpjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llrrllf.exec:\llrrllf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbtbb.exec:\btbtbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnnhhb.exec:\nnnhhb.exe23⤵
- Executes dropped EXE
-
\??\c:\dvdvp.exec:\dvdvp.exe24⤵
- Executes dropped EXE
-
\??\c:\ppdvv.exec:\ppdvv.exe25⤵
- Executes dropped EXE
-
\??\c:\dvdvj.exec:\dvdvj.exe26⤵
- Executes dropped EXE
-
\??\c:\ppjdd.exec:\ppjdd.exe27⤵
- Executes dropped EXE
-
\??\c:\lfxxrrr.exec:\lfxxrrr.exe28⤵
- Executes dropped EXE
-
\??\c:\btbbhh.exec:\btbbhh.exe29⤵
- Executes dropped EXE
-
\??\c:\pdpjp.exec:\pdpjp.exe30⤵
- Executes dropped EXE
-
\??\c:\1vdvd.exec:\1vdvd.exe31⤵
- Executes dropped EXE
-
\??\c:\lfxxrrl.exec:\lfxxrrl.exe32⤵
- Executes dropped EXE
-
\??\c:\nhhhbb.exec:\nhhhbb.exe33⤵
- Executes dropped EXE
-
\??\c:\tnnhbn.exec:\tnnhbn.exe34⤵
- Executes dropped EXE
-
\??\c:\tnttnn.exec:\tnttnn.exe35⤵
- Executes dropped EXE
-
\??\c:\rllfxxx.exec:\rllfxxx.exe36⤵
- Executes dropped EXE
-
\??\c:\lrxfllr.exec:\lrxfllr.exe37⤵
- Executes dropped EXE
-
\??\c:\bbttnt.exec:\bbttnt.exe38⤵
- Executes dropped EXE
-
\??\c:\jjjdv.exec:\jjjdv.exe39⤵
- Executes dropped EXE
-
\??\c:\ppjjd.exec:\ppjjd.exe40⤵
- Executes dropped EXE
-
\??\c:\rxfffff.exec:\rxfffff.exe41⤵
- Executes dropped EXE
-
\??\c:\nttttb.exec:\nttttb.exe42⤵
- Executes dropped EXE
-
\??\c:\bhnnnn.exec:\bhnnnn.exe43⤵
- Executes dropped EXE
-
\??\c:\pjjjp.exec:\pjjjp.exe44⤵
- Executes dropped EXE
-
\??\c:\lxfflfl.exec:\lxfflfl.exe45⤵
- Executes dropped EXE
-
\??\c:\hbtnhh.exec:\hbtnhh.exe46⤵
- Executes dropped EXE
-
\??\c:\bttnnn.exec:\bttnnn.exe47⤵
- Executes dropped EXE
-
\??\c:\bbbbtt.exec:\bbbbtt.exe48⤵
- Executes dropped EXE
-
\??\c:\9jppj.exec:\9jppj.exe49⤵
- Executes dropped EXE
-
\??\c:\5llfffx.exec:\5llfffx.exe50⤵
- Executes dropped EXE
-
\??\c:\btnhnn.exec:\btnhnn.exe51⤵
- Executes dropped EXE
-
\??\c:\frxllfx.exec:\frxllfx.exe52⤵
- Executes dropped EXE
-
\??\c:\bhnhbb.exec:\bhnhbb.exe53⤵
- Executes dropped EXE
-
\??\c:\vdjdd.exec:\vdjdd.exe54⤵
- Executes dropped EXE
-
\??\c:\xllfxll.exec:\xllfxll.exe55⤵
- Executes dropped EXE
-
\??\c:\nthhnn.exec:\nthhnn.exe56⤵
- Executes dropped EXE
-
\??\c:\nntttb.exec:\nntttb.exe57⤵
- Executes dropped EXE
-
\??\c:\rxxrllf.exec:\rxxrllf.exe58⤵
- Executes dropped EXE
-
\??\c:\rxrllxr.exec:\rxrllxr.exe59⤵
- Executes dropped EXE
-
\??\c:\5hnbbb.exec:\5hnbbb.exe60⤵
- Executes dropped EXE
-
\??\c:\hnbtbh.exec:\hnbtbh.exe61⤵
- Executes dropped EXE
-
\??\c:\vvvpd.exec:\vvvpd.exe62⤵
- Executes dropped EXE
-
\??\c:\lxlfxxx.exec:\lxlfxxx.exe63⤵
- Executes dropped EXE
-
\??\c:\nbbttt.exec:\nbbttt.exe64⤵
- Executes dropped EXE
-
\??\c:\nhhhtb.exec:\nhhhtb.exe65⤵
- Executes dropped EXE
-
\??\c:\dpvdv.exec:\dpvdv.exe66⤵
-
\??\c:\lfrlffl.exec:\lfrlffl.exe67⤵
-
\??\c:\bbtttt.exec:\bbtttt.exe68⤵
-
\??\c:\ddpjp.exec:\ddpjp.exe69⤵
-
\??\c:\jjvpd.exec:\jjvpd.exe70⤵
-
\??\c:\rfrlllr.exec:\rfrlllr.exe71⤵
-
\??\c:\nttnhh.exec:\nttnhh.exe72⤵
-
\??\c:\jvppj.exec:\jvppj.exe73⤵
-
\??\c:\vdddv.exec:\vdddv.exe74⤵
-
\??\c:\llrrxxf.exec:\llrrxxf.exe75⤵
-
\??\c:\nhnnnt.exec:\nhnnnt.exe76⤵
-
\??\c:\thnhhh.exec:\thnhhh.exe77⤵
-
\??\c:\9vdvd.exec:\9vdvd.exe78⤵
-
\??\c:\pjjjv.exec:\pjjjv.exe79⤵
-
\??\c:\xlrrrrr.exec:\xlrrrrr.exe80⤵
-
\??\c:\nnnntt.exec:\nnnntt.exe81⤵
-
\??\c:\1hnhbb.exec:\1hnhbb.exe82⤵
-
\??\c:\dpppd.exec:\dpppd.exe83⤵
-
\??\c:\jdjdv.exec:\jdjdv.exe84⤵
-
\??\c:\1lrlllr.exec:\1lrlllr.exe85⤵
-
\??\c:\thnnhh.exec:\thnnhh.exe86⤵
-
\??\c:\nttnhh.exec:\nttnhh.exe87⤵
-
\??\c:\5jjjj.exec:\5jjjj.exe88⤵
-
\??\c:\1djdj.exec:\1djdj.exe89⤵
-
\??\c:\fffxxfx.exec:\fffxxfx.exe90⤵
-
\??\c:\rrrrllf.exec:\rrrrllf.exe91⤵
-
\??\c:\tnnnhh.exec:\tnnnhh.exe92⤵
-
\??\c:\ppppd.exec:\ppppd.exe93⤵
-
\??\c:\frrlfff.exec:\frrlfff.exe94⤵
-
\??\c:\llrrrrr.exec:\llrrrrr.exe95⤵
-
\??\c:\hhbbtt.exec:\hhbbtt.exe96⤵
-
\??\c:\bnbtnn.exec:\bnbtnn.exe97⤵
-
\??\c:\dvvvp.exec:\dvvvp.exe98⤵
-
\??\c:\lflfrrl.exec:\lflfrrl.exe99⤵
-
\??\c:\ffrrlff.exec:\ffrrlff.exe100⤵
-
\??\c:\bbbbtt.exec:\bbbbtt.exe101⤵
-
\??\c:\nhbttt.exec:\nhbttt.exe102⤵
-
\??\c:\pjpvv.exec:\pjpvv.exe103⤵
-
\??\c:\vpvpj.exec:\vpvpj.exe104⤵
- System Location Discovery: System Language Discovery
-
\??\c:\lfrrfxx.exec:\lfrrfxx.exe105⤵
-
\??\c:\nnhhtt.exec:\nnhhtt.exe106⤵
-
\??\c:\nnnhbh.exec:\nnnhbh.exe107⤵
-
\??\c:\nbbtnn.exec:\nbbtnn.exe108⤵
-
\??\c:\7jpjv.exec:\7jpjv.exe109⤵
-
\??\c:\rffxllf.exec:\rffxllf.exe110⤵
-
\??\c:\xfllfll.exec:\xfllfll.exe111⤵
-
\??\c:\bttthh.exec:\bttthh.exe112⤵
-
\??\c:\thtnhh.exec:\thtnhh.exe113⤵
-
\??\c:\dpvpp.exec:\dpvpp.exe114⤵
-
\??\c:\pjppv.exec:\pjppv.exe115⤵
-
\??\c:\flllflf.exec:\flllflf.exe116⤵
-
\??\c:\3bnnnn.exec:\3bnnnn.exe117⤵
-
\??\c:\nhtntt.exec:\nhtntt.exe118⤵
-
\??\c:\pdjdj.exec:\pdjdj.exe119⤵
-
\??\c:\jjddv.exec:\jjddv.exe120⤵
-
\??\c:\9ffrflf.exec:\9ffrflf.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-