Analysis
-
max time kernel
120s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
04/10/2024, 21:05
General
-
Target
96ce1f090f21a6ba9fc85a6cdd7969601d259522a070a02f8856428de6a2718eN.exe
-
Size
70KB
-
MD5
e20a6572f96cbf5076c5dd1fe52bc450
-
SHA1
ea30ec4440c0189c645e9f5b164c0ce4985d11ae
-
SHA256
96ce1f090f21a6ba9fc85a6cdd7969601d259522a070a02f8856428de6a2718e
-
SHA512
edc6b0c84a4c86124e5fa3a57ea478fa4f9fc52ae3453e9942caa971440b9035e96a6d51a29ee8e356ef52bc32f998f89e668d7e48ca5fc598619d9b9209f2fd
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfjy:ymb3NkkiQ3mdBjFI4VC
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\96ce1f090f21a6ba9fc85a6cdd7969601d259522a070a02f8856428de6a2718eN.exe"C:\Users\Admin\AppData\Local\Temp\96ce1f090f21a6ba9fc85a6cdd7969601d259522a070a02f8856428de6a2718eN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\bbbnht.exec:\bbbnht.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpjdv.exec:\jpjdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llrrrrl.exec:\llrrrrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlfxxxr.exec:\rlfxxxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djvvp.exec:\djvvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnhbbn.exec:\hnhbbn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvpj.exec:\vvvpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxffxff.exec:\fxffxff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhhtb.exec:\hbhhtb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3tnntb.exec:\3tnntb.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\dvddv.exec:\dvddv.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\7rrlflf.exec:\7rrlflf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7ffffll.exec:\7ffffll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tthhtt.exec:\tthhtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjppp.exec:\vjppp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjpjd.exec:\pjpjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frfxxff.exec:\frfxxff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnnhhh.exec:\nnnhhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjjp.exec:\ddjjp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdddp.exec:\vdddp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxrllrl.exec:\rxrllrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrlrrx.exec:\rlrlrrx.exe23⤵
- Executes dropped EXE
-
\??\c:\ttnntb.exec:\ttnntb.exe24⤵
- Executes dropped EXE
-
\??\c:\pjvvp.exec:\pjvvp.exe25⤵
- Executes dropped EXE
-
\??\c:\xrxxxff.exec:\xrxxxff.exe26⤵
- Executes dropped EXE
-
\??\c:\7bhhhn.exec:\7bhhhn.exe27⤵
- Executes dropped EXE
-
\??\c:\7bnhnn.exec:\7bnhnn.exe28⤵
- Executes dropped EXE
-
\??\c:\pppjj.exec:\pppjj.exe29⤵
- Executes dropped EXE
-
\??\c:\xrllxxr.exec:\xrllxxr.exe30⤵
- Executes dropped EXE
-
\??\c:\xfrrrrl.exec:\xfrrrrl.exe31⤵
- Executes dropped EXE
-
\??\c:\tnttnt.exec:\tnttnt.exe32⤵
- Executes dropped EXE
-
\??\c:\5lffrrr.exec:\5lffrrr.exe33⤵
- Executes dropped EXE
-
\??\c:\tthhnt.exec:\tthhnt.exe34⤵
- Executes dropped EXE
-
\??\c:\ddppp.exec:\ddppp.exe35⤵
- Executes dropped EXE
-
\??\c:\xrffffr.exec:\xrffffr.exe36⤵
- Executes dropped EXE
-
\??\c:\ttnhnn.exec:\ttnhnn.exe37⤵
- Executes dropped EXE
-
\??\c:\7dppp.exec:\7dppp.exe38⤵
- Executes dropped EXE
-
\??\c:\xrrlxxx.exec:\xrrlxxx.exe39⤵
- Executes dropped EXE
-
\??\c:\fxfrrrr.exec:\fxfrrrr.exe40⤵
- Executes dropped EXE
-
\??\c:\thhbtt.exec:\thhbtt.exe41⤵
- Executes dropped EXE
-
\??\c:\tbhhhn.exec:\tbhhhn.exe42⤵
- Executes dropped EXE
-
\??\c:\pdvpd.exec:\pdvpd.exe43⤵
- Executes dropped EXE
-
\??\c:\bbbttb.exec:\bbbttb.exe44⤵
- Executes dropped EXE
-
\??\c:\jjjdv.exec:\jjjdv.exe45⤵
- Executes dropped EXE
-
\??\c:\dddjd.exec:\dddjd.exe46⤵
- Executes dropped EXE
-
\??\c:\bbbbbh.exec:\bbbbbh.exe47⤵
- Executes dropped EXE
-
\??\c:\rlrrlxx.exec:\rlrrlxx.exe48⤵
- Executes dropped EXE
-
\??\c:\xflllrr.exec:\xflllrr.exe49⤵
- Executes dropped EXE
-
\??\c:\nntbbh.exec:\nntbbh.exe50⤵
- Executes dropped EXE
-
\??\c:\djdvv.exec:\djdvv.exe51⤵
- Executes dropped EXE
-
\??\c:\ddjdp.exec:\ddjdp.exe52⤵
- Executes dropped EXE
-
\??\c:\3ffxrxr.exec:\3ffxrxr.exe53⤵
- Executes dropped EXE
-
\??\c:\pjvjj.exec:\pjvjj.exe54⤵
- Executes dropped EXE
-
\??\c:\dpjjv.exec:\dpjjv.exe55⤵
- Executes dropped EXE
-
\??\c:\fffxxrx.exec:\fffxxrx.exe56⤵
- Executes dropped EXE
-
\??\c:\xrrrllf.exec:\xrrrllf.exe57⤵
- Executes dropped EXE
-
\??\c:\tntnbn.exec:\tntnbn.exe58⤵
- Executes dropped EXE
-
\??\c:\pjjdd.exec:\pjjdd.exe59⤵
- Executes dropped EXE
-
\??\c:\vppjj.exec:\vppjj.exe60⤵
- Executes dropped EXE
-
\??\c:\5fxrlll.exec:\5fxrlll.exe61⤵
- Executes dropped EXE
-
\??\c:\frxxrlr.exec:\frxxrlr.exe62⤵
- Executes dropped EXE
-
\??\c:\thnhbb.exec:\thnhbb.exe63⤵
- Executes dropped EXE
-
\??\c:\pjdvp.exec:\pjdvp.exe64⤵
- Executes dropped EXE
-
\??\c:\dpvpj.exec:\dpvpj.exe65⤵
- Executes dropped EXE
-
\??\c:\9flfrrr.exec:\9flfrrr.exe66⤵
-
\??\c:\hbbthh.exec:\hbbthh.exe67⤵
-
\??\c:\hbnbth.exec:\hbnbth.exe68⤵
-
\??\c:\dvvpj.exec:\dvvpj.exe69⤵
-
\??\c:\xffxrrl.exec:\xffxrrl.exe70⤵
-
\??\c:\flxxxxx.exec:\flxxxxx.exe71⤵
-
\??\c:\nhtnhn.exec:\nhtnhn.exe72⤵
-
\??\c:\pppjj.exec:\pppjj.exe73⤵
-
\??\c:\jjjjp.exec:\jjjjp.exe74⤵
-
\??\c:\xlxrlrx.exec:\xlxrlrx.exe75⤵
-
\??\c:\tbbbtt.exec:\tbbbtt.exe76⤵
-
\??\c:\9hnhbt.exec:\9hnhbt.exe77⤵
-
\??\c:\pjpjd.exec:\pjpjd.exe78⤵
- System Location Discovery: System Language Discovery
-
\??\c:\pvjpv.exec:\pvjpv.exe79⤵
-
\??\c:\lfrllrx.exec:\lfrllrx.exe80⤵
-
\??\c:\bttnhb.exec:\bttnhb.exe81⤵
-
\??\c:\3nbbtb.exec:\3nbbtb.exe82⤵
-
\??\c:\pvdpj.exec:\pvdpj.exe83⤵
-
\??\c:\fffxfrl.exec:\fffxfrl.exe84⤵
-
\??\c:\lfxxlrf.exec:\lfxxlrf.exe85⤵
-
\??\c:\3ttnhh.exec:\3ttnhh.exe86⤵
-
\??\c:\5tbbtt.exec:\5tbbtt.exe87⤵
-
\??\c:\dvvvp.exec:\dvvvp.exe88⤵
-
\??\c:\xxlfxrr.exec:\xxlfxrr.exe89⤵
-
\??\c:\9bhhhh.exec:\9bhhhh.exe90⤵
-
\??\c:\nhnhbh.exec:\nhnhbh.exe91⤵
-
\??\c:\vpppp.exec:\vpppp.exe92⤵
-
\??\c:\lllrfll.exec:\lllrfll.exe93⤵
-
\??\c:\xrxfffx.exec:\xrxfffx.exe94⤵
-
\??\c:\1nnnnn.exec:\1nnnnn.exe95⤵
-
\??\c:\jdpjj.exec:\jdpjj.exe96⤵
-
\??\c:\ddjpj.exec:\ddjpj.exe97⤵
-
\??\c:\xxxxxxx.exec:\xxxxxxx.exe98⤵
-
\??\c:\rlrrxfl.exec:\rlrrxfl.exe99⤵
-
\??\c:\djpvv.exec:\djpvv.exe100⤵
-
\??\c:\1lllrxf.exec:\1lllrxf.exe101⤵
-
\??\c:\1lxxflx.exec:\1lxxflx.exe102⤵
-
\??\c:\nbbbbt.exec:\nbbbbt.exe103⤵
-
\??\c:\dvjjv.exec:\dvjjv.exe104⤵
-
\??\c:\djppj.exec:\djppj.exe105⤵
-
\??\c:\3fxxxff.exec:\3fxxxff.exe106⤵
-
\??\c:\fxllfff.exec:\fxllfff.exe107⤵
-
\??\c:\ttbttb.exec:\ttbttb.exe108⤵
-
\??\c:\bttttt.exec:\bttttt.exe109⤵
-
\??\c:\dppjv.exec:\dppjv.exe110⤵
-
\??\c:\xrrrlrr.exec:\xrrrlrr.exe111⤵
-
\??\c:\ttbbhn.exec:\ttbbhn.exe112⤵
-
\??\c:\thnnnt.exec:\thnnnt.exe113⤵
-
\??\c:\vvddv.exec:\vvddv.exe114⤵
-
\??\c:\lrrrxll.exec:\lrrrxll.exe115⤵
-
\??\c:\lrxxrxl.exec:\lrxxrxl.exe116⤵
-
\??\c:\bbbhhh.exec:\bbbhhh.exe117⤵
-
\??\c:\jjjpv.exec:\jjjpv.exe118⤵
-
\??\c:\jjdpd.exec:\jjdpd.exe119⤵
-
\??\c:\rlxxflf.exec:\rlxxflf.exe120⤵
-
\??\c:\ntbnnt.exec:\ntbnnt.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-