Analysis
-
max time kernel
120s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20240910-en -
resource tags
-
submitted
05/10/2024, 13:20
General
-
Target
6b78c971930d6c37b38ea559b70f049f59c2b8ec595fd899dbc32a141f6e1523N.exe
-
Size
71KB
-
MD5
fd522946fbdd78bad609fcdd2c529210
-
SHA1
8edca771b1425160c5dfa9df432298db90bde107
-
SHA256
6b78c971930d6c37b38ea559b70f049f59c2b8ec595fd899dbc32a141f6e1523
-
SHA512
539a955d399e335b3ed1cff877f1f221e4bcbdd364bc4aeec3522963a5a08bbb2b022d4f8f10ff7db6f5622da441e3e9854bda281cf3b3782de45d8b25bee3b7
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfjC:ymb3NkkiQ3mdBjFI4Vy
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 36 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6b78c971930d6c37b38ea559b70f049f59c2b8ec595fd899dbc32a141f6e1523N.exe"C:\Users\Admin\AppData\Local\Temp\6b78c971930d6c37b38ea559b70f049f59c2b8ec595fd899dbc32a141f6e1523N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\bhbthb.exec:\bhbthb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vppjd.exec:\vppjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrrlll.exec:\fxrrlll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnnhb.exec:\tnnnhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbbtnn.exec:\nbbtnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpvjd.exec:\jpvjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxllflf.exec:\rxllflf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9rrxxxx.exec:\9rrxxxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9nbbbh.exec:\9nbbbh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5jjdv.exec:\5jjdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxrrll.exec:\lxxrrll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thhhbb.exec:\thhhbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9bhbbh.exec:\9bhbbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dddvd.exec:\dddvd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxxlll.exec:\lfxxlll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbbtt.exec:\nhbbtt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbthh.exec:\nhbthh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpdvp.exec:\dpdvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrffxff.exec:\xrffxff.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3hhbtt.exec:\3hhbtt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvddd.exec:\dvddd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7dddp.exec:\7dddp.exe23⤵
- Executes dropped EXE
-
\??\c:\nnnbnh.exec:\nnnbnh.exe24⤵
- Executes dropped EXE
-
\??\c:\bthhhh.exec:\bthhhh.exe25⤵
- Executes dropped EXE
-
\??\c:\vvddv.exec:\vvddv.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\rflffff.exec:\rflffff.exe27⤵
- Executes dropped EXE
-
\??\c:\flrxxxf.exec:\flrxxxf.exe28⤵
- Executes dropped EXE
-
\??\c:\btttnt.exec:\btttnt.exe29⤵
- Executes dropped EXE
-
\??\c:\5vdvv.exec:\5vdvv.exe30⤵
- Executes dropped EXE
-
\??\c:\llrlffx.exec:\llrlffx.exe31⤵
- Executes dropped EXE
-
\??\c:\frrrllf.exec:\frrrllf.exe32⤵
- Executes dropped EXE
-
\??\c:\3nnnhh.exec:\3nnnhh.exe33⤵
- Executes dropped EXE
-
\??\c:\7thbtt.exec:\7thbtt.exe34⤵
- Executes dropped EXE
-
\??\c:\vpjdd.exec:\vpjdd.exe35⤵
- Executes dropped EXE
-
\??\c:\9vdvp.exec:\9vdvp.exe36⤵
- Executes dropped EXE
-
\??\c:\flxxrxr.exec:\flxxrxr.exe37⤵
- Executes dropped EXE
-
\??\c:\5xrlffx.exec:\5xrlffx.exe38⤵
- Executes dropped EXE
-
\??\c:\thhnnn.exec:\thhnnn.exe39⤵
- Executes dropped EXE
-
\??\c:\9ntttt.exec:\9ntttt.exe40⤵
- Executes dropped EXE
-
\??\c:\pjppp.exec:\pjppp.exe41⤵
- Executes dropped EXE
-
\??\c:\5vvvj.exec:\5vvvj.exe42⤵
- Executes dropped EXE
-
\??\c:\3lrrrlr.exec:\3lrrrlr.exe43⤵
- Executes dropped EXE
-
\??\c:\rrlrlrr.exec:\rrlrlrr.exe44⤵
- Executes dropped EXE
-
\??\c:\5bhbtt.exec:\5bhbtt.exe45⤵
- Executes dropped EXE
-
\??\c:\hbbnhh.exec:\hbbnhh.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\pjjdd.exec:\pjjdd.exe47⤵
- Executes dropped EXE
-
\??\c:\3jppj.exec:\3jppj.exe48⤵
- Executes dropped EXE
-
\??\c:\lrrrfll.exec:\lrrrfll.exe49⤵
- Executes dropped EXE
-
\??\c:\lxrlllf.exec:\lxrlllf.exe50⤵
- Executes dropped EXE
-
\??\c:\1lrrxxf.exec:\1lrrxxf.exe51⤵
- Executes dropped EXE
-
\??\c:\nbhbbb.exec:\nbhbbb.exe52⤵
- Executes dropped EXE
-
\??\c:\nnhbtn.exec:\nnhbtn.exe53⤵
- Executes dropped EXE
-
\??\c:\7ppjv.exec:\7ppjv.exe54⤵
- Executes dropped EXE
-
\??\c:\pjdjd.exec:\pjdjd.exe55⤵
- Executes dropped EXE
-
\??\c:\rllfxxx.exec:\rllfxxx.exe56⤵
- Executes dropped EXE
-
\??\c:\frrrrrr.exec:\frrrrrr.exe57⤵
- Executes dropped EXE
-
\??\c:\1bbbtt.exec:\1bbbtt.exe58⤵
- Executes dropped EXE
-
\??\c:\btbtnn.exec:\btbtnn.exe59⤵
- Executes dropped EXE
-
\??\c:\djjdv.exec:\djjdv.exe60⤵
- Executes dropped EXE
-
\??\c:\vpjdd.exec:\vpjdd.exe61⤵
- Executes dropped EXE
-
\??\c:\fffxrrx.exec:\fffxrrx.exe62⤵
- Executes dropped EXE
-
\??\c:\rlxrllf.exec:\rlxrllf.exe63⤵
- Executes dropped EXE
-
\??\c:\1hbtnn.exec:\1hbtnn.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\1hhhth.exec:\1hhhth.exe65⤵
- Executes dropped EXE
-
\??\c:\jjvpj.exec:\jjvpj.exe66⤵
-
\??\c:\lrxrfff.exec:\lrxrfff.exe67⤵
-
\??\c:\fxrllrr.exec:\fxrllrr.exe68⤵
-
\??\c:\9bhbtn.exec:\9bhbtn.exe69⤵
-
\??\c:\ntttnn.exec:\ntttnn.exe70⤵
-
\??\c:\9pdvd.exec:\9pdvd.exe71⤵
-
\??\c:\jjjjd.exec:\jjjjd.exe72⤵
-
\??\c:\9rrlxxr.exec:\9rrlxxr.exe73⤵
-
\??\c:\lrxxrrr.exec:\lrxxrrr.exe74⤵
-
\??\c:\ttbthh.exec:\ttbthh.exe75⤵
-
\??\c:\vddjv.exec:\vddjv.exe76⤵
-
\??\c:\5xlfxxr.exec:\5xlfxxr.exe77⤵
-
\??\c:\5flfllr.exec:\5flfllr.exe78⤵
-
\??\c:\bthhbb.exec:\bthhbb.exe79⤵
-
\??\c:\hbtntt.exec:\hbtntt.exe80⤵
-
\??\c:\dppjd.exec:\dppjd.exe81⤵
-
\??\c:\pjdvp.exec:\pjdvp.exe82⤵
-
\??\c:\3vvpd.exec:\3vvpd.exe83⤵
-
\??\c:\lfrrxxx.exec:\lfrrxxx.exe84⤵
-
\??\c:\nhhbtn.exec:\nhhbtn.exe85⤵
-
\??\c:\hhbtnn.exec:\hhbtnn.exe86⤵
-
\??\c:\jddjv.exec:\jddjv.exe87⤵
-
\??\c:\xxrrlrr.exec:\xxrrlrr.exe88⤵
-
\??\c:\fxxfflf.exec:\fxxfflf.exe89⤵
-
\??\c:\btbhbn.exec:\btbhbn.exe90⤵
-
\??\c:\bbnntt.exec:\bbnntt.exe91⤵
-
\??\c:\ppdvv.exec:\ppdvv.exe92⤵
-
\??\c:\dpjvp.exec:\dpjvp.exe93⤵
-
\??\c:\lrfrllf.exec:\lrfrllf.exe94⤵
-
\??\c:\xrrrlff.exec:\xrrrlff.exe95⤵
-
\??\c:\htnhbt.exec:\htnhbt.exe96⤵
-
\??\c:\vjdvv.exec:\vjdvv.exe97⤵
-
\??\c:\pvjvv.exec:\pvjvv.exe98⤵
-
\??\c:\dvvpj.exec:\dvvpj.exe99⤵
-
\??\c:\fflxrrl.exec:\fflxrrl.exe100⤵
-
\??\c:\rlffxxr.exec:\rlffxxr.exe101⤵
-
\??\c:\nbbtbn.exec:\nbbtbn.exe102⤵
-
\??\c:\dpvpp.exec:\dpvpp.exe103⤵
-
\??\c:\jddvj.exec:\jddvj.exe104⤵
-
\??\c:\fllfxxx.exec:\fllfxxx.exe105⤵
-
\??\c:\rlfxffl.exec:\rlfxffl.exe106⤵
-
\??\c:\hhnntb.exec:\hhnntb.exe107⤵
-
\??\c:\tbbbnn.exec:\tbbbnn.exe108⤵
-
\??\c:\ddvpp.exec:\ddvpp.exe109⤵
-
\??\c:\vddvj.exec:\vddvj.exe110⤵
-
\??\c:\ppvpp.exec:\ppvpp.exe111⤵
-
\??\c:\fxlffxf.exec:\fxlffxf.exe112⤵
-
\??\c:\rxllrxf.exec:\rxllrxf.exe113⤵
-
\??\c:\9nnbbh.exec:\9nnbbh.exe114⤵
-
\??\c:\9hbthh.exec:\9hbthh.exe115⤵
-
\??\c:\ppdvp.exec:\ppdvp.exe116⤵
-
\??\c:\dpvjd.exec:\dpvjd.exe117⤵
-
\??\c:\rrrlffx.exec:\rrrlffx.exe118⤵
-
\??\c:\lxxrlff.exec:\lxxrlff.exe119⤵
-
\??\c:\xllffxx.exec:\xllffxx.exe120⤵
-
\??\c:\3hnnnn.exec:\3hnnnn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-