Analysis
-
max time kernel
150s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
06/10/2024, 03:00
General
-
Target
d8686a5b1a4688c2253ae793ca949389c425466a74150a90b1d5fb0887dc4fee.exe
-
Size
71KB
-
MD5
a4673542dd6d0e4ac70ea604f3a3f08c
-
SHA1
8e0fd2b5ad6bcf355fc81943b1924396d531c724
-
SHA256
d8686a5b1a4688c2253ae793ca949389c425466a74150a90b1d5fb0887dc4fee
-
SHA512
9a57b62249a2e758322b146deb733b45e8d0dad1ae1c33d549c1aad59d334f04de2c8cbf81d20252acf80608e0d56f1dc165fb21ad80ec3c20e2ef1decfb407e
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfj5hq:ymb3NkkiQ3mdBjFI4Vq
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 27 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 35 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8686a5b1a4688c2253ae793ca949389c425466a74150a90b1d5fb0887dc4fee.exe"C:\Users\Admin\AppData\Local\Temp\d8686a5b1a4688c2253ae793ca949389c425466a74150a90b1d5fb0887dc4fee.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\bhtnnn.exec:\bhtnnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvdvp.exec:\vvdvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1rlfrrr.exec:\1rlfrrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrlrrl.exec:\rlrlrrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntthth.exec:\ntthth.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjpjd.exec:\pjpjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpvdv.exec:\jpvdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxxxrrr.exec:\xxxxrrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nntnhh.exec:\nntnhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvjdv.exec:\pvjdv.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\rxfxrfl.exec:\rxfxrfl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3bbttb.exec:\3bbttb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjvv.exec:\jjjvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrxrrrr.exec:\rrxrrrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3ffxxxr.exec:\3ffxxxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhhbt.exec:\hbhhbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pddvj.exec:\pddvj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hntnnn.exec:\hntnnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvpj.exec:\pdvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpdjv.exec:\dpdjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrllflf.exec:\rrllflf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttbtbb.exec:\ttbtbb.exe23⤵
- Executes dropped EXE
-
\??\c:\hhnnbb.exec:\hhnnbb.exe24⤵
- Executes dropped EXE
-
\??\c:\7dppj.exec:\7dppj.exe25⤵
- Executes dropped EXE
-
\??\c:\lxxrrfx.exec:\lxxrrfx.exe26⤵
- Executes dropped EXE
-
\??\c:\fxxrllf.exec:\fxxrllf.exe27⤵
- Executes dropped EXE
-
\??\c:\nhthbb.exec:\nhthbb.exe28⤵
- Executes dropped EXE
-
\??\c:\pjvpp.exec:\pjvpp.exe29⤵
- Executes dropped EXE
-
\??\c:\vpdvj.exec:\vpdvj.exe30⤵
- Executes dropped EXE
-
\??\c:\lxlfffl.exec:\lxlfffl.exe31⤵
- Executes dropped EXE
-
\??\c:\5bhhhh.exec:\5bhhhh.exe32⤵
- Executes dropped EXE
-
\??\c:\bbbttt.exec:\bbbttt.exe33⤵
- Executes dropped EXE
-
\??\c:\jdjjd.exec:\jdjjd.exe34⤵
- Executes dropped EXE
-
\??\c:\rfllrrr.exec:\rfllrrr.exe35⤵
- Executes dropped EXE
-
\??\c:\rlxfffx.exec:\rlxfffx.exe36⤵
- Executes dropped EXE
-
\??\c:\bnttnt.exec:\bnttnt.exe37⤵
- Executes dropped EXE
-
\??\c:\hbhbnt.exec:\hbhbnt.exe38⤵
- Executes dropped EXE
-
\??\c:\nnnhhn.exec:\nnnhhn.exe39⤵
- Executes dropped EXE
-
\??\c:\9jpjd.exec:\9jpjd.exe40⤵
- Executes dropped EXE
-
\??\c:\lxllxfx.exec:\lxllxfx.exe41⤵
- Executes dropped EXE
-
\??\c:\rfffxxr.exec:\rfffxxr.exe42⤵
- Executes dropped EXE
-
\??\c:\tnntht.exec:\tnntht.exe43⤵
- Executes dropped EXE
-
\??\c:\dvppp.exec:\dvppp.exe44⤵
- Executes dropped EXE
-
\??\c:\dvpjv.exec:\dvpjv.exe45⤵
- Executes dropped EXE
-
\??\c:\1frfrrl.exec:\1frfrrl.exe46⤵
- Executes dropped EXE
-
\??\c:\tnnnhh.exec:\tnnnhh.exe47⤵
- Executes dropped EXE
-
\??\c:\hbtnnt.exec:\hbtnnt.exe48⤵
- Executes dropped EXE
-
\??\c:\jvdpj.exec:\jvdpj.exe49⤵
- Executes dropped EXE
-
\??\c:\fxxxrrr.exec:\fxxxrrr.exe50⤵
- Executes dropped EXE
-
\??\c:\xrxxrxx.exec:\xrxxrxx.exe51⤵
- Executes dropped EXE
-
\??\c:\5bhhnt.exec:\5bhhnt.exe52⤵
- Executes dropped EXE
-
\??\c:\nnnhhh.exec:\nnnhhh.exe53⤵
- Executes dropped EXE
-
\??\c:\tnnhbh.exec:\tnnhbh.exe54⤵
- Executes dropped EXE
-
\??\c:\1dddp.exec:\1dddp.exe55⤵
- Executes dropped EXE
-
\??\c:\rrxrllf.exec:\rrxrllf.exe56⤵
- Executes dropped EXE
-
\??\c:\7lfxrrl.exec:\7lfxrrl.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\nbbbnn.exec:\nbbbnn.exe58⤵
- Executes dropped EXE
-
\??\c:\nhnhnb.exec:\nhnhnb.exe59⤵
- Executes dropped EXE
-
\??\c:\ppjdd.exec:\ppjdd.exe60⤵
- Executes dropped EXE
-
\??\c:\rrllxxx.exec:\rrllxxx.exe61⤵
- Executes dropped EXE
-
\??\c:\7xfffll.exec:\7xfffll.exe62⤵
- Executes dropped EXE
-
\??\c:\nhhbbb.exec:\nhhbbb.exe63⤵
- Executes dropped EXE
-
\??\c:\vvvvp.exec:\vvvvp.exe64⤵
- Executes dropped EXE
-
\??\c:\dvdpp.exec:\dvdpp.exe65⤵
- Executes dropped EXE
-
\??\c:\fxlfllf.exec:\fxlfllf.exe66⤵
-
\??\c:\xrlfxlf.exec:\xrlfxlf.exe67⤵
-
\??\c:\tnhbbb.exec:\tnhbbb.exe68⤵
-
\??\c:\7nbbbb.exec:\7nbbbb.exe69⤵
-
\??\c:\dpvpp.exec:\dpvpp.exe70⤵
-
\??\c:\rfllfxf.exec:\rfllfxf.exe71⤵
-
\??\c:\lxfflll.exec:\lxfflll.exe72⤵
-
\??\c:\nhhbhh.exec:\nhhbhh.exe73⤵
-
\??\c:\ddjjv.exec:\ddjjv.exe74⤵
-
\??\c:\vvpjd.exec:\vvpjd.exe75⤵
-
\??\c:\xrllxlr.exec:\xrllxlr.exe76⤵
-
\??\c:\rlrrrrr.exec:\rlrrrrr.exe77⤵
-
\??\c:\bbhnhh.exec:\bbhnhh.exe78⤵
-
\??\c:\btbbbb.exec:\btbbbb.exe79⤵
-
\??\c:\pjpjv.exec:\pjpjv.exe80⤵
-
\??\c:\vdjdv.exec:\vdjdv.exe81⤵
-
\??\c:\xlrllfr.exec:\xlrllfr.exe82⤵
-
\??\c:\vvddj.exec:\vvddj.exe83⤵
-
\??\c:\jvdvp.exec:\jvdvp.exe84⤵
-
\??\c:\3lfxxxf.exec:\3lfxxxf.exe85⤵
-
\??\c:\ffxxrrr.exec:\ffxxrrr.exe86⤵
-
\??\c:\nttbhh.exec:\nttbhh.exe87⤵
-
\??\c:\1nnnnb.exec:\1nnnnb.exe88⤵
-
\??\c:\pdjvp.exec:\pdjvp.exe89⤵
-
\??\c:\ppvpp.exec:\ppvpp.exe90⤵
-
\??\c:\frrlffx.exec:\frrlffx.exe91⤵
-
\??\c:\lxxfxlf.exec:\lxxfxlf.exe92⤵
-
\??\c:\bthhbb.exec:\bthhbb.exe93⤵
-
\??\c:\7nhhbb.exec:\7nhhbb.exe94⤵
-
\??\c:\pjppd.exec:\pjppd.exe95⤵
-
\??\c:\jddvj.exec:\jddvj.exe96⤵
-
\??\c:\fxxrrll.exec:\fxxrrll.exe97⤵
- System Location Discovery: System Language Discovery
-
\??\c:\rrfxlfl.exec:\rrfxlfl.exe98⤵
-
\??\c:\7hhhbb.exec:\7hhhbb.exe99⤵
-
\??\c:\7bttnb.exec:\7bttnb.exe100⤵
-
\??\c:\jpdjj.exec:\jpdjj.exe101⤵
-
\??\c:\ffflffx.exec:\ffflffx.exe102⤵
-
\??\c:\rfrfffr.exec:\rfrfffr.exe103⤵
-
\??\c:\htbbbb.exec:\htbbbb.exe104⤵
-
\??\c:\jppjv.exec:\jppjv.exe105⤵
-
\??\c:\jjpjv.exec:\jjpjv.exe106⤵
-
\??\c:\3ffxrrl.exec:\3ffxrrl.exe107⤵
-
\??\c:\rlrlrrx.exec:\rlrlrrx.exe108⤵
-
\??\c:\bhtnhh.exec:\bhtnhh.exe109⤵
-
\??\c:\nnhbtt.exec:\nnhbtt.exe110⤵
-
\??\c:\vvddd.exec:\vvddd.exe111⤵
-
\??\c:\dvpjj.exec:\dvpjj.exe112⤵
-
\??\c:\xxfxxxf.exec:\xxfxxxf.exe113⤵
-
\??\c:\llfxfxf.exec:\llfxfxf.exe114⤵
-
\??\c:\nhhhbb.exec:\nhhhbb.exe115⤵
-
\??\c:\hhnhnn.exec:\hhnhnn.exe116⤵
-
\??\c:\pddvv.exec:\pddvv.exe117⤵
-
\??\c:\ppdvp.exec:\ppdvp.exe118⤵
-
\??\c:\5ddvj.exec:\5ddvj.exe119⤵
-
\??\c:\fxxrxxx.exec:\fxxrxxx.exe120⤵
-
\??\c:\xfffxxr.exec:\xfffxxr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-