Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
09/10/2024, 11:48
General
-
Target
c9947f4bcfcbb2cd66e8b210e71508b7a632e5489a0226aa614f4bcfe8eb85c4N.exe
-
Size
78KB
-
MD5
a91b506999abf5fda35055b17cc8f450
-
SHA1
a3193a44ca59a0ea14cc1fc37ff2e6e428401157
-
SHA256
c9947f4bcfcbb2cd66e8b210e71508b7a632e5489a0226aa614f4bcfe8eb85c4
-
SHA512
81e910cc499d851da50fb5e62cdd4a62520e8d0faa459574978e59ba29f70817eac4c385799a4e964af2301dd6e8d7c19dc18d7396226e2c5a7b31fe50c0bf9c
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb7GTi3ldD5S:ymb3NkkiQ3mdBjFIWYB5S
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 33 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c9947f4bcfcbb2cd66e8b210e71508b7a632e5489a0226aa614f4bcfe8eb85c4N.exe"C:\Users\Admin\AppData\Local\Temp\c9947f4bcfcbb2cd66e8b210e71508b7a632e5489a0226aa614f4bcfe8eb85c4N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjdv.exec:\pjjdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrrlfff.exec:\lrrlfff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bntnbb.exec:\bntnbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9btnbt.exec:\9btnbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxfxrfx.exec:\fxfxrfx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbbtnn.exec:\nbbtnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpvpj.exec:\vpvpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxffrfr.exec:\lxffrfr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htttbt.exec:\htttbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5bnnhh.exec:\5bnnhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7djvj.exec:\7djvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thbttn.exec:\thbttn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpvpd.exec:\dpvpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjdv.exec:\pjjdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7lrfxrf.exec:\7lrfxrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpjjv.exec:\dpjjv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpjjd.exec:\vpjjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7fxrffx.exec:\7fxrffx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3ntbtb.exec:\3ntbtb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1djvp.exec:\1djvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxllxrf.exec:\rxllxrf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrfxlll.exec:\xrfxlll.exe23⤵
- Executes dropped EXE
-
\??\c:\nhbtnh.exec:\nhbtnh.exe24⤵
- Executes dropped EXE
-
\??\c:\vvjpp.exec:\vvjpp.exe25⤵
- Executes dropped EXE
-
\??\c:\lxlffrx.exec:\lxlffrx.exe26⤵
- Executes dropped EXE
-
\??\c:\nnhhnb.exec:\nnhhnb.exe27⤵
- Executes dropped EXE
-
\??\c:\hhbthh.exec:\hhbthh.exe28⤵
- Executes dropped EXE
-
\??\c:\djjjd.exec:\djjjd.exe29⤵
- Executes dropped EXE
-
\??\c:\rlllxxx.exec:\rlllxxx.exe30⤵
- Executes dropped EXE
-
\??\c:\3fflfff.exec:\3fflfff.exe31⤵
- Executes dropped EXE
-
\??\c:\btntnn.exec:\btntnn.exe32⤵
- Executes dropped EXE
-
\??\c:\jdjdp.exec:\jdjdp.exe33⤵
- Executes dropped EXE
-
\??\c:\rrxrlll.exec:\rrxrlll.exe34⤵
- Executes dropped EXE
-
\??\c:\tntnnb.exec:\tntnnb.exe35⤵
- Executes dropped EXE
-
\??\c:\9dvjv.exec:\9dvjv.exe36⤵
- Executes dropped EXE
-
\??\c:\dvdvp.exec:\dvdvp.exe37⤵
- Executes dropped EXE
-
\??\c:\nnnnhh.exec:\nnnnhh.exe38⤵
- Executes dropped EXE
-
\??\c:\bbbbtt.exec:\bbbbtt.exe39⤵
- Executes dropped EXE
-
\??\c:\vjvjv.exec:\vjvjv.exe40⤵
- Executes dropped EXE
-
\??\c:\vjpjd.exec:\vjpjd.exe41⤵
- Executes dropped EXE
-
\??\c:\lflfxxx.exec:\lflfxxx.exe42⤵
- Executes dropped EXE
-
\??\c:\nnnhtt.exec:\nnnhtt.exe43⤵
- Executes dropped EXE
-
\??\c:\tnnhhh.exec:\tnnhhh.exe44⤵
- Executes dropped EXE
-
\??\c:\vjvjv.exec:\vjvjv.exe45⤵
- Executes dropped EXE
-
\??\c:\jjjjd.exec:\jjjjd.exe46⤵
- Executes dropped EXE
-
\??\c:\rllffxx.exec:\rllffxx.exe47⤵
- Executes dropped EXE
-
\??\c:\bbnnhh.exec:\bbnnhh.exe48⤵
- Executes dropped EXE
-
\??\c:\dpvpj.exec:\dpvpj.exe49⤵
- Executes dropped EXE
-
\??\c:\vpdvd.exec:\vpdvd.exe50⤵
- Executes dropped EXE
-
\??\c:\xflfxll.exec:\xflfxll.exe51⤵
- Executes dropped EXE
-
\??\c:\btbhht.exec:\btbhht.exe52⤵
- Executes dropped EXE
-
\??\c:\bbbbtt.exec:\bbbbtt.exe53⤵
- Executes dropped EXE
-
\??\c:\dvpdj.exec:\dvpdj.exe54⤵
- Executes dropped EXE
-
\??\c:\pjdvd.exec:\pjdvd.exe55⤵
- Executes dropped EXE
-
\??\c:\frllffx.exec:\frllffx.exe56⤵
- Executes dropped EXE
-
\??\c:\fflrffx.exec:\fflrffx.exe57⤵
- Executes dropped EXE
-
\??\c:\3hbtnh.exec:\3hbtnh.exe58⤵
- Executes dropped EXE
-
\??\c:\nbhtnn.exec:\nbhtnn.exe59⤵
- Executes dropped EXE
-
\??\c:\jdvdj.exec:\jdvdj.exe60⤵
- Executes dropped EXE
-
\??\c:\flffxxf.exec:\flffxxf.exe61⤵
- Executes dropped EXE
-
\??\c:\nhhtnt.exec:\nhhtnt.exe62⤵
- Executes dropped EXE
-
\??\c:\1tbhbb.exec:\1tbhbb.exe63⤵
- Executes dropped EXE
-
\??\c:\djpjd.exec:\djpjd.exe64⤵
- Executes dropped EXE
-
\??\c:\xfflfxf.exec:\xfflfxf.exe65⤵
- Executes dropped EXE
-
\??\c:\nhnhtn.exec:\nhnhtn.exe66⤵
-
\??\c:\jvjdp.exec:\jvjdp.exe67⤵
-
\??\c:\jpdvp.exec:\jpdvp.exe68⤵
-
\??\c:\lxfxxxx.exec:\lxfxxxx.exe69⤵
-
\??\c:\lffxlrr.exec:\lffxlrr.exe70⤵
-
\??\c:\hhttht.exec:\hhttht.exe71⤵
-
\??\c:\3pjjp.exec:\3pjjp.exe72⤵
-
\??\c:\llxflxr.exec:\llxflxr.exe73⤵
-
\??\c:\lrxrfxr.exec:\lrxrfxr.exe74⤵
-
\??\c:\httnnn.exec:\httnnn.exe75⤵
-
\??\c:\pvvpp.exec:\pvvpp.exe76⤵
-
\??\c:\vpvpj.exec:\vpvpj.exe77⤵
-
\??\c:\xflffxl.exec:\xflffxl.exe78⤵
-
\??\c:\7bbthh.exec:\7bbthh.exe79⤵
-
\??\c:\pdjjd.exec:\pdjjd.exe80⤵
-
\??\c:\dddvj.exec:\dddvj.exe81⤵
-
\??\c:\3xrrlrl.exec:\3xrrlrl.exe82⤵
-
\??\c:\hbhbtt.exec:\hbhbtt.exe83⤵
-
\??\c:\7hbtbb.exec:\7hbtbb.exe84⤵
-
\??\c:\pjjdd.exec:\pjjdd.exe85⤵
-
\??\c:\frrrrrf.exec:\frrrrrf.exe86⤵
-
\??\c:\tttttb.exec:\tttttb.exe87⤵
-
\??\c:\hhhbnn.exec:\hhhbnn.exe88⤵
-
\??\c:\lxflrxx.exec:\lxflrxx.exe89⤵
-
\??\c:\lfxlfll.exec:\lfxlfll.exe90⤵
-
\??\c:\dvppj.exec:\dvppj.exe91⤵
-
\??\c:\1frflxl.exec:\1frflxl.exe92⤵
-
\??\c:\ffxxxfx.exec:\ffxxxfx.exe93⤵
-
\??\c:\7tthbt.exec:\7tthbt.exe94⤵
-
\??\c:\pvjvj.exec:\pvjvj.exe95⤵
-
\??\c:\fflrrxf.exec:\fflrrxf.exe96⤵
-
\??\c:\xxxxxxr.exec:\xxxxxxr.exe97⤵
-
\??\c:\3ntnhn.exec:\3ntnhn.exe98⤵
-
\??\c:\pjjdd.exec:\pjjdd.exe99⤵
-
\??\c:\5lrlfff.exec:\5lrlfff.exe100⤵
-
\??\c:\hbtnbt.exec:\hbtnbt.exe101⤵
- System Location Discovery: System Language Discovery
-
\??\c:\ttnbtn.exec:\ttnbtn.exe102⤵
-
\??\c:\dvvdv.exec:\dvvdv.exe103⤵
-
\??\c:\lrxrrrx.exec:\lrxrrrx.exe104⤵
-
\??\c:\vdvpv.exec:\vdvpv.exe105⤵
-
\??\c:\lxllrfr.exec:\lxllrfr.exe106⤵
-
\??\c:\llrrlrl.exec:\llrrlrl.exe107⤵
-
\??\c:\bhhnhh.exec:\bhhnhh.exe108⤵
-
\??\c:\thhbtn.exec:\thhbtn.exe109⤵
-
\??\c:\vdpvp.exec:\vdpvp.exe110⤵
-
\??\c:\7rrrllf.exec:\7rrrllf.exe111⤵
-
\??\c:\rflfxxr.exec:\rflfxxr.exe112⤵
-
\??\c:\hthttn.exec:\hthttn.exe113⤵
-
\??\c:\jvddv.exec:\jvddv.exe114⤵
-
\??\c:\rxfxrlf.exec:\rxfxrlf.exe115⤵
-
\??\c:\tnthbt.exec:\tnthbt.exe116⤵
-
\??\c:\jddvj.exec:\jddvj.exe117⤵
-
\??\c:\jdvjd.exec:\jdvjd.exe118⤵
-
\??\c:\7xlffxf.exec:\7xlffxf.exe119⤵
-
\??\c:\bnnhbt.exec:\bnnhbt.exe120⤵
-
\??\c:\nhttnh.exec:\nhttnh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-