Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
13/10/2024, 03:31
General
-
Target
d2b32bf0d2bc5dd9c2900b7000365d7e34f01f80ff436754bd7f9e21a299b3fc.exe
-
Size
83KB
-
MD5
c2883033fbf6268999237c503958f74d
-
SHA1
7de01061096419bf907c089c6d41a5f9c9177162
-
SHA256
d2b32bf0d2bc5dd9c2900b7000365d7e34f01f80ff436754bd7f9e21a299b3fc
-
SHA512
c6ae2e26d7edfc9c9ca409dbcd35898b5987551d87a05d8efdb21bc0e782a9e3944b43cecd6a060231c091b04f348f928978f3611860c4d54150e414e5bade1b
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIIpIo60L9QrrA89Qo1:ymb3NkkiQ3mdBjFIIp9L9QrrA8l1
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d2b32bf0d2bc5dd9c2900b7000365d7e34f01f80ff436754bd7f9e21a299b3fc.exe"C:\Users\Admin\AppData\Local\Temp\d2b32bf0d2bc5dd9c2900b7000365d7e34f01f80ff436754bd7f9e21a299b3fc.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\c842266.exec:\c842266.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\m6822.exec:\m6822.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhhbbb.exec:\nhhbbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhnhbb.exec:\nhnhbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpjd.exec:\dvpjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\480088.exec:\480088.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnnhn.exec:\tnnnhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3tbtbt.exec:\3tbtbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\00400.exec:\00400.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvppp.exec:\dvppp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\462222.exec:\462222.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\224488.exec:\224488.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrllll.exec:\rfrllll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\g2848.exec:\g2848.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\o400448.exec:\o400448.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbbhh.exec:\htbbhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1jvpv.exec:\1jvpv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpvdp.exec:\jpvdp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpppp.exec:\vpppp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxxrrr.exec:\lxxxrrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\68666.exec:\68666.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvjv.exec:\jjvjv.exe23⤵
- Executes dropped EXE
-
\??\c:\g6608.exec:\g6608.exe24⤵
- Executes dropped EXE
-
\??\c:\xflxllf.exec:\xflxllf.exe25⤵
- Executes dropped EXE
-
\??\c:\nhhbtt.exec:\nhhbtt.exe26⤵
- Executes dropped EXE
-
\??\c:\2664260.exec:\2664260.exe27⤵
- Executes dropped EXE
-
\??\c:\206662.exec:\206662.exe28⤵
- Executes dropped EXE
-
\??\c:\flrllfr.exec:\flrllfr.exe29⤵
- Executes dropped EXE
-
\??\c:\9rrlfxr.exec:\9rrlfxr.exe30⤵
- Executes dropped EXE
-
\??\c:\q22660.exec:\q22660.exe31⤵
- Executes dropped EXE
-
\??\c:\840422.exec:\840422.exe32⤵
- Executes dropped EXE
-
\??\c:\5hhttn.exec:\5hhttn.exe33⤵
- Executes dropped EXE
-
\??\c:\vpjvj.exec:\vpjvj.exe34⤵
- Executes dropped EXE
-
\??\c:\g0268.exec:\g0268.exe35⤵
- Executes dropped EXE
-
\??\c:\nhtntn.exec:\nhtntn.exe36⤵
- Executes dropped EXE
-
\??\c:\fffllxf.exec:\fffllxf.exe37⤵
- Executes dropped EXE
-
\??\c:\266024.exec:\266024.exe38⤵
- Executes dropped EXE
-
\??\c:\42268.exec:\42268.exe39⤵
- Executes dropped EXE
-
\??\c:\8026860.exec:\8026860.exe40⤵
- Executes dropped EXE
-
\??\c:\tnhthn.exec:\tnhthn.exe41⤵
- Executes dropped EXE
-
\??\c:\28620.exec:\28620.exe42⤵
- Executes dropped EXE
-
\??\c:\jdvjd.exec:\jdvjd.exe43⤵
- Executes dropped EXE
-
\??\c:\0666442.exec:\0666442.exe44⤵
- Executes dropped EXE
-
\??\c:\xfflxxr.exec:\xfflxxr.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\826826.exec:\826826.exe46⤵
- Executes dropped EXE
-
\??\c:\202600.exec:\202600.exe47⤵
- Executes dropped EXE
-
\??\c:\lxxrxrl.exec:\lxxrxrl.exe48⤵
- Executes dropped EXE
-
\??\c:\hnnnnn.exec:\hnnnnn.exe49⤵
- Executes dropped EXE
-
\??\c:\c826404.exec:\c826404.exe50⤵
- Executes dropped EXE
-
\??\c:\0284444.exec:\0284444.exe51⤵
- Executes dropped EXE
-
\??\c:\lflfrxx.exec:\lflfrxx.exe52⤵
- Executes dropped EXE
-
\??\c:\xrfxrfl.exec:\xrfxrfl.exe53⤵
- Executes dropped EXE
-
\??\c:\000482.exec:\000482.exe54⤵
- Executes dropped EXE
-
\??\c:\vpvjp.exec:\vpvjp.exe55⤵
- Executes dropped EXE
-
\??\c:\lxfxfxx.exec:\lxfxfxx.exe56⤵
- Executes dropped EXE
-
\??\c:\48204.exec:\48204.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\a2820.exec:\a2820.exe58⤵
- Executes dropped EXE
-
\??\c:\88660.exec:\88660.exe59⤵
- Executes dropped EXE
-
\??\c:\bttnhh.exec:\bttnhh.exe60⤵
- Executes dropped EXE
-
\??\c:\q00400.exec:\q00400.exe61⤵
- Executes dropped EXE
-
\??\c:\bbnnhn.exec:\bbnnhn.exe62⤵
- Executes dropped EXE
-
\??\c:\222260.exec:\222260.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\fxllffl.exec:\fxllffl.exe64⤵
- Executes dropped EXE
-
\??\c:\u460662.exec:\u460662.exe65⤵
- Executes dropped EXE
-
\??\c:\djvpj.exec:\djvpj.exe66⤵
-
\??\c:\vvddv.exec:\vvddv.exe67⤵
-
\??\c:\k24484.exec:\k24484.exe68⤵
-
\??\c:\8466444.exec:\8466444.exe69⤵
-
\??\c:\2648266.exec:\2648266.exe70⤵
-
\??\c:\jdjpj.exec:\jdjpj.exe71⤵
-
\??\c:\840448.exec:\840448.exe72⤵
-
\??\c:\642266.exec:\642266.exe73⤵
-
\??\c:\60480.exec:\60480.exe74⤵
-
\??\c:\rrfxxfx.exec:\rrfxxfx.exe75⤵
-
\??\c:\xrrlffx.exec:\xrrlffx.exe76⤵
-
\??\c:\ddjdv.exec:\ddjdv.exe77⤵
-
\??\c:\3djjv.exec:\3djjv.exe78⤵
-
\??\c:\0286048.exec:\0286048.exe79⤵
-
\??\c:\jdddv.exec:\jdddv.exe80⤵
-
\??\c:\thhnbn.exec:\thhnbn.exe81⤵
-
\??\c:\c684440.exec:\c684440.exe82⤵
-
\??\c:\02448.exec:\02448.exe83⤵
-
\??\c:\9lrrrxx.exec:\9lrrrxx.exe84⤵
-
\??\c:\0288888.exec:\0288888.exe85⤵
-
\??\c:\hhnbtt.exec:\hhnbtt.exe86⤵
-
\??\c:\9btnhb.exec:\9btnhb.exe87⤵
-
\??\c:\668622.exec:\668622.exe88⤵
-
\??\c:\nhbtbh.exec:\nhbtbh.exe89⤵
-
\??\c:\djdjj.exec:\djdjj.exe90⤵
- System Location Discovery: System Language Discovery
-
\??\c:\vpjdv.exec:\vpjdv.exe91⤵
-
\??\c:\pjjpj.exec:\pjjpj.exe92⤵
-
\??\c:\68208.exec:\68208.exe93⤵
-
\??\c:\004000.exec:\004000.exe94⤵
-
\??\c:\vpjjj.exec:\vpjjj.exe95⤵
-
\??\c:\dpjdv.exec:\dpjdv.exe96⤵
-
\??\c:\2428666.exec:\2428666.exe97⤵
-
\??\c:\tntbtt.exec:\tntbtt.exe98⤵
-
\??\c:\xxxxxfl.exec:\xxxxxfl.exe99⤵
-
\??\c:\w28882.exec:\w28882.exe100⤵
-
\??\c:\fxrrfrr.exec:\fxrrfrr.exe101⤵
-
\??\c:\pjddv.exec:\pjddv.exe102⤵
-
\??\c:\w06000.exec:\w06000.exe103⤵
-
\??\c:\484044.exec:\484044.exe104⤵
-
\??\c:\6064846.exec:\6064846.exe105⤵
-
\??\c:\ppdpj.exec:\ppdpj.exe106⤵
-
\??\c:\k68882.exec:\k68882.exe107⤵
-
\??\c:\fxxxxxx.exec:\fxxxxxx.exe108⤵
-
\??\c:\jdddv.exec:\jdddv.exe109⤵
-
\??\c:\vvddp.exec:\vvddp.exe110⤵
-
\??\c:\hhbtnt.exec:\hhbtnt.exe111⤵
-
\??\c:\042828.exec:\042828.exe112⤵
-
\??\c:\jjddp.exec:\jjddp.exe113⤵
-
\??\c:\pjjjv.exec:\pjjjv.exe114⤵
-
\??\c:\vvppd.exec:\vvppd.exe115⤵
-
\??\c:\rxrxrlr.exec:\rxrxrlr.exe116⤵
-
\??\c:\u426888.exec:\u426888.exe117⤵
-
\??\c:\2662648.exec:\2662648.exe118⤵
-
\??\c:\xflfxxx.exec:\xflfxxx.exe119⤵
-
\??\c:\484044.exec:\484044.exe120⤵
-
\??\c:\vvddp.exec:\vvddp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-