Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
15/10/2024, 03:51
General
-
Target
2b6e3c1c4bde62efa441de16fedc9988811e3ca0f3fc24728b336ba5986661bcN.exe
-
Size
69KB
-
MD5
5a41971162bd74866ed0cdcea4acb2d0
-
SHA1
47edb1a711bed541854c1898d4544b6678eb6a28
-
SHA256
2b6e3c1c4bde62efa441de16fedc9988811e3ca0f3fc24728b336ba5986661bc
-
SHA512
ac0a0371a325430f7fa02a35efaad70a1374077b86c28aabc9a95c38ac431620309867cb2096493d3e763d93e4034e32e77dc8fab1693778ac6153886341775f
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yUuYp+5C8+Luvdp:ymb3NkkiQ3mdBjF0yMlip
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2b6e3c1c4bde62efa441de16fedc9988811e3ca0f3fc24728b336ba5986661bcN.exe"C:\Users\Admin\AppData\Local\Temp\2b6e3c1c4bde62efa441de16fedc9988811e3ca0f3fc24728b336ba5986661bcN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\7vvjd.exec:\7vvjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlfrllf.exec:\xlfrllf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thbbbt.exec:\thbbbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3jdjj.exec:\3jdjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdpjp.exec:\vdpjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxxlfx.exec:\frxxlfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1nbttt.exec:\1nbttt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bttnbb.exec:\bttnbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvpd.exec:\pdvpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpvjv.exec:\vpvjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxrlfx.exec:\rlxrlfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxrlfxr.exec:\lxrlfxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3ttnnn.exec:\3ttnnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvppj.exec:\jvppj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7rrlxxl.exec:\7rrlxxl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnbthh.exec:\nnbthh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thhhnb.exec:\thhhnb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7vpvj.exec:\7vpvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lllfrrl.exec:\lllfrrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbtnn.exec:\nhbtnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvpp.exec:\vvvpp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vddvj.exec:\vddvj.exe23⤵
- Executes dropped EXE
-
\??\c:\lxfxlll.exec:\lxfxlll.exe24⤵
- Executes dropped EXE
-
\??\c:\lfrrrlf.exec:\lfrrrlf.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\nntnnn.exec:\nntnnn.exe26⤵
- Executes dropped EXE
-
\??\c:\ddvpd.exec:\ddvpd.exe27⤵
- Executes dropped EXE
-
\??\c:\vdvvp.exec:\vdvvp.exe28⤵
- Executes dropped EXE
-
\??\c:\xrxrrlr.exec:\xrxrrlr.exe29⤵
- Executes dropped EXE
-
\??\c:\bbbtnn.exec:\bbbtnn.exe30⤵
- Executes dropped EXE
-
\??\c:\nhtbnh.exec:\nhtbnh.exe31⤵
- Executes dropped EXE
-
\??\c:\dvdvj.exec:\dvdvj.exe32⤵
- Executes dropped EXE
-
\??\c:\lllfxxx.exec:\lllfxxx.exe33⤵
- Executes dropped EXE
-
\??\c:\rlrlffx.exec:\rlrlffx.exe34⤵
- Executes dropped EXE
-
\??\c:\thnhtt.exec:\thnhtt.exe35⤵
- Executes dropped EXE
-
\??\c:\jddvj.exec:\jddvj.exe36⤵
- Executes dropped EXE
-
\??\c:\1fffxrx.exec:\1fffxrx.exe37⤵
- Executes dropped EXE
-
\??\c:\htnhbb.exec:\htnhbb.exe38⤵
- Executes dropped EXE
-
\??\c:\tnnnnn.exec:\tnnnnn.exe39⤵
- Executes dropped EXE
-
\??\c:\dppjv.exec:\dppjv.exe40⤵
- Executes dropped EXE
-
\??\c:\jvvpj.exec:\jvvpj.exe41⤵
- Executes dropped EXE
-
\??\c:\lrrlxrl.exec:\lrrlxrl.exe42⤵
- Executes dropped EXE
-
\??\c:\xxrrlfl.exec:\xxrrlfl.exe43⤵
- Executes dropped EXE
-
\??\c:\thhbnh.exec:\thhbnh.exe44⤵
- Executes dropped EXE
-
\??\c:\vvpjd.exec:\vvpjd.exe45⤵
- Executes dropped EXE
-
\??\c:\jvpjd.exec:\jvpjd.exe46⤵
- Executes dropped EXE
-
\??\c:\frfxrrl.exec:\frfxrrl.exe47⤵
- Executes dropped EXE
-
\??\c:\vpjdd.exec:\vpjdd.exe48⤵
- Executes dropped EXE
-
\??\c:\vpjdv.exec:\vpjdv.exe49⤵
- Executes dropped EXE
-
\??\c:\flxlffr.exec:\flxlffr.exe50⤵
- Executes dropped EXE
-
\??\c:\rlrrllf.exec:\rlrrllf.exe51⤵
- Executes dropped EXE
-
\??\c:\nhbbtt.exec:\nhbbtt.exe52⤵
- Executes dropped EXE
-
\??\c:\dpjdd.exec:\dpjdd.exe53⤵
- Executes dropped EXE
-
\??\c:\flrllll.exec:\flrllll.exe54⤵
- Executes dropped EXE
-
\??\c:\thbtnn.exec:\thbtnn.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\bttnhh.exec:\bttnhh.exe56⤵
- Executes dropped EXE
-
\??\c:\nbnhbh.exec:\nbnhbh.exe57⤵
- Executes dropped EXE
-
\??\c:\ffrlffx.exec:\ffrlffx.exe58⤵
- Executes dropped EXE
-
\??\c:\rxlfxrl.exec:\rxlfxrl.exe59⤵
- Executes dropped EXE
-
\??\c:\hbnnhn.exec:\hbnnhn.exe60⤵
- Executes dropped EXE
-
\??\c:\5bhbtb.exec:\5bhbtb.exe61⤵
- Executes dropped EXE
-
\??\c:\jdddp.exec:\jdddp.exe62⤵
- Executes dropped EXE
-
\??\c:\fllfrrr.exec:\fllfrrr.exe63⤵
- Executes dropped EXE
-
\??\c:\rflfxrr.exec:\rflfxrr.exe64⤵
- Executes dropped EXE
-
\??\c:\nhbbtt.exec:\nhbbtt.exe65⤵
- Executes dropped EXE
-
\??\c:\jdpjd.exec:\jdpjd.exe66⤵
-
\??\c:\rlfxllf.exec:\rlfxllf.exe67⤵
-
\??\c:\fxlffff.exec:\fxlffff.exe68⤵
-
\??\c:\tnbnhb.exec:\tnbnhb.exe69⤵
-
\??\c:\bntnhb.exec:\bntnhb.exe70⤵
-
\??\c:\vdvpd.exec:\vdvpd.exe71⤵
-
\??\c:\jddpj.exec:\jddpj.exe72⤵
-
\??\c:\llfxxxf.exec:\llfxxxf.exe73⤵
-
\??\c:\nhhbbn.exec:\nhhbbn.exe74⤵
-
\??\c:\thhtnh.exec:\thhtnh.exe75⤵
-
\??\c:\lrrfxlf.exec:\lrrfxlf.exe76⤵
-
\??\c:\ntnttb.exec:\ntnttb.exe77⤵
-
\??\c:\bnhbnt.exec:\bnhbnt.exe78⤵
-
\??\c:\dvjjp.exec:\dvjjp.exe79⤵
-
\??\c:\rlrrlrl.exec:\rlrrlrl.exe80⤵
-
\??\c:\tbbbtt.exec:\tbbbtt.exe81⤵
-
\??\c:\nhbtnn.exec:\nhbtnn.exe82⤵
-
\??\c:\dvppj.exec:\dvppj.exe83⤵
-
\??\c:\rllfrrl.exec:\rllfrrl.exe84⤵
-
\??\c:\5fxflfx.exec:\5fxflfx.exe85⤵
-
\??\c:\ttbbbb.exec:\ttbbbb.exe86⤵
-
\??\c:\llxrxxx.exec:\llxrxxx.exe87⤵
- System Location Discovery: System Language Discovery
-
\??\c:\3bhbbh.exec:\3bhbbh.exe88⤵
-
\??\c:\ppdvv.exec:\ppdvv.exe89⤵
-
\??\c:\lfxfrfx.exec:\lfxfrfx.exe90⤵
-
\??\c:\lxfxrll.exec:\lxfxrll.exe91⤵
-
\??\c:\9vddv.exec:\9vddv.exe92⤵
-
\??\c:\frflxxr.exec:\frflxxr.exe93⤵
-
\??\c:\lffxxxr.exec:\lffxxxr.exe94⤵
-
\??\c:\nbbnhh.exec:\nbbnhh.exe95⤵
-
\??\c:\tbhhtt.exec:\tbhhtt.exe96⤵
-
\??\c:\dpvpp.exec:\dpvpp.exe97⤵
-
\??\c:\djjjv.exec:\djjjv.exe98⤵
-
\??\c:\rlfrfff.exec:\rlfrfff.exe99⤵
-
\??\c:\xlrrllf.exec:\xlrrllf.exe100⤵
-
\??\c:\bhhnhh.exec:\bhhnhh.exe101⤵
-
\??\c:\hhnhbt.exec:\hhnhbt.exe102⤵
-
\??\c:\vvpjv.exec:\vvpjv.exe103⤵
-
\??\c:\rlxxrxx.exec:\rlxxrxx.exe104⤵
-
\??\c:\hhnnnn.exec:\hhnnnn.exe105⤵
-
\??\c:\httnhn.exec:\httnhn.exe106⤵
-
\??\c:\jjddp.exec:\jjddp.exe107⤵
-
\??\c:\pjvpd.exec:\pjvpd.exe108⤵
-
\??\c:\rfxrffx.exec:\rfxrffx.exe109⤵
-
\??\c:\5bhbtt.exec:\5bhbtt.exe110⤵
-
\??\c:\vvpjj.exec:\vvpjj.exe111⤵
-
\??\c:\rrrxxrl.exec:\rrrxxrl.exe112⤵
-
\??\c:\hbtnhh.exec:\hbtnhh.exe113⤵
-
\??\c:\vvpvp.exec:\vvpvp.exe114⤵
-
\??\c:\1xxrrxr.exec:\1xxrrxr.exe115⤵
-
\??\c:\vppjj.exec:\vppjj.exe116⤵
-
\??\c:\jddpv.exec:\jddpv.exe117⤵
-
\??\c:\ffrffxf.exec:\ffrffxf.exe118⤵
-
\??\c:\bbtbtb.exec:\bbtbtb.exe119⤵
-
\??\c:\hbtnbb.exec:\hbtnbb.exe120⤵
-
\??\c:\pvdvp.exec:\pvdvp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-