Analysis
-
max time kernel
120s -
max time network
107s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18-10-2024 02:57
General
-
Target
765e7940e30473f76c0ed2cb8eb1604447f64ce4cc7528afd5fa19bc5f4091baN.exe
-
Size
83KB
-
MD5
53ba38a37b6381e2ff8d282025783d10
-
SHA1
eeb7079c29be0c453cf6259c5d8c0843276c4921
-
SHA256
765e7940e30473f76c0ed2cb8eb1604447f64ce4cc7528afd5fa19bc5f4091ba
-
SHA512
11f8f1d21cd2e5a1fc3a6a89a09a85e6415178d244d2e942046a20d2fe93ea69996cb4379fee26bab337c5347314bb7717ca0767049be8173a6aef498d138081
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIIpIo60L9QrrA89QF:ymb3NkkiQ3mdBjFIIp9L9QrrA8Q
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\765e7940e30473f76c0ed2cb8eb1604447f64ce4cc7528afd5fa19bc5f4091baN.exe"C:\Users\Admin\AppData\Local\Temp\765e7940e30473f76c0ed2cb8eb1604447f64ce4cc7528afd5fa19bc5f4091baN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\lrrxxff.exec:\lrrxxff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7tbnbb.exec:\7tbnbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpppd.exec:\vpppd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5lfxlrr.exec:\5lfxlrr.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxrlff.exec:\lfxrlff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnhhbt.exec:\bnhhbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jddvp.exec:\jddvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrlfrlx.exec:\rrlfrlx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5ntnhh.exec:\5ntnhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhhbnb.exec:\nhhbnb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjpjj.exec:\pjpjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxrrrl.exec:\lxxrrrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nntttt.exec:\nntttt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnhtn.exec:\btnhtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjpjd.exec:\vjpjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrrlxrr.exec:\rrrlxrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjdv.exec:\ddjdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfllxrx.exec:\lfllxrx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tntttn.exec:\tntttn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvpj.exec:\pdvpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpvpj.exec:\dpvpj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxrlff.exec:\lxxrlff.exe23⤵
- Executes dropped EXE
-
\??\c:\hbtnhb.exec:\hbtnhb.exe24⤵
- Executes dropped EXE
-
\??\c:\nhnhhb.exec:\nhnhhb.exe25⤵
- Executes dropped EXE
-
\??\c:\5pjvd.exec:\5pjvd.exe26⤵
- Executes dropped EXE
-
\??\c:\pddpd.exec:\pddpd.exe27⤵
- Executes dropped EXE
-
\??\c:\fllxllf.exec:\fllxllf.exe28⤵
- Executes dropped EXE
-
\??\c:\fxfflxf.exec:\fxfflxf.exe29⤵
- Executes dropped EXE
-
\??\c:\htnhth.exec:\htnhth.exe30⤵
- Executes dropped EXE
-
\??\c:\jjvjd.exec:\jjvjd.exe31⤵
- Executes dropped EXE
-
\??\c:\fflfllf.exec:\fflfllf.exe32⤵
- Executes dropped EXE
-
\??\c:\lxxrfxr.exec:\lxxrfxr.exe33⤵
- Executes dropped EXE
-
\??\c:\nttnhn.exec:\nttnhn.exe34⤵
- Executes dropped EXE
-
\??\c:\pjjpv.exec:\pjjpv.exe35⤵
- Executes dropped EXE
-
\??\c:\xrrlffx.exec:\xrrlffx.exe36⤵
- Executes dropped EXE
-
\??\c:\fxrllfx.exec:\fxrllfx.exe37⤵
- Executes dropped EXE
-
\??\c:\7rfxfff.exec:\7rfxfff.exe38⤵
- Executes dropped EXE
-
\??\c:\hnnnnb.exec:\hnnnnb.exe39⤵
- Executes dropped EXE
-
\??\c:\jdddv.exec:\jdddv.exe40⤵
- Executes dropped EXE
-
\??\c:\dddpd.exec:\dddpd.exe41⤵
- Executes dropped EXE
-
\??\c:\5lxlrlf.exec:\5lxlrlf.exe42⤵
- Executes dropped EXE
-
\??\c:\rrrlxll.exec:\rrrlxll.exe43⤵
- Executes dropped EXE
-
\??\c:\5bttbb.exec:\5bttbb.exe44⤵
- Executes dropped EXE
-
\??\c:\3bnhtn.exec:\3bnhtn.exe45⤵
- Executes dropped EXE
-
\??\c:\dppjd.exec:\dppjd.exe46⤵
- Executes dropped EXE
-
\??\c:\flfxrlf.exec:\flfxrlf.exe47⤵
- Executes dropped EXE
-
\??\c:\xllfrrl.exec:\xllfrrl.exe48⤵
- Executes dropped EXE
-
\??\c:\hhbthb.exec:\hhbthb.exe49⤵
- Executes dropped EXE
-
\??\c:\nttnhh.exec:\nttnhh.exe50⤵
- Executes dropped EXE
-
\??\c:\pjpdd.exec:\pjpdd.exe51⤵
- Executes dropped EXE
-
\??\c:\vjdpj.exec:\vjdpj.exe52⤵
- Executes dropped EXE
-
\??\c:\3xrfrrl.exec:\3xrfrrl.exe53⤵
- Executes dropped EXE
-
\??\c:\ffffxxr.exec:\ffffxxr.exe54⤵
- Executes dropped EXE
-
\??\c:\tbtnbt.exec:\tbtnbt.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\htbthb.exec:\htbthb.exe56⤵
- Executes dropped EXE
-
\??\c:\3dvpj.exec:\3dvpj.exe57⤵
- Executes dropped EXE
-
\??\c:\dvppd.exec:\dvppd.exe58⤵
- Executes dropped EXE
-
\??\c:\3xlflll.exec:\3xlflll.exe59⤵
- Executes dropped EXE
-
\??\c:\xrlxllf.exec:\xrlxllf.exe60⤵
- Executes dropped EXE
-
\??\c:\5nhbnh.exec:\5nhbnh.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\dvvjj.exec:\dvvjj.exe62⤵
- Executes dropped EXE
-
\??\c:\9jjdv.exec:\9jjdv.exe63⤵
- Executes dropped EXE
-
\??\c:\rffrfxl.exec:\rffrfxl.exe64⤵
- Executes dropped EXE
-
\??\c:\tbhbtn.exec:\tbhbtn.exe65⤵
- Executes dropped EXE
-
\??\c:\5hhbnh.exec:\5hhbnh.exe66⤵
-
\??\c:\pvddv.exec:\pvddv.exe67⤵
-
\??\c:\lrlfxxl.exec:\lrlfxxl.exe68⤵
-
\??\c:\fxxrlxf.exec:\fxxrlxf.exe69⤵
-
\??\c:\5bnntb.exec:\5bnntb.exe70⤵
-
\??\c:\thnbnh.exec:\thnbnh.exe71⤵
-
\??\c:\jjpjv.exec:\jjpjv.exe72⤵
-
\??\c:\dvjdp.exec:\dvjdp.exe73⤵
-
\??\c:\fffxlfx.exec:\fffxlfx.exe74⤵
-
\??\c:\ntbnbb.exec:\ntbnbb.exe75⤵
-
\??\c:\hnnnhb.exec:\hnnnhb.exe76⤵
-
\??\c:\vdddp.exec:\vdddp.exe77⤵
-
\??\c:\ddjvj.exec:\ddjvj.exe78⤵
-
\??\c:\5xrfrlx.exec:\5xrfrlx.exe79⤵
-
\??\c:\lxxrfxl.exec:\lxxrfxl.exe80⤵
-
\??\c:\3nnhbb.exec:\3nnhbb.exe81⤵
-
\??\c:\ffxxlxx.exec:\ffxxlxx.exe82⤵
-
\??\c:\lfxrlfx.exec:\lfxrlfx.exe83⤵
-
\??\c:\tntntn.exec:\tntntn.exe84⤵
-
\??\c:\nhtnbh.exec:\nhtnbh.exe85⤵
-
\??\c:\ppjdp.exec:\ppjdp.exe86⤵
-
\??\c:\ppvjv.exec:\ppvjv.exe87⤵
-
\??\c:\lxrllll.exec:\lxrllll.exe88⤵
-
\??\c:\bthbtn.exec:\bthbtn.exe89⤵
-
\??\c:\nbhbtt.exec:\nbhbtt.exe90⤵
-
\??\c:\dvvpj.exec:\dvvpj.exe91⤵
-
\??\c:\frfffxr.exec:\frfffxr.exe92⤵
-
\??\c:\ffrxflr.exec:\ffrxflr.exe93⤵
-
\??\c:\thhbtn.exec:\thhbtn.exe94⤵
-
\??\c:\vjdvj.exec:\vjdvj.exe95⤵
-
\??\c:\vpjjj.exec:\vpjjj.exe96⤵
-
\??\c:\xlfxlfr.exec:\xlfxlfr.exe97⤵
-
\??\c:\ntnnbn.exec:\ntnnbn.exe98⤵
-
\??\c:\hntnhb.exec:\hntnhb.exe99⤵
-
\??\c:\pdddv.exec:\pdddv.exe100⤵
-
\??\c:\3vjvp.exec:\3vjvp.exe101⤵
-
\??\c:\rflfrff.exec:\rflfrff.exe102⤵
-
\??\c:\rlrlfxr.exec:\rlrlfxr.exe103⤵
-
\??\c:\ntnbnh.exec:\ntnbnh.exe104⤵
-
\??\c:\vppdp.exec:\vppdp.exe105⤵
-
\??\c:\jjvpv.exec:\jjvpv.exe106⤵
-
\??\c:\5rrlxxl.exec:\5rrlxxl.exe107⤵
-
\??\c:\rfrlfxl.exec:\rfrlfxl.exe108⤵
-
\??\c:\nbnbtn.exec:\nbnbtn.exe109⤵
-
\??\c:\pjvpd.exec:\pjvpd.exe110⤵
-
\??\c:\lxlxxrr.exec:\lxlxxrr.exe111⤵
-
\??\c:\lxfffff.exec:\lxfffff.exe112⤵
-
\??\c:\bttnnh.exec:\bttnnh.exe113⤵
-
\??\c:\pppdp.exec:\pppdp.exe114⤵
-
\??\c:\dpjvp.exec:\dpjvp.exe115⤵
-
\??\c:\lllfxxf.exec:\lllfxxf.exe116⤵
-
\??\c:\bnnbnn.exec:\bnnbnn.exe117⤵
-
\??\c:\hbttnh.exec:\hbttnh.exe118⤵
-
\??\c:\pjdjv.exec:\pjdjv.exe119⤵
-
\??\c:\1llxllx.exec:\1llxllx.exe120⤵
-
\??\c:\9lflfrl.exec:\9lflfrl.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-