Analysis
-
max time kernel
150s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
17-11-2024 22:16
General
-
Target
30238636680235647405104d7d771295b462bab8383ab70c596fdc036d707747.exe
-
Size
1.9MB
-
MD5
739a4cc33f07c69c7a37b5848967ce9b
-
SHA1
a2aab686705709fa39475da23b327a4c919867d9
-
SHA256
30238636680235647405104d7d771295b462bab8383ab70c596fdc036d707747
-
SHA512
886d831ef51a8c5709fc818080f6262f71a1fd9ad954704d49812fd7485af6fe7719c2a676203fb2b04385f0d26627edd7ff25449bf40e8e39e55d8d2a39a564
-
SSDEEP
24576:gC8d36kLBXlnB8j7v5Ta+hLLQ20JmXSeWwa1oWJQjk0svTS/PPsbb1hwR4j:gCOfN6X5tLLQTg20ITS/PPs/1kk
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 63 IoCs
-
Njrat family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\30238636680235647405104d7d771295b462bab8383ab70c596fdc036d707747.exe"C:\Users\Admin\AppData\Local\Temp\30238636680235647405104d7d771295b462bab8383ab70c596fdc036d707747.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\66624.exec:\66624.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxfrxfr.exec:\fxfrxfr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\88660.exec:\88660.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\864848.exec:\864848.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhhnhb.exec:\nhhnhb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nthhtt.exec:\nthhtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4082884.exec:\4082884.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrllffr.exec:\xrllffr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\s6240.exec:\s6240.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpjjd.exec:\vpjjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fllfffl.exec:\fllfffl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1frrrrr.exec:\1frrrrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llfffll.exec:\llfffll.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\820886.exec:\820886.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2666080.exec:\2666080.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2400882.exec:\2400882.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\e88884.exec:\e88884.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0680000.exec:\0680000.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4826486.exec:\4826486.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\06220.exec:\06220.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrlrrrx.exec:\xrlrrrx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\26482.exec:\26482.exe23⤵
- Executes dropped EXE
-
\??\c:\22248.exec:\22248.exe24⤵
- Executes dropped EXE
-
\??\c:\ddpvv.exec:\ddpvv.exe25⤵
- Executes dropped EXE
-
\??\c:\802280.exec:\802280.exe26⤵
- Executes dropped EXE
-
\??\c:\pddvp.exec:\pddvp.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\224266.exec:\224266.exe28⤵
- Executes dropped EXE
-
\??\c:\rlrfllx.exec:\rlrfllx.exe29⤵
- Executes dropped EXE
-
\??\c:\22206.exec:\22206.exe30⤵
- Executes dropped EXE
-
\??\c:\204204.exec:\204204.exe31⤵
- Executes dropped EXE
-
\??\c:\9nbtth.exec:\9nbtth.exe32⤵
- Executes dropped EXE
-
\??\c:\bbbnhb.exec:\bbbnhb.exe33⤵
- Executes dropped EXE
-
\??\c:\c224204.exec:\c224204.exe34⤵
- Executes dropped EXE
-
\??\c:\nnbtbn.exec:\nnbtbn.exe35⤵
- Executes dropped EXE
-
\??\c:\422226.exec:\422226.exe36⤵
- Executes dropped EXE
-
\??\c:\ppppv.exec:\ppppv.exe37⤵
- Executes dropped EXE
-
\??\c:\880488.exec:\880488.exe38⤵
- Executes dropped EXE
-
\??\c:\lrrllff.exec:\lrrllff.exe39⤵
- Executes dropped EXE
-
\??\c:\rxllxrr.exec:\rxllxrr.exe40⤵
- Executes dropped EXE
-
\??\c:\rrxflxf.exec:\rrxflxf.exe41⤵
- Executes dropped EXE
-
\??\c:\46286.exec:\46286.exe42⤵
- Executes dropped EXE
-
\??\c:\028684.exec:\028684.exe43⤵
- Executes dropped EXE
-
\??\c:\06464.exec:\06464.exe44⤵
- Executes dropped EXE
-
\??\c:\0244062.exec:\0244062.exe45⤵
- Executes dropped EXE
-
\??\c:\ntnnnt.exec:\ntnnnt.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\btnbnt.exec:\btnbnt.exe47⤵
- Executes dropped EXE
-
\??\c:\bbhbhh.exec:\bbhbhh.exe48⤵
- Executes dropped EXE
-
\??\c:\vdvpp.exec:\vdvpp.exe49⤵
- Executes dropped EXE
-
\??\c:\k48200.exec:\k48200.exe50⤵
- Executes dropped EXE
-
\??\c:\84864.exec:\84864.exe51⤵
- Executes dropped EXE
-
\??\c:\0840066.exec:\0840066.exe52⤵
- Executes dropped EXE
-
\??\c:\086446.exec:\086446.exe53⤵
- Executes dropped EXE
-
\??\c:\486288.exec:\486288.exe54⤵
- Executes dropped EXE
-
\??\c:\jjddv.exec:\jjddv.exe55⤵
- Executes dropped EXE
-
\??\c:\000260.exec:\000260.exe56⤵
- Executes dropped EXE
-
\??\c:\8686684.exec:\8686684.exe57⤵
- Executes dropped EXE
-
\??\c:\ffrfxff.exec:\ffrfxff.exe58⤵
- Executes dropped EXE
-
\??\c:\c602020.exec:\c602020.exe59⤵
- Executes dropped EXE
-
\??\c:\rxfffll.exec:\rxfffll.exe60⤵
- Executes dropped EXE
-
\??\c:\84002.exec:\84002.exe61⤵
- Executes dropped EXE
-
\??\c:\ddjpv.exec:\ddjpv.exe62⤵
- Executes dropped EXE
-
\??\c:\jpddd.exec:\jpddd.exe63⤵
- Executes dropped EXE
-
\??\c:\6222202.exec:\6222202.exe64⤵
- Executes dropped EXE
-
\??\c:\btbhht.exec:\btbhht.exe65⤵
- Executes dropped EXE
-
\??\c:\rlrfflx.exec:\rlrfflx.exe66⤵
-
\??\c:\tnttbh.exec:\tnttbh.exe67⤵
-
\??\c:\9fxxffl.exec:\9fxxffl.exe68⤵
-
\??\c:\k66066.exec:\k66066.exe69⤵
-
\??\c:\828608.exec:\828608.exe70⤵
-
\??\c:\xfrrffr.exec:\xfrrffr.exe71⤵
-
\??\c:\xxxxfll.exec:\xxxxfll.exe72⤵
-
\??\c:\88666.exec:\88666.exe73⤵
-
\??\c:\xlflrfl.exec:\xlflrfl.exe74⤵
-
\??\c:\rlflfff.exec:\rlflfff.exe75⤵
-
\??\c:\8600060.exec:\8600060.exe76⤵
-
\??\c:\rlllflf.exec:\rlllflf.exe77⤵
-
\??\c:\608882.exec:\608882.exe78⤵
-
\??\c:\tnbhnb.exec:\tnbhnb.exe79⤵
-
\??\c:\42668.exec:\42668.exe80⤵
-
\??\c:\nhtthh.exec:\nhtthh.exe81⤵
-
\??\c:\4008464.exec:\4008464.exe82⤵
-
\??\c:\vjppp.exec:\vjppp.exe83⤵
-
\??\c:\rxrrrrr.exec:\rxrrrrr.exe84⤵
-
\??\c:\8222648.exec:\8222648.exe85⤵
-
\??\c:\djpdd.exec:\djpdd.exe86⤵
-
\??\c:\4260420.exec:\4260420.exe87⤵
-
\??\c:\hthntb.exec:\hthntb.exe88⤵
-
\??\c:\rxxxfrx.exec:\rxxxfrx.exe89⤵
-
\??\c:\lfxxxxx.exec:\lfxxxxx.exe90⤵
-
\??\c:\fxlrxxl.exec:\fxlrxxl.exe91⤵
-
\??\c:\84084.exec:\84084.exe92⤵
-
\??\c:\ppdvj.exec:\ppdvj.exe93⤵
-
\??\c:\04426.exec:\04426.exe94⤵
-
\??\c:\vvddj.exec:\vvddj.exe95⤵
-
\??\c:\ppjpj.exec:\ppjpj.exe96⤵
-
\??\c:\htbttt.exec:\htbttt.exe97⤵
-
\??\c:\00868.exec:\00868.exe98⤵
-
\??\c:\lfrllrr.exec:\lfrllrr.exe99⤵
-
\??\c:\hhnbhh.exec:\hhnbhh.exe100⤵
-
\??\c:\thnbhh.exec:\thnbhh.exe101⤵
-
\??\c:\86822.exec:\86822.exe102⤵
-
\??\c:\hbnhhn.exec:\hbnhhn.exe103⤵
-
\??\c:\82082.exec:\82082.exe104⤵
-
\??\c:\nttbtt.exec:\nttbtt.exe105⤵
-
\??\c:\dvppv.exec:\dvppv.exe106⤵
-
\??\c:\rfflffl.exec:\rfflffl.exe107⤵
-
\??\c:\flffrlf.exec:\flffrlf.exe108⤵
-
\??\c:\dddvp.exec:\dddvp.exe109⤵
-
\??\c:\tbttnh.exec:\tbttnh.exe110⤵
-
\??\c:\xxxxflr.exec:\xxxxflr.exe111⤵
-
\??\c:\fflrxll.exec:\fflrxll.exe112⤵
-
\??\c:\60024.exec:\60024.exe113⤵
-
\??\c:\9rxrfxx.exec:\9rxrfxx.exe114⤵
-
\??\c:\nhhtht.exec:\nhhtht.exe115⤵
-
\??\c:\ntbtbt.exec:\ntbtbt.exe116⤵
-
\??\c:\084060.exec:\084060.exe117⤵
-
\??\c:\xrrrllx.exec:\xrrrllx.exe118⤵
-
\??\c:\24820.exec:\24820.exe119⤵
-
\??\c:\9vdpj.exec:\9vdpj.exe120⤵
-
\??\c:\fxllfll.exec:\fxllfll.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-