Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19/11/2024, 09:51
General
-
Target
25aaf1597342a25b77d8dce1160f70d8254c0f0da8427ecfb8f552e8dc5168f2.exe
-
Size
69KB
-
MD5
5078693d1ed4ac9bb3f9915b123eb2dd
-
SHA1
7c07df0a4f7eaa7024f057765d8a4942d0dca75b
-
SHA256
25aaf1597342a25b77d8dce1160f70d8254c0f0da8427ecfb8f552e8dc5168f2
-
SHA512
e2d4c19452eafe33a2e44e6525d6148e6c9a9f40382631c1e1093978be9387f8c2494b729b8b38d1d101a3b377999c1fdae359a1c474ea45f356325fdafe0b05
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIFdJULh1214ar4f:ymb3NkkiQ3mdBjFIFdJmdar4f
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 28 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 37 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\25aaf1597342a25b77d8dce1160f70d8254c0f0da8427ecfb8f552e8dc5168f2.exe"C:\Users\Admin\AppData\Local\Temp\25aaf1597342a25b77d8dce1160f70d8254c0f0da8427ecfb8f552e8dc5168f2.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\668828.exec:\668828.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\888226.exec:\888226.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rr64482.exec:\rr64482.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0268686.exec:\0268686.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8444406.exec:\8444406.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\8422240.exec:\8422240.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8246286.exec:\8246286.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\086000.exec:\086000.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3fllffl.exec:\3fllffl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4620066.exec:\4620066.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbtthn.exec:\bbtthn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\062802.exec:\062802.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\k64444.exec:\k64444.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5rlfrll.exec:\5rlfrll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbtnt.exec:\tnbtnt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\80024.exec:\80024.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjdj.exec:\ddjdj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8862200.exec:\8862200.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flrffll.exec:\flrffll.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxrlrlx.exec:\lxrlrlx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lllxfrr.exec:\lllxfrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\02402.exec:\02402.exe23⤵
- Executes dropped EXE
-
\??\c:\lfrrxlr.exec:\lfrrxlr.exe24⤵
- Executes dropped EXE
-
\??\c:\hbnntt.exec:\hbnntt.exe25⤵
- Executes dropped EXE
-
\??\c:\dvvpp.exec:\dvvpp.exe26⤵
- Executes dropped EXE
-
\??\c:\xlrfxxr.exec:\xlrfxxr.exe27⤵
- Executes dropped EXE
-
\??\c:\82686.exec:\82686.exe28⤵
- Executes dropped EXE
-
\??\c:\tttttn.exec:\tttttn.exe29⤵
- Executes dropped EXE
-
\??\c:\jjjvv.exec:\jjjvv.exe30⤵
- Executes dropped EXE
-
\??\c:\0822666.exec:\0822666.exe31⤵
- Executes dropped EXE
-
\??\c:\46246.exec:\46246.exe32⤵
- Executes dropped EXE
-
\??\c:\66864.exec:\66864.exe33⤵
- Executes dropped EXE
-
\??\c:\7pjpv.exec:\7pjpv.exe34⤵
- Executes dropped EXE
-
\??\c:\llxxxff.exec:\llxxxff.exe35⤵
- Executes dropped EXE
-
\??\c:\24222.exec:\24222.exe36⤵
- Executes dropped EXE
-
\??\c:\vvvvd.exec:\vvvvd.exe37⤵
- Executes dropped EXE
-
\??\c:\vpjdd.exec:\vpjdd.exe38⤵
- Executes dropped EXE
-
\??\c:\262222.exec:\262222.exe39⤵
- Executes dropped EXE
-
\??\c:\048828.exec:\048828.exe40⤵
- Executes dropped EXE
-
\??\c:\o006420.exec:\o006420.exe41⤵
- Executes dropped EXE
-
\??\c:\hhnnnt.exec:\hhnnnt.exe42⤵
- Executes dropped EXE
-
\??\c:\vpvpp.exec:\vpvpp.exe43⤵
- Executes dropped EXE
-
\??\c:\06462.exec:\06462.exe44⤵
- Executes dropped EXE
-
\??\c:\682682.exec:\682682.exe45⤵
- Executes dropped EXE
-
\??\c:\dddpj.exec:\dddpj.exe46⤵
- Executes dropped EXE
-
\??\c:\jjvvv.exec:\jjvvv.exe47⤵
- Executes dropped EXE
-
\??\c:\xrffxff.exec:\xrffxff.exe48⤵
- Executes dropped EXE
-
\??\c:\xlxlxlx.exec:\xlxlxlx.exe49⤵
- Executes dropped EXE
-
\??\c:\dvppp.exec:\dvppp.exe50⤵
- Executes dropped EXE
-
\??\c:\0422404.exec:\0422404.exe51⤵
- Executes dropped EXE
-
\??\c:\vvvjv.exec:\vvvjv.exe52⤵
- Executes dropped EXE
-
\??\c:\206662.exec:\206662.exe53⤵
- Executes dropped EXE
-
\??\c:\e08822.exec:\e08822.exe54⤵
- Executes dropped EXE
-
\??\c:\2806222.exec:\2806222.exe55⤵
- Executes dropped EXE
-
\??\c:\djvpv.exec:\djvpv.exe56⤵
- Executes dropped EXE
-
\??\c:\40246.exec:\40246.exe57⤵
- Executes dropped EXE
-
\??\c:\k26802.exec:\k26802.exe58⤵
- Executes dropped EXE
-
\??\c:\24620.exec:\24620.exe59⤵
- Executes dropped EXE
-
\??\c:\82264.exec:\82264.exe60⤵
- Executes dropped EXE
-
\??\c:\nhhhbh.exec:\nhhhbh.exe61⤵
- Executes dropped EXE
-
\??\c:\4848626.exec:\4848626.exe62⤵
- Executes dropped EXE
-
\??\c:\frrrrrr.exec:\frrrrrr.exe63⤵
- Executes dropped EXE
-
\??\c:\ttttnn.exec:\ttttnn.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\800886.exec:\800886.exe65⤵
- Executes dropped EXE
-
\??\c:\tttttn.exec:\tttttn.exe66⤵
-
\??\c:\804602.exec:\804602.exe67⤵
-
\??\c:\08004.exec:\08004.exe68⤵
-
\??\c:\64006.exec:\64006.exe69⤵
-
\??\c:\066864.exec:\066864.exe70⤵
-
\??\c:\djvpd.exec:\djvpd.exe71⤵
-
\??\c:\vpddd.exec:\vpddd.exe72⤵
-
\??\c:\vjppj.exec:\vjppj.exe73⤵
-
\??\c:\rxffrlx.exec:\rxffrlx.exe74⤵
-
\??\c:\btbntt.exec:\btbntt.exe75⤵
-
\??\c:\6460066.exec:\6460066.exe76⤵
-
\??\c:\bthbbb.exec:\bthbbb.exe77⤵
-
\??\c:\vvddv.exec:\vvddv.exe78⤵
-
\??\c:\ddvjp.exec:\ddvjp.exe79⤵
-
\??\c:\0600642.exec:\0600642.exe80⤵
-
\??\c:\vvvjv.exec:\vvvjv.exe81⤵
-
\??\c:\9jvjv.exec:\9jvjv.exe82⤵
-
\??\c:\622080.exec:\622080.exe83⤵
-
\??\c:\0626022.exec:\0626022.exe84⤵
-
\??\c:\620820.exec:\620820.exe85⤵
-
\??\c:\pddpj.exec:\pddpj.exe86⤵
-
\??\c:\0046484.exec:\0046484.exe87⤵
-
\??\c:\tnnnhn.exec:\tnnnhn.exe88⤵
-
\??\c:\ppppv.exec:\ppppv.exe89⤵
-
\??\c:\22686.exec:\22686.exe90⤵
-
\??\c:\nhhhbb.exec:\nhhhbb.exe91⤵
-
\??\c:\xxllrxf.exec:\xxllrxf.exe92⤵
-
\??\c:\g6288.exec:\g6288.exe93⤵
-
\??\c:\rxflfll.exec:\rxflfll.exe94⤵
-
\??\c:\lrfxffl.exec:\lrfxffl.exe95⤵
-
\??\c:\vddvv.exec:\vddvv.exe96⤵
-
\??\c:\0480002.exec:\0480002.exe97⤵
-
\??\c:\1nhnhb.exec:\1nhnhb.exe98⤵
-
\??\c:\9jppv.exec:\9jppv.exe99⤵
-
\??\c:\jvvpj.exec:\jvvpj.exe100⤵
-
\??\c:\btnhtn.exec:\btnhtn.exe101⤵
-
\??\c:\vddpd.exec:\vddpd.exe102⤵
-
\??\c:\6882666.exec:\6882666.exe103⤵
-
\??\c:\066600.exec:\066600.exe104⤵
-
\??\c:\826802.exec:\826802.exe105⤵
-
\??\c:\48468.exec:\48468.exe106⤵
-
\??\c:\dvjvv.exec:\dvjvv.exe107⤵
-
\??\c:\488888.exec:\488888.exe108⤵
-
\??\c:\i622266.exec:\i622266.exe109⤵
-
\??\c:\26440.exec:\26440.exe110⤵
-
\??\c:\9bnhnn.exec:\9bnhnn.exe111⤵
-
\??\c:\806606.exec:\806606.exe112⤵
-
\??\c:\48660.exec:\48660.exe113⤵
-
\??\c:\vpppp.exec:\vpppp.exe114⤵
-
\??\c:\82028.exec:\82028.exe115⤵
-
\??\c:\lffxrrl.exec:\lffxrrl.exe116⤵
-
\??\c:\xxffxxr.exec:\xxffxxr.exe117⤵
-
\??\c:\nntbbh.exec:\nntbbh.exe118⤵
-
\??\c:\20846.exec:\20846.exe119⤵
-
\??\c:\3frlxlx.exec:\3frlxlx.exe120⤵
-
\??\c:\dddpv.exec:\dddpv.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-