Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
21-11-2024 22:35
General
-
Target
3318a8da6ee4ff29b69ceba44a02cb8e1db123a6a866b48a5aa9bb808e97b582.exe
-
Size
334KB
-
MD5
0300135ee0ae4dee9f7e5ce6970d70ef
-
SHA1
4cac0bd04268dd18ed8073616a6412cebaa75185
-
SHA256
3318a8da6ee4ff29b69ceba44a02cb8e1db123a6a866b48a5aa9bb808e97b582
-
SHA512
8936023e21166dff7efa5df699b0db77c551b3c4d7a22d8a22b92850d17a109ec97fed3eedd0668015160e231e194785f6eaefb4063f1aa6a83029b845b043f2
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeRi:R4wFHoSHYHUrAwfMp3CDRi
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 64 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3318a8da6ee4ff29b69ceba44a02cb8e1db123a6a866b48a5aa9bb808e97b582.exe"C:\Users\Admin\AppData\Local\Temp\3318a8da6ee4ff29b69ceba44a02cb8e1db123a6a866b48a5aa9bb808e97b582.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\ppvvv.exec:\ppvvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\262604.exec:\262604.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxxlfx.exec:\frxxlfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfffrxl.exec:\xfffrxl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\884040.exec:\884040.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvpj.exec:\pjvpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvdd.exec:\vvvdd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\028488.exec:\028488.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrllxr.exec:\rlrllxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4428642.exec:\4428642.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\682064.exec:\682064.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8068266.exec:\8068266.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5fxrrlf.exec:\5fxrrlf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvddd.exec:\dvddd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrrrlrr.exec:\rrrrlrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\00280.exec:\00280.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbtnhh.exec:\hbtnhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rffxrrl.exec:\rffxrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbtttt.exec:\tbtttt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\220044.exec:\220044.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6808086.exec:\6808086.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvvvd.exec:\pvvvd.exe23⤵
- Executes dropped EXE
-
\??\c:\226600.exec:\226600.exe24⤵
- Executes dropped EXE
-
\??\c:\nnnhbb.exec:\nnnhbb.exe25⤵
- Executes dropped EXE
-
\??\c:\6868086.exec:\6868086.exe26⤵
- Executes dropped EXE
-
\??\c:\g8400.exec:\g8400.exe27⤵
- Executes dropped EXE
-
\??\c:\vvvvv.exec:\vvvvv.exe28⤵
- Executes dropped EXE
-
\??\c:\hbbtnn.exec:\hbbtnn.exe29⤵
- Executes dropped EXE
-
\??\c:\u288888.exec:\u288888.exe30⤵
- Executes dropped EXE
-
\??\c:\048084.exec:\048084.exe31⤵
- Executes dropped EXE
-
\??\c:\ntthtn.exec:\ntthtn.exe32⤵
- Executes dropped EXE
-
\??\c:\k66442.exec:\k66442.exe33⤵
- Executes dropped EXE
-
\??\c:\bnnbtt.exec:\bnnbtt.exe34⤵
- Executes dropped EXE
-
\??\c:\g8662.exec:\g8662.exe35⤵
- Executes dropped EXE
-
\??\c:\26228.exec:\26228.exe36⤵
- Executes dropped EXE
-
\??\c:\84200.exec:\84200.exe37⤵
- Executes dropped EXE
-
\??\c:\hnhbtt.exec:\hnhbtt.exe38⤵
- Executes dropped EXE
-
\??\c:\8206424.exec:\8206424.exe39⤵
- Executes dropped EXE
-
\??\c:\xlrrlrf.exec:\xlrrlrf.exe40⤵
- Executes dropped EXE
-
\??\c:\g2480.exec:\g2480.exe41⤵
- Executes dropped EXE
-
\??\c:\0404484.exec:\0404484.exe42⤵
- Executes dropped EXE
-
\??\c:\htbtnn.exec:\htbtnn.exe43⤵
- Executes dropped EXE
-
\??\c:\a0844.exec:\a0844.exe44⤵
- Executes dropped EXE
-
\??\c:\s6408.exec:\s6408.exe45⤵
- Executes dropped EXE
-
\??\c:\bhnnhh.exec:\bhnnhh.exe46⤵
- Executes dropped EXE
-
\??\c:\vvjjv.exec:\vvjjv.exe47⤵
- Executes dropped EXE
-
\??\c:\2824620.exec:\2824620.exe48⤵
- Executes dropped EXE
-
\??\c:\djjvj.exec:\djjvj.exe49⤵
- Executes dropped EXE
-
\??\c:\0644860.exec:\0644860.exe50⤵
- Executes dropped EXE
-
\??\c:\6060606.exec:\6060606.exe51⤵
- Executes dropped EXE
-
\??\c:\c642804.exec:\c642804.exe52⤵
- Executes dropped EXE
-
\??\c:\8400448.exec:\8400448.exe53⤵
- Executes dropped EXE
-
\??\c:\xrffxxr.exec:\xrffxxr.exe54⤵
- Executes dropped EXE
-
\??\c:\vjvpp.exec:\vjvpp.exe55⤵
- Executes dropped EXE
-
\??\c:\tntnnn.exec:\tntnnn.exe56⤵
- Executes dropped EXE
-
\??\c:\6804006.exec:\6804006.exe57⤵
- Executes dropped EXE
-
\??\c:\bhnhhb.exec:\bhnhhb.exe58⤵
- Executes dropped EXE
-
\??\c:\062600.exec:\062600.exe59⤵
- Executes dropped EXE
-
\??\c:\2226666.exec:\2226666.exe60⤵
- Executes dropped EXE
-
\??\c:\9dvpv.exec:\9dvpv.exe61⤵
- Executes dropped EXE
-
\??\c:\hntnhh.exec:\hntnhh.exe62⤵
- Executes dropped EXE
-
\??\c:\vddvv.exec:\vddvv.exe63⤵
- Executes dropped EXE
-
\??\c:\rxlllll.exec:\rxlllll.exe64⤵
- Executes dropped EXE
-
\??\c:\3hnntb.exec:\3hnntb.exe65⤵
- Executes dropped EXE
-
\??\c:\a8006.exec:\a8006.exe66⤵
-
\??\c:\8684882.exec:\8684882.exe67⤵
-
\??\c:\hnhbht.exec:\hnhbht.exe68⤵
-
\??\c:\btbbbh.exec:\btbbbh.exe69⤵
-
\??\c:\i288886.exec:\i288886.exe70⤵
-
\??\c:\pjjdv.exec:\pjjdv.exe71⤵
-
\??\c:\9hhhbb.exec:\9hhhbb.exe72⤵
-
\??\c:\244422.exec:\244422.exe73⤵
-
\??\c:\22426.exec:\22426.exe74⤵
-
\??\c:\rrfxxxx.exec:\rrfxxxx.exe75⤵
- System Location Discovery: System Language Discovery
-
\??\c:\06082.exec:\06082.exe76⤵
-
\??\c:\bnhbbb.exec:\bnhbbb.exe77⤵
-
\??\c:\xrxllll.exec:\xrxllll.exe78⤵
- System Location Discovery: System Language Discovery
-
\??\c:\lxffxxr.exec:\lxffxxr.exe79⤵
-
\??\c:\486484.exec:\486484.exe80⤵
-
\??\c:\064004.exec:\064004.exe81⤵
-
\??\c:\s2882.exec:\s2882.exe82⤵
-
\??\c:\bhnntt.exec:\bhnntt.exe83⤵
-
\??\c:\bbtbbh.exec:\bbtbbh.exe84⤵
-
\??\c:\4060448.exec:\4060448.exe85⤵
-
\??\c:\7xxrxxx.exec:\7xxrxxx.exe86⤵
-
\??\c:\jdpvd.exec:\jdpvd.exe87⤵
-
\??\c:\rxxrlrl.exec:\rxxrlrl.exe88⤵
-
\??\c:\nhtntb.exec:\nhtntb.exe89⤵
-
\??\c:\rrfxllf.exec:\rrfxllf.exe90⤵
-
\??\c:\vpvjv.exec:\vpvjv.exe91⤵
-
\??\c:\vvdvp.exec:\vvdvp.exe92⤵
-
\??\c:\bbnnhb.exec:\bbnnhb.exe93⤵
-
\??\c:\3ntnhh.exec:\3ntnhh.exe94⤵
-
\??\c:\88284.exec:\88284.exe95⤵
-
\??\c:\lllfxff.exec:\lllfxff.exe96⤵
-
\??\c:\tnhbhh.exec:\tnhbhh.exe97⤵
-
\??\c:\3bthbb.exec:\3bthbb.exe98⤵
-
\??\c:\884484.exec:\884484.exe99⤵
-
\??\c:\lxrlflx.exec:\lxrlflx.exe100⤵
-
\??\c:\5bhhhb.exec:\5bhhhb.exe101⤵
-
\??\c:\204422.exec:\204422.exe102⤵
-
\??\c:\1jdvp.exec:\1jdvp.exe103⤵
-
\??\c:\llxrrff.exec:\llxrrff.exe104⤵
-
\??\c:\02882.exec:\02882.exe105⤵
-
\??\c:\864820.exec:\864820.exe106⤵
-
\??\c:\e60080.exec:\e60080.exe107⤵
-
\??\c:\dvjdp.exec:\dvjdp.exe108⤵
-
\??\c:\xxrxlrf.exec:\xxrxlrf.exe109⤵
-
\??\c:\xrflxrr.exec:\xrflxrr.exe110⤵
-
\??\c:\ddjdd.exec:\ddjdd.exe111⤵
-
\??\c:\84226.exec:\84226.exe112⤵
-
\??\c:\80246.exec:\80246.exe113⤵
-
\??\c:\a4620.exec:\a4620.exe114⤵
-
\??\c:\808088.exec:\808088.exe115⤵
-
\??\c:\lrxrrfl.exec:\lrxrrfl.exe116⤵
-
\??\c:\xxlflll.exec:\xxlflll.exe117⤵
-
\??\c:\3bhhhn.exec:\3bhhhn.exe118⤵
-
\??\c:\686244.exec:\686244.exe119⤵
-
\??\c:\htthnh.exec:\htthnh.exe120⤵
-
\??\c:\68000.exec:\68000.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-