Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
21-11-2024 12:06
General
-
Target
f3f46d5d76f5ab03b21f514c90b7de29941cc0c245b2afff940b092363b3ec6b.exe
-
Size
279KB
-
MD5
a6338d44d67e6aebf0ee9238d763e373
-
SHA1
61c94865eb4b69743729dd09f3f0c7b98e49cf42
-
SHA256
f3f46d5d76f5ab03b21f514c90b7de29941cc0c245b2afff940b092363b3ec6b
-
SHA512
93fa35a0db5440b5e08bfc1b82afe76090372412ae5c4a051a333934ae79655fee36a6a386401dfac89be3b5effc2c2f2c3495024427285e31518309280563cc
-
SSDEEP
6144:ncm4FmowdHoS6rW3NNTvBu6wo2J4JAgNXkArR/rtXOLtu4J6KvvLp3OKtUuuuTEO:14wFHoSeM/Tpu6w14JAOkIRhOBu4JhvB
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 64 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f3f46d5d76f5ab03b21f514c90b7de29941cc0c245b2afff940b092363b3ec6b.exe"C:\Users\Admin\AppData\Local\Temp\f3f46d5d76f5ab03b21f514c90b7de29941cc0c245b2afff940b092363b3ec6b.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\3pjjd.exec:\3pjjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbbhh.exec:\btbbhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlfxrrr.exec:\rlfxrrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjpdd.exec:\jjpdd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5ntbtt.exec:\5ntbtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvddv.exec:\vvddv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djvpp.exec:\djvpp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpvvp.exec:\dpvvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvjdd.exec:\pvjdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbnnhh.exec:\bbnnhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7rflxrx.exec:\7rflxrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnnnbt.exec:\bnnnbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfflrxr.exec:\xfflrxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1ntnbh.exec:\1ntnbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvddp.exec:\dvddp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxfllfl.exec:\lxfllfl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1pdvv.exec:\1pdvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flrrrrr.exec:\flrrrrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjjj.exec:\pjjjj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5lxrlrl.exec:\5lxrlrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dppjd.exec:\dppjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnntbh.exec:\hnntbh.exe23⤵
- Executes dropped EXE
-
\??\c:\vppvv.exec:\vppvv.exe24⤵
- Executes dropped EXE
-
\??\c:\llrlrxx.exec:\llrlrxx.exe25⤵
- Executes dropped EXE
-
\??\c:\dvjdd.exec:\dvjdd.exe26⤵
- Executes dropped EXE
-
\??\c:\xllflfr.exec:\xllflfr.exe27⤵
- Executes dropped EXE
-
\??\c:\rxrrrrr.exec:\rxrrrrr.exe28⤵
- Executes dropped EXE
-
\??\c:\hhntnn.exec:\hhntnn.exe29⤵
- Executes dropped EXE
-
\??\c:\ntnhbb.exec:\ntnhbb.exe30⤵
- Executes dropped EXE
-
\??\c:\hntttb.exec:\hntttb.exe31⤵
- Executes dropped EXE
-
\??\c:\jpddp.exec:\jpddp.exe32⤵
- Executes dropped EXE
-
\??\c:\vvvdj.exec:\vvvdj.exe33⤵
- Executes dropped EXE
-
\??\c:\ffxxxll.exec:\ffxxxll.exe34⤵
- Executes dropped EXE
-
\??\c:\dvdpp.exec:\dvdpp.exe35⤵
- Executes dropped EXE
-
\??\c:\llxlxrf.exec:\llxlxrf.exe36⤵
- Executes dropped EXE
-
\??\c:\5nhhhh.exec:\5nhhhh.exe37⤵
- Executes dropped EXE
-
\??\c:\tbbbtt.exec:\tbbbtt.exe38⤵
- Executes dropped EXE
-
\??\c:\vvvpv.exec:\vvvpv.exe39⤵
- Executes dropped EXE
-
\??\c:\bntbtb.exec:\bntbtb.exe40⤵
- Executes dropped EXE
-
\??\c:\tttbbt.exec:\tttbbt.exe41⤵
- Executes dropped EXE
-
\??\c:\9ddjj.exec:\9ddjj.exe42⤵
- Executes dropped EXE
-
\??\c:\ffrfxfl.exec:\ffrfxfl.exe43⤵
- Executes dropped EXE
-
\??\c:\dpvvd.exec:\dpvvd.exe44⤵
- Executes dropped EXE
-
\??\c:\lllrxff.exec:\lllrxff.exe45⤵
- Executes dropped EXE
-
\??\c:\3ttnnh.exec:\3ttnnh.exe46⤵
- Executes dropped EXE
-
\??\c:\bnbbtb.exec:\bnbbtb.exe47⤵
- Executes dropped EXE
-
\??\c:\jvdpd.exec:\jvdpd.exe48⤵
- Executes dropped EXE
-
\??\c:\1rxfflr.exec:\1rxfflr.exe49⤵
- Executes dropped EXE
-
\??\c:\thtttb.exec:\thtttb.exe50⤵
- Executes dropped EXE
-
\??\c:\dvvvj.exec:\dvvvj.exe51⤵
- Executes dropped EXE
-
\??\c:\lrlffxf.exec:\lrlffxf.exe52⤵
- Executes dropped EXE
-
\??\c:\hntnth.exec:\hntnth.exe53⤵
- Executes dropped EXE
-
\??\c:\jjdpp.exec:\jjdpp.exe54⤵
- Executes dropped EXE
-
\??\c:\dvvdv.exec:\dvvdv.exe55⤵
- Executes dropped EXE
-
\??\c:\3llrxxx.exec:\3llrxxx.exe56⤵
- Executes dropped EXE
-
\??\c:\tthhnn.exec:\tthhnn.exe57⤵
- Executes dropped EXE
-
\??\c:\jppvv.exec:\jppvv.exe58⤵
- Executes dropped EXE
-
\??\c:\rlfffll.exec:\rlfffll.exe59⤵
- Executes dropped EXE
-
\??\c:\nhhhtn.exec:\nhhhtn.exe60⤵
- Executes dropped EXE
-
\??\c:\pddjj.exec:\pddjj.exe61⤵
- Executes dropped EXE
-
\??\c:\frfllrx.exec:\frfllrx.exe62⤵
- Executes dropped EXE
-
\??\c:\htbbhb.exec:\htbbhb.exe63⤵
- Executes dropped EXE
-
\??\c:\jdjdd.exec:\jdjdd.exe64⤵
- Executes dropped EXE
-
\??\c:\rfxlfrx.exec:\rfxlfrx.exe65⤵
- Executes dropped EXE
-
\??\c:\htnbbn.exec:\htnbbn.exe66⤵
-
\??\c:\vdddd.exec:\vdddd.exe67⤵
-
\??\c:\lrxrlrf.exec:\lrxrlrf.exe68⤵
-
\??\c:\bhhhtb.exec:\bhhhtb.exe69⤵
- System Location Discovery: System Language Discovery
-
\??\c:\xrxxxxx.exec:\xrxxxxx.exe70⤵
-
\??\c:\tbhhnt.exec:\tbhhnt.exe71⤵
-
\??\c:\vdppd.exec:\vdppd.exe72⤵
-
\??\c:\hnhtbn.exec:\hnhtbn.exe73⤵
-
\??\c:\djppp.exec:\djppp.exe74⤵
-
\??\c:\9rxfflr.exec:\9rxfflr.exe75⤵
-
\??\c:\tbhnnb.exec:\tbhnnb.exe76⤵
-
\??\c:\djvjv.exec:\djvjv.exe77⤵
-
\??\c:\rrllxlx.exec:\rrllxlx.exe78⤵
-
\??\c:\nntttb.exec:\nntttb.exe79⤵
-
\??\c:\bnbbbh.exec:\bnbbbh.exe80⤵
-
\??\c:\pvjvj.exec:\pvjvj.exe81⤵
- System Location Discovery: System Language Discovery
-
\??\c:\lllrrrl.exec:\lllrrrl.exe82⤵
-
\??\c:\hnntbh.exec:\hnntbh.exe83⤵
-
\??\c:\ppvdp.exec:\ppvdp.exe84⤵
-
\??\c:\dpvdj.exec:\dpvdj.exe85⤵
-
\??\c:\xrxrxfl.exec:\xrxrxfl.exe86⤵
-
\??\c:\hnnhnt.exec:\hnnhnt.exe87⤵
-
\??\c:\7hnnnt.exec:\7hnnnt.exe88⤵
-
\??\c:\jdppd.exec:\jdppd.exe89⤵
-
\??\c:\dvjpp.exec:\dvjpp.exe90⤵
-
\??\c:\xfxffll.exec:\xfxffll.exe91⤵
-
\??\c:\htbnbh.exec:\htbnbh.exe92⤵
-
\??\c:\djpjp.exec:\djpjp.exe93⤵
-
\??\c:\ppvvp.exec:\ppvvp.exe94⤵
-
\??\c:\lfxrlxx.exec:\lfxrlxx.exe95⤵
-
\??\c:\nbnthb.exec:\nbnthb.exe96⤵
-
\??\c:\dpjjv.exec:\dpjjv.exe97⤵
-
\??\c:\lxxfxlx.exec:\lxxfxlx.exe98⤵
-
\??\c:\ttthnn.exec:\ttthnn.exe99⤵
-
\??\c:\pdjjd.exec:\pdjjd.exe100⤵
- System Location Discovery: System Language Discovery
-
\??\c:\rfrlfff.exec:\rfrlfff.exe101⤵
-
\??\c:\nnthbt.exec:\nnthbt.exe102⤵
-
\??\c:\vdvpj.exec:\vdvpj.exe103⤵
-
\??\c:\llxrrrr.exec:\llxrrrr.exe104⤵
-
\??\c:\rrfrrll.exec:\rrfrrll.exe105⤵
- System Location Discovery: System Language Discovery
-
\??\c:\1hnttb.exec:\1hnttb.exe106⤵
-
\??\c:\jvjjp.exec:\jvjjp.exe107⤵
-
\??\c:\ffxfffr.exec:\ffxfffr.exe108⤵
-
\??\c:\3vvvj.exec:\3vvvj.exe109⤵
-
\??\c:\bnnnnh.exec:\bnnnnh.exe110⤵
-
\??\c:\llrrlll.exec:\llrrlll.exe111⤵
-
\??\c:\nnhntb.exec:\nnhntb.exe112⤵
-
\??\c:\dpjjv.exec:\dpjjv.exe113⤵
-
\??\c:\rxxxllr.exec:\rxxxllr.exe114⤵
-
\??\c:\lrxrffl.exec:\lrxrffl.exe115⤵
-
\??\c:\bbhhhh.exec:\bbhhhh.exe116⤵
-
\??\c:\1ddvv.exec:\1ddvv.exe117⤵
-
\??\c:\3rxxxff.exec:\3rxxxff.exe118⤵
-
\??\c:\tbnhbh.exec:\tbnhbh.exe119⤵
-
\??\c:\9nbtnb.exec:\9nbtnb.exe120⤵
-
\??\c:\vdpvp.exec:\vdpvp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-