Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
21-11-2024 11:18
General
-
Target
ef9d4d868825ddc61895a1af8d86e3dd638a036e6c4326c6318c0ef5052f0ce7.exe
-
Size
75KB
-
MD5
f0985b9122826e1f02a9b5c048e6eee4
-
SHA1
78296346200467974c34120e7d6ea37842c079c1
-
SHA256
ef9d4d868825ddc61895a1af8d86e3dd638a036e6c4326c6318c0ef5052f0ce7
-
SHA512
148b7583855d3c68365ecbd98499f2c6c4fe4959eace5111bb07a2894d81b8e57d2dfade487418bb0abc2fd96a6125556bd2a86273fef7eab01a82a4c76bd51c
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIvuzk358nLA89OGvrFVHmsL:ymb3NkkiQ3mdBjFIvl358nLA89OMFVH1
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 27 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef9d4d868825ddc61895a1af8d86e3dd638a036e6c4326c6318c0ef5052f0ce7.exe"C:\Users\Admin\AppData\Local\Temp\ef9d4d868825ddc61895a1af8d86e3dd638a036e6c4326c6318c0ef5052f0ce7.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\4288462.exec:\4288462.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\u686046.exec:\u686046.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\8608688.exec:\8608688.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\840206.exec:\840206.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0668464.exec:\0668464.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntthbh.exec:\ntthbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\42608.exec:\42608.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\282024.exec:\282024.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8082222.exec:\8082222.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llrrrxx.exec:\llrrrxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bntnnt.exec:\bntnnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\822624.exec:\822624.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvdv.exec:\pjvdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpddj.exec:\vpddj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvpj.exec:\ddvpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxllll.exec:\frxllll.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0082482.exec:\0082482.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpjdp.exec:\dpjdp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\24242.exec:\24242.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxffxf.exec:\rlxffxf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbtthn.exec:\nbtthn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\008646.exec:\008646.exe23⤵
- Executes dropped EXE
-
\??\c:\3tbnbt.exec:\3tbnbt.exe24⤵
- Executes dropped EXE
-
\??\c:\066604.exec:\066604.exe25⤵
- Executes dropped EXE
-
\??\c:\frrfrlx.exec:\frrfrlx.exe26⤵
- Executes dropped EXE
-
\??\c:\flrlxxl.exec:\flrlxxl.exe27⤵
- Executes dropped EXE
-
\??\c:\pppdv.exec:\pppdv.exe28⤵
- Executes dropped EXE
-
\??\c:\844062.exec:\844062.exe29⤵
- Executes dropped EXE
-
\??\c:\fflflxl.exec:\fflflxl.exe30⤵
- Executes dropped EXE
-
\??\c:\rrrffrr.exec:\rrrffrr.exe31⤵
- Executes dropped EXE
-
\??\c:\lfffxrr.exec:\lfffxrr.exe32⤵
- Executes dropped EXE
-
\??\c:\fflfrrf.exec:\fflfrrf.exe33⤵
- Executes dropped EXE
-
\??\c:\4604260.exec:\4604260.exe34⤵
- Executes dropped EXE
-
\??\c:\862642.exec:\862642.exe35⤵
- Executes dropped EXE
-
\??\c:\820060.exec:\820060.exe36⤵
- Executes dropped EXE
-
\??\c:\tttntt.exec:\tttntt.exe37⤵
- Executes dropped EXE
-
\??\c:\pvppj.exec:\pvppj.exe38⤵
- Executes dropped EXE
-
\??\c:\2664488.exec:\2664488.exe39⤵
- Executes dropped EXE
-
\??\c:\688686.exec:\688686.exe40⤵
- Executes dropped EXE
-
\??\c:\pvvpj.exec:\pvvpj.exe41⤵
- Executes dropped EXE
-
\??\c:\fxrffrf.exec:\fxrffrf.exe42⤵
- Executes dropped EXE
-
\??\c:\bnnhtn.exec:\bnnhtn.exe43⤵
- Executes dropped EXE
-
\??\c:\bttnhb.exec:\bttnhb.exe44⤵
- Executes dropped EXE
-
\??\c:\rlxllrx.exec:\rlxllrx.exe45⤵
- Executes dropped EXE
-
\??\c:\jpdvp.exec:\jpdvp.exe46⤵
- Executes dropped EXE
-
\??\c:\9hhbnt.exec:\9hhbnt.exe47⤵
- Executes dropped EXE
-
\??\c:\002666.exec:\002666.exe48⤵
- Executes dropped EXE
-
\??\c:\8260442.exec:\8260442.exe49⤵
- Executes dropped EXE
-
\??\c:\a2822.exec:\a2822.exe50⤵
- Executes dropped EXE
-
\??\c:\htbbbh.exec:\htbbbh.exe51⤵
- Executes dropped EXE
-
\??\c:\vvvjp.exec:\vvvjp.exe52⤵
- Executes dropped EXE
-
\??\c:\0404848.exec:\0404848.exe53⤵
- Executes dropped EXE
-
\??\c:\46208.exec:\46208.exe54⤵
- Executes dropped EXE
-
\??\c:\jpvpj.exec:\jpvpj.exe55⤵
- Executes dropped EXE
-
\??\c:\djpdj.exec:\djpdj.exe56⤵
- Executes dropped EXE
-
\??\c:\2448260.exec:\2448260.exe57⤵
- Executes dropped EXE
-
\??\c:\bntnhh.exec:\bntnhh.exe58⤵
- Executes dropped EXE
-
\??\c:\24482.exec:\24482.exe59⤵
- Executes dropped EXE
-
\??\c:\0022066.exec:\0022066.exe60⤵
- Executes dropped EXE
-
\??\c:\jpvpp.exec:\jpvpp.exe61⤵
- Executes dropped EXE
-
\??\c:\hhnhbb.exec:\hhnhbb.exe62⤵
- Executes dropped EXE
-
\??\c:\20222.exec:\20222.exe63⤵
- Executes dropped EXE
-
\??\c:\jjddv.exec:\jjddv.exe64⤵
- Executes dropped EXE
-
\??\c:\60666.exec:\60666.exe65⤵
- Executes dropped EXE
-
\??\c:\tbbnbt.exec:\tbbnbt.exe66⤵
-
\??\c:\xfrllrx.exec:\xfrllrx.exe67⤵
-
\??\c:\rxlxlfl.exec:\rxlxlfl.exe68⤵
-
\??\c:\4800406.exec:\4800406.exe69⤵
-
\??\c:\bbhtnb.exec:\bbhtnb.exe70⤵
-
\??\c:\rlflxrf.exec:\rlflxrf.exe71⤵
-
\??\c:\bhtbht.exec:\bhtbht.exe72⤵
-
\??\c:\xlrxlxl.exec:\xlrxlxl.exe73⤵
-
\??\c:\hhhbnb.exec:\hhhbnb.exe74⤵
-
\??\c:\4604204.exec:\4604204.exe75⤵
-
\??\c:\9hthtn.exec:\9hthtn.exe76⤵
-
\??\c:\ttthbt.exec:\ttthbt.exe77⤵
-
\??\c:\c268686.exec:\c268686.exe78⤵
-
\??\c:\406222.exec:\406222.exe79⤵
-
\??\c:\686020.exec:\686020.exe80⤵
-
\??\c:\8008208.exec:\8008208.exe81⤵
-
\??\c:\rfxrxxr.exec:\rfxrxxr.exe82⤵
-
\??\c:\02824.exec:\02824.exe83⤵
-
\??\c:\5vjdv.exec:\5vjdv.exe84⤵
-
\??\c:\402880.exec:\402880.exe85⤵
-
\??\c:\62204.exec:\62204.exe86⤵
-
\??\c:\040208.exec:\040208.exe87⤵
-
\??\c:\fllxxrl.exec:\fllxxrl.exe88⤵
-
\??\c:\46248.exec:\46248.exe89⤵
-
\??\c:\624660.exec:\624660.exe90⤵
-
\??\c:\2668642.exec:\2668642.exe91⤵
-
\??\c:\bhnhhh.exec:\bhnhhh.exe92⤵
-
\??\c:\7vddv.exec:\7vddv.exe93⤵
-
\??\c:\lrrfxrl.exec:\lrrfxrl.exe94⤵
-
\??\c:\2286864.exec:\2286864.exe95⤵
- System Location Discovery: System Language Discovery
-
\??\c:\pppdj.exec:\pppdj.exe96⤵
-
\??\c:\660226.exec:\660226.exe97⤵
-
\??\c:\442684.exec:\442684.exe98⤵
-
\??\c:\tnbttt.exec:\tnbttt.exe99⤵
-
\??\c:\rlrflrr.exec:\rlrflrr.exe100⤵
-
\??\c:\q06684.exec:\q06684.exe101⤵
-
\??\c:\88286.exec:\88286.exe102⤵
-
\??\c:\dvpdv.exec:\dvpdv.exe103⤵
-
\??\c:\fffxlfr.exec:\fffxlfr.exe104⤵
-
\??\c:\60000.exec:\60000.exe105⤵
-
\??\c:\206048.exec:\206048.exe106⤵
-
\??\c:\pvjdp.exec:\pvjdp.exe107⤵
-
\??\c:\2260804.exec:\2260804.exe108⤵
-
\??\c:\9jvvj.exec:\9jvvj.exe109⤵
-
\??\c:\fxllfll.exec:\fxllfll.exe110⤵
-
\??\c:\0080060.exec:\0080060.exe111⤵
-
\??\c:\c406066.exec:\c406066.exe112⤵
-
\??\c:\nthnnt.exec:\nthnnt.exe113⤵
-
\??\c:\02860.exec:\02860.exe114⤵
-
\??\c:\8082822.exec:\8082822.exe115⤵
-
\??\c:\622222.exec:\622222.exe116⤵
-
\??\c:\860640.exec:\860640.exe117⤵
-
\??\c:\0622802.exec:\0622802.exe118⤵
-
\??\c:\3bhbtt.exec:\3bhbtt.exe119⤵
-
\??\c:\2860662.exec:\2860662.exe120⤵
-
\??\c:\xxllrfl.exec:\xxllrfl.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-