Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
21-11-2024 11:22
General
-
Target
ef9d4d868825ddc61895a1af8d86e3dd638a036e6c4326c6318c0ef5052f0ce7.exe
-
Size
75KB
-
MD5
f0985b9122826e1f02a9b5c048e6eee4
-
SHA1
78296346200467974c34120e7d6ea37842c079c1
-
SHA256
ef9d4d868825ddc61895a1af8d86e3dd638a036e6c4326c6318c0ef5052f0ce7
-
SHA512
148b7583855d3c68365ecbd98499f2c6c4fe4959eace5111bb07a2894d81b8e57d2dfade487418bb0abc2fd96a6125556bd2a86273fef7eab01a82a4c76bd51c
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIvuzk358nLA89OGvrFVHmsL:ymb3NkkiQ3mdBjFIvl358nLA89OMFVH1
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 29 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 32 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef9d4d868825ddc61895a1af8d86e3dd638a036e6c4326c6318c0ef5052f0ce7.exe"C:\Users\Admin\AppData\Local\Temp\ef9d4d868825ddc61895a1af8d86e3dd638a036e6c4326c6318c0ef5052f0ce7.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\s0602.exec:\s0602.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\o222004.exec:\o222004.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5xrrffl.exec:\5xrrffl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bntttb.exec:\bntttb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4024642.exec:\4024642.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\o248282.exec:\o248282.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjpjd.exec:\jjpjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5hthtn.exec:\5hthtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jddpj.exec:\jddpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6260448.exec:\6260448.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7rrlfxr.exec:\7rrlfxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\480826.exec:\480826.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhbtt.exec:\hbhbtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxlffxr.exec:\xxlffxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbhbtt.exec:\tbhbtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntbbbb.exec:\ntbbbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\680080.exec:\680080.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0004624.exec:\0004624.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flrxllf.exec:\flrxllf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7nhbnn.exec:\7nhbnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\822268.exec:\822268.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\460088.exec:\460088.exe23⤵
- Executes dropped EXE
-
\??\c:\ttnntb.exec:\ttnntb.exe24⤵
- Executes dropped EXE
-
\??\c:\024008.exec:\024008.exe25⤵
- Executes dropped EXE
-
\??\c:\rrxrlfx.exec:\rrxrlfx.exe26⤵
- Executes dropped EXE
-
\??\c:\22440.exec:\22440.exe27⤵
- Executes dropped EXE
-
\??\c:\xxxlfff.exec:\xxxlfff.exe28⤵
- Executes dropped EXE
-
\??\c:\thnhnh.exec:\thnhnh.exe29⤵
- Executes dropped EXE
-
\??\c:\6644828.exec:\6644828.exe30⤵
- Executes dropped EXE
-
\??\c:\s4606.exec:\s4606.exe31⤵
- Executes dropped EXE
-
\??\c:\2804888.exec:\2804888.exe32⤵
- Executes dropped EXE
-
\??\c:\2202600.exec:\2202600.exe33⤵
- Executes dropped EXE
-
\??\c:\5lfffxl.exec:\5lfffxl.exe34⤵
- Executes dropped EXE
-
\??\c:\04642.exec:\04642.exe35⤵
- Executes dropped EXE
-
\??\c:\thhbtn.exec:\thhbtn.exe36⤵
- Executes dropped EXE
-
\??\c:\rrrrrfr.exec:\rrrrrfr.exe37⤵
- Executes dropped EXE
-
\??\c:\q62604.exec:\q62604.exe38⤵
- Executes dropped EXE
-
\??\c:\848024.exec:\848024.exe39⤵
- Executes dropped EXE
-
\??\c:\ddjvp.exec:\ddjvp.exe40⤵
- Executes dropped EXE
-
\??\c:\606284.exec:\606284.exe41⤵
- Executes dropped EXE
-
\??\c:\nnnnhh.exec:\nnnnhh.exe42⤵
- Executes dropped EXE
-
\??\c:\5hnhbb.exec:\5hnhbb.exe43⤵
- Executes dropped EXE
-
\??\c:\tnbttt.exec:\tnbttt.exe44⤵
- Executes dropped EXE
-
\??\c:\rfrxlrx.exec:\rfrxlrx.exe45⤵
- Executes dropped EXE
-
\??\c:\fflxrlx.exec:\fflxrlx.exe46⤵
- Executes dropped EXE
-
\??\c:\28060.exec:\28060.exe47⤵
- Executes dropped EXE
-
\??\c:\xxxrfff.exec:\xxxrfff.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\nhnbhh.exec:\nhnbhh.exe49⤵
- Executes dropped EXE
-
\??\c:\ttnhhh.exec:\ttnhhh.exe50⤵
- Executes dropped EXE
-
\??\c:\64660.exec:\64660.exe51⤵
- Executes dropped EXE
-
\??\c:\ntbbbh.exec:\ntbbbh.exe52⤵
- Executes dropped EXE
-
\??\c:\8248880.exec:\8248880.exe53⤵
- Executes dropped EXE
-
\??\c:\9nnnnn.exec:\9nnnnn.exe54⤵
- Executes dropped EXE
-
\??\c:\m6028.exec:\m6028.exe55⤵
- Executes dropped EXE
-
\??\c:\1xxrrrr.exec:\1xxrrrr.exe56⤵
- Executes dropped EXE
-
\??\c:\vvpjd.exec:\vvpjd.exe57⤵
- Executes dropped EXE
-
\??\c:\w86822.exec:\w86822.exe58⤵
- Executes dropped EXE
-
\??\c:\dvjvp.exec:\dvjvp.exe59⤵
- Executes dropped EXE
-
\??\c:\jddvp.exec:\jddvp.exe60⤵
- Executes dropped EXE
-
\??\c:\488660.exec:\488660.exe61⤵
- Executes dropped EXE
-
\??\c:\8626820.exec:\8626820.exe62⤵
- Executes dropped EXE
-
\??\c:\6244002.exec:\6244002.exe63⤵
- Executes dropped EXE
-
\??\c:\jpppj.exec:\jpppj.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\4820606.exec:\4820606.exe65⤵
- Executes dropped EXE
-
\??\c:\264400.exec:\264400.exe66⤵
-
\??\c:\bhhbtt.exec:\bhhbtt.exe67⤵
-
\??\c:\9ntnhh.exec:\9ntnhh.exe68⤵
-
\??\c:\bntbtt.exec:\bntbtt.exe69⤵
-
\??\c:\nbhnbh.exec:\nbhnbh.exe70⤵
-
\??\c:\jdjdj.exec:\jdjdj.exe71⤵
-
\??\c:\xlxflll.exec:\xlxflll.exe72⤵
-
\??\c:\vddjj.exec:\vddjj.exe73⤵
-
\??\c:\htbhnb.exec:\htbhnb.exe74⤵
-
\??\c:\nhtbhb.exec:\nhtbhb.exe75⤵
-
\??\c:\lfxlrfr.exec:\lfxlrfr.exe76⤵
-
\??\c:\btthtn.exec:\btthtn.exe77⤵
-
\??\c:\4868080.exec:\4868080.exe78⤵
-
\??\c:\flrrlll.exec:\flrrlll.exe79⤵
-
\??\c:\802268.exec:\802268.exe80⤵
-
\??\c:\6060444.exec:\6060444.exe81⤵
-
\??\c:\5ttbtt.exec:\5ttbtt.exe82⤵
-
\??\c:\fxxrllf.exec:\fxxrllf.exe83⤵
-
\??\c:\244488.exec:\244488.exe84⤵
-
\??\c:\48882.exec:\48882.exe85⤵
-
\??\c:\vpvjj.exec:\vpvjj.exe86⤵
-
\??\c:\djpjd.exec:\djpjd.exe87⤵
-
\??\c:\o620604.exec:\o620604.exe88⤵
-
\??\c:\6804882.exec:\6804882.exe89⤵
-
\??\c:\nhnhnh.exec:\nhnhnh.exe90⤵
-
\??\c:\2666442.exec:\2666442.exe91⤵
-
\??\c:\vvvpj.exec:\vvvpj.exe92⤵
-
\??\c:\24648.exec:\24648.exe93⤵
-
\??\c:\4080808.exec:\4080808.exe94⤵
-
\??\c:\86028.exec:\86028.exe95⤵
-
\??\c:\04802.exec:\04802.exe96⤵
-
\??\c:\800620.exec:\800620.exe97⤵
-
\??\c:\g4246.exec:\g4246.exe98⤵
-
\??\c:\60044.exec:\60044.exe99⤵
-
\??\c:\2248660.exec:\2248660.exe100⤵
-
\??\c:\hbnnnn.exec:\hbnnnn.exe101⤵
-
\??\c:\84286.exec:\84286.exe102⤵
-
\??\c:\lffrxrx.exec:\lffrxrx.exe103⤵
-
\??\c:\824484.exec:\824484.exe104⤵
-
\??\c:\404046.exec:\404046.exe105⤵
-
\??\c:\w68822.exec:\w68822.exe106⤵
-
\??\c:\8868028.exec:\8868028.exe107⤵
-
\??\c:\htttth.exec:\htttth.exe108⤵
-
\??\c:\hnnbnn.exec:\hnnbnn.exe109⤵
-
\??\c:\0608084.exec:\0608084.exe110⤵
-
\??\c:\rxlxfrf.exec:\rxlxfrf.exe111⤵
-
\??\c:\06242.exec:\06242.exe112⤵
-
\??\c:\nnbtbh.exec:\nnbtbh.exe113⤵
-
\??\c:\2626404.exec:\2626404.exe114⤵
-
\??\c:\84806.exec:\84806.exe115⤵
-
\??\c:\460824.exec:\460824.exe116⤵
-
\??\c:\088248.exec:\088248.exe117⤵
-
\??\c:\jjdvp.exec:\jjdvp.exe118⤵
-
\??\c:\fxfxlrl.exec:\fxfxlrl.exe119⤵
-
\??\c:\24806.exec:\24806.exe120⤵
-
\??\c:\bhnbnt.exec:\bhnbnt.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-