Analysis
-
max time kernel
109s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
21-11-2024 19:18
General
-
Target
007444a860cb0c8cf3f21edfd5cf272ddc34f6beafc63ca3f81fb63528c0ceed.exe
-
Size
347KB
-
MD5
b4e5c9ebabf727f2d7bab7cea1d15e69
-
SHA1
a7bccbd9363215628f854dbbfa0cadfd62ef32a4
-
SHA256
007444a860cb0c8cf3f21edfd5cf272ddc34f6beafc63ca3f81fb63528c0ceed
-
SHA512
164d56802d0b1935d5ba2d46a9a62c33e063f95e9ffe0eb66a611215e6b03ebf111a865c7e05177dce4acf66d97a050d94f083c3bc0ee7bfe50b715b38cffc7a
-
SSDEEP
6144:Xcm7ImGddXgYW5fNZWB5hFfci3Add4kGYA4:l7TcbWXZshJX2VGd4
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 64 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\007444a860cb0c8cf3f21edfd5cf272ddc34f6beafc63ca3f81fb63528c0ceed.exe"C:\Users\Admin\AppData\Local\Temp\007444a860cb0c8cf3f21edfd5cf272ddc34f6beafc63ca3f81fb63528c0ceed.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjvp.exec:\ppjvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\846000.exec:\846000.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4802280.exec:\4802280.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvddv.exec:\jvddv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\22604.exec:\22604.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pppjj.exec:\pppjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvvd.exec:\ddvvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\46260.exec:\46260.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flxxffl.exec:\flxxffl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\g6888.exec:\g6888.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxffxxr.exec:\lxffxxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8420808.exec:\8420808.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\284826.exec:\284826.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\400226.exec:\400226.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\02682.exec:\02682.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbtnh.exec:\tnbtnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbhhh.exec:\htbhhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2065dv.exec:\2065dv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9xxlrrx.exec:\9xxlrrx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbhnn.exec:\hhbhnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pddjp.exec:\pddjp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6428400.exec:\6428400.exe23⤵
- Executes dropped EXE
-
\??\c:\rrrlfxx.exec:\rrrlfxx.exe24⤵
- Executes dropped EXE
-
\??\c:\a2482.exec:\a2482.exe25⤵
- Executes dropped EXE
-
\??\c:\82622.exec:\82622.exe26⤵
- Executes dropped EXE
-
\??\c:\82044.exec:\82044.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\jppjj.exec:\jppjj.exe28⤵
- Executes dropped EXE
-
\??\c:\1lxxffx.exec:\1lxxffx.exe29⤵
- Executes dropped EXE
-
\??\c:\866600.exec:\866600.exe30⤵
- Executes dropped EXE
-
\??\c:\86860.exec:\86860.exe31⤵
- Executes dropped EXE
-
\??\c:\lfrrffx.exec:\lfrrffx.exe32⤵
- Executes dropped EXE
-
\??\c:\2428400.exec:\2428400.exe33⤵
- Executes dropped EXE
-
\??\c:\hnbttt.exec:\hnbttt.exe34⤵
- Executes dropped EXE
-
\??\c:\8404826.exec:\8404826.exe35⤵
- Executes dropped EXE
-
\??\c:\e20822.exec:\e20822.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\262602.exec:\262602.exe37⤵
- Executes dropped EXE
-
\??\c:\btbbnn.exec:\btbbnn.exe38⤵
- Executes dropped EXE
-
\??\c:\0660448.exec:\0660448.exe39⤵
- Executes dropped EXE
-
\??\c:\8288660.exec:\8288660.exe40⤵
- Executes dropped EXE
-
\??\c:\k44284.exec:\k44284.exe41⤵
- Executes dropped EXE
-
\??\c:\nbtnhb.exec:\nbtnhb.exe42⤵
- Executes dropped EXE
-
\??\c:\4842822.exec:\4842822.exe43⤵
- Executes dropped EXE
-
\??\c:\5pvpj.exec:\5pvpj.exe44⤵
- Executes dropped EXE
-
\??\c:\xflxrxr.exec:\xflxrxr.exe45⤵
- Executes dropped EXE
-
\??\c:\k40426.exec:\k40426.exe46⤵
- Executes dropped EXE
-
\??\c:\dvddv.exec:\dvddv.exe47⤵
- Executes dropped EXE
-
\??\c:\4848046.exec:\4848046.exe48⤵
- Executes dropped EXE
-
\??\c:\604680.exec:\604680.exe49⤵
- Executes dropped EXE
-
\??\c:\662048.exec:\662048.exe50⤵
- Executes dropped EXE
-
\??\c:\nbbnhb.exec:\nbbnhb.exe51⤵
- Executes dropped EXE
-
\??\c:\1jjvp.exec:\1jjvp.exe52⤵
- Executes dropped EXE
-
\??\c:\fxxlxlf.exec:\fxxlxlf.exe53⤵
- Executes dropped EXE
-
\??\c:\dvjvd.exec:\dvjvd.exe54⤵
- Executes dropped EXE
-
\??\c:\28042.exec:\28042.exe55⤵
- Executes dropped EXE
-
\??\c:\5rxrffx.exec:\5rxrffx.exe56⤵
- Executes dropped EXE
-
\??\c:\206004.exec:\206004.exe57⤵
- Executes dropped EXE
-
\??\c:\0824082.exec:\0824082.exe58⤵
- Executes dropped EXE
-
\??\c:\ddvjp.exec:\ddvjp.exe59⤵
- Executes dropped EXE
-
\??\c:\266048.exec:\266048.exe60⤵
- Executes dropped EXE
-
\??\c:\q08484.exec:\q08484.exe61⤵
- Executes dropped EXE
-
\??\c:\ntnnbh.exec:\ntnnbh.exe62⤵
- Executes dropped EXE
-
\??\c:\5djdp.exec:\5djdp.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\64442.exec:\64442.exe64⤵
- Executes dropped EXE
-
\??\c:\9hnhnn.exec:\9hnhnn.exe65⤵
- Executes dropped EXE
-
\??\c:\280000.exec:\280000.exe66⤵
- System Location Discovery: System Language Discovery
-
\??\c:\i428680.exec:\i428680.exe67⤵
-
\??\c:\2680404.exec:\2680404.exe68⤵
-
\??\c:\66024.exec:\66024.exe69⤵
-
\??\c:\tththh.exec:\tththh.exe70⤵
-
\??\c:\4408260.exec:\4408260.exe71⤵
-
\??\c:\224842.exec:\224842.exe72⤵
-
\??\c:\4060488.exec:\4060488.exe73⤵
-
\??\c:\c226002.exec:\c226002.exe74⤵
-
\??\c:\tnbtnh.exec:\tnbtnh.exe75⤵
-
\??\c:\bhhhhb.exec:\bhhhhb.exe76⤵
-
\??\c:\tnbtnh.exec:\tnbtnh.exe77⤵
-
\??\c:\3jdvj.exec:\3jdvj.exe78⤵
-
\??\c:\llxrlfr.exec:\llxrlfr.exe79⤵
-
\??\c:\hthtnh.exec:\hthtnh.exe80⤵
-
\??\c:\rlfxrrx.exec:\rlfxrrx.exe81⤵
-
\??\c:\2400202.exec:\2400202.exe82⤵
-
\??\c:\rxffxlr.exec:\rxffxlr.exe83⤵
-
\??\c:\62086.exec:\62086.exe84⤵
-
\??\c:\228860.exec:\228860.exe85⤵
-
\??\c:\jjvpj.exec:\jjvpj.exe86⤵
-
\??\c:\w26606.exec:\w26606.exe87⤵
-
\??\c:\xlrrffx.exec:\xlrrffx.exe88⤵
-
\??\c:\vvjdv.exec:\vvjdv.exe89⤵
-
\??\c:\606648.exec:\606648.exe90⤵
-
\??\c:\20426.exec:\20426.exe91⤵
-
\??\c:\vvvpp.exec:\vvvpp.exe92⤵
-
\??\c:\g4204.exec:\g4204.exe93⤵
-
\??\c:\08666.exec:\08666.exe94⤵
-
\??\c:\9jpjd.exec:\9jpjd.exe95⤵
-
\??\c:\2486444.exec:\2486444.exe96⤵
-
\??\c:\4684444.exec:\4684444.exe97⤵
-
\??\c:\c020448.exec:\c020448.exe98⤵
-
\??\c:\80846.exec:\80846.exe99⤵
-
\??\c:\pddpd.exec:\pddpd.exe100⤵
-
\??\c:\262666.exec:\262666.exe101⤵
-
\??\c:\62882.exec:\62882.exe102⤵
-
\??\c:\ddpjj.exec:\ddpjj.exe103⤵
-
\??\c:\pdjjd.exec:\pdjjd.exe104⤵
-
\??\c:\7xfxxrx.exec:\7xfxxrx.exe105⤵
-
\??\c:\9vjdv.exec:\9vjdv.exe106⤵
-
\??\c:\nthtnn.exec:\nthtnn.exe107⤵
-
\??\c:\5ntnhh.exec:\5ntnhh.exe108⤵
-
\??\c:\0282666.exec:\0282666.exe109⤵
-
\??\c:\frxxrrl.exec:\frxxrrl.exe110⤵
-
\??\c:\7lxlfff.exec:\7lxlfff.exe111⤵
-
\??\c:\84044.exec:\84044.exe112⤵
-
\??\c:\o060448.exec:\o060448.exe113⤵
-
\??\c:\1pdpv.exec:\1pdpv.exe114⤵
-
\??\c:\btnhhh.exec:\btnhhh.exe115⤵
-
\??\c:\06404.exec:\06404.exe116⤵
-
\??\c:\e48422.exec:\e48422.exe117⤵
-
\??\c:\2244400.exec:\2244400.exe118⤵
-
\??\c:\0682486.exec:\0682486.exe119⤵
-
\??\c:\0802626.exec:\0802626.exe120⤵
-
\??\c:\88444.exec:\88444.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-