Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
21-11-2024 20:22
General
-
Target
1e4e25346db4f4c49c12ef220d57c6d5fce5c4164d396106a2f0cbd44edcd3d7.exe
-
Size
455KB
-
MD5
665c6c57bec5443dd19c09bf26229498
-
SHA1
2efbb80fd11f945211b97a2dc9e4fe147e0d8bf0
-
SHA256
1e4e25346db4f4c49c12ef220d57c6d5fce5c4164d396106a2f0cbd44edcd3d7
-
SHA512
c6337aa319c85ee894bdfa343034236749f55016c9c56a41065b206009c19f657878625bbe37217ef5199479e5190acca199d6a81cebfdfcababf54f78092930
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR4:q7Tc2NYHUrAwfMp3CDR4
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 62 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e4e25346db4f4c49c12ef220d57c6d5fce5c4164d396106a2f0cbd44edcd3d7.exe"C:\Users\Admin\AppData\Local\Temp\1e4e25346db4f4c49c12ef220d57c6d5fce5c4164d396106a2f0cbd44edcd3d7.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\lflfxxr.exec:\lflfxxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4882828.exec:\4882828.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\02882.exec:\02882.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1hbnhb.exec:\1hbnhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vppjj.exec:\vppjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\o642288.exec:\o642288.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2028884.exec:\2028884.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlllfff.exec:\rlllfff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxxrlf.exec:\rfxxrlf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjvj.exec:\jdjvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpvpd.exec:\dpvpd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\02882.exec:\02882.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\26826.exec:\26826.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\242060.exec:\242060.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\86260.exec:\86260.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\a2000.exec:\a2000.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8422882.exec:\8422882.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\htbtnh.exec:\htbtnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvpj.exec:\dvvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0222604.exec:\0222604.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbhbtt.exec:\tbhbtt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0882624.exec:\0882624.exe23⤵
- Executes dropped EXE
-
\??\c:\nnhhbt.exec:\nnhhbt.exe24⤵
- Executes dropped EXE
-
\??\c:\fxffxrx.exec:\fxffxrx.exe25⤵
- Executes dropped EXE
-
\??\c:\fxfflfl.exec:\fxfflfl.exe26⤵
- Executes dropped EXE
-
\??\c:\22260.exec:\22260.exe27⤵
- Executes dropped EXE
-
\??\c:\u682228.exec:\u682228.exe28⤵
- Executes dropped EXE
-
\??\c:\3pppp.exec:\3pppp.exe29⤵
- Executes dropped EXE
-
\??\c:\lfllffl.exec:\lfllffl.exe30⤵
- Executes dropped EXE
-
\??\c:\lllfrrr.exec:\lllfrrr.exe31⤵
- Executes dropped EXE
-
\??\c:\hnnhbb.exec:\hnnhbb.exe32⤵
- Executes dropped EXE
-
\??\c:\7ttnbn.exec:\7ttnbn.exe33⤵
- Executes dropped EXE
-
\??\c:\rrllrxf.exec:\rrllrxf.exe34⤵
- Executes dropped EXE
-
\??\c:\lxrxrxr.exec:\lxrxrxr.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\8226060.exec:\8226060.exe36⤵
- Executes dropped EXE
-
\??\c:\dvpjv.exec:\dvpjv.exe37⤵
- Executes dropped EXE
-
\??\c:\htbnbb.exec:\htbnbb.exe38⤵
- Executes dropped EXE
-
\??\c:\nhnhbb.exec:\nhnhbb.exe39⤵
- Executes dropped EXE
-
\??\c:\q28282.exec:\q28282.exe40⤵
- Executes dropped EXE
-
\??\c:\htnbnh.exec:\htnbnh.exe41⤵
- Executes dropped EXE
-
\??\c:\btttnn.exec:\btttnn.exe42⤵
- Executes dropped EXE
-
\??\c:\vvjpv.exec:\vvjpv.exe43⤵
- Executes dropped EXE
-
\??\c:\2648602.exec:\2648602.exe44⤵
- Executes dropped EXE
-
\??\c:\bnbhtn.exec:\bnbhtn.exe45⤵
- Executes dropped EXE
-
\??\c:\484204.exec:\484204.exe46⤵
- Executes dropped EXE
-
\??\c:\o286820.exec:\o286820.exe47⤵
- Executes dropped EXE
-
\??\c:\088426.exec:\088426.exe48⤵
- Executes dropped EXE
-
\??\c:\0408260.exec:\0408260.exe49⤵
- Executes dropped EXE
-
\??\c:\426426.exec:\426426.exe50⤵
- Executes dropped EXE
-
\??\c:\jppjv.exec:\jppjv.exe51⤵
- Executes dropped EXE
-
\??\c:\nhnntn.exec:\nhnntn.exe52⤵
- Executes dropped EXE
-
\??\c:\026224.exec:\026224.exe53⤵
- Executes dropped EXE
-
\??\c:\0448222.exec:\0448222.exe54⤵
- Executes dropped EXE
-
\??\c:\jvvpd.exec:\jvvpd.exe55⤵
- Executes dropped EXE
-
\??\c:\g2808.exec:\g2808.exe56⤵
- Executes dropped EXE
-
\??\c:\lxxrlfx.exec:\lxxrlfx.exe57⤵
- Executes dropped EXE
-
\??\c:\xllxlfr.exec:\xllxlfr.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\3nnbnn.exec:\3nnbnn.exe59⤵
- Executes dropped EXE
-
\??\c:\08482.exec:\08482.exe60⤵
- Executes dropped EXE
-
\??\c:\lffllxl.exec:\lffllxl.exe61⤵
- Executes dropped EXE
-
\??\c:\04000.exec:\04000.exe62⤵
- Executes dropped EXE
-
\??\c:\06488.exec:\06488.exe63⤵
- Executes dropped EXE
-
\??\c:\fxfxlrr.exec:\fxfxlrr.exe64⤵
- Executes dropped EXE
-
\??\c:\a8482.exec:\a8482.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\9nbnbn.exec:\9nbnbn.exe66⤵
-
\??\c:\00226.exec:\00226.exe67⤵
-
\??\c:\dppjd.exec:\dppjd.exe68⤵
-
\??\c:\vddpd.exec:\vddpd.exe69⤵
-
\??\c:\ddvpj.exec:\ddvpj.exe70⤵
-
\??\c:\jdpjv.exec:\jdpjv.exe71⤵
- System Location Discovery: System Language Discovery
-
\??\c:\3rxxfrr.exec:\3rxxfrr.exe72⤵
-
\??\c:\8660482.exec:\8660482.exe73⤵
-
\??\c:\2000826.exec:\2000826.exe74⤵
-
\??\c:\44486.exec:\44486.exe75⤵
-
\??\c:\244422.exec:\244422.exe76⤵
-
\??\c:\fllfxxr.exec:\fllfxxr.exe77⤵
-
\??\c:\6022806.exec:\6022806.exe78⤵
-
\??\c:\028820.exec:\028820.exe79⤵
-
\??\c:\xrlxxlf.exec:\xrlxxlf.exe80⤵
-
\??\c:\vppdp.exec:\vppdp.exe81⤵
-
\??\c:\jjpdp.exec:\jjpdp.exe82⤵
-
\??\c:\64086.exec:\64086.exe83⤵
-
\??\c:\6626488.exec:\6626488.exe84⤵
-
\??\c:\g0642.exec:\g0642.exe85⤵
-
\??\c:\5xlxlfr.exec:\5xlxlfr.exe86⤵
-
\??\c:\jjpjd.exec:\jjpjd.exe87⤵
- System Location Discovery: System Language Discovery
-
\??\c:\k62026.exec:\k62026.exe88⤵
-
\??\c:\0820242.exec:\0820242.exe89⤵
-
\??\c:\4060820.exec:\4060820.exe90⤵
-
\??\c:\224204.exec:\224204.exe91⤵
-
\??\c:\228204.exec:\228204.exe92⤵
-
\??\c:\84086.exec:\84086.exe93⤵
-
\??\c:\64426.exec:\64426.exe94⤵
-
\??\c:\8808640.exec:\8808640.exe95⤵
-
\??\c:\6244884.exec:\6244884.exe96⤵
-
\??\c:\g8026.exec:\g8026.exe97⤵
-
\??\c:\vpvpj.exec:\vpvpj.exe98⤵
-
\??\c:\vpvvp.exec:\vpvvp.exe99⤵
-
\??\c:\7llfffx.exec:\7llfffx.exe100⤵
-
\??\c:\dpddp.exec:\dpddp.exe101⤵
-
\??\c:\hbhhhh.exec:\hbhhhh.exe102⤵
-
\??\c:\2004448.exec:\2004448.exe103⤵
-
\??\c:\228828.exec:\228828.exe104⤵
-
\??\c:\3pvpj.exec:\3pvpj.exe105⤵
-
\??\c:\888604.exec:\888604.exe106⤵
-
\??\c:\lxfxllx.exec:\lxfxllx.exe107⤵
-
\??\c:\8680844.exec:\8680844.exe108⤵
-
\??\c:\200482.exec:\200482.exe109⤵
-
\??\c:\hnbbnt.exec:\hnbbnt.exe110⤵
-
\??\c:\w00204.exec:\w00204.exe111⤵
-
\??\c:\662044.exec:\662044.exe112⤵
-
\??\c:\246028.exec:\246028.exe113⤵
-
\??\c:\jppdp.exec:\jppdp.exe114⤵
-
\??\c:\9nnhhh.exec:\9nnhhh.exe115⤵
-
\??\c:\s4826.exec:\s4826.exe116⤵
-
\??\c:\680204.exec:\680204.exe117⤵
-
\??\c:\nbnnbt.exec:\nbnnbt.exe118⤵
-
\??\c:\lffrlfx.exec:\lffrlfx.exe119⤵
-
\??\c:\822262.exec:\822262.exe120⤵
-
\??\c:\jvpdv.exec:\jvpdv.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-