Analysis
-
max time kernel
150s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22-11-2024 21:28
General
-
Target
34086b7ad3ef2425bfad0eca29a8b05a71d615115aaaa31498ea4ce9e47ca0e7.exe
-
Size
105KB
-
MD5
d8b1eb5847774742429d5578ed0e8b57
-
SHA1
8dd1723c339a881b22899a3c9a6f0e7ea743e2f4
-
SHA256
34086b7ad3ef2425bfad0eca29a8b05a71d615115aaaa31498ea4ce9e47ca0e7
-
SHA512
2b0eab56c7677175e38e424baa4c23356e52b170dd47ee18d225aa44d078a930b83c6e0df4146d4118a4e8a85e56cc9f8212b762265074e566d98baba506179c
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73tvn+Yp99zm+/KZBHq82PCK:n3C9BRo7tvnJ99T/KZE89K
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 36 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\34086b7ad3ef2425bfad0eca29a8b05a71d615115aaaa31498ea4ce9e47ca0e7.exe"C:\Users\Admin\AppData\Local\Temp\34086b7ad3ef2425bfad0eca29a8b05a71d615115aaaa31498ea4ce9e47ca0e7.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\pdjdd.exec:\pdjdd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxrrfx.exec:\xrxrrfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhhtbt.exec:\nhhtbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djvpd.exec:\djvpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djvpv.exec:\djvpv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrxlfl.exec:\xrrxlfl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnbbhn.exec:\nnbbhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jppjj.exec:\jppjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrfffxx.exec:\lrfffxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1frlllf.exec:\1frlllf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvjpd.exec:\jvjpd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpvpj.exec:\vpvpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5fxrfff.exec:\5fxrfff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1hnhbh.exec:\1hnhbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9hnbnn.exec:\9hnbnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjdd.exec:\pjjdd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpvpj.exec:\jpvpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrfxffl.exec:\lrfxffl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbhthh.exec:\tbhthh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvddj.exec:\dvddj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvpv.exec:\jdvpv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htthbt.exec:\htthbt.exe23⤵
- Executes dropped EXE
-
\??\c:\tntttb.exec:\tntttb.exe24⤵
- Executes dropped EXE
-
\??\c:\hbhhnn.exec:\hbhhnn.exe25⤵
- Executes dropped EXE
-
\??\c:\7pvvj.exec:\7pvvj.exe26⤵
- Executes dropped EXE
-
\??\c:\rfllflf.exec:\rfllflf.exe27⤵
- Executes dropped EXE
-
\??\c:\nbnnnn.exec:\nbnnnn.exe28⤵
- Executes dropped EXE
-
\??\c:\jdvpj.exec:\jdvpj.exe29⤵
- Executes dropped EXE
-
\??\c:\vvjvv.exec:\vvjvv.exe30⤵
- Executes dropped EXE
-
\??\c:\7lrlxxx.exec:\7lrlxxx.exe31⤵
- Executes dropped EXE
-
\??\c:\tbbbhb.exec:\tbbbhb.exe32⤵
- Executes dropped EXE
-
\??\c:\hbbhbb.exec:\hbbhbb.exe33⤵
- Executes dropped EXE
-
\??\c:\dpjvp.exec:\dpjvp.exe34⤵
- Executes dropped EXE
-
\??\c:\rlrrllr.exec:\rlrrllr.exe35⤵
- Executes dropped EXE
-
\??\c:\3rrlfff.exec:\3rrlfff.exe36⤵
- Executes dropped EXE
-
\??\c:\nbnttt.exec:\nbnttt.exe37⤵
- Executes dropped EXE
-
\??\c:\djppv.exec:\djppv.exe38⤵
- Executes dropped EXE
-
\??\c:\rlxrffr.exec:\rlxrffr.exe39⤵
- Executes dropped EXE
-
\??\c:\bbttbb.exec:\bbttbb.exe40⤵
- Executes dropped EXE
-
\??\c:\nbhbtt.exec:\nbhbtt.exe41⤵
- Executes dropped EXE
-
\??\c:\pvjpp.exec:\pvjpp.exe42⤵
- Executes dropped EXE
-
\??\c:\pjddv.exec:\pjddv.exe43⤵
- Executes dropped EXE
-
\??\c:\jddjd.exec:\jddjd.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\hhnttt.exec:\hhnttt.exe45⤵
- Executes dropped EXE
-
\??\c:\thtnhb.exec:\thtnhb.exe46⤵
- Executes dropped EXE
-
\??\c:\vpdjd.exec:\vpdjd.exe47⤵
- Executes dropped EXE
-
\??\c:\5ddpd.exec:\5ddpd.exe48⤵
- Executes dropped EXE
-
\??\c:\3jvvv.exec:\3jvvv.exe49⤵
- Executes dropped EXE
-
\??\c:\rfflxxl.exec:\rfflxxl.exe50⤵
- Executes dropped EXE
-
\??\c:\9hhttn.exec:\9hhttn.exe51⤵
- Executes dropped EXE
-
\??\c:\hntthh.exec:\hntthh.exe52⤵
- Executes dropped EXE
-
\??\c:\pddvj.exec:\pddvj.exe53⤵
- Executes dropped EXE
-
\??\c:\lfrllrr.exec:\lfrllrr.exe54⤵
- Executes dropped EXE
-
\??\c:\lfllfff.exec:\lfllfff.exe55⤵
- Executes dropped EXE
-
\??\c:\tnnnhh.exec:\tnnnhh.exe56⤵
- Executes dropped EXE
-
\??\c:\btbbtn.exec:\btbbtn.exe57⤵
- Executes dropped EXE
-
\??\c:\7jpjd.exec:\7jpjd.exe58⤵
- Executes dropped EXE
-
\??\c:\dpvvj.exec:\dpvvj.exe59⤵
- Executes dropped EXE
-
\??\c:\lxxlrrf.exec:\lxxlrrf.exe60⤵
- Executes dropped EXE
-
\??\c:\3nhhbb.exec:\3nhhbb.exe61⤵
- Executes dropped EXE
-
\??\c:\hbbbtt.exec:\hbbbtt.exe62⤵
- Executes dropped EXE
-
\??\c:\ppdjv.exec:\ppdjv.exe63⤵
- Executes dropped EXE
-
\??\c:\pjjdp.exec:\pjjdp.exe64⤵
- Executes dropped EXE
-
\??\c:\1frxrrr.exec:\1frxrrr.exe65⤵
- Executes dropped EXE
-
\??\c:\lxffllf.exec:\lxffllf.exe66⤵
-
\??\c:\5hhbbt.exec:\5hhbbt.exe67⤵
-
\??\c:\jdvvp.exec:\jdvvp.exe68⤵
-
\??\c:\vppjj.exec:\vppjj.exe69⤵
-
\??\c:\rfrfffl.exec:\rfrfffl.exe70⤵
-
\??\c:\lflffxr.exec:\lflffxr.exe71⤵
-
\??\c:\1thtbb.exec:\1thtbb.exe72⤵
-
\??\c:\pppvj.exec:\pppvj.exe73⤵
-
\??\c:\1pppp.exec:\1pppp.exe74⤵
-
\??\c:\3xrxrff.exec:\3xrxrff.exe75⤵
-
\??\c:\rlllflf.exec:\rlllflf.exe76⤵
-
\??\c:\1lrrrrl.exec:\1lrrrrl.exe77⤵
-
\??\c:\5xfxrrl.exec:\5xfxrrl.exe78⤵
-
\??\c:\9thntt.exec:\9thntt.exe79⤵
-
\??\c:\hbtnhh.exec:\hbtnhh.exe80⤵
-
\??\c:\jdjjd.exec:\jdjjd.exe81⤵
-
\??\c:\dvpjj.exec:\dvpjj.exe82⤵
-
\??\c:\xlrrlff.exec:\xlrrlff.exe83⤵
-
\??\c:\nhttnh.exec:\nhttnh.exe84⤵
-
\??\c:\nhttnt.exec:\nhttnt.exe85⤵
-
\??\c:\7tbttt.exec:\7tbttt.exe86⤵
-
\??\c:\ddjdd.exec:\ddjdd.exe87⤵
-
\??\c:\rrrxxrr.exec:\rrrxxrr.exe88⤵
-
\??\c:\rrrrllr.exec:\rrrrllr.exe89⤵
-
\??\c:\tnbhtn.exec:\tnbhtn.exe90⤵
-
\??\c:\ppvpp.exec:\ppvpp.exe91⤵
-
\??\c:\ddjdd.exec:\ddjdd.exe92⤵
-
\??\c:\7pjdd.exec:\7pjdd.exe93⤵
-
\??\c:\rrrllll.exec:\rrrllll.exe94⤵
-
\??\c:\nbtnnt.exec:\nbtnnt.exe95⤵
-
\??\c:\jjjjd.exec:\jjjjd.exe96⤵
-
\??\c:\vpvpj.exec:\vpvpj.exe97⤵
-
\??\c:\vdjvp.exec:\vdjvp.exe98⤵
-
\??\c:\fxxrxxx.exec:\fxxrxxx.exe99⤵
-
\??\c:\thnnbb.exec:\thnnbb.exe100⤵
- System Location Discovery: System Language Discovery
-
\??\c:\nbtntn.exec:\nbtntn.exe101⤵
-
\??\c:\jjvpj.exec:\jjvpj.exe102⤵
-
\??\c:\5jppj.exec:\5jppj.exe103⤵
-
\??\c:\xxrllxf.exec:\xxrllxf.exe104⤵
-
\??\c:\nbbntn.exec:\nbbntn.exe105⤵
- System Location Discovery: System Language Discovery
-
\??\c:\jjdvj.exec:\jjdvj.exe106⤵
-
\??\c:\vjjjd.exec:\vjjjd.exe107⤵
-
\??\c:\xrlfxxx.exec:\xrlfxxx.exe108⤵
-
\??\c:\5xfxxxr.exec:\5xfxxxr.exe109⤵
-
\??\c:\1thhhn.exec:\1thhhn.exe110⤵
-
\??\c:\hnbbbh.exec:\hnbbbh.exe111⤵
-
\??\c:\9vvvj.exec:\9vvvj.exe112⤵
-
\??\c:\jjvpj.exec:\jjvpj.exe113⤵
-
\??\c:\xllxxxx.exec:\xllxxxx.exe114⤵
-
\??\c:\nhhbtt.exec:\nhhbtt.exe115⤵
-
\??\c:\tbnhbh.exec:\tbnhbh.exe116⤵
-
\??\c:\vpvpp.exec:\vpvpp.exe117⤵
-
\??\c:\9jpjd.exec:\9jpjd.exe118⤵
-
\??\c:\fxlfffl.exec:\fxlfffl.exe119⤵
-
\??\c:\lfrlfxr.exec:\lfrlfxr.exe120⤵
-
\??\c:\nhhbbb.exec:\nhhbbb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-