Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22-11-2024 22:50
General
-
Target
fa3093a22c61d8d47fc4edcfe379a354444ddb840cb1d4101dc20333ce66f394.exe
-
Size
72KB
-
MD5
9b505f1dcf02dab70d5bfbcd3ddba70e
-
SHA1
437694a0e4a803b48e19716b00713a22f097970c
-
SHA256
fa3093a22c61d8d47fc4edcfe379a354444ddb840cb1d4101dc20333ce66f394
-
SHA512
72a81776859465374cc6c6ed1b2ccc7a375dac80beb03f17447b615c5e985fc14680860cf97dd116ba69367824b6c9c22cb7e16ae7e9b9f3cf87e54b6e72aa76
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfUcicP/fG:ymb3NkkiQ3mdBjFI4V4ci2/fG
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 32 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fa3093a22c61d8d47fc4edcfe379a354444ddb840cb1d4101dc20333ce66f394.exe"C:\Users\Admin\AppData\Local\Temp\fa3093a22c61d8d47fc4edcfe379a354444ddb840cb1d4101dc20333ce66f394.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\lllrlrl.exec:\lllrlrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htnhbt.exec:\htnhbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdjdd.exec:\pdjdd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffrlffx.exec:\ffrlffx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbnhh.exec:\htbnhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjjv.exec:\pjjjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlfxllx.exec:\xlfxllx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhbtt.exec:\tnhbtt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnnnnn.exec:\nnnnnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdjjd.exec:\vdjjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3rxrllf.exec:\3rxrllf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnbtb.exec:\tnnbtb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbbthh.exec:\bbbthh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjdv.exec:\dvjdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrlxxl.exec:\xrrlxxl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lflfxlf.exec:\lflfxlf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvpjd.exec:\pvpjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxffrxr.exec:\rxffrxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xffxrrl.exec:\xffxrrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhbtn.exec:\hbhbtn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdvj.exec:\pjdvj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rflfrrf.exec:\rflfrrf.exe23⤵
- Executes dropped EXE
-
\??\c:\tnnnhh.exec:\tnnnhh.exe24⤵
- Executes dropped EXE
-
\??\c:\5rrlxxr.exec:\5rrlxxr.exe25⤵
- Executes dropped EXE
-
\??\c:\xllfxrl.exec:\xllfxrl.exe26⤵
- Executes dropped EXE
-
\??\c:\nbnnhh.exec:\nbnnhh.exe27⤵
- Executes dropped EXE
-
\??\c:\3jjpd.exec:\3jjpd.exe28⤵
- Executes dropped EXE
-
\??\c:\vpjdd.exec:\vpjdd.exe29⤵
- Executes dropped EXE
-
\??\c:\rxfxrrr.exec:\rxfxrrr.exe30⤵
- Executes dropped EXE
-
\??\c:\lflfxff.exec:\lflfxff.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\nbbhtt.exec:\nbbhtt.exe32⤵
- Executes dropped EXE
-
\??\c:\pdvpd.exec:\pdvpd.exe33⤵
- Executes dropped EXE
-
\??\c:\xxxlfxr.exec:\xxxlfxr.exe34⤵
- Executes dropped EXE
-
\??\c:\1hnhhh.exec:\1hnhhh.exe35⤵
- Executes dropped EXE
-
\??\c:\bnntnn.exec:\bnntnn.exe36⤵
- Executes dropped EXE
-
\??\c:\3vvpd.exec:\3vvpd.exe37⤵
- Executes dropped EXE
-
\??\c:\xlfxrrl.exec:\xlfxrrl.exe38⤵
- Executes dropped EXE
-
\??\c:\tbnnhb.exec:\tbnnhb.exe39⤵
- Executes dropped EXE
-
\??\c:\frxrlll.exec:\frxrlll.exe40⤵
- Executes dropped EXE
-
\??\c:\xxflrlf.exec:\xxflrlf.exe41⤵
- Executes dropped EXE
-
\??\c:\bbnbnh.exec:\bbnbnh.exe42⤵
- Executes dropped EXE
-
\??\c:\jpdvp.exec:\jpdvp.exe43⤵
- Executes dropped EXE
-
\??\c:\vpvvv.exec:\vpvvv.exe44⤵
- Executes dropped EXE
-
\??\c:\lxrlxrx.exec:\lxrlxrx.exe45⤵
- Executes dropped EXE
-
\??\c:\ttnhbn.exec:\ttnhbn.exe46⤵
- Executes dropped EXE
-
\??\c:\jppjv.exec:\jppjv.exe47⤵
- Executes dropped EXE
-
\??\c:\hhbnht.exec:\hhbnht.exe48⤵
- Executes dropped EXE
-
\??\c:\vpvvv.exec:\vpvvv.exe49⤵
- Executes dropped EXE
-
\??\c:\xllxfxr.exec:\xllxfxr.exe50⤵
- Executes dropped EXE
-
\??\c:\bnthth.exec:\bnthth.exe51⤵
- Executes dropped EXE
-
\??\c:\nttbhb.exec:\nttbhb.exe52⤵
- Executes dropped EXE
-
\??\c:\3ddvj.exec:\3ddvj.exe53⤵
- Executes dropped EXE
-
\??\c:\rxrxrfr.exec:\rxrxrfr.exe54⤵
- Executes dropped EXE
-
\??\c:\xxrlrrx.exec:\xxrlrrx.exe55⤵
- Executes dropped EXE
-
\??\c:\1hhhbt.exec:\1hhhbt.exe56⤵
- Executes dropped EXE
-
\??\c:\htnhhb.exec:\htnhhb.exe57⤵
- Executes dropped EXE
-
\??\c:\vddvp.exec:\vddvp.exe58⤵
- Executes dropped EXE
-
\??\c:\ppvjp.exec:\ppvjp.exe59⤵
- Executes dropped EXE
-
\??\c:\lfrlrrf.exec:\lfrlrrf.exe60⤵
- Executes dropped EXE
-
\??\c:\lxfxrrl.exec:\lxfxrrl.exe61⤵
- Executes dropped EXE
-
\??\c:\tnbnbt.exec:\tnbnbt.exe62⤵
- Executes dropped EXE
-
\??\c:\3jjdp.exec:\3jjdp.exe63⤵
- Executes dropped EXE
-
\??\c:\ffflxrf.exec:\ffflxrf.exe64⤵
- Executes dropped EXE
-
\??\c:\rflfxxl.exec:\rflfxxl.exe65⤵
- Executes dropped EXE
-
\??\c:\tnhtnh.exec:\tnhtnh.exe66⤵
-
\??\c:\9lxrxxf.exec:\9lxrxxf.exe67⤵
-
\??\c:\lrfxrrl.exec:\lrfxrrl.exe68⤵
-
\??\c:\hbnhbt.exec:\hbnhbt.exe69⤵
-
\??\c:\7htnbt.exec:\7htnbt.exe70⤵
-
\??\c:\9ththn.exec:\9ththn.exe71⤵
-
\??\c:\dvpdp.exec:\dvpdp.exe72⤵
-
\??\c:\flfrlfr.exec:\flfrlfr.exe73⤵
-
\??\c:\5rfxffx.exec:\5rfxffx.exe74⤵
-
\??\c:\xrrlxxr.exec:\xrrlxxr.exe75⤵
-
\??\c:\nbbttn.exec:\nbbttn.exe76⤵
-
\??\c:\3jdpd.exec:\3jdpd.exe77⤵
-
\??\c:\djjdp.exec:\djjdp.exe78⤵
-
\??\c:\7lrlxrf.exec:\7lrlxrf.exe79⤵
-
\??\c:\lfxrllf.exec:\lfxrllf.exe80⤵
-
\??\c:\7tbttn.exec:\7tbttn.exe81⤵
-
\??\c:\hbbthh.exec:\hbbthh.exe82⤵
-
\??\c:\pddvj.exec:\pddvj.exe83⤵
-
\??\c:\ffxlffx.exec:\ffxlffx.exe84⤵
-
\??\c:\xfxrlfx.exec:\xfxrlfx.exe85⤵
-
\??\c:\nhhbtn.exec:\nhhbtn.exe86⤵
-
\??\c:\hnbbtb.exec:\hnbbtb.exe87⤵
-
\??\c:\vpvdp.exec:\vpvdp.exe88⤵
-
\??\c:\dppjd.exec:\dppjd.exe89⤵
-
\??\c:\fllxlfr.exec:\fllxlfr.exe90⤵
-
\??\c:\9rlfrlf.exec:\9rlfrlf.exe91⤵
-
\??\c:\htthhh.exec:\htthhh.exe92⤵
-
\??\c:\jvdvv.exec:\jvdvv.exe93⤵
-
\??\c:\pjdjv.exec:\pjdjv.exe94⤵
-
\??\c:\5xxrxrf.exec:\5xxrxrf.exe95⤵
-
\??\c:\5llllll.exec:\5llllll.exe96⤵
-
\??\c:\tnnnnn.exec:\tnnnnn.exe97⤵
-
\??\c:\hbtntt.exec:\hbtntt.exe98⤵
-
\??\c:\pdpjj.exec:\pdpjj.exe99⤵
-
\??\c:\djjdv.exec:\djjdv.exe100⤵
-
\??\c:\xlfxlfx.exec:\xlfxlfx.exe101⤵
-
\??\c:\xlxrrrl.exec:\xlxrrrl.exe102⤵
-
\??\c:\lrrfrlx.exec:\lrrfrlx.exe103⤵
-
\??\c:\nhbtnh.exec:\nhbtnh.exe104⤵
-
\??\c:\nbhbnb.exec:\nbhbnb.exe105⤵
-
\??\c:\vpdpj.exec:\vpdpj.exe106⤵
-
\??\c:\jjdvp.exec:\jjdvp.exe107⤵
-
\??\c:\rlrlfff.exec:\rlrlfff.exe108⤵
-
\??\c:\llffxxl.exec:\llffxxl.exe109⤵
-
\??\c:\fllfrlf.exec:\fllfrlf.exe110⤵
-
\??\c:\bhnttt.exec:\bhnttt.exe111⤵
-
\??\c:\hntthn.exec:\hntthn.exe112⤵
-
\??\c:\djvpp.exec:\djvpp.exe113⤵
-
\??\c:\dvvpd.exec:\dvvpd.exe114⤵
-
\??\c:\7flfxxr.exec:\7flfxxr.exe115⤵
-
\??\c:\nbnhbh.exec:\nbnhbh.exe116⤵
-
\??\c:\5nthtt.exec:\5nthtt.exe117⤵
-
\??\c:\vjdvj.exec:\vjdvj.exe118⤵
-
\??\c:\jddvd.exec:\jddvd.exe119⤵
-
\??\c:\3rxrlll.exec:\3rxrlll.exe120⤵
-
\??\c:\hbbbbt.exec:\hbbbbt.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-