Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22-11-2024 00:23
General
-
Target
642b6c52b29a090b4acef85c8c9f287394ccbe718411c3d801a0f6238c8f8d61.exe
-
Size
453KB
-
MD5
43329281f879a335bbbfb81dae3dcc5f
-
SHA1
67ea86f7a992c3c7754e850ee448c66d57ad4d1f
-
SHA256
642b6c52b29a090b4acef85c8c9f287394ccbe718411c3d801a0f6238c8f8d61
-
SHA512
4fe6cd4b4a93fcba6581035773876557a4d9818845809fd0b8c77d22859fccc92e487e7656c017efc04f2396f7a0f47211a31cf38e3b76d6ab43c9e91f02491f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeE:q7Tc2NYHUrAwfMp3CDE
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 62 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\642b6c52b29a090b4acef85c8c9f287394ccbe718411c3d801a0f6238c8f8d61.exe"C:\Users\Admin\AppData\Local\Temp\642b6c52b29a090b4acef85c8c9f287394ccbe718411c3d801a0f6238c8f8d61.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\fllrfxl.exec:\fllrfxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvdp.exec:\jjvdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5flxlfl.exec:\5flxlfl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxrlff.exec:\xrxrlff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjdj.exec:\jjjdj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hntttb.exec:\hntttb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\httnhh.exec:\httnhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5hbbhh.exec:\5hbbhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5hhttn.exec:\5hhttn.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\vvjpv.exec:\vvjpv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1tnhtt.exec:\1tnhtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rffrllf.exec:\rffrllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9vvjv.exec:\9vvjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddpvp.exec:\ddpvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3flxrlx.exec:\3flxrlx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7nhhbb.exec:\7nhhbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxrfxr.exec:\xrxrfxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpdj.exec:\dvpdj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1xxrfxr.exec:\1xxrfxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhhtnh.exec:\hhhtnh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxlxrxr.exec:\xxlxrxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrlxxx.exec:\rfrlxxx.exe23⤵
- Executes dropped EXE
-
\??\c:\rrrrlll.exec:\rrrrlll.exe24⤵
- Executes dropped EXE
-
\??\c:\3bhhhn.exec:\3bhhhn.exe25⤵
- Executes dropped EXE
-
\??\c:\vpjdv.exec:\vpjdv.exe26⤵
- Executes dropped EXE
-
\??\c:\fllrfrf.exec:\fllrfrf.exe27⤵
- Executes dropped EXE
-
\??\c:\3jppj.exec:\3jppj.exe28⤵
- Executes dropped EXE
-
\??\c:\bnbhhh.exec:\bnbhhh.exe29⤵
- Executes dropped EXE
-
\??\c:\3nnhhh.exec:\3nnhhh.exe30⤵
- Executes dropped EXE
-
\??\c:\lllxlfr.exec:\lllxlfr.exe31⤵
- Executes dropped EXE
-
\??\c:\dddvp.exec:\dddvp.exe32⤵
- Executes dropped EXE
-
\??\c:\ffffxxr.exec:\ffffxxr.exe33⤵
- Executes dropped EXE
-
\??\c:\jvddv.exec:\jvddv.exe34⤵
- Executes dropped EXE
-
\??\c:\1rxlfrl.exec:\1rxlfrl.exe35⤵
- Executes dropped EXE
-
\??\c:\9bhbbb.exec:\9bhbbb.exe36⤵
- Executes dropped EXE
-
\??\c:\5pjdd.exec:\5pjdd.exe37⤵
- Executes dropped EXE
-
\??\c:\7llxllr.exec:\7llxllr.exe38⤵
- Executes dropped EXE
-
\??\c:\nthbnb.exec:\nthbnb.exe39⤵
- Executes dropped EXE
-
\??\c:\5vjvp.exec:\5vjvp.exe40⤵
- Executes dropped EXE
-
\??\c:\jdjvd.exec:\jdjvd.exe41⤵
- Executes dropped EXE
-
\??\c:\rlrrrlf.exec:\rlrrrlf.exe42⤵
- Executes dropped EXE
-
\??\c:\1hbtnh.exec:\1hbtnh.exe43⤵
- Executes dropped EXE
-
\??\c:\jjvdd.exec:\jjvdd.exe44⤵
- Executes dropped EXE
-
\??\c:\xrrlffx.exec:\xrrlffx.exe45⤵
- Executes dropped EXE
-
\??\c:\xlrlffx.exec:\xlrlffx.exe46⤵
- Executes dropped EXE
-
\??\c:\9ttnht.exec:\9ttnht.exe47⤵
- Executes dropped EXE
-
\??\c:\vvjjv.exec:\vvjjv.exe48⤵
- Executes dropped EXE
-
\??\c:\rlxlrfx.exec:\rlxlrfx.exe49⤵
- Executes dropped EXE
-
\??\c:\bthhbb.exec:\bthhbb.exe50⤵
- Executes dropped EXE
-
\??\c:\jddvd.exec:\jddvd.exe51⤵
- Executes dropped EXE
-
\??\c:\flrlxrl.exec:\flrlxrl.exe52⤵
- Executes dropped EXE
-
\??\c:\fxlfxxr.exec:\fxlfxxr.exe53⤵
- Executes dropped EXE
-
\??\c:\htbthh.exec:\htbthh.exe54⤵
- Executes dropped EXE
-
\??\c:\jvvpj.exec:\jvvpj.exe55⤵
- Executes dropped EXE
-
\??\c:\llrflfl.exec:\llrflfl.exe56⤵
- Executes dropped EXE
-
\??\c:\bhnnhb.exec:\bhnnhb.exe57⤵
- Executes dropped EXE
-
\??\c:\djvpd.exec:\djvpd.exe58⤵
- Executes dropped EXE
-
\??\c:\jjppd.exec:\jjppd.exe59⤵
- Executes dropped EXE
-
\??\c:\7xrlxxx.exec:\7xrlxxx.exe60⤵
- Executes dropped EXE
-
\??\c:\tbhhhb.exec:\tbhhhb.exe61⤵
- Executes dropped EXE
-
\??\c:\5ppjj.exec:\5ppjj.exe62⤵
- Executes dropped EXE
-
\??\c:\dpjdv.exec:\dpjdv.exe63⤵
- Executes dropped EXE
-
\??\c:\xxfxrxr.exec:\xxfxrxr.exe64⤵
- Executes dropped EXE
-
\??\c:\htbttn.exec:\htbttn.exe65⤵
- Executes dropped EXE
-
\??\c:\dvvvp.exec:\dvvvp.exe66⤵
-
\??\c:\xxfxrlf.exec:\xxfxrlf.exe67⤵
-
\??\c:\9htnbb.exec:\9htnbb.exe68⤵
-
\??\c:\vppjd.exec:\vppjd.exe69⤵
-
\??\c:\xxxrxrf.exec:\xxxrxrf.exe70⤵
-
\??\c:\lrfrlfx.exec:\lrfrlfx.exe71⤵
-
\??\c:\httnnn.exec:\httnnn.exe72⤵
-
\??\c:\dvvdv.exec:\dvvdv.exe73⤵
-
\??\c:\lfxlxrf.exec:\lfxlxrf.exe74⤵
-
\??\c:\9bbhbb.exec:\9bbhbb.exe75⤵
-
\??\c:\vdpvp.exec:\vdpvp.exe76⤵
-
\??\c:\fllfxrl.exec:\fllfxrl.exe77⤵
-
\??\c:\9xlfxrl.exec:\9xlfxrl.exe78⤵
-
\??\c:\tnhthb.exec:\tnhthb.exe79⤵
-
\??\c:\jpvpv.exec:\jpvpv.exe80⤵
-
\??\c:\1xrxrlx.exec:\1xrxrlx.exe81⤵
-
\??\c:\9ffxlrl.exec:\9ffxlrl.exe82⤵
-
\??\c:\nnhbnh.exec:\nnhbnh.exe83⤵
-
\??\c:\hhhtnn.exec:\hhhtnn.exe84⤵
-
\??\c:\1vjdv.exec:\1vjdv.exe85⤵
-
\??\c:\9rfrfrf.exec:\9rfrfrf.exe86⤵
-
\??\c:\5bttbt.exec:\5bttbt.exe87⤵
-
\??\c:\3djdp.exec:\3djdp.exe88⤵
-
\??\c:\dddvp.exec:\dddvp.exe89⤵
-
\??\c:\1rxrflf.exec:\1rxrflf.exe90⤵
-
\??\c:\nnnhtn.exec:\nnnhtn.exe91⤵
-
\??\c:\pjjpj.exec:\pjjpj.exe92⤵
-
\??\c:\vppvd.exec:\vppvd.exe93⤵
-
\??\c:\1rllxrf.exec:\1rllxrf.exe94⤵
-
\??\c:\tttnnn.exec:\tttnnn.exe95⤵
-
\??\c:\pvvjv.exec:\pvvjv.exe96⤵
-
\??\c:\rxxxfrf.exec:\rxxxfrf.exe97⤵
-
\??\c:\rllflfx.exec:\rllflfx.exe98⤵
-
\??\c:\nhhbtn.exec:\nhhbtn.exe99⤵
-
\??\c:\9vjdp.exec:\9vjdp.exe100⤵
-
\??\c:\fffxrrl.exec:\fffxrrl.exe101⤵
-
\??\c:\xffxrfx.exec:\xffxrfx.exe102⤵
-
\??\c:\9bnhtt.exec:\9bnhtt.exe103⤵
-
\??\c:\7ddvj.exec:\7ddvj.exe104⤵
-
\??\c:\llrlxxx.exec:\llrlxxx.exe105⤵
-
\??\c:\5fxrffx.exec:\5fxrffx.exe106⤵
-
\??\c:\bbhbhb.exec:\bbhbhb.exe107⤵
-
\??\c:\vdvjd.exec:\vdvjd.exe108⤵
-
\??\c:\rllfrlf.exec:\rllfrlf.exe109⤵
-
\??\c:\rxrlxrl.exec:\rxrlxrl.exe110⤵
-
\??\c:\1hbtnh.exec:\1hbtnh.exe111⤵
-
\??\c:\5tnbnh.exec:\5tnbnh.exe112⤵
-
\??\c:\vvdvp.exec:\vvdvp.exe113⤵
-
\??\c:\frxxrlf.exec:\frxxrlf.exe114⤵
-
\??\c:\7nhhbb.exec:\7nhhbb.exe115⤵
-
\??\c:\nnhbtt.exec:\nnhbtt.exe116⤵
-
\??\c:\vjjvp.exec:\vjjvp.exe117⤵
-
\??\c:\5rlxlfr.exec:\5rlxlfr.exe118⤵
-
\??\c:\nnthtn.exec:\nnthtn.exe119⤵
- System Location Discovery: System Language Discovery
-
\??\c:\pdpdp.exec:\pdpdp.exe120⤵
-
\??\c:\pjjdp.exec:\pjjdp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-