Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22-11-2024 02:07
General
-
Target
94d99496a9087ccd0cafd80fa38b5fefd22ea107e580c0c9475c1af576a570b3.exe
-
Size
455KB
-
MD5
d0246ea9665f16b301cd37508b7c8b78
-
SHA1
597a09e53cdcf69b04e1ee1bac61489a8fadbb18
-
SHA256
94d99496a9087ccd0cafd80fa38b5fefd22ea107e580c0c9475c1af576a570b3
-
SHA512
44ced969ddbc215c50b8931f606dd0646bf62ec1cfedc72b8099b63bd1d8b99b8baef3bc1dcb90f808c47196c75a3e9f720acb5620d9fc27e34c75613ea2d6ee
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRd:q7Tc2NYHUrAwfMp3CDRd
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 64 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\94d99496a9087ccd0cafd80fa38b5fefd22ea107e580c0c9475c1af576a570b3.exe"C:\Users\Admin\AppData\Local\Temp\94d99496a9087ccd0cafd80fa38b5fefd22ea107e580c0c9475c1af576a570b3.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\28826.exec:\28826.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbhtht.exec:\tbhtht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\08446.exec:\08446.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djvjd.exec:\djvjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrfxrxf.exec:\xrfxrxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frrfrlf.exec:\frrfrlf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\a2046.exec:\a2046.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\60082.exec:\60082.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\42200.exec:\42200.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5djdj.exec:\5djdj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvdp.exec:\vvvdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\k40404.exec:\k40404.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\444860.exec:\444860.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\a4426.exec:\a4426.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdjdj.exec:\vdjdj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\226604.exec:\226604.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpdpj.exec:\dpdpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\s4004.exec:\s4004.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thhhnt.exec:\thhhnt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\062082.exec:\062082.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvpv.exec:\jjvpv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xffxrrl.exec:\xffxrrl.exe23⤵
- Executes dropped EXE
-
\??\c:\802228.exec:\802228.exe24⤵
- Executes dropped EXE
-
\??\c:\080488.exec:\080488.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\3fffxff.exec:\3fffxff.exe26⤵
- Executes dropped EXE
-
\??\c:\tnnnht.exec:\tnnnht.exe27⤵
- Executes dropped EXE
-
\??\c:\xxxxfxl.exec:\xxxxfxl.exe28⤵
- Executes dropped EXE
-
\??\c:\hbhthh.exec:\hbhthh.exe29⤵
- Executes dropped EXE
-
\??\c:\0680448.exec:\0680448.exe30⤵
- Executes dropped EXE
-
\??\c:\m8882.exec:\m8882.exe31⤵
- Executes dropped EXE
-
\??\c:\2460448.exec:\2460448.exe32⤵
- Executes dropped EXE
-
\??\c:\46266.exec:\46266.exe33⤵
- Executes dropped EXE
-
\??\c:\3vjjp.exec:\3vjjp.exe34⤵
- Executes dropped EXE
-
\??\c:\86604.exec:\86604.exe35⤵
- Executes dropped EXE
-
\??\c:\vvdvj.exec:\vvdvj.exe36⤵
- Executes dropped EXE
-
\??\c:\0460820.exec:\0460820.exe37⤵
- Executes dropped EXE
-
\??\c:\pddvv.exec:\pddvv.exe38⤵
- Executes dropped EXE
-
\??\c:\88864.exec:\88864.exe39⤵
- Executes dropped EXE
-
\??\c:\jdjjp.exec:\jdjjp.exe40⤵
- Executes dropped EXE
-
\??\c:\btnhhb.exec:\btnhhb.exe41⤵
- Executes dropped EXE
-
\??\c:\1nhthb.exec:\1nhthb.exe42⤵
- Executes dropped EXE
-
\??\c:\6048660.exec:\6048660.exe43⤵
- Executes dropped EXE
-
\??\c:\9btnbt.exec:\9btnbt.exe44⤵
- Executes dropped EXE
-
\??\c:\nttnhn.exec:\nttnhn.exe45⤵
- Executes dropped EXE
-
\??\c:\jjjjp.exec:\jjjjp.exe46⤵
- Executes dropped EXE
-
\??\c:\600426.exec:\600426.exe47⤵
- Executes dropped EXE
-
\??\c:\66048.exec:\66048.exe48⤵
- Executes dropped EXE
-
\??\c:\fxfxffr.exec:\fxfxffr.exe49⤵
- Executes dropped EXE
-
\??\c:\482266.exec:\482266.exe50⤵
- Executes dropped EXE
-
\??\c:\jddjv.exec:\jddjv.exe51⤵
- Executes dropped EXE
-
\??\c:\e80048.exec:\e80048.exe52⤵
- Executes dropped EXE
-
\??\c:\ntttbb.exec:\ntttbb.exe53⤵
- Executes dropped EXE
-
\??\c:\vjjvp.exec:\vjjvp.exe54⤵
- Executes dropped EXE
-
\??\c:\6664042.exec:\6664042.exe55⤵
- Executes dropped EXE
-
\??\c:\08486.exec:\08486.exe56⤵
- Executes dropped EXE
-
\??\c:\ddpjj.exec:\ddpjj.exe57⤵
- Executes dropped EXE
-
\??\c:\48220.exec:\48220.exe58⤵
- Executes dropped EXE
-
\??\c:\nhbttn.exec:\nhbttn.exe59⤵
- Executes dropped EXE
-
\??\c:\vppvp.exec:\vppvp.exe60⤵
- Executes dropped EXE
-
\??\c:\hnnbtn.exec:\hnnbtn.exe61⤵
- Executes dropped EXE
-
\??\c:\rxllxxx.exec:\rxllxxx.exe62⤵
- Executes dropped EXE
-
\??\c:\lxlfffx.exec:\lxlfffx.exe63⤵
- Executes dropped EXE
-
\??\c:\7btbnn.exec:\7btbnn.exe64⤵
- Executes dropped EXE
-
\??\c:\bhttbh.exec:\bhttbh.exe65⤵
- Executes dropped EXE
-
\??\c:\4620060.exec:\4620060.exe66⤵
-
\??\c:\pjjjd.exec:\pjjjd.exe67⤵
-
\??\c:\088860.exec:\088860.exe68⤵
-
\??\c:\lrrlxxr.exec:\lrrlxxr.exe69⤵
-
\??\c:\q46604.exec:\q46604.exe70⤵
-
\??\c:\6626048.exec:\6626048.exe71⤵
-
\??\c:\xlllllr.exec:\xlllllr.exe72⤵
-
\??\c:\9lxrllf.exec:\9lxrllf.exe73⤵
-
\??\c:\hbnnhh.exec:\hbnnhh.exe74⤵
-
\??\c:\nbhbtt.exec:\nbhbtt.exe75⤵
-
\??\c:\8282648.exec:\8282648.exe76⤵
-
\??\c:\rxrffrx.exec:\rxrffrx.exe77⤵
-
\??\c:\m6404.exec:\m6404.exe78⤵
-
\??\c:\1lfxrlf.exec:\1lfxrlf.exe79⤵
-
\??\c:\rfxlfrx.exec:\rfxlfrx.exe80⤵
-
\??\c:\08428.exec:\08428.exe81⤵
-
\??\c:\7jdvj.exec:\7jdvj.exe82⤵
-
\??\c:\xfxlxrf.exec:\xfxlxrf.exe83⤵
-
\??\c:\2008608.exec:\2008608.exe84⤵
-
\??\c:\444200.exec:\444200.exe85⤵
-
\??\c:\9pjpj.exec:\9pjpj.exe86⤵
-
\??\c:\42822.exec:\42822.exe87⤵
-
\??\c:\frrxlfr.exec:\frrxlfr.exe88⤵
-
\??\c:\ddjdp.exec:\ddjdp.exe89⤵
-
\??\c:\jppjv.exec:\jppjv.exe90⤵
-
\??\c:\s8824.exec:\s8824.exe91⤵
-
\??\c:\9llxrrf.exec:\9llxrrf.exe92⤵
-
\??\c:\rffrfxr.exec:\rffrfxr.exe93⤵
-
\??\c:\o884260.exec:\o884260.exe94⤵
-
\??\c:\o864260.exec:\o864260.exe95⤵
-
\??\c:\q86082.exec:\q86082.exe96⤵
-
\??\c:\0664264.exec:\0664264.exe97⤵
-
\??\c:\644260.exec:\644260.exe98⤵
- System Location Discovery: System Language Discovery
-
\??\c:\vppjd.exec:\vppjd.exe99⤵
-
\??\c:\lflfxfx.exec:\lflfxfx.exe100⤵
-
\??\c:\048266.exec:\048266.exe101⤵
-
\??\c:\w00648.exec:\w00648.exe102⤵
-
\??\c:\82664.exec:\82664.exe103⤵
-
\??\c:\2004866.exec:\2004866.exe104⤵
-
\??\c:\880048.exec:\880048.exe105⤵
-
\??\c:\htthtn.exec:\htthtn.exe106⤵
-
\??\c:\vdvdp.exec:\vdvdp.exe107⤵
-
\??\c:\nnhbnn.exec:\nnhbnn.exe108⤵
-
\??\c:\httnbt.exec:\httnbt.exe109⤵
-
\??\c:\8626822.exec:\8626822.exe110⤵
-
\??\c:\nnnhhb.exec:\nnnhhb.exe111⤵
-
\??\c:\xfxxrrf.exec:\xfxxrrf.exe112⤵
-
\??\c:\frrfxrl.exec:\frrfxrl.exe113⤵
-
\??\c:\rrrxlxf.exec:\rrrxlxf.exe114⤵
-
\??\c:\u686444.exec:\u686444.exe115⤵
-
\??\c:\nhbthb.exec:\nhbthb.exe116⤵
-
\??\c:\282082.exec:\282082.exe117⤵
-
\??\c:\ddvjv.exec:\ddvjv.exe118⤵
-
\??\c:\08040.exec:\08040.exe119⤵
-
\??\c:\i660822.exec:\i660822.exe120⤵
-
\??\c:\w40406.exec:\w40406.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-