Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22/11/2024, 05:04
General
-
Target
e30b03c0caf290608292b13d88bf3aab69418785706912a376327ac14ff0b3eb.exe
-
Size
82KB
-
MD5
e3a9a82f7c138c77e2b1716a5a6164b3
-
SHA1
c78a2245fb1d97d0cbfd5fdd415fe467e623a900
-
SHA256
e30b03c0caf290608292b13d88bf3aab69418785706912a376327ac14ff0b3eb
-
SHA512
0456800a2a89493e2db62f3d3c6f1f2e13a00af64190f2d12cf17e6cad0d7ff9daf44a507e3aea221cef0dab6fbac6e9d6b70beba9ce8407e6fd1d7a830a6fae
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDo73tgygQwKjiawEmB5Gt9:ymb3NkkiQ3mdBjFo73thgQ/wEkc
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 27 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 32 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e30b03c0caf290608292b13d88bf3aab69418785706912a376327ac14ff0b3eb.exe"C:\Users\Admin\AppData\Local\Temp\e30b03c0caf290608292b13d88bf3aab69418785706912a376327ac14ff0b3eb.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\jpjdv.exec:\jpjdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\420004.exec:\420004.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\024828.exec:\024828.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\806006.exec:\806006.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djpjd.exec:\djpjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfffflr.exec:\lfffflr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxlrrrx.exec:\lxlrrrx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnbtb.exec:\ttnbtb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\k26024.exec:\k26024.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0222882.exec:\0222882.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\44624.exec:\44624.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\02048.exec:\02048.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\48882.exec:\48882.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6688608.exec:\6688608.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpvpp.exec:\dpvpp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htntbt.exec:\htntbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\24860.exec:\24860.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjdd.exec:\dvjdd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\e06004.exec:\e06004.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\86664.exec:\86664.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrxrllf.exec:\lrxrllf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llfffrr.exec:\llfffrr.exe23⤵
- Executes dropped EXE
-
\??\c:\20622.exec:\20622.exe24⤵
- Executes dropped EXE
-
\??\c:\o860062.exec:\o860062.exe25⤵
- Executes dropped EXE
-
\??\c:\bbhhnb.exec:\bbhhnb.exe26⤵
- Executes dropped EXE
-
\??\c:\26028.exec:\26028.exe27⤵
- Executes dropped EXE
-
\??\c:\040662.exec:\040662.exe28⤵
- Executes dropped EXE
-
\??\c:\4686044.exec:\4686044.exe29⤵
- Executes dropped EXE
-
\??\c:\jdjpp.exec:\jdjpp.exe30⤵
- Executes dropped EXE
-
\??\c:\rrlflrf.exec:\rrlflrf.exe31⤵
- Executes dropped EXE
-
\??\c:\4026662.exec:\4026662.exe32⤵
- Executes dropped EXE
-
\??\c:\3jppd.exec:\3jppd.exe33⤵
- Executes dropped EXE
-
\??\c:\hbhbbt.exec:\hbhbbt.exe34⤵
- Executes dropped EXE
-
\??\c:\60828.exec:\60828.exe35⤵
- Executes dropped EXE
-
\??\c:\nbhhhh.exec:\nbhhhh.exe36⤵
- Executes dropped EXE
-
\??\c:\xlrlffl.exec:\xlrlffl.exe37⤵
- Executes dropped EXE
-
\??\c:\bnnnnb.exec:\bnnnnb.exe38⤵
- Executes dropped EXE
-
\??\c:\002244.exec:\002244.exe39⤵
- Executes dropped EXE
-
\??\c:\1nbbtn.exec:\1nbbtn.exe40⤵
- Executes dropped EXE
-
\??\c:\040822.exec:\040822.exe41⤵
- Executes dropped EXE
-
\??\c:\04620.exec:\04620.exe42⤵
- Executes dropped EXE
-
\??\c:\6200444.exec:\6200444.exe43⤵
- Executes dropped EXE
-
\??\c:\frrlfff.exec:\frrlfff.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\88664.exec:\88664.exe45⤵
- Executes dropped EXE
-
\??\c:\0880444.exec:\0880444.exe46⤵
- Executes dropped EXE
-
\??\c:\k88444.exec:\k88444.exe47⤵
- Executes dropped EXE
-
\??\c:\xrrrxxl.exec:\xrrrxxl.exe48⤵
- Executes dropped EXE
-
\??\c:\446622.exec:\446622.exe49⤵
- Executes dropped EXE
-
\??\c:\62266.exec:\62266.exe50⤵
- Executes dropped EXE
-
\??\c:\8206600.exec:\8206600.exe51⤵
- Executes dropped EXE
-
\??\c:\886088.exec:\886088.exe52⤵
- Executes dropped EXE
-
\??\c:\lxxrllf.exec:\lxxrllf.exe53⤵
- Executes dropped EXE
-
\??\c:\ppjvj.exec:\ppjvj.exe54⤵
- Executes dropped EXE
-
\??\c:\6404006.exec:\6404006.exe55⤵
- Executes dropped EXE
-
\??\c:\684448.exec:\684448.exe56⤵
- Executes dropped EXE
-
\??\c:\lfxrxxr.exec:\lfxrxxr.exe57⤵
- Executes dropped EXE
-
\??\c:\2642826.exec:\2642826.exe58⤵
- Executes dropped EXE
-
\??\c:\08864.exec:\08864.exe59⤵
- Executes dropped EXE
-
\??\c:\600460.exec:\600460.exe60⤵
- Executes dropped EXE
-
\??\c:\066482.exec:\066482.exe61⤵
- Executes dropped EXE
-
\??\c:\4886224.exec:\4886224.exe62⤵
- Executes dropped EXE
-
\??\c:\66266.exec:\66266.exe63⤵
- Executes dropped EXE
-
\??\c:\088408.exec:\088408.exe64⤵
- Executes dropped EXE
-
\??\c:\hbbtnn.exec:\hbbtnn.exe65⤵
- Executes dropped EXE
-
\??\c:\pjvpj.exec:\pjvpj.exe66⤵
- System Location Discovery: System Language Discovery
-
\??\c:\pdppp.exec:\pdppp.exe67⤵
-
\??\c:\c828028.exec:\c828028.exe68⤵
-
\??\c:\rrrrlrf.exec:\rrrrlrf.exe69⤵
-
\??\c:\642200.exec:\642200.exe70⤵
-
\??\c:\640860.exec:\640860.exe71⤵
-
\??\c:\frrfxrl.exec:\frrfxrl.exe72⤵
-
\??\c:\3ntnbb.exec:\3ntnbb.exe73⤵
-
\??\c:\tnnbhn.exec:\tnnbhn.exe74⤵
-
\??\c:\k20600.exec:\k20600.exe75⤵
-
\??\c:\ffxxxll.exec:\ffxxxll.exe76⤵
-
\??\c:\jvjvv.exec:\jvjvv.exe77⤵
-
\??\c:\820228.exec:\820228.exe78⤵
-
\??\c:\jvjpd.exec:\jvjpd.exe79⤵
-
\??\c:\4000226.exec:\4000226.exe80⤵
-
\??\c:\44608.exec:\44608.exe81⤵
-
\??\c:\k66426.exec:\k66426.exe82⤵
-
\??\c:\6222644.exec:\6222644.exe83⤵
-
\??\c:\lxxxxll.exec:\lxxxxll.exe84⤵
-
\??\c:\xrlffff.exec:\xrlffff.exe85⤵
-
\??\c:\006600.exec:\006600.exe86⤵
-
\??\c:\0266882.exec:\0266882.exe87⤵
-
\??\c:\8400860.exec:\8400860.exe88⤵
-
\??\c:\httttt.exec:\httttt.exe89⤵
-
\??\c:\6802826.exec:\6802826.exe90⤵
-
\??\c:\0286622.exec:\0286622.exe91⤵
-
\??\c:\04680.exec:\04680.exe92⤵
-
\??\c:\nhbnht.exec:\nhbnht.exe93⤵
-
\??\c:\thhhtn.exec:\thhhtn.exe94⤵
-
\??\c:\44424.exec:\44424.exe95⤵
-
\??\c:\pppjv.exec:\pppjv.exe96⤵
-
\??\c:\46866.exec:\46866.exe97⤵
-
\??\c:\2284888.exec:\2284888.exe98⤵
-
\??\c:\s4048.exec:\s4048.exe99⤵
- System Location Discovery: System Language Discovery
-
\??\c:\rrrrfff.exec:\rrrrfff.exe100⤵
-
\??\c:\4404040.exec:\4404040.exe101⤵
-
\??\c:\3vdpd.exec:\3vdpd.exe102⤵
-
\??\c:\bhhthb.exec:\bhhthb.exe103⤵
-
\??\c:\w06426.exec:\w06426.exe104⤵
-
\??\c:\5hnhbt.exec:\5hnhbt.exe105⤵
-
\??\c:\66606.exec:\66606.exe106⤵
-
\??\c:\3pjpd.exec:\3pjpd.exe107⤵
-
\??\c:\60222.exec:\60222.exe108⤵
-
\??\c:\dppjp.exec:\dppjp.exe109⤵
-
\??\c:\8004424.exec:\8004424.exe110⤵
-
\??\c:\1ffffff.exec:\1ffffff.exe111⤵
-
\??\c:\286260.exec:\286260.exe112⤵
-
\??\c:\62482.exec:\62482.exe113⤵
-
\??\c:\frllfff.exec:\frllfff.exe114⤵
-
\??\c:\1djjp.exec:\1djjp.exe115⤵
-
\??\c:\vjjjp.exec:\vjjjp.exe116⤵
-
\??\c:\062466.exec:\062466.exe117⤵
-
\??\c:\vvvpp.exec:\vvvpp.exe118⤵
-
\??\c:\1tttnt.exec:\1tttnt.exe119⤵
-
\??\c:\2800004.exec:\2800004.exe120⤵
-
\??\c:\fxrrxxx.exec:\fxrrxxx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-