Analysis
-
max time kernel
120s -
max time network
104s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22-11-2024 15:33
General
-
Target
e34caa9af060bd19e7d5f86e1dbd41795695d240840437ac7e9fc9d4c6a97126.exe
-
Size
127KB
-
MD5
0eb828ff2d44a68e0310dc9f42792e0f
-
SHA1
b263de6d8eb3076b7676d3d01802e8cf9d7ccd6f
-
SHA256
e34caa9af060bd19e7d5f86e1dbd41795695d240840437ac7e9fc9d4c6a97126
-
SHA512
6d205e297295475085c4b4e44df2a54934bcbc27f545d74d6840099f43f2f79aa063f9a785e93acaf7b5a67e3795270d70f73a1f43119d700d788499b13731b1
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73tvn+Yp99zD+WVb+PoGSSTeV:n3C9BRo7tvnJ99mQb+PouG
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e34caa9af060bd19e7d5f86e1dbd41795695d240840437ac7e9fc9d4c6a97126.exe"C:\Users\Admin\AppData\Local\Temp\e34caa9af060bd19e7d5f86e1dbd41795695d240840437ac7e9fc9d4c6a97126.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\nbbbbb.exec:\nbbbbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjjj.exec:\ppjjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxrrll.exec:\rfxrrll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jddvp.exec:\jddvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1jpjj.exec:\1jpjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xllxrrf.exec:\xllxrrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbbbh.exec:\hhbbbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5fxxrxr.exec:\5fxxrxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1tttbb.exec:\1tttbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdddd.exec:\vdddd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhntnt.exec:\bhntnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bttnhh.exec:\bttnhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrrrrf.exec:\rlrrrrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbthtt.exec:\tbthtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7dddd.exec:\7dddd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxfxrrl.exec:\fxfxrrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthhhh.exec:\bthhhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddpjj.exec:\ddpjj.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvvp.exec:\ddvvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbthn.exec:\hhbthn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppppj.exec:\ppppj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lffxxxx.exec:\lffxxxx.exe23⤵
- Executes dropped EXE
-
\??\c:\bnnttb.exec:\bnnttb.exe24⤵
- Executes dropped EXE
-
\??\c:\dvvjd.exec:\dvvjd.exe25⤵
- Executes dropped EXE
-
\??\c:\rfxxrrl.exec:\rfxxrrl.exe26⤵
- Executes dropped EXE
-
\??\c:\ntttnn.exec:\ntttnn.exe27⤵
- Executes dropped EXE
-
\??\c:\jjjdv.exec:\jjjdv.exe28⤵
- Executes dropped EXE
-
\??\c:\tbbbhn.exec:\tbbbhn.exe29⤵
- Executes dropped EXE
-
\??\c:\bbbttt.exec:\bbbttt.exe30⤵
- Executes dropped EXE
-
\??\c:\djddj.exec:\djddj.exe31⤵
- Executes dropped EXE
-
\??\c:\rrlffff.exec:\rrlffff.exe32⤵
- Executes dropped EXE
-
\??\c:\7bhbhh.exec:\7bhbhh.exe33⤵
- Executes dropped EXE
-
\??\c:\jvddd.exec:\jvddd.exe34⤵
- Executes dropped EXE
-
\??\c:\fxlxrfr.exec:\fxlxrfr.exe35⤵
- Executes dropped EXE
-
\??\c:\bnnbbt.exec:\bnnbbt.exe36⤵
- Executes dropped EXE
-
\??\c:\thnnhn.exec:\thnnhn.exe37⤵
- Executes dropped EXE
-
\??\c:\tnhttn.exec:\tnhttn.exe38⤵
- Executes dropped EXE
-
\??\c:\ddjjd.exec:\ddjjd.exe39⤵
- Executes dropped EXE
-
\??\c:\xfxxrrf.exec:\xfxxrrf.exe40⤵
- Executes dropped EXE
-
\??\c:\llfxfff.exec:\llfxfff.exe41⤵
- Executes dropped EXE
-
\??\c:\9thbhb.exec:\9thbhb.exe42⤵
- Executes dropped EXE
-
\??\c:\1jppj.exec:\1jppj.exe43⤵
- Executes dropped EXE
-
\??\c:\xrrrlll.exec:\xrrrlll.exe44⤵
- Executes dropped EXE
-
\??\c:\httttn.exec:\httttn.exe45⤵
- Executes dropped EXE
-
\??\c:\pjjjd.exec:\pjjjd.exe46⤵
- Executes dropped EXE
-
\??\c:\lrrlflf.exec:\lrrlflf.exe47⤵
- Executes dropped EXE
-
\??\c:\hthhht.exec:\hthhht.exe48⤵
- Executes dropped EXE
-
\??\c:\7jddd.exec:\7jddd.exe49⤵
- Executes dropped EXE
-
\??\c:\xlrfxlf.exec:\xlrfxlf.exe50⤵
- Executes dropped EXE
-
\??\c:\bthhbn.exec:\bthhbn.exe51⤵
- Executes dropped EXE
-
\??\c:\rflrffl.exec:\rflrffl.exe52⤵
- Executes dropped EXE
-
\??\c:\jjjjj.exec:\jjjjj.exe53⤵
- Executes dropped EXE
-
\??\c:\vpjdv.exec:\vpjdv.exe54⤵
- Executes dropped EXE
-
\??\c:\rxfxffx.exec:\rxfxffx.exe55⤵
- Executes dropped EXE
-
\??\c:\1thbtt.exec:\1thbtt.exe56⤵
- Executes dropped EXE
-
\??\c:\djjjj.exec:\djjjj.exe57⤵
- Executes dropped EXE
-
\??\c:\fxrfxfl.exec:\fxrfxfl.exe58⤵
- Executes dropped EXE
-
\??\c:\bnnbbt.exec:\bnnbbt.exe59⤵
- Executes dropped EXE
-
\??\c:\3btnnt.exec:\3btnnt.exe60⤵
- Executes dropped EXE
-
\??\c:\xlflflf.exec:\xlflflf.exe61⤵
- Executes dropped EXE
-
\??\c:\xfxxrxl.exec:\xfxxrxl.exe62⤵
- Executes dropped EXE
-
\??\c:\hbbtht.exec:\hbbtht.exe63⤵
- Executes dropped EXE
-
\??\c:\djjpd.exec:\djjpd.exe64⤵
- Executes dropped EXE
-
\??\c:\xfrxfrl.exec:\xfrxfrl.exe65⤵
- Executes dropped EXE
-
\??\c:\tntttn.exec:\tntttn.exe66⤵
-
\??\c:\1bhhnn.exec:\1bhhnn.exe67⤵
- System Location Discovery: System Language Discovery
-
\??\c:\vdpdv.exec:\vdpdv.exe68⤵
-
\??\c:\lflfxfx.exec:\lflfxfx.exe69⤵
-
\??\c:\bbtttt.exec:\bbtttt.exe70⤵
-
\??\c:\jdpjd.exec:\jdpjd.exe71⤵
-
\??\c:\dvjpv.exec:\dvjpv.exe72⤵
-
\??\c:\lxrrffr.exec:\lxrrffr.exe73⤵
-
\??\c:\tntttt.exec:\tntttt.exe74⤵
-
\??\c:\vvjjv.exec:\vvjjv.exe75⤵
-
\??\c:\ddvdv.exec:\ddvdv.exe76⤵
- System Location Discovery: System Language Discovery
-
\??\c:\xxffrxl.exec:\xxffrxl.exe77⤵
-
\??\c:\xxxxxxx.exec:\xxxxxxx.exe78⤵
-
\??\c:\thbbbb.exec:\thbbbb.exe79⤵
-
\??\c:\ddjjj.exec:\ddjjj.exe80⤵
-
\??\c:\jpdvp.exec:\jpdvp.exe81⤵
-
\??\c:\3xffxxr.exec:\3xffxxr.exe82⤵
-
\??\c:\hhbbbn.exec:\hhbbbn.exe83⤵
-
\??\c:\nbtnhb.exec:\nbtnhb.exe84⤵
-
\??\c:\5pjvv.exec:\5pjvv.exe85⤵
-
\??\c:\lrrrrrr.exec:\lrrrrrr.exe86⤵
-
\??\c:\ntbbtn.exec:\ntbbtn.exe87⤵
-
\??\c:\bntttn.exec:\bntttn.exe88⤵
-
\??\c:\nbhnnt.exec:\nbhnnt.exe89⤵
-
\??\c:\hhhhbh.exec:\hhhhbh.exe90⤵
- System Location Discovery: System Language Discovery
-
\??\c:\pjvvp.exec:\pjvvp.exe91⤵
-
\??\c:\fllfffx.exec:\fllfffx.exe92⤵
-
\??\c:\nhhnbh.exec:\nhhnbh.exe93⤵
-
\??\c:\nnttbn.exec:\nnttbn.exe94⤵
-
\??\c:\vdppd.exec:\vdppd.exe95⤵
-
\??\c:\lxflflf.exec:\lxflflf.exe96⤵
-
\??\c:\fllllrr.exec:\fllllrr.exe97⤵
-
\??\c:\tbtthh.exec:\tbtthh.exe98⤵
-
\??\c:\jpjpj.exec:\jpjpj.exe99⤵
-
\??\c:\ddvdd.exec:\ddvdd.exe100⤵
-
\??\c:\rffffll.exec:\rffffll.exe101⤵
-
\??\c:\xfxxlrr.exec:\xfxxlrr.exe102⤵
-
\??\c:\htntbb.exec:\htntbb.exe103⤵
-
\??\c:\tbbbtt.exec:\tbbbtt.exe104⤵
-
\??\c:\vdvjd.exec:\vdvjd.exe105⤵
-
\??\c:\fxfffff.exec:\fxfffff.exe106⤵
-
\??\c:\rfllrrr.exec:\rfllrrr.exe107⤵
-
\??\c:\7btttb.exec:\7btttb.exe108⤵
-
\??\c:\hnnnhn.exec:\hnnnhn.exe109⤵
-
\??\c:\dvjjj.exec:\dvjjj.exe110⤵
-
\??\c:\xxfffll.exec:\xxfffll.exe111⤵
-
\??\c:\bnbbbh.exec:\bnbbbh.exe112⤵
-
\??\c:\hhhhhn.exec:\hhhhhn.exe113⤵
-
\??\c:\jpvjp.exec:\jpvjp.exe114⤵
-
\??\c:\9rxxxff.exec:\9rxxxff.exe115⤵
-
\??\c:\bttnnh.exec:\bttnnh.exe116⤵
-
\??\c:\jjpvd.exec:\jjpvd.exe117⤵
-
\??\c:\rxxrrrl.exec:\rxxrrrl.exe118⤵
-
\??\c:\nbnbhb.exec:\nbnbhb.exe119⤵
-
\??\c:\pppvv.exec:\pppvv.exe120⤵
-
\??\c:\xfllfll.exec:\xfllfll.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-