Analysis
-
max time kernel
150s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22-11-2024 19:43
General
-
Target
0caee27f352a68f9eaaea874441415300bf888984803f0a65117db25cac4c181.exe
-
Size
331KB
-
MD5
0338c99c86b68b6963301fb49170f14c
-
SHA1
a18f6c295f1aeb0c77bb5439d6c4a954fd73957e
-
SHA256
0caee27f352a68f9eaaea874441415300bf888984803f0a65117db25cac4c181
-
SHA512
13a1732b6fe58436abff3366cb369686f37150ffd3c0749a788376c2c6a29860c9217c4bda2cde90ccd4a8c85e6d2c966f808a219b84e9ea300ff6abfb3b0641
-
SSDEEP
6144:vcm4FmowdHoStJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tI:94wFHoStJdSjylh2b77BoTMA9gX59sTg
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 63 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0caee27f352a68f9eaaea874441415300bf888984803f0a65117db25cac4c181.exe"C:\Users\Admin\AppData\Local\Temp\0caee27f352a68f9eaaea874441415300bf888984803f0a65117db25cac4c181.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\6408660.exec:\6408660.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tntnhh.exec:\tntnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxrfxr.exec:\rlxrfxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\o688402.exec:\o688402.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\442260.exec:\442260.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjvjd.exec:\vjvjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\06060.exec:\06060.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\426020.exec:\426020.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4226482.exec:\4226482.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0244444.exec:\0244444.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\08668.exec:\08668.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnnnnt.exec:\hnnnnt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\80400.exec:\80400.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\u088228.exec:\u088228.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnhhh.exec:\btnhhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\80666.exec:\80666.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhnnn.exec:\nbhnnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdddv.exec:\jdddv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\68422.exec:\68422.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvvp.exec:\pjvvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\88886.exec:\88886.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjppj.exec:\jjppj.exe23⤵
- Executes dropped EXE
-
\??\c:\0620882.exec:\0620882.exe24⤵
- Executes dropped EXE
-
\??\c:\lrrrxfx.exec:\lrrrxfx.exe25⤵
- Executes dropped EXE
-
\??\c:\2626000.exec:\2626000.exe26⤵
- Executes dropped EXE
-
\??\c:\pvvpj.exec:\pvvpj.exe27⤵
- Executes dropped EXE
-
\??\c:\nnnhtt.exec:\nnnhtt.exe28⤵
- Executes dropped EXE
-
\??\c:\862664.exec:\862664.exe29⤵
- Executes dropped EXE
-
\??\c:\888260.exec:\888260.exe30⤵
- Executes dropped EXE
-
\??\c:\rxfxlfx.exec:\rxfxlfx.exe31⤵
- Executes dropped EXE
-
\??\c:\26264.exec:\26264.exe32⤵
- Executes dropped EXE
-
\??\c:\bbbnhb.exec:\bbbnhb.exe33⤵
- Executes dropped EXE
-
\??\c:\8204000.exec:\8204000.exe34⤵
- Executes dropped EXE
-
\??\c:\6682660.exec:\6682660.exe35⤵
- Executes dropped EXE
-
\??\c:\00604.exec:\00604.exe36⤵
- Executes dropped EXE
-
\??\c:\628264.exec:\628264.exe37⤵
- Executes dropped EXE
-
\??\c:\886044.exec:\886044.exe38⤵
- Executes dropped EXE
-
\??\c:\062600.exec:\062600.exe39⤵
- Executes dropped EXE
-
\??\c:\thhnhn.exec:\thhnhn.exe40⤵
- Executes dropped EXE
-
\??\c:\606000.exec:\606000.exe41⤵
- Executes dropped EXE
-
\??\c:\28044.exec:\28044.exe42⤵
- Executes dropped EXE
-
\??\c:\i020224.exec:\i020224.exe43⤵
- Executes dropped EXE
-
\??\c:\60604.exec:\60604.exe44⤵
- Executes dropped EXE
-
\??\c:\hhnhnn.exec:\hhnhnn.exe45⤵
- Executes dropped EXE
-
\??\c:\6404826.exec:\6404826.exe46⤵
- Executes dropped EXE
-
\??\c:\thnhbb.exec:\thnhbb.exe47⤵
- Executes dropped EXE
-
\??\c:\048682.exec:\048682.exe48⤵
- Executes dropped EXE
-
\??\c:\006682.exec:\006682.exe49⤵
- Executes dropped EXE
-
\??\c:\lllfxll.exec:\lllfxll.exe50⤵
- Executes dropped EXE
-
\??\c:\88602.exec:\88602.exe51⤵
- Executes dropped EXE
-
\??\c:\lxfxrlf.exec:\lxfxrlf.exe52⤵
- Executes dropped EXE
-
\??\c:\hbbnhb.exec:\hbbnhb.exe53⤵
- Executes dropped EXE
-
\??\c:\rflxrfx.exec:\rflxrfx.exe54⤵
- Executes dropped EXE
-
\??\c:\664400.exec:\664400.exe55⤵
- Executes dropped EXE
-
\??\c:\42262.exec:\42262.exe56⤵
- Executes dropped EXE
-
\??\c:\06488.exec:\06488.exe57⤵
- Executes dropped EXE
-
\??\c:\4404822.exec:\4404822.exe58⤵
- Executes dropped EXE
-
\??\c:\66440.exec:\66440.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\880060.exec:\880060.exe60⤵
- Executes dropped EXE
-
\??\c:\8842866.exec:\8842866.exe61⤵
- Executes dropped EXE
-
\??\c:\6226880.exec:\6226880.exe62⤵
- Executes dropped EXE
-
\??\c:\hbhhtt.exec:\hbhhtt.exe63⤵
- Executes dropped EXE
-
\??\c:\02882.exec:\02882.exe64⤵
- Executes dropped EXE
-
\??\c:\ntbtnn.exec:\ntbtnn.exe65⤵
- Executes dropped EXE
-
\??\c:\80888.exec:\80888.exe66⤵
-
\??\c:\884426.exec:\884426.exe67⤵
-
\??\c:\ppjdv.exec:\ppjdv.exe68⤵
-
\??\c:\lfrfxrr.exec:\lfrfxrr.exe69⤵
-
\??\c:\a2822.exec:\a2822.exe70⤵
-
\??\c:\4006628.exec:\4006628.exe71⤵
-
\??\c:\a6828.exec:\a6828.exe72⤵
-
\??\c:\7nnhbt.exec:\7nnhbt.exe73⤵
-
\??\c:\3bhbhh.exec:\3bhbhh.exe74⤵
-
\??\c:\5rrlxxr.exec:\5rrlxxr.exe75⤵
-
\??\c:\08620.exec:\08620.exe76⤵
-
\??\c:\86484.exec:\86484.exe77⤵
-
\??\c:\hhbttt.exec:\hhbttt.exe78⤵
-
\??\c:\thttbh.exec:\thttbh.exe79⤵
-
\??\c:\fxflfrl.exec:\fxflfrl.exe80⤵
-
\??\c:\q68820.exec:\q68820.exe81⤵
-
\??\c:\628842.exec:\628842.exe82⤵
-
\??\c:\2402622.exec:\2402622.exe83⤵
-
\??\c:\4286640.exec:\4286640.exe84⤵
-
\??\c:\ffxlrrf.exec:\ffxlrrf.exe85⤵
-
\??\c:\8288284.exec:\8288284.exe86⤵
-
\??\c:\3nbthb.exec:\3nbthb.exe87⤵
-
\??\c:\w06648.exec:\w06648.exe88⤵
-
\??\c:\fxrllff.exec:\fxrllff.exe89⤵
-
\??\c:\6202242.exec:\6202242.exe90⤵
-
\??\c:\e82260.exec:\e82260.exe91⤵
-
\??\c:\4260848.exec:\4260848.exe92⤵
-
\??\c:\86260.exec:\86260.exe93⤵
-
\??\c:\dvpdp.exec:\dvpdp.exe94⤵
-
\??\c:\00604.exec:\00604.exe95⤵
-
\??\c:\206048.exec:\206048.exe96⤵
-
\??\c:\c066848.exec:\c066848.exe97⤵
-
\??\c:\3rxrllf.exec:\3rxrllf.exe98⤵
-
\??\c:\e84264.exec:\e84264.exe99⤵
-
\??\c:\3hnhtt.exec:\3hnhtt.exe100⤵
- System Location Discovery: System Language Discovery
-
\??\c:\fxfxrlf.exec:\fxfxrlf.exe101⤵
-
\??\c:\q66488.exec:\q66488.exe102⤵
-
\??\c:\22448.exec:\22448.exe103⤵
-
\??\c:\8682666.exec:\8682666.exe104⤵
-
\??\c:\00600.exec:\00600.exe105⤵
-
\??\c:\fxxlxfr.exec:\fxxlxfr.exe106⤵
-
\??\c:\lxfrrll.exec:\lxfrrll.exe107⤵
-
\??\c:\24048.exec:\24048.exe108⤵
-
\??\c:\5ppjv.exec:\5ppjv.exe109⤵
-
\??\c:\5xllllf.exec:\5xllllf.exe110⤵
-
\??\c:\4026000.exec:\4026000.exe111⤵
-
\??\c:\66842.exec:\66842.exe112⤵
-
\??\c:\2868644.exec:\2868644.exe113⤵
-
\??\c:\1pvpp.exec:\1pvpp.exe114⤵
-
\??\c:\jvddj.exec:\jvddj.exe115⤵
- System Location Discovery: System Language Discovery
-
\??\c:\0260488.exec:\0260488.exe116⤵
-
\??\c:\lxrxffr.exec:\lxrxffr.exe117⤵
-
\??\c:\4226482.exec:\4226482.exe118⤵
-
\??\c:\hbnhhb.exec:\hbnhhb.exe119⤵
-
\??\c:\662660.exec:\662660.exe120⤵
-
\??\c:\4620222.exec:\4620222.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-