Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22-11-2024 21:12
General
-
Target
30e9c6b33b971b438c0b3db5ea0964fc7d1cab9c2131294e18591b5540b38aa0.exe
-
Size
332KB
-
MD5
c627dddffa7434e42384fbb2b307622c
-
SHA1
526fd0d28ae693bd9813ebbed46a5bfe297efac1
-
SHA256
30e9c6b33b971b438c0b3db5ea0964fc7d1cab9c2131294e18591b5540b38aa0
-
SHA512
3eb5903d056bddfdaf2e1dc693137b1b17bdd7401f0df856da09403aeb19ded80cd3aaa145369e3f7bb0a193d608cd58d70508cfd7c2eabc2e902a32dab720f6
-
SSDEEP
6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPhP:F7Tc8JdSjylh2b77BoTMA9gX59sTsuTf
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 64 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\30e9c6b33b971b438c0b3db5ea0964fc7d1cab9c2131294e18591b5540b38aa0.exe"C:\Users\Admin\AppData\Local\Temp\30e9c6b33b971b438c0b3db5ea0964fc7d1cab9c2131294e18591b5540b38aa0.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\jjpjj.exec:\jjpjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpjdv.exec:\jpjdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntbnnh.exec:\ntbnnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjppp.exec:\vjppp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llxxrxl.exec:\llxxrxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdpj.exec:\pjdpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thbntb.exec:\thbntb.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvvp.exec:\dvvvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lflllll.exec:\lflllll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvvvv.exec:\pvvvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxxxrl.exec:\frxxxrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbnhb.exec:\btbnhb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxrrlf.exec:\xrxrrlf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppdvp.exec:\ppdvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhtthh.exec:\nhtthh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tntnbt.exec:\tntnbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrxxrrr.exec:\lrxxrrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhtntt.exec:\hhtntt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvddv.exec:\dvddv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxfxxxr.exec:\xxfxxxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vppvp.exec:\vppvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxlfrfx.exec:\rxlfrfx.exe23⤵
- Executes dropped EXE
-
\??\c:\djvjd.exec:\djvjd.exe24⤵
- Executes dropped EXE
-
\??\c:\pppjd.exec:\pppjd.exe25⤵
- Executes dropped EXE
-
\??\c:\rrrrlrl.exec:\rrrrlrl.exe26⤵
- Executes dropped EXE
-
\??\c:\xllrrxl.exec:\xllrrxl.exe27⤵
- Executes dropped EXE
-
\??\c:\nbbbbt.exec:\nbbbbt.exe28⤵
- Executes dropped EXE
-
\??\c:\nbhhtn.exec:\nbhhtn.exe29⤵
- Executes dropped EXE
-
\??\c:\bhtnhh.exec:\bhtnhh.exe30⤵
- Executes dropped EXE
-
\??\c:\xlrrlrl.exec:\xlrrlrl.exe31⤵
- Executes dropped EXE
-
\??\c:\hbhhht.exec:\hbhhht.exe32⤵
- Executes dropped EXE
-
\??\c:\frxfxxl.exec:\frxfxxl.exe33⤵
- Executes dropped EXE
-
\??\c:\frrllfl.exec:\frrllfl.exe34⤵
- Executes dropped EXE
-
\??\c:\ttbttn.exec:\ttbttn.exe35⤵
- Executes dropped EXE
-
\??\c:\9vdjj.exec:\9vdjj.exe36⤵
- Executes dropped EXE
-
\??\c:\hbbbnn.exec:\hbbbnn.exe37⤵
- Executes dropped EXE
-
\??\c:\jvdvp.exec:\jvdvp.exe38⤵
- Executes dropped EXE
-
\??\c:\ffxrflr.exec:\ffxrflr.exe39⤵
- Executes dropped EXE
-
\??\c:\nnthhh.exec:\nnthhh.exe40⤵
- Executes dropped EXE
-
\??\c:\jpdvp.exec:\jpdvp.exe41⤵
- Executes dropped EXE
-
\??\c:\7ntthn.exec:\7ntthn.exe42⤵
- Executes dropped EXE
-
\??\c:\tnbttt.exec:\tnbttt.exe43⤵
- Executes dropped EXE
-
\??\c:\pdppp.exec:\pdppp.exe44⤵
- Executes dropped EXE
-
\??\c:\lrlxfxl.exec:\lrlxfxl.exe45⤵
- Executes dropped EXE
-
\??\c:\nbhnbh.exec:\nbhnbh.exe46⤵
- Executes dropped EXE
-
\??\c:\3dpjp.exec:\3dpjp.exe47⤵
- Executes dropped EXE
-
\??\c:\5dvjp.exec:\5dvjp.exe48⤵
- Executes dropped EXE
-
\??\c:\1llfxll.exec:\1llfxll.exe49⤵
- Executes dropped EXE
-
\??\c:\thnhbh.exec:\thnhbh.exe50⤵
- Executes dropped EXE
-
\??\c:\fllrrfx.exec:\fllrrfx.exe51⤵
- Executes dropped EXE
-
\??\c:\hbhhhn.exec:\hbhhhn.exe52⤵
- Executes dropped EXE
-
\??\c:\dvddv.exec:\dvddv.exe53⤵
- Executes dropped EXE
-
\??\c:\1vjdd.exec:\1vjdd.exe54⤵
- Executes dropped EXE
-
\??\c:\llffllx.exec:\llffllx.exe55⤵
- Executes dropped EXE
-
\??\c:\3hbhbh.exec:\3hbhbh.exe56⤵
- Executes dropped EXE
-
\??\c:\vjjdd.exec:\vjjdd.exe57⤵
- Executes dropped EXE
-
\??\c:\ddjjv.exec:\ddjjv.exe58⤵
- Executes dropped EXE
-
\??\c:\7fxlflf.exec:\7fxlflf.exe59⤵
- Executes dropped EXE
-
\??\c:\hnbbbb.exec:\hnbbbb.exe60⤵
- Executes dropped EXE
-
\??\c:\5dvpp.exec:\5dvpp.exe61⤵
- Executes dropped EXE
-
\??\c:\pjpvv.exec:\pjpvv.exe62⤵
- Executes dropped EXE
-
\??\c:\nbtttb.exec:\nbtttb.exe63⤵
- Executes dropped EXE
-
\??\c:\rrrrrxx.exec:\rrrrrxx.exe64⤵
- Executes dropped EXE
-
\??\c:\bttnnn.exec:\bttnnn.exe65⤵
- Executes dropped EXE
-
\??\c:\bnbbbh.exec:\bnbbbh.exe66⤵
-
\??\c:\pjvpv.exec:\pjvpv.exe67⤵
-
\??\c:\fffxlxx.exec:\fffxlxx.exe68⤵
-
\??\c:\vjjdd.exec:\vjjdd.exe69⤵
-
\??\c:\vvjjj.exec:\vvjjj.exe70⤵
-
\??\c:\5tbbtt.exec:\5tbbtt.exe71⤵
-
\??\c:\tbhbtt.exec:\tbhbtt.exe72⤵
-
\??\c:\jddvj.exec:\jddvj.exe73⤵
-
\??\c:\5xllffx.exec:\5xllffx.exe74⤵
-
\??\c:\tnhnnb.exec:\tnhnnb.exe75⤵
-
\??\c:\vvppp.exec:\vvppp.exe76⤵
-
\??\c:\ffrllxx.exec:\ffrllxx.exe77⤵
-
\??\c:\bnhbth.exec:\bnhbth.exe78⤵
-
\??\c:\dpdvv.exec:\dpdvv.exe79⤵
-
\??\c:\rxfxllf.exec:\rxfxllf.exe80⤵
-
\??\c:\hhhhbh.exec:\hhhhbh.exe81⤵
-
\??\c:\ddvvp.exec:\ddvvp.exe82⤵
-
\??\c:\3ppvp.exec:\3ppvp.exe83⤵
-
\??\c:\7rxrflr.exec:\7rxrflr.exe84⤵
- System Location Discovery: System Language Discovery
-
\??\c:\nbhbtt.exec:\nbhbtt.exe85⤵
-
\??\c:\ddjjv.exec:\ddjjv.exe86⤵
-
\??\c:\rrllrrr.exec:\rrllrrr.exe87⤵
-
\??\c:\fffxrrx.exec:\fffxrrx.exe88⤵
-
\??\c:\9nnbtb.exec:\9nnbtb.exe89⤵
-
\??\c:\vpddv.exec:\vpddv.exe90⤵
-
\??\c:\pdpjj.exec:\pdpjj.exe91⤵
-
\??\c:\xrfxxll.exec:\xrfxxll.exe92⤵
-
\??\c:\xrflrrf.exec:\xrflrrf.exe93⤵
-
\??\c:\bhtthn.exec:\bhtthn.exe94⤵
-
\??\c:\9ppjj.exec:\9ppjj.exe95⤵
-
\??\c:\llrrrll.exec:\llrrrll.exe96⤵
-
\??\c:\hhtnnn.exec:\hhtnnn.exe97⤵
-
\??\c:\pjddv.exec:\pjddv.exe98⤵
-
\??\c:\5rrxrrr.exec:\5rrxrrr.exe99⤵
-
\??\c:\flxrlff.exec:\flxrlff.exe100⤵
-
\??\c:\9vddd.exec:\9vddd.exe101⤵
-
\??\c:\9lllfxx.exec:\9lllfxx.exe102⤵
-
\??\c:\hnbbbb.exec:\hnbbbb.exe103⤵
-
\??\c:\jvpjd.exec:\jvpjd.exe104⤵
-
\??\c:\xllffff.exec:\xllffff.exe105⤵
-
\??\c:\7nhbtt.exec:\7nhbtt.exe106⤵
-
\??\c:\vjjvv.exec:\vjjvv.exe107⤵
-
\??\c:\xrfffxf.exec:\xrfffxf.exe108⤵
-
\??\c:\pdddd.exec:\pdddd.exe109⤵
-
\??\c:\pppjj.exec:\pppjj.exe110⤵
-
\??\c:\rxlffll.exec:\rxlffll.exe111⤵
-
\??\c:\hhbbhh.exec:\hhbbhh.exe112⤵
-
\??\c:\bbhbtt.exec:\bbhbtt.exe113⤵
-
\??\c:\ddvpj.exec:\ddvpj.exe114⤵
-
\??\c:\rrfxrrf.exec:\rrfxrrf.exe115⤵
-
\??\c:\nnnhbb.exec:\nnnhbb.exe116⤵
-
\??\c:\jpvvv.exec:\jpvvv.exe117⤵
-
\??\c:\ffrlffx.exec:\ffrlffx.exe118⤵
-
\??\c:\hntnbt.exec:\hntnbt.exe119⤵
-
\??\c:\btbtnn.exec:\btbtnn.exe120⤵
-
\??\c:\vdjdp.exec:\vdjdp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-