Analysis
-
max time kernel
150s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-11-2024 05:23
General
-
Target
f503baa8d038a0e3f50857a860b9991e799bec6f245916ec7d7da46c63a18145.exe
-
Size
347KB
-
MD5
f93203be77bac24876c9f4c8728185ef
-
SHA1
1b09931ba39a455617d851b90ecfc41ca7161e7d
-
SHA256
f503baa8d038a0e3f50857a860b9991e799bec6f245916ec7d7da46c63a18145
-
SHA512
53d3a4096dad3107db699ee0cd9982d1fe28af0dad10a73728cd0fb55e72633e231cb7e1a00a16ddbd99183e552bf43283dc5f7ef6ca0c91077be53bb23580b4
-
SSDEEP
6144:Xcm7ImGddXgYW5fNZWB5hFfci3Add4kGYAn:l7TcbWXZshJX2VGdn
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 64 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f503baa8d038a0e3f50857a860b9991e799bec6f245916ec7d7da46c63a18145.exe"C:\Users\Admin\AppData\Local\Temp\f503baa8d038a0e3f50857a860b9991e799bec6f245916ec7d7da46c63a18145.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\thhhbb.exec:\thhhbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdjvp.exec:\vdjvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thbbtb.exec:\thbbtb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxfrrrr.exec:\xxfrrrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbbhh.exec:\btbbhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vppjd.exec:\vppjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrlfxxf.exec:\xrlfxxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxxxrrx.exec:\xxxxrrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\httbnb.exec:\httbnb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xffxrrl.exec:\xffxrrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnhtt.exec:\tnnhtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrlrlr.exec:\lfrlrlr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbttn.exec:\btbttn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjvpv.exec:\vjvpv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llrfrlf.exec:\llrfrlf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjpjd.exec:\jjpjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrrfrlx.exec:\rrrfrlx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5ttbnn.exec:\5ttbnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbbthb.exec:\nbbthb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpddp.exec:\vpddp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3rflfxr.exec:\3rflfxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbtnbn.exec:\hbtnbn.exe23⤵
- Executes dropped EXE
-
\??\c:\vjjvp.exec:\vjjvp.exe24⤵
- Executes dropped EXE
-
\??\c:\rlxlxrf.exec:\rlxlxrf.exe25⤵
- Executes dropped EXE
-
\??\c:\nbnhbb.exec:\nbnhbb.exe26⤵
- Executes dropped EXE
-
\??\c:\xllflll.exec:\xllflll.exe27⤵
- Executes dropped EXE
-
\??\c:\3xrfrlf.exec:\3xrfrlf.exe28⤵
- Executes dropped EXE
-
\??\c:\tnnhbt.exec:\tnnhbt.exe29⤵
- Executes dropped EXE
-
\??\c:\xlrllfx.exec:\xlrllfx.exe30⤵
- Executes dropped EXE
-
\??\c:\vdppd.exec:\vdppd.exe31⤵
- Executes dropped EXE
-
\??\c:\ffrllfl.exec:\ffrllfl.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\bbttnh.exec:\bbttnh.exe33⤵
- Executes dropped EXE
-
\??\c:\lflfxxr.exec:\lflfxxr.exe34⤵
- Executes dropped EXE
-
\??\c:\tnnhbb.exec:\tnnhbb.exe35⤵
- Executes dropped EXE
-
\??\c:\nhhbnn.exec:\nhhbnn.exe36⤵
- Executes dropped EXE
-
\??\c:\7jpjj.exec:\7jpjj.exe37⤵
- Executes dropped EXE
-
\??\c:\rrxrfff.exec:\rrxrfff.exe38⤵
- Executes dropped EXE
-
\??\c:\rlfxrlf.exec:\rlfxrlf.exe39⤵
- Executes dropped EXE
-
\??\c:\hhhhbt.exec:\hhhhbt.exe40⤵
- Executes dropped EXE
-
\??\c:\pjpjp.exec:\pjpjp.exe41⤵
- Executes dropped EXE
-
\??\c:\djpjp.exec:\djpjp.exe42⤵
- Executes dropped EXE
-
\??\c:\rrfxfrl.exec:\rrfxfrl.exe43⤵
- Executes dropped EXE
-
\??\c:\bnnhbt.exec:\bnnhbt.exe44⤵
- Executes dropped EXE
-
\??\c:\dppdp.exec:\dppdp.exe45⤵
- Executes dropped EXE
-
\??\c:\rllffxr.exec:\rllffxr.exe46⤵
- Executes dropped EXE
-
\??\c:\bnhhbh.exec:\bnhhbh.exe47⤵
- Executes dropped EXE
-
\??\c:\5hhbtt.exec:\5hhbtt.exe48⤵
- Executes dropped EXE
-
\??\c:\vvvjd.exec:\vvvjd.exe49⤵
- Executes dropped EXE
-
\??\c:\3jdpd.exec:\3jdpd.exe50⤵
- Executes dropped EXE
-
\??\c:\frxrllf.exec:\frxrllf.exe51⤵
- Executes dropped EXE
-
\??\c:\hhbnhb.exec:\hhbnhb.exe52⤵
- Executes dropped EXE
-
\??\c:\9vpdv.exec:\9vpdv.exe53⤵
- Executes dropped EXE
-
\??\c:\7lfxlfx.exec:\7lfxlfx.exe54⤵
- Executes dropped EXE
-
\??\c:\llrlxxr.exec:\llrlxxr.exe55⤵
- Executes dropped EXE
-
\??\c:\htbtnn.exec:\htbtnn.exe56⤵
- Executes dropped EXE
-
\??\c:\vpjvj.exec:\vpjvj.exe57⤵
- Executes dropped EXE
-
\??\c:\5dvpd.exec:\5dvpd.exe58⤵
- Executes dropped EXE
-
\??\c:\thbbnn.exec:\thbbnn.exe59⤵
- Executes dropped EXE
-
\??\c:\vdvpj.exec:\vdvpj.exe60⤵
- Executes dropped EXE
-
\??\c:\pddvj.exec:\pddvj.exe61⤵
- Executes dropped EXE
-
\??\c:\5rrrlfr.exec:\5rrrlfr.exe62⤵
- Executes dropped EXE
-
\??\c:\bhnbtn.exec:\bhnbtn.exe63⤵
- Executes dropped EXE
-
\??\c:\pdpdp.exec:\pdpdp.exe64⤵
- Executes dropped EXE
-
\??\c:\xrlxxrx.exec:\xrlxxrx.exe65⤵
- Executes dropped EXE
-
\??\c:\xrxxrxr.exec:\xrxxrxr.exe66⤵
-
\??\c:\nttnhb.exec:\nttnhb.exe67⤵
-
\??\c:\jvppj.exec:\jvppj.exe68⤵
-
\??\c:\pdjjd.exec:\pdjjd.exe69⤵
-
\??\c:\fllfrxr.exec:\fllfrxr.exe70⤵
-
\??\c:\5bhtnh.exec:\5bhtnh.exe71⤵
-
\??\c:\bnbthh.exec:\bnbthh.exe72⤵
-
\??\c:\vjpdp.exec:\vjpdp.exe73⤵
-
\??\c:\xrlfrlf.exec:\xrlfrlf.exe74⤵
-
\??\c:\xrfxlrf.exec:\xrfxlrf.exe75⤵
-
\??\c:\thnbnh.exec:\thnbnh.exe76⤵
-
\??\c:\hhhthh.exec:\hhhthh.exe77⤵
-
\??\c:\vvpdj.exec:\vvpdj.exe78⤵
-
\??\c:\xfxlfrl.exec:\xfxlfrl.exe79⤵
-
\??\c:\fllxrfx.exec:\fllxrfx.exe80⤵
-
\??\c:\thhhhh.exec:\thhhhh.exe81⤵
-
\??\c:\jpvjv.exec:\jpvjv.exe82⤵
-
\??\c:\ffxlxrf.exec:\ffxlxrf.exe83⤵
-
\??\c:\ttthbn.exec:\ttthbn.exe84⤵
-
\??\c:\bhhthb.exec:\bhhthb.exe85⤵
-
\??\c:\jdpjv.exec:\jdpjv.exe86⤵
-
\??\c:\llxlxlr.exec:\llxlxlr.exe87⤵
-
\??\c:\bnnhnh.exec:\bnnhnh.exe88⤵
-
\??\c:\tttnhb.exec:\tttnhb.exe89⤵
-
\??\c:\9vpdv.exec:\9vpdv.exe90⤵
-
\??\c:\pjpdp.exec:\pjpdp.exe91⤵
-
\??\c:\hbhttn.exec:\hbhttn.exe92⤵
-
\??\c:\jdvpd.exec:\jdvpd.exe93⤵
-
\??\c:\7dvjv.exec:\7dvjv.exe94⤵
-
\??\c:\llxlrlf.exec:\llxlrlf.exe95⤵
-
\??\c:\9hbhbb.exec:\9hbhbb.exe96⤵
-
\??\c:\dpdvv.exec:\dpdvv.exe97⤵
-
\??\c:\jvvjd.exec:\jvvjd.exe98⤵
-
\??\c:\lffxrlf.exec:\lffxrlf.exe99⤵
-
\??\c:\thnhhh.exec:\thnhhh.exe100⤵
- System Location Discovery: System Language Discovery
-
\??\c:\vpdvd.exec:\vpdvd.exe101⤵
-
\??\c:\rxxrffx.exec:\rxxrffx.exe102⤵
-
\??\c:\rxfxllf.exec:\rxfxllf.exe103⤵
-
\??\c:\bbhbtn.exec:\bbhbtn.exe104⤵
-
\??\c:\nhnhbt.exec:\nhnhbt.exe105⤵
-
\??\c:\pdjjv.exec:\pdjjv.exe106⤵
-
\??\c:\5rlffff.exec:\5rlffff.exe107⤵
-
\??\c:\thhtnh.exec:\thhtnh.exe108⤵
-
\??\c:\tbhbtt.exec:\tbhbtt.exe109⤵
-
\??\c:\ppddv.exec:\ppddv.exe110⤵
-
\??\c:\dvpdv.exec:\dvpdv.exe111⤵
-
\??\c:\lflfxxr.exec:\lflfxxr.exe112⤵
-
\??\c:\3xxxrfx.exec:\3xxxrfx.exe113⤵
-
\??\c:\nbbhbb.exec:\nbbhbb.exe114⤵
-
\??\c:\3jjpj.exec:\3jjpj.exe115⤵
-
\??\c:\dvvvp.exec:\dvvvp.exe116⤵
- System Location Discovery: System Language Discovery
-
\??\c:\llxllrx.exec:\llxllrx.exe117⤵
-
\??\c:\tnhtbn.exec:\tnhtbn.exe118⤵
-
\??\c:\jddvp.exec:\jddvp.exe119⤵
-
\??\c:\lfxrffx.exec:\lfxrffx.exe120⤵
-
\??\c:\bnthtn.exec:\bnthtn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-