Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-11-2024 11:44
General
-
Target
e0be8170a3234c32bbceefcf5d6dce800b0c40bcaea87240ea7db8ab9d4dd7cd.exe
-
Size
86KB
-
MD5
299858b8db7ae1ab751673b4953185ac
-
SHA1
8630935ba7c234df2fbd6c458e16e25973cd2ad7
-
SHA256
e0be8170a3234c32bbceefcf5d6dce800b0c40bcaea87240ea7db8ab9d4dd7cd
-
SHA512
d5fc972c2907dae8265aea95887d0747350a2f9367d6169043c8871aa671bf181e4aa3b2998a3b4ad7e311ac0961612c027df0a5cb1c9374dd3b5dfb8e3c4d8d
-
SSDEEP
1536:9vQBeOGtrYS3srx93UBWfwC6Ggnouy8yaVskCzYBbKd+XsWgADSNVQfKPgqA22GU:9hOmTsF93UYfwC6GIoutyaVszyKd+XYg
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 63 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0be8170a3234c32bbceefcf5d6dce800b0c40bcaea87240ea7db8ab9d4dd7cd.exe"C:\Users\Admin\AppData\Local\Temp\e0be8170a3234c32bbceefcf5d6dce800b0c40bcaea87240ea7db8ab9d4dd7cd.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhbbb.exec:\hbhbbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbnnnb.exec:\bbnnnb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7bthnn.exec:\7bthnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\w48204.exec:\w48204.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrlrlf.exec:\rfrlrlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbthb.exec:\hhbthb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\246422.exec:\246422.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhtht.exec:\tnhtht.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnhthb.exec:\hnhthb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8686600.exec:\8686600.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\444868.exec:\444868.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\86888.exec:\86888.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbbnbt.exec:\tbbnbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frlxrlf.exec:\frlxrlf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrlxrl.exec:\rfrlxrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthbnn.exec:\bthbnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffxlrrf.exec:\ffxlrrf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\86248.exec:\86248.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnhhbt.exec:\hnhhbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnbbnh.exec:\nnbbnh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llfxlrl.exec:\llfxlrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\08264.exec:\08264.exe23⤵
- Executes dropped EXE
-
\??\c:\08824.exec:\08824.exe24⤵
- Executes dropped EXE
-
\??\c:\7dvpv.exec:\7dvpv.exe25⤵
- Executes dropped EXE
-
\??\c:\xllffll.exec:\xllffll.exe26⤵
- Executes dropped EXE
-
\??\c:\440426.exec:\440426.exe27⤵
- Executes dropped EXE
-
\??\c:\022648.exec:\022648.exe28⤵
- Executes dropped EXE
-
\??\c:\htbtnn.exec:\htbtnn.exe29⤵
- Executes dropped EXE
-
\??\c:\662808.exec:\662808.exe30⤵
- Executes dropped EXE
-
\??\c:\bbhbbb.exec:\bbhbbb.exe31⤵
- Executes dropped EXE
-
\??\c:\426648.exec:\426648.exe32⤵
- Executes dropped EXE
-
\??\c:\206600.exec:\206600.exe33⤵
- Executes dropped EXE
-
\??\c:\5pppd.exec:\5pppd.exe34⤵
- Executes dropped EXE
-
\??\c:\848620.exec:\848620.exe35⤵
- Executes dropped EXE
-
\??\c:\2466404.exec:\2466404.exe36⤵
- Executes dropped EXE
-
\??\c:\244822.exec:\244822.exe37⤵
- Executes dropped EXE
-
\??\c:\3lfxxrr.exec:\3lfxxrr.exe38⤵
- Executes dropped EXE
-
\??\c:\2060826.exec:\2060826.exe39⤵
- Executes dropped EXE
-
\??\c:\nhthnn.exec:\nhthnn.exe40⤵
- Executes dropped EXE
-
\??\c:\9xxrxff.exec:\9xxrxff.exe41⤵
- Executes dropped EXE
-
\??\c:\htttnh.exec:\htttnh.exe42⤵
- Executes dropped EXE
-
\??\c:\nbnbtn.exec:\nbnbtn.exe43⤵
- Executes dropped EXE
-
\??\c:\680022.exec:\680022.exe44⤵
- Executes dropped EXE
-
\??\c:\488822.exec:\488822.exe45⤵
- Executes dropped EXE
-
\??\c:\vjjdd.exec:\vjjdd.exe46⤵
- Executes dropped EXE
-
\??\c:\tbtttt.exec:\tbtttt.exe47⤵
- Executes dropped EXE
-
\??\c:\6060042.exec:\6060042.exe48⤵
- Executes dropped EXE
-
\??\c:\g0608.exec:\g0608.exe49⤵
- Executes dropped EXE
-
\??\c:\u448042.exec:\u448042.exe50⤵
- Executes dropped EXE
-
\??\c:\djjjj.exec:\djjjj.exe51⤵
- Executes dropped EXE
-
\??\c:\m0002.exec:\m0002.exe52⤵
- Executes dropped EXE
-
\??\c:\nbbtnh.exec:\nbbtnh.exe53⤵
- Executes dropped EXE
-
\??\c:\rxxxrrr.exec:\rxxxrrr.exe54⤵
- Executes dropped EXE
-
\??\c:\0488888.exec:\0488888.exe55⤵
- Executes dropped EXE
-
\??\c:\tbthhh.exec:\tbthhh.exe56⤵
- Executes dropped EXE
-
\??\c:\fxfxxxr.exec:\fxfxxxr.exe57⤵
- Executes dropped EXE
-
\??\c:\nbnbnb.exec:\nbnbnb.exe58⤵
- Executes dropped EXE
-
\??\c:\pddvv.exec:\pddvv.exe59⤵
- Executes dropped EXE
-
\??\c:\tnbthn.exec:\tnbthn.exe60⤵
- Executes dropped EXE
-
\??\c:\424444.exec:\424444.exe61⤵
- Executes dropped EXE
-
\??\c:\o222666.exec:\o222666.exe62⤵
- Executes dropped EXE
-
\??\c:\rxlrxlx.exec:\rxlrxlx.exe63⤵
- Executes dropped EXE
-
\??\c:\6244882.exec:\6244882.exe64⤵
- Executes dropped EXE
-
\??\c:\pjvvv.exec:\pjvvv.exe65⤵
- Executes dropped EXE
-
\??\c:\btbtbt.exec:\btbtbt.exe66⤵
-
\??\c:\vppvv.exec:\vppvv.exe67⤵
-
\??\c:\hbtnhh.exec:\hbtnhh.exe68⤵
-
\??\c:\086224.exec:\086224.exe69⤵
-
\??\c:\vpvpj.exec:\vpvpj.exe70⤵
-
\??\c:\026026.exec:\026026.exe71⤵
-
\??\c:\224488.exec:\224488.exe72⤵
-
\??\c:\26800.exec:\26800.exe73⤵
-
\??\c:\vppjv.exec:\vppjv.exe74⤵
-
\??\c:\s4086.exec:\s4086.exe75⤵
-
\??\c:\jdvvj.exec:\jdvvj.exe76⤵
-
\??\c:\0866268.exec:\0866268.exe77⤵
-
\??\c:\26288.exec:\26288.exe78⤵
-
\??\c:\86282.exec:\86282.exe79⤵
-
\??\c:\m8604.exec:\m8604.exe80⤵
-
\??\c:\5thhnn.exec:\5thhnn.exe81⤵
-
\??\c:\vpvpj.exec:\vpvpj.exe82⤵
-
\??\c:\602604.exec:\602604.exe83⤵
-
\??\c:\4840000.exec:\4840000.exe84⤵
-
\??\c:\pjdjd.exec:\pjdjd.exe85⤵
-
\??\c:\o482660.exec:\o482660.exe86⤵
-
\??\c:\bbbttt.exec:\bbbttt.exe87⤵
-
\??\c:\vpjdp.exec:\vpjdp.exe88⤵
-
\??\c:\c066626.exec:\c066626.exe89⤵
-
\??\c:\3ppjd.exec:\3ppjd.exe90⤵
-
\??\c:\2222000.exec:\2222000.exe91⤵
-
\??\c:\bntnhn.exec:\bntnhn.exe92⤵
-
\??\c:\04004.exec:\04004.exe93⤵
-
\??\c:\dvjdd.exec:\dvjdd.exe94⤵
-
\??\c:\flxrllf.exec:\flxrllf.exe95⤵
-
\??\c:\040266.exec:\040266.exe96⤵
-
\??\c:\9hhnhn.exec:\9hhnhn.exe97⤵
-
\??\c:\8062666.exec:\8062666.exe98⤵
-
\??\c:\6622464.exec:\6622464.exe99⤵
-
\??\c:\828822.exec:\828822.exe100⤵
-
\??\c:\a2880.exec:\a2880.exe101⤵
-
\??\c:\9dvpj.exec:\9dvpj.exe102⤵
-
\??\c:\htttnn.exec:\htttnn.exe103⤵
-
\??\c:\2028004.exec:\2028004.exe104⤵
-
\??\c:\lffflrx.exec:\lffflrx.exe105⤵
-
\??\c:\266600.exec:\266600.exe106⤵
-
\??\c:\rflxxfl.exec:\rflxxfl.exe107⤵
-
\??\c:\hhhnbt.exec:\hhhnbt.exe108⤵
-
\??\c:\1rxrrrx.exec:\1rxrrrx.exe109⤵
-
\??\c:\lflxffl.exec:\lflxffl.exe110⤵
-
\??\c:\424400.exec:\424400.exe111⤵
-
\??\c:\8866662.exec:\8866662.exe112⤵
-
\??\c:\fflffrf.exec:\fflffrf.exe113⤵
-
\??\c:\640488.exec:\640488.exe114⤵
-
\??\c:\fxfffff.exec:\fxfffff.exe115⤵
-
\??\c:\jvjjj.exec:\jvjjj.exe116⤵
-
\??\c:\thhbtn.exec:\thhbtn.exe117⤵
-
\??\c:\w28822.exec:\w28822.exe118⤵
-
\??\c:\0428444.exec:\0428444.exe119⤵
-
\??\c:\xlflffx.exec:\xlflffx.exe120⤵
-
\??\c:\6022880.exec:\6022880.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-