Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-11-2024 16:25
General
-
Target
ee2cd552202dfeaf289b4135085782adab6e332c195284c32543f16a762a4ff3.exe
-
Size
245KB
-
MD5
bf2695c48bf77c994421e0592f2d2953
-
SHA1
71abe1c2be83a5402a3bdeb9f13c12475ac3f903
-
SHA256
ee2cd552202dfeaf289b4135085782adab6e332c195284c32543f16a762a4ff3
-
SHA512
b5c8d482dda726c8dee89bf8d14f975d6b046019684acc38870fab911a83451257027b239efc3bba22c18221cc8074933c63f9135deb13682818e41d9f741dc8
-
SSDEEP
6144:n3C9BRo7tvnJ9oEz2Eu9XgcVyDOoZU0wGiv/U:n3C9ytvnV2NQAo20wGivs
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 27 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 40 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee2cd552202dfeaf289b4135085782adab6e332c195284c32543f16a762a4ff3.exe"C:\Users\Admin\AppData\Local\Temp\ee2cd552202dfeaf289b4135085782adab6e332c195284c32543f16a762a4ff3.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxrlxr.exec:\rfxrlxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvjvd.exec:\pvjvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jppdv.exec:\jppdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1llfxfx.exec:\1llfxfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlfrrlr.exec:\rlfrrlr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3vvdv.exec:\3vvdv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1xxrlrl.exec:\1xxrlrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3jjdv.exec:\3jjdv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrfrrll.exec:\xrfrrll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpdvv.exec:\jpdvv.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\5lxrlxl.exec:\5lxrlxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhnhbn.exec:\nhnhbn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxfrlrl.exec:\fxfrlrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nttntn.exec:\nttntn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjvp.exec:\ppjvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9lxxlrl.exec:\9lxxlrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7bnhth.exec:\7bnhth.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djdpp.exec:\djdpp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9xfrxxr.exec:\9xfrxxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7nhnbh.exec:\7nhnbh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxrrlr.exec:\fxxrrlr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxxrlf.exec:\rfxxrlf.exe23⤵
- Executes dropped EXE
-
\??\c:\bthbnh.exec:\bthbnh.exe24⤵
- Executes dropped EXE
-
\??\c:\pjpjp.exec:\pjpjp.exe25⤵
- Executes dropped EXE
-
\??\c:\xflfllr.exec:\xflfllr.exe26⤵
- Executes dropped EXE
-
\??\c:\1btnhb.exec:\1btnhb.exe27⤵
- Executes dropped EXE
-
\??\c:\lflfxxx.exec:\lflfxxx.exe28⤵
- Executes dropped EXE
-
\??\c:\flrrlfx.exec:\flrrlfx.exe29⤵
- Executes dropped EXE
-
\??\c:\dvppj.exec:\dvppj.exe30⤵
- Executes dropped EXE
-
\??\c:\rffxrlf.exec:\rffxrlf.exe31⤵
- Executes dropped EXE
-
\??\c:\thbbth.exec:\thbbth.exe32⤵
- Executes dropped EXE
-
\??\c:\ppdpv.exec:\ppdpv.exe33⤵
- Executes dropped EXE
-
\??\c:\1lfxlfx.exec:\1lfxlfx.exe34⤵
- Executes dropped EXE
-
\??\c:\hbbnbt.exec:\hbbnbt.exe35⤵
- Executes dropped EXE
-
\??\c:\vjjdv.exec:\vjjdv.exe36⤵
- Executes dropped EXE
-
\??\c:\jdvdp.exec:\jdvdp.exe37⤵
- Executes dropped EXE
-
\??\c:\3xrfrrf.exec:\3xrfrrf.exe38⤵
- Executes dropped EXE
-
\??\c:\5nthbh.exec:\5nthbh.exe39⤵
- Executes dropped EXE
-
\??\c:\5htnhh.exec:\5htnhh.exe40⤵
- Executes dropped EXE
-
\??\c:\5jvjv.exec:\5jvjv.exe41⤵
- Executes dropped EXE
-
\??\c:\xlfrlfr.exec:\xlfrlfr.exe42⤵
- Executes dropped EXE
-
\??\c:\btnhtn.exec:\btnhtn.exe43⤵
- Executes dropped EXE
-
\??\c:\thbnhb.exec:\thbnhb.exe44⤵
- Executes dropped EXE
-
\??\c:\5jjjd.exec:\5jjjd.exe45⤵
- Executes dropped EXE
-
\??\c:\llxrrlf.exec:\llxrrlf.exe46⤵
- Executes dropped EXE
-
\??\c:\fxxfxxl.exec:\fxxfxxl.exe47⤵
- Executes dropped EXE
-
\??\c:\htbbbt.exec:\htbbbt.exe48⤵
- Executes dropped EXE
-
\??\c:\9jdpd.exec:\9jdpd.exe49⤵
- Executes dropped EXE
-
\??\c:\rfxflfx.exec:\rfxflfx.exe50⤵
- Executes dropped EXE
-
\??\c:\ntbbtt.exec:\ntbbtt.exe51⤵
- Executes dropped EXE
-
\??\c:\hhbtnt.exec:\hhbtnt.exe52⤵
- Executes dropped EXE
-
\??\c:\jddpj.exec:\jddpj.exe53⤵
- Executes dropped EXE
-
\??\c:\nbnhtn.exec:\nbnhtn.exe54⤵
- Executes dropped EXE
-
\??\c:\vjvjd.exec:\vjvjd.exe55⤵
- Executes dropped EXE
-
\??\c:\1jpjj.exec:\1jpjj.exe56⤵
- Executes dropped EXE
-
\??\c:\rrrfrrr.exec:\rrrfrrr.exe57⤵
- Executes dropped EXE
-
\??\c:\nnntnh.exec:\nnntnh.exe58⤵
- Executes dropped EXE
-
\??\c:\5vpdv.exec:\5vpdv.exe59⤵
- Executes dropped EXE
-
\??\c:\5xxrlxf.exec:\5xxrlxf.exe60⤵
- Executes dropped EXE
-
\??\c:\htbtnn.exec:\htbtnn.exe61⤵
- Executes dropped EXE
-
\??\c:\vvvvv.exec:\vvvvv.exe62⤵
- Executes dropped EXE
-
\??\c:\lfxxffx.exec:\lfxxffx.exe63⤵
- Executes dropped EXE
-
\??\c:\flrrlfx.exec:\flrrlfx.exe64⤵
- Executes dropped EXE
-
\??\c:\hntnbb.exec:\hntnbb.exe65⤵
- Executes dropped EXE
-
\??\c:\ddjdd.exec:\ddjdd.exe66⤵
-
\??\c:\1vddd.exec:\1vddd.exe67⤵
-
\??\c:\3xrlllr.exec:\3xrlllr.exe68⤵
-
\??\c:\hnhbhh.exec:\hnhbhh.exe69⤵
-
\??\c:\jjjdv.exec:\jjjdv.exe70⤵
-
\??\c:\rllxxrl.exec:\rllxxrl.exe71⤵
-
\??\c:\1rrfxfx.exec:\1rrfxfx.exe72⤵
-
\??\c:\bhhbnh.exec:\bhhbnh.exe73⤵
-
\??\c:\ppjjd.exec:\ppjjd.exe74⤵
-
\??\c:\pvjdp.exec:\pvjdp.exe75⤵
-
\??\c:\7rxxlrx.exec:\7rxxlrx.exe76⤵
-
\??\c:\5hhnhh.exec:\5hhnhh.exe77⤵
-
\??\c:\3hhbbh.exec:\3hhbbh.exe78⤵
-
\??\c:\3pppp.exec:\3pppp.exe79⤵
-
\??\c:\lffxxrl.exec:\lffxxrl.exe80⤵
-
\??\c:\1lxxxfx.exec:\1lxxxfx.exe81⤵
-
\??\c:\thnhbh.exec:\thnhbh.exe82⤵
-
\??\c:\pjdvv.exec:\pjdvv.exe83⤵
- System Location Discovery: System Language Discovery
-
\??\c:\fxfrlfl.exec:\fxfrlfl.exe84⤵
-
\??\c:\nbttnt.exec:\nbttnt.exe85⤵
-
\??\c:\hbhbbb.exec:\hbhbbb.exe86⤵
-
\??\c:\dvjdv.exec:\dvjdv.exe87⤵
-
\??\c:\1rfxllx.exec:\1rfxllx.exe88⤵
-
\??\c:\rrrrllx.exec:\rrrrllx.exe89⤵
-
\??\c:\hbbtnh.exec:\hbbtnh.exe90⤵
-
\??\c:\jdvpj.exec:\jdvpj.exe91⤵
-
\??\c:\xlrrllf.exec:\xlrrllf.exe92⤵
-
\??\c:\bbnnbb.exec:\bbnnbb.exe93⤵
-
\??\c:\jpjdv.exec:\jpjdv.exe94⤵
-
\??\c:\dppjd.exec:\dppjd.exe95⤵
-
\??\c:\lllfxxl.exec:\lllfxxl.exe96⤵
-
\??\c:\rlflxxr.exec:\rlflxxr.exe97⤵
-
\??\c:\bbbtnh.exec:\bbbtnh.exe98⤵
-
\??\c:\vvpjv.exec:\vvpjv.exe99⤵
-
\??\c:\llfxrlf.exec:\llfxrlf.exe100⤵
-
\??\c:\lffrlxr.exec:\lffrlxr.exe101⤵
-
\??\c:\thnnth.exec:\thnnth.exe102⤵
-
\??\c:\jvpjv.exec:\jvpjv.exe103⤵
-
\??\c:\ppjjv.exec:\ppjjv.exe104⤵
-
\??\c:\rllxfxr.exec:\rllxfxr.exe105⤵
-
\??\c:\lfffxlx.exec:\lfffxlx.exe106⤵
-
\??\c:\ththht.exec:\ththht.exe107⤵
-
\??\c:\nbthnn.exec:\nbthnn.exe108⤵
-
\??\c:\vjpjp.exec:\vjpjp.exe109⤵
-
\??\c:\xllxxrl.exec:\xllxxrl.exe110⤵
-
\??\c:\flxxllf.exec:\flxxllf.exe111⤵
-
\??\c:\hntbnn.exec:\hntbnn.exe112⤵
-
\??\c:\nttttn.exec:\nttttn.exe113⤵
-
\??\c:\pvvjd.exec:\pvvjd.exe114⤵
-
\??\c:\3rfxrxr.exec:\3rfxrxr.exe115⤵
-
\??\c:\5bhttn.exec:\5bhttn.exe116⤵
-
\??\c:\tthbth.exec:\tthbth.exe117⤵
-
\??\c:\9jpdp.exec:\9jpdp.exe118⤵
-
\??\c:\vjppv.exec:\vjppv.exe119⤵
-
\??\c:\3flfxrl.exec:\3flfxrl.exe120⤵
-
\??\c:\5nnnbb.exec:\5nnnbb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-