Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
24-11-2024 01:48
General
-
Target
c81a98664ccc133419938b9cf45b3cacfef17d1532cf2268d9781234d77795e7N.exe
-
Size
81KB
-
MD5
b6cf6aadf7676a92e6bda3f5a15aba80
-
SHA1
a328464a4187e48dad5e28121068ae690fd4c872
-
SHA256
c81a98664ccc133419938b9cf45b3cacfef17d1532cf2268d9781234d77795e7
-
SHA512
b3492d1cc071908d5af85951d90d79b775495f2542f87dcedb74abc2682a2f5ffa41a775e772a94391bad219b0fe6f172cda46fa04eebc05e2347855d13ea8d0
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIsIpWCz+FR4RzWqC5rINFE4yeqx:ymb3NkkiQ3mdBjFIsIpZ+R4RzWqCu41
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 28 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 32 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c81a98664ccc133419938b9cf45b3cacfef17d1532cf2268d9781234d77795e7N.exe"C:\Users\Admin\AppData\Local\Temp\c81a98664ccc133419938b9cf45b3cacfef17d1532cf2268d9781234d77795e7N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\vvppp.exec:\vvppp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpvvp.exec:\jpvvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5rxrlll.exec:\5rxrlll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvjjd.exec:\jvjjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxrrxx.exec:\fxxrrxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnnhbn.exec:\hnnhbn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1pjdv.exec:\1pjdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxfxxff.exec:\rxfxxff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbnhh.exec:\htbnhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5djdv.exec:\5djdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrllff.exec:\fxrllff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5nhnnb.exec:\5nhnnb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhbhh.exec:\hbhbhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvdjv.exec:\jvdjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrlxrlx.exec:\xrlxrlx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbnbt.exec:\btbnbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dddpj.exec:\dddpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxrffr.exec:\fxxrffr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthnhn.exec:\bthnhn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpvvv.exec:\dpvvv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xflrrll.exec:\xflrrll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btttnn.exec:\btttnn.exe23⤵
- Executes dropped EXE
-
\??\c:\ntnhth.exec:\ntnhth.exe24⤵
- Executes dropped EXE
-
\??\c:\dpvpj.exec:\dpvpj.exe25⤵
- Executes dropped EXE
-
\??\c:\xrrllxr.exec:\xrrllxr.exe26⤵
- Executes dropped EXE
-
\??\c:\ttbbtb.exec:\ttbbtb.exe27⤵
- Executes dropped EXE
-
\??\c:\dpjjj.exec:\dpjjj.exe28⤵
- Executes dropped EXE
-
\??\c:\fxxfffx.exec:\fxxfffx.exe29⤵
- Executes dropped EXE
-
\??\c:\bbbntn.exec:\bbbntn.exe30⤵
- Executes dropped EXE
-
\??\c:\7pvdv.exec:\7pvdv.exe31⤵
- Executes dropped EXE
-
\??\c:\bnnhbb.exec:\bnnhbb.exe32⤵
- Executes dropped EXE
-
\??\c:\lxrlfrf.exec:\lxrlfrf.exe33⤵
- Executes dropped EXE
-
\??\c:\7jvpj.exec:\7jvpj.exe34⤵
- Executes dropped EXE
-
\??\c:\xlrllxx.exec:\xlrllxx.exe35⤵
- Executes dropped EXE
-
\??\c:\hhhnnt.exec:\hhhnnt.exe36⤵
- Executes dropped EXE
-
\??\c:\nhtbtt.exec:\nhtbtt.exe37⤵
- Executes dropped EXE
-
\??\c:\djvvj.exec:\djvvj.exe38⤵
- Executes dropped EXE
-
\??\c:\9bntbb.exec:\9bntbb.exe39⤵
- Executes dropped EXE
-
\??\c:\hthntb.exec:\hthntb.exe40⤵
- Executes dropped EXE
-
\??\c:\ddjjv.exec:\ddjjv.exe41⤵
- Executes dropped EXE
-
\??\c:\lxrlxxx.exec:\lxrlxxx.exe42⤵
- Executes dropped EXE
-
\??\c:\bbbbbb.exec:\bbbbbb.exe43⤵
- Executes dropped EXE
-
\??\c:\vjppd.exec:\vjppd.exe44⤵
- Executes dropped EXE
-
\??\c:\nhbbtt.exec:\nhbbtt.exe45⤵
- Executes dropped EXE
-
\??\c:\ntttnb.exec:\ntttnb.exe46⤵
- Executes dropped EXE
-
\??\c:\vvddp.exec:\vvddp.exe47⤵
- Executes dropped EXE
-
\??\c:\rlffrxx.exec:\rlffrxx.exe48⤵
- Executes dropped EXE
-
\??\c:\fxrfxrl.exec:\fxrfxrl.exe49⤵
- Executes dropped EXE
-
\??\c:\nhnhbt.exec:\nhnhbt.exe50⤵
- Executes dropped EXE
-
\??\c:\3jvjj.exec:\3jvjj.exe51⤵
- Executes dropped EXE
-
\??\c:\7jvpj.exec:\7jvpj.exe52⤵
- Executes dropped EXE
-
\??\c:\rrrxffr.exec:\rrrxffr.exe53⤵
- Executes dropped EXE
-
\??\c:\jdjvv.exec:\jdjvv.exe54⤵
- Executes dropped EXE
-
\??\c:\vpppj.exec:\vpppj.exe55⤵
- Executes dropped EXE
-
\??\c:\fxxrlrf.exec:\fxxrlrf.exe56⤵
- Executes dropped EXE
-
\??\c:\lrxrlrr.exec:\lrxrlrr.exe57⤵
- Executes dropped EXE
-
\??\c:\bhntht.exec:\bhntht.exe58⤵
- Executes dropped EXE
-
\??\c:\hbnttb.exec:\hbnttb.exe59⤵
- Executes dropped EXE
-
\??\c:\pdjpj.exec:\pdjpj.exe60⤵
- Executes dropped EXE
-
\??\c:\frfxlrx.exec:\frfxlrx.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\xlrfxfl.exec:\xlrfxfl.exe62⤵
- Executes dropped EXE
-
\??\c:\hbbtnh.exec:\hbbtnh.exe63⤵
- Executes dropped EXE
-
\??\c:\hbhhhh.exec:\hbhhhh.exe64⤵
- Executes dropped EXE
-
\??\c:\vjpjd.exec:\vjpjd.exe65⤵
- Executes dropped EXE
-
\??\c:\1llfxxx.exec:\1llfxxx.exe66⤵
-
\??\c:\hhhhhb.exec:\hhhhhb.exe67⤵
-
\??\c:\5vjjj.exec:\5vjjj.exe68⤵
-
\??\c:\jjpjd.exec:\jjpjd.exe69⤵
- System Location Discovery: System Language Discovery
-
\??\c:\rrlrrrf.exec:\rrlrrrf.exe70⤵
-
\??\c:\bnnnnb.exec:\bnnnnb.exe71⤵
-
\??\c:\1nbtnt.exec:\1nbtnt.exe72⤵
-
\??\c:\djddj.exec:\djddj.exe73⤵
-
\??\c:\vpvvj.exec:\vpvvj.exe74⤵
-
\??\c:\rfllxfx.exec:\rfllxfx.exe75⤵
-
\??\c:\9xfffll.exec:\9xfffll.exe76⤵
-
\??\c:\3vvpd.exec:\3vvpd.exe77⤵
-
\??\c:\ppppj.exec:\ppppj.exe78⤵
-
\??\c:\fxxlfrr.exec:\fxxlfrr.exe79⤵
-
\??\c:\hbtntb.exec:\hbtntb.exe80⤵
-
\??\c:\nhhbhn.exec:\nhhbhn.exe81⤵
-
\??\c:\vdvjd.exec:\vdvjd.exe82⤵
-
\??\c:\xlrlflx.exec:\xlrlflx.exe83⤵
-
\??\c:\5bbttt.exec:\5bbttt.exe84⤵
-
\??\c:\3dpjd.exec:\3dpjd.exe85⤵
-
\??\c:\pppjj.exec:\pppjj.exe86⤵
-
\??\c:\9lflfxf.exec:\9lflfxf.exe87⤵
-
\??\c:\btnhhb.exec:\btnhhb.exe88⤵
-
\??\c:\ttbbnn.exec:\ttbbnn.exe89⤵
-
\??\c:\djpjd.exec:\djpjd.exe90⤵
-
\??\c:\rfrlflf.exec:\rfrlflf.exe91⤵
-
\??\c:\7rxxrrr.exec:\7rxxrrr.exe92⤵
-
\??\c:\tnhhtt.exec:\tnhhtt.exe93⤵
-
\??\c:\ppvpp.exec:\ppvpp.exe94⤵
-
\??\c:\1flffff.exec:\1flffff.exe95⤵
-
\??\c:\rffxxxx.exec:\rffxxxx.exe96⤵
-
\??\c:\xffflxr.exec:\xffflxr.exe97⤵
-
\??\c:\1rxrllf.exec:\1rxrllf.exe98⤵
-
\??\c:\9dpjj.exec:\9dpjj.exe99⤵
-
\??\c:\djdvd.exec:\djdvd.exe100⤵
-
\??\c:\rxfxrrr.exec:\rxfxrrr.exe101⤵
-
\??\c:\lrrrllf.exec:\lrrrllf.exe102⤵
-
\??\c:\hhthhh.exec:\hhthhh.exe103⤵
-
\??\c:\5pppj.exec:\5pppj.exe104⤵
-
\??\c:\5lxxrxx.exec:\5lxxrxx.exe105⤵
-
\??\c:\3rrxrll.exec:\3rrxrll.exe106⤵
-
\??\c:\ntbthh.exec:\ntbthh.exe107⤵
-
\??\c:\pjjpd.exec:\pjjpd.exe108⤵
-
\??\c:\xlllfxx.exec:\xlllfxx.exe109⤵
-
\??\c:\rrxfxfx.exec:\rrxfxfx.exe110⤵
-
\??\c:\7nnnnt.exec:\7nnnnt.exe111⤵
-
\??\c:\3btntn.exec:\3btntn.exe112⤵
-
\??\c:\pjpjd.exec:\pjpjd.exe113⤵
-
\??\c:\1vvjd.exec:\1vvjd.exe114⤵
-
\??\c:\xffxxrr.exec:\xffxxrr.exe115⤵
-
\??\c:\7tnnhb.exec:\7tnnhb.exe116⤵
- System Location Discovery: System Language Discovery
-
\??\c:\hbthbt.exec:\hbthbt.exe117⤵
-
\??\c:\rfxffrf.exec:\rfxffrf.exe118⤵
-
\??\c:\9lfffff.exec:\9lfffff.exe119⤵
-
\??\c:\5pdvv.exec:\5pdvv.exe120⤵
-
\??\c:\jdjdd.exec:\jdjdd.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-