Analysis
-
max time kernel
120s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
24-11-2024 01:21
General
-
Target
988b7520d682dbac0ceef153b106c1efaf2411751ec61cbde3587c6b39f016ecN.exe
-
Size
229KB
-
MD5
c5e7534975529f51823f5fd4190ede40
-
SHA1
ec7522020a699a8273ac8a81bcfe21bf1341ef1c
-
SHA256
988b7520d682dbac0ceef153b106c1efaf2411751ec61cbde3587c6b39f016ec
-
SHA512
99a9daf063e56f950e6aa884f3679d1df16e29fcb8b978dac2eecc5f6203cdb62a4bc9da27be6dcc63d4110b8ae5767964fd1e698d2be0a5fb9aa47bd9cd8b74
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLjBeGdQ:n3C9BRo7MlrWKo+lxKU
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 29 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\988b7520d682dbac0ceef153b106c1efaf2411751ec61cbde3587c6b39f016ecN.exe"C:\Users\Admin\AppData\Local\Temp\988b7520d682dbac0ceef153b106c1efaf2411751ec61cbde3587c6b39f016ecN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\xxfxrxx.exec:\xxfxrxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7vjjd.exec:\7vjjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbbth.exec:\htbbth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tthhnn.exec:\tthhnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjppj.exec:\vjppj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxlfrrx.exec:\fxlfrrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dppdj.exec:\dppdj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhtntb.exec:\bhtntb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbhhh.exec:\nhbhhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdjjp.exec:\vdjjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffrfrxl.exec:\ffrfrxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5tnntt.exec:\5tnntt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhbbh.exec:\nbhbbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdvpj.exec:\vdvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llrllfl.exec:\llrllfl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrfflf.exec:\rlrfflf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhnbn.exec:\nbhnbn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntbttt.exec:\ntbttt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vddvv.exec:\vddvv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lffxrlx.exec:\lffxrlx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrrllf.exec:\xrrrllf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhbtb.exec:\nnhbtb.exe23⤵
- Executes dropped EXE
-
\??\c:\dvdvv.exec:\dvdvv.exe24⤵
- Executes dropped EXE
-
\??\c:\vjjdj.exec:\vjjdj.exe25⤵
- Executes dropped EXE
-
\??\c:\9xxrlfr.exec:\9xxrlfr.exe26⤵
- Executes dropped EXE
-
\??\c:\nbbbbt.exec:\nbbbbt.exe27⤵
- Executes dropped EXE
-
\??\c:\pdpdv.exec:\pdpdv.exe28⤵
- Executes dropped EXE
-
\??\c:\rxrrlxr.exec:\rxrrlxr.exe29⤵
- Executes dropped EXE
-
\??\c:\lxfrrlr.exec:\lxfrrlr.exe30⤵
- Executes dropped EXE
-
\??\c:\nhhhnt.exec:\nhhhnt.exe31⤵
- Executes dropped EXE
-
\??\c:\ppdpj.exec:\ppdpj.exe32⤵
- Executes dropped EXE
-
\??\c:\frrrffx.exec:\frrrffx.exe33⤵
- Executes dropped EXE
-
\??\c:\xlfxrlf.exec:\xlfxrlf.exe34⤵
- Executes dropped EXE
-
\??\c:\hhnnht.exec:\hhnnht.exe35⤵
- Executes dropped EXE
-
\??\c:\1vvpj.exec:\1vvpj.exe36⤵
- Executes dropped EXE
-
\??\c:\llrfrlf.exec:\llrfrlf.exe37⤵
- Executes dropped EXE
-
\??\c:\lrffllf.exec:\lrffllf.exe38⤵
- Executes dropped EXE
-
\??\c:\nhnnbn.exec:\nhnnbn.exe39⤵
- Executes dropped EXE
-
\??\c:\djjpj.exec:\djjpj.exe40⤵
- Executes dropped EXE
-
\??\c:\xfffffl.exec:\xfffffl.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\tbhhtt.exec:\tbhhtt.exe42⤵
- Executes dropped EXE
-
\??\c:\tnhnnh.exec:\tnhnnh.exe43⤵
- Executes dropped EXE
-
\??\c:\pvdpv.exec:\pvdpv.exe44⤵
- Executes dropped EXE
-
\??\c:\fxrrxff.exec:\fxrrxff.exe45⤵
- Executes dropped EXE
-
\??\c:\hbbhnb.exec:\hbbhnb.exe46⤵
- Executes dropped EXE
-
\??\c:\dvjdv.exec:\dvjdv.exe47⤵
- Executes dropped EXE
-
\??\c:\dvdvv.exec:\dvdvv.exe48⤵
- Executes dropped EXE
-
\??\c:\fflrfxx.exec:\fflrfxx.exe49⤵
- Executes dropped EXE
-
\??\c:\nbbhtb.exec:\nbbhtb.exe50⤵
- Executes dropped EXE
-
\??\c:\dvjdj.exec:\dvjdj.exe51⤵
- Executes dropped EXE
-
\??\c:\pddvj.exec:\pddvj.exe52⤵
- Executes dropped EXE
-
\??\c:\fxrxffx.exec:\fxrxffx.exe53⤵
- Executes dropped EXE
-
\??\c:\hthbbb.exec:\hthbbb.exe54⤵
- Executes dropped EXE
-
\??\c:\pdjdd.exec:\pdjdd.exe55⤵
- Executes dropped EXE
-
\??\c:\xrlfxxl.exec:\xrlfxxl.exe56⤵
- Executes dropped EXE
-
\??\c:\9hhhnh.exec:\9hhhnh.exe57⤵
- Executes dropped EXE
-
\??\c:\hnthnt.exec:\hnthnt.exe58⤵
- Executes dropped EXE
-
\??\c:\djjjj.exec:\djjjj.exe59⤵
- Executes dropped EXE
-
\??\c:\llfxrrx.exec:\llfxrrx.exe60⤵
- Executes dropped EXE
-
\??\c:\vpppp.exec:\vpppp.exe61⤵
- Executes dropped EXE
-
\??\c:\rrfxllr.exec:\rrfxllr.exe62⤵
- Executes dropped EXE
-
\??\c:\5tbhbh.exec:\5tbhbh.exe63⤵
- Executes dropped EXE
-
\??\c:\djdvd.exec:\djdvd.exe64⤵
- Executes dropped EXE
-
\??\c:\rlrrxxl.exec:\rlrrxxl.exe65⤵
- Executes dropped EXE
-
\??\c:\rrxlffl.exec:\rrxlffl.exe66⤵
-
\??\c:\thntbn.exec:\thntbn.exe67⤵
-
\??\c:\lfrlxrf.exec:\lfrlxrf.exe68⤵
-
\??\c:\dpddd.exec:\dpddd.exe69⤵
-
\??\c:\pppvv.exec:\pppvv.exe70⤵
-
\??\c:\rlllxfx.exec:\rlllxfx.exe71⤵
-
\??\c:\bhnhbb.exec:\bhnhbb.exe72⤵
-
\??\c:\7ffxrff.exec:\7ffxrff.exe73⤵
-
\??\c:\tbhbbb.exec:\tbhbbb.exe74⤵
-
\??\c:\lrxxrrr.exec:\lrxxrrr.exe75⤵
-
\??\c:\1ttnhn.exec:\1ttnhn.exe76⤵
-
\??\c:\7djdv.exec:\7djdv.exe77⤵
-
\??\c:\flrrrrr.exec:\flrrrrr.exe78⤵
-
\??\c:\djdvp.exec:\djdvp.exe79⤵
-
\??\c:\nhnttt.exec:\nhnttt.exe80⤵
-
\??\c:\xlllfrr.exec:\xlllfrr.exe81⤵
-
\??\c:\hnbttn.exec:\hnbttn.exe82⤵
-
\??\c:\vjjvj.exec:\vjjvj.exe83⤵
-
\??\c:\lrfrrrl.exec:\lrfrrrl.exe84⤵
-
\??\c:\tntttn.exec:\tntttn.exe85⤵
-
\??\c:\pvjjd.exec:\pvjjd.exe86⤵
-
\??\c:\dvvdv.exec:\dvvdv.exe87⤵
-
\??\c:\5rllffx.exec:\5rllffx.exe88⤵
- System Location Discovery: System Language Discovery
-
\??\c:\thnhht.exec:\thnhht.exe89⤵
-
\??\c:\pvdpp.exec:\pvdpp.exe90⤵
-
\??\c:\pdpvp.exec:\pdpvp.exe91⤵
-
\??\c:\rlrrxxr.exec:\rlrrxxr.exe92⤵
-
\??\c:\htnhnb.exec:\htnhnb.exe93⤵
-
\??\c:\jddvp.exec:\jddvp.exe94⤵
-
\??\c:\llllllf.exec:\llllllf.exe95⤵
-
\??\c:\5nbtnn.exec:\5nbtnn.exe96⤵
-
\??\c:\5btnhh.exec:\5btnhh.exe97⤵
-
\??\c:\fxxlflr.exec:\fxxlflr.exe98⤵
-
\??\c:\btnnhn.exec:\btnnhn.exe99⤵
-
\??\c:\vvjjp.exec:\vvjjp.exe100⤵
-
\??\c:\rxlffxf.exec:\rxlffxf.exe101⤵
-
\??\c:\bhthhn.exec:\bhthhn.exe102⤵
-
\??\c:\nhntnh.exec:\nhntnh.exe103⤵
-
\??\c:\nhbttn.exec:\nhbttn.exe104⤵
-
\??\c:\ttbthn.exec:\ttbthn.exe105⤵
-
\??\c:\ddjdd.exec:\ddjdd.exe106⤵
-
\??\c:\nbnnnh.exec:\nbnnnh.exe107⤵
-
\??\c:\bbnhhn.exec:\bbnhhn.exe108⤵
- System Location Discovery: System Language Discovery
-
\??\c:\ppddv.exec:\ppddv.exe109⤵
-
\??\c:\9bntnn.exec:\9bntnn.exe110⤵
-
\??\c:\djdvv.exec:\djdvv.exe111⤵
-
\??\c:\lfllffx.exec:\lfllffx.exe112⤵
-
\??\c:\btbbht.exec:\btbbht.exe113⤵
-
\??\c:\tbbbtb.exec:\tbbbtb.exe114⤵
-
\??\c:\ddpjd.exec:\ddpjd.exe115⤵
-
\??\c:\pvpjp.exec:\pvpjp.exe116⤵
-
\??\c:\xxxfrrl.exec:\xxxfrrl.exe117⤵
-
\??\c:\bbnthh.exec:\bbnthh.exe118⤵
-
\??\c:\djpjj.exec:\djpjj.exe119⤵
-
\??\c:\ffxfrfr.exec:\ffxfrfr.exe120⤵
-
\??\c:\rxxrlfx.exec:\rxxrlfx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-