Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
24-11-2024 03:07
General
-
Target
c4e8ca21bb6882fccd0e899a6d93aa473b859e60423db6eca0645c9316169346.exe
-
Size
96KB
-
MD5
78df64c258f26ecec4361c803b9934a8
-
SHA1
de84e215db2887f2c0b15110f814df1a67bda402
-
SHA256
c4e8ca21bb6882fccd0e899a6d93aa473b859e60423db6eca0645c9316169346
-
SHA512
a7fdebceb0f20f9d01d66cb04be1b6f64b4c0843fb73dc8f26fe798fac1bf629e331173b1682d7e4dcdde7a0c76fb6938e3114428ed263625e560e9d62f86b69
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDoLuePjDYlZMzcLI:ymb3NkkiQ3mdBjFoLucjD7cM
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 33 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c4e8ca21bb6882fccd0e899a6d93aa473b859e60423db6eca0645c9316169346.exe"C:\Users\Admin\AppData\Local\Temp\c4e8ca21bb6882fccd0e899a6d93aa473b859e60423db6eca0645c9316169346.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\48888.exec:\48888.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\e80040.exec:\e80040.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\m0226.exec:\m0226.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvdvp.exec:\jvdvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hthtnn.exec:\hthtnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8204888.exec:\8204888.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0844824.exec:\0844824.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\64044.exec:\64044.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\828822.exec:\828822.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\604264.exec:\604264.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxlllx.exec:\lxxlllx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\w06066.exec:\w06066.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttntht.exec:\ttntht.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thnhbb.exec:\thnhbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\028262.exec:\028262.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\c660444.exec:\c660444.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\u464460.exec:\u464460.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnhhhh.exec:\bnhhhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3btthh.exec:\3btthh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bntnnn.exec:\bntnnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnbbb.exec:\tnnbbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\24260.exec:\24260.exe23⤵
- Executes dropped EXE
-
\??\c:\bhtnhb.exec:\bhtnhb.exe24⤵
- Executes dropped EXE
-
\??\c:\0282000.exec:\0282000.exe25⤵
- Executes dropped EXE
-
\??\c:\46848.exec:\46848.exe26⤵
- Executes dropped EXE
-
\??\c:\1djdv.exec:\1djdv.exe27⤵
- Executes dropped EXE
-
\??\c:\086804.exec:\086804.exe28⤵
- Executes dropped EXE
-
\??\c:\3flfrrl.exec:\3flfrrl.exe29⤵
- Executes dropped EXE
-
\??\c:\xrxllxx.exec:\xrxllxx.exe30⤵
- Executes dropped EXE
-
\??\c:\882082.exec:\882082.exe31⤵
- Executes dropped EXE
-
\??\c:\0266000.exec:\0266000.exe32⤵
- Executes dropped EXE
-
\??\c:\c460000.exec:\c460000.exe33⤵
- Executes dropped EXE
-
\??\c:\ttbbbb.exec:\ttbbbb.exe34⤵
- Executes dropped EXE
-
\??\c:\flffxrf.exec:\flffxrf.exe35⤵
- Executes dropped EXE
-
\??\c:\fflxrlf.exec:\fflxrlf.exe36⤵
- Executes dropped EXE
-
\??\c:\ttbtnh.exec:\ttbtnh.exe37⤵
- Executes dropped EXE
-
\??\c:\42440.exec:\42440.exe38⤵
- Executes dropped EXE
-
\??\c:\lllrlll.exec:\lllrlll.exe39⤵
- Executes dropped EXE
-
\??\c:\3xrlffx.exec:\3xrlffx.exe40⤵
- Executes dropped EXE
-
\??\c:\w66822.exec:\w66822.exe41⤵
- Executes dropped EXE
-
\??\c:\k40426.exec:\k40426.exe42⤵
- Executes dropped EXE
-
\??\c:\4282226.exec:\4282226.exe43⤵
- Executes dropped EXE
-
\??\c:\6406662.exec:\6406662.exe44⤵
- Executes dropped EXE
-
\??\c:\40066.exec:\40066.exe45⤵
- Executes dropped EXE
-
\??\c:\ppddd.exec:\ppddd.exe46⤵
- Executes dropped EXE
-
\??\c:\nttnbb.exec:\nttnbb.exe47⤵
- Executes dropped EXE
-
\??\c:\ttttbt.exec:\ttttbt.exe48⤵
- Executes dropped EXE
-
\??\c:\e46088.exec:\e46088.exe49⤵
- Executes dropped EXE
-
\??\c:\20882.exec:\20882.exe50⤵
- Executes dropped EXE
-
\??\c:\2406448.exec:\2406448.exe51⤵
- Executes dropped EXE
-
\??\c:\24004.exec:\24004.exe52⤵
- Executes dropped EXE
-
\??\c:\c060484.exec:\c060484.exe53⤵
- Executes dropped EXE
-
\??\c:\u242660.exec:\u242660.exe54⤵
- Executes dropped EXE
-
\??\c:\hnbtnn.exec:\hnbtnn.exe55⤵
- Executes dropped EXE
-
\??\c:\42882.exec:\42882.exe56⤵
- Executes dropped EXE
-
\??\c:\llrxrlf.exec:\llrxrlf.exe57⤵
- Executes dropped EXE
-
\??\c:\hbbtnn.exec:\hbbtnn.exe58⤵
- Executes dropped EXE
-
\??\c:\2066828.exec:\2066828.exe59⤵
- Executes dropped EXE
-
\??\c:\e46600.exec:\e46600.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\04004.exec:\04004.exe61⤵
- Executes dropped EXE
-
\??\c:\044868.exec:\044868.exe62⤵
- Executes dropped EXE
-
\??\c:\84660.exec:\84660.exe63⤵
- Executes dropped EXE
-
\??\c:\djvvj.exec:\djvvj.exe64⤵
- Executes dropped EXE
-
\??\c:\xlrfrrr.exec:\xlrfrrr.exe65⤵
- Executes dropped EXE
-
\??\c:\dpvvd.exec:\dpvvd.exe66⤵
-
\??\c:\xxlffff.exec:\xxlffff.exe67⤵
-
\??\c:\640444.exec:\640444.exe68⤵
-
\??\c:\vjvpv.exec:\vjvpv.exe69⤵
-
\??\c:\80604.exec:\80604.exe70⤵
-
\??\c:\886000.exec:\886000.exe71⤵
-
\??\c:\8282884.exec:\8282884.exe72⤵
-
\??\c:\xrrxffl.exec:\xrrxffl.exe73⤵
-
\??\c:\8448826.exec:\8448826.exe74⤵
-
\??\c:\48488.exec:\48488.exe75⤵
-
\??\c:\bthbht.exec:\bthbht.exe76⤵
-
\??\c:\602860.exec:\602860.exe77⤵
-
\??\c:\w02600.exec:\w02600.exe78⤵
-
\??\c:\tttnht.exec:\tttnht.exe79⤵
-
\??\c:\ddvvd.exec:\ddvvd.exe80⤵
-
\??\c:\bnnhbb.exec:\bnnhbb.exe81⤵
-
\??\c:\xrfxrlf.exec:\xrfxrlf.exe82⤵
-
\??\c:\xllfrlf.exec:\xllfrlf.exe83⤵
-
\??\c:\xrrlrlr.exec:\xrrlrlr.exe84⤵
-
\??\c:\bhbbnn.exec:\bhbbnn.exe85⤵
-
\??\c:\0468024.exec:\0468024.exe86⤵
-
\??\c:\2622444.exec:\2622444.exe87⤵
-
\??\c:\frlrllf.exec:\frlrllf.exe88⤵
-
\??\c:\084202.exec:\084202.exe89⤵
-
\??\c:\868266.exec:\868266.exe90⤵
-
\??\c:\k46840.exec:\k46840.exe91⤵
-
\??\c:\g2884.exec:\g2884.exe92⤵
-
\??\c:\0882048.exec:\0882048.exe93⤵
-
\??\c:\7ppjd.exec:\7ppjd.exe94⤵
-
\??\c:\vppjv.exec:\vppjv.exe95⤵
-
\??\c:\5ntnhb.exec:\5ntnhb.exe96⤵
-
\??\c:\bnnhtn.exec:\bnnhtn.exe97⤵
-
\??\c:\w24826.exec:\w24826.exe98⤵
-
\??\c:\3jjpj.exec:\3jjpj.exe99⤵
-
\??\c:\88844.exec:\88844.exe100⤵
-
\??\c:\rlfxlfr.exec:\rlfxlfr.exe101⤵
-
\??\c:\8404882.exec:\8404882.exe102⤵
-
\??\c:\0064828.exec:\0064828.exe103⤵
-
\??\c:\bnbtbb.exec:\bnbtbb.exe104⤵
-
\??\c:\g0082.exec:\g0082.exe105⤵
-
\??\c:\28480.exec:\28480.exe106⤵
-
\??\c:\i004204.exec:\i004204.exe107⤵
-
\??\c:\pddjj.exec:\pddjj.exe108⤵
-
\??\c:\vppdv.exec:\vppdv.exe109⤵
-
\??\c:\dppjv.exec:\dppjv.exe110⤵
-
\??\c:\9hhthb.exec:\9hhthb.exe111⤵
-
\??\c:\rxfxlfx.exec:\rxfxlfx.exe112⤵
-
\??\c:\6284800.exec:\6284800.exe113⤵
-
\??\c:\jvvvp.exec:\jvvvp.exe114⤵
-
\??\c:\3bbnhb.exec:\3bbnhb.exe115⤵
-
\??\c:\vdjpv.exec:\vdjpv.exe116⤵
-
\??\c:\g2204.exec:\g2204.exe117⤵
-
\??\c:\hbnhbt.exec:\hbnhbt.exe118⤵
-
\??\c:\04480.exec:\04480.exe119⤵
-
\??\c:\thnnhh.exec:\thnnhh.exe120⤵
-
\??\c:\xlfrfxr.exec:\xlfrfxr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-