Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
24-11-2024 03:47
General
-
Target
d63abe588b87bbbc1854f05ee027b12f613a64ebc031c71044fcefc4a0108606.exe
-
Size
349KB
-
MD5
c127df286098c6e50dcc0f98b10238be
-
SHA1
01493860a0e40fa19b8e9787316dc79f9db6d558
-
SHA256
d63abe588b87bbbc1854f05ee027b12f613a64ebc031c71044fcefc4a0108606
-
SHA512
d005189b32569ca993f161e097f60762db154c053fdd432f1c2dd3c853ffdb8399acfec88e77cef27048b4c7ddbde2e08c2cbcbf7162eda1e5c4615db3f473d1
-
SSDEEP
6144:Xcm7ImGddXgYW5fNZWB5hFfci3Add4kGYA4K:l7TcbWXZshJX2VGd4K
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 62 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d63abe588b87bbbc1854f05ee027b12f613a64ebc031c71044fcefc4a0108606.exe"C:\Users\Admin\AppData\Local\Temp\d63abe588b87bbbc1854f05ee027b12f613a64ebc031c71044fcefc4a0108606.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\4802260.exec:\4802260.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvjd.exec:\jdvjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\82262.exec:\82262.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frrllfx.exec:\frrllfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxfxrrr.exec:\lxfxrrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnttn.exec:\tnnttn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frrfxrl.exec:\frrfxrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\44606.exec:\44606.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\888622.exec:\888622.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thtnhb.exec:\thtnhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6848882.exec:\6848882.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\284622.exec:\284622.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\444604.exec:\444604.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnttnn.exec:\tnttnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfrlrrf.exec:\xfrlrrf.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\bbhhhn.exec:\bbhhhn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7tthnt.exec:\7tthnt.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\0022600.exec:\0022600.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\64062.exec:\64062.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdpvp.exec:\vdpvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvjd.exec:\ddvjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrfxlfx.exec:\xrfxlfx.exe23⤵
- Executes dropped EXE
-
\??\c:\08048.exec:\08048.exe24⤵
- Executes dropped EXE
-
\??\c:\djpjj.exec:\djpjj.exe25⤵
- Executes dropped EXE
-
\??\c:\vvpjj.exec:\vvpjj.exe26⤵
- Executes dropped EXE
-
\??\c:\8204804.exec:\8204804.exe27⤵
- Executes dropped EXE
-
\??\c:\000048.exec:\000048.exe28⤵
- Executes dropped EXE
-
\??\c:\82266.exec:\82266.exe29⤵
- Executes dropped EXE
-
\??\c:\xrlfrlf.exec:\xrlfrlf.exe30⤵
- Executes dropped EXE
-
\??\c:\ppvjv.exec:\ppvjv.exe31⤵
- Executes dropped EXE
-
\??\c:\4480862.exec:\4480862.exe32⤵
- Executes dropped EXE
-
\??\c:\rxlfxrl.exec:\rxlfxrl.exe33⤵
- Executes dropped EXE
-
\??\c:\pvpjv.exec:\pvpjv.exe34⤵
- Executes dropped EXE
-
\??\c:\6226004.exec:\6226004.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\ppddv.exec:\ppddv.exe36⤵
- Executes dropped EXE
-
\??\c:\pjjdv.exec:\pjjdv.exe37⤵
- Executes dropped EXE
-
\??\c:\6666622.exec:\6666622.exe38⤵
- Executes dropped EXE
-
\??\c:\022440.exec:\022440.exe39⤵
- Executes dropped EXE
-
\??\c:\1vpjd.exec:\1vpjd.exe40⤵
- Executes dropped EXE
-
\??\c:\228002.exec:\228002.exe41⤵
- Executes dropped EXE
-
\??\c:\26406.exec:\26406.exe42⤵
- Executes dropped EXE
-
\??\c:\frxfllf.exec:\frxfllf.exe43⤵
- Executes dropped EXE
-
\??\c:\bntnhh.exec:\bntnhh.exe44⤵
- Executes dropped EXE
-
\??\c:\9bttnt.exec:\9bttnt.exe45⤵
- Executes dropped EXE
-
\??\c:\68044.exec:\68044.exe46⤵
- Executes dropped EXE
-
\??\c:\486420.exec:\486420.exe47⤵
- Executes dropped EXE
-
\??\c:\rxrlfff.exec:\rxrlfff.exe48⤵
- Executes dropped EXE
-
\??\c:\m8260.exec:\m8260.exe49⤵
- Executes dropped EXE
-
\??\c:\460888.exec:\460888.exe50⤵
- Executes dropped EXE
-
\??\c:\080048.exec:\080048.exe51⤵
- Executes dropped EXE
-
\??\c:\2426420.exec:\2426420.exe52⤵
- Executes dropped EXE
-
\??\c:\bbbbbb.exec:\bbbbbb.exe53⤵
- Executes dropped EXE
-
\??\c:\1nbbtt.exec:\1nbbtt.exe54⤵
- Executes dropped EXE
-
\??\c:\nhbbtb.exec:\nhbbtb.exe55⤵
- Executes dropped EXE
-
\??\c:\hbhbhn.exec:\hbhbhn.exe56⤵
- Executes dropped EXE
-
\??\c:\hbnntb.exec:\hbnntb.exe57⤵
- Executes dropped EXE
-
\??\c:\m4262.exec:\m4262.exe58⤵
- Executes dropped EXE
-
\??\c:\jdvjp.exec:\jdvjp.exe59⤵
- Executes dropped EXE
-
\??\c:\xfrrlrl.exec:\xfrrlrl.exe60⤵
- Executes dropped EXE
-
\??\c:\nhnnhh.exec:\nhnnhh.exe61⤵
- Executes dropped EXE
-
\??\c:\6624422.exec:\6624422.exe62⤵
- Executes dropped EXE
-
\??\c:\8640482.exec:\8640482.exe63⤵
- Executes dropped EXE
-
\??\c:\268266.exec:\268266.exe64⤵
- Executes dropped EXE
-
\??\c:\08440.exec:\08440.exe65⤵
- Executes dropped EXE
-
\??\c:\44280.exec:\44280.exe66⤵
-
\??\c:\3dpjj.exec:\3dpjj.exe67⤵
-
\??\c:\62860.exec:\62860.exe68⤵
-
\??\c:\82826.exec:\82826.exe69⤵
-
\??\c:\xlrrrff.exec:\xlrrrff.exe70⤵
-
\??\c:\tbnhbt.exec:\tbnhbt.exe71⤵
-
\??\c:\hbhnnt.exec:\hbhnnt.exe72⤵
-
\??\c:\vdjjp.exec:\vdjjp.exe73⤵
-
\??\c:\nhntbt.exec:\nhntbt.exe74⤵
-
\??\c:\84200.exec:\84200.exe75⤵
-
\??\c:\jvjdd.exec:\jvjdd.exe76⤵
-
\??\c:\lfrrxfr.exec:\lfrrxfr.exe77⤵
-
\??\c:\g4060.exec:\g4060.exe78⤵
-
\??\c:\vvvpp.exec:\vvvpp.exe79⤵
-
\??\c:\jvvpj.exec:\jvvpj.exe80⤵
-
\??\c:\48646.exec:\48646.exe81⤵
-
\??\c:\k44866.exec:\k44866.exe82⤵
-
\??\c:\66604.exec:\66604.exe83⤵
-
\??\c:\7nthnh.exec:\7nthnh.exe84⤵
-
\??\c:\tnnnhb.exec:\tnnnhb.exe85⤵
-
\??\c:\vdvpj.exec:\vdvpj.exe86⤵
-
\??\c:\4286404.exec:\4286404.exe87⤵
-
\??\c:\6666822.exec:\6666822.exe88⤵
-
\??\c:\jjpjj.exec:\jjpjj.exe89⤵
-
\??\c:\064404.exec:\064404.exe90⤵
-
\??\c:\lrrlxxr.exec:\lrrlxxr.exe91⤵
-
\??\c:\fxlrllx.exec:\fxlrllx.exe92⤵
-
\??\c:\62606.exec:\62606.exe93⤵
-
\??\c:\dpjvp.exec:\dpjvp.exe94⤵
-
\??\c:\6248266.exec:\6248266.exe95⤵
-
\??\c:\448022.exec:\448022.exe96⤵
-
\??\c:\bhhbtn.exec:\bhhbtn.exe97⤵
-
\??\c:\866464.exec:\866464.exe98⤵
-
\??\c:\htbtbt.exec:\htbtbt.exe99⤵
-
\??\c:\2226646.exec:\2226646.exe100⤵
-
\??\c:\1rrlrrl.exec:\1rrlrrl.exe101⤵
-
\??\c:\dpvpp.exec:\dpvpp.exe102⤵
-
\??\c:\84446.exec:\84446.exe103⤵
-
\??\c:\806468.exec:\806468.exe104⤵
-
\??\c:\nbnbnt.exec:\nbnbnt.exe105⤵
-
\??\c:\8460860.exec:\8460860.exe106⤵
-
\??\c:\rxrffxx.exec:\rxrffxx.exe107⤵
-
\??\c:\200208.exec:\200208.exe108⤵
-
\??\c:\82460.exec:\82460.exe109⤵
-
\??\c:\640426.exec:\640426.exe110⤵
-
\??\c:\440426.exec:\440426.exe111⤵
-
\??\c:\hhhnbb.exec:\hhhnbb.exe112⤵
-
\??\c:\jjppj.exec:\jjppj.exe113⤵
-
\??\c:\rxrfxfx.exec:\rxrfxfx.exe114⤵
-
\??\c:\82048.exec:\82048.exe115⤵
-
\??\c:\648826.exec:\648826.exe116⤵
-
\??\c:\btthbh.exec:\btthbh.exe117⤵
-
\??\c:\rxxrlrx.exec:\rxxrlrx.exe118⤵
-
\??\c:\828088.exec:\828088.exe119⤵
-
\??\c:\jjjdj.exec:\jjjdj.exe120⤵
-
\??\c:\lfxxxff.exec:\lfxxxff.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-