Analysis
-
max time kernel
120s -
max time network
92s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
24-11-2024 11:39
General
-
Target
f9df4404b6cd8faebba99cf1987fc0c3ab737078018d6deccceea2fcde774f72.exe
-
Size
66KB
-
MD5
7dc2efe69bce3e7b63a16301849e3114
-
SHA1
ae2ba113fca0dfab484e570cb7f6682aff94846f
-
SHA256
f9df4404b6cd8faebba99cf1987fc0c3ab737078018d6deccceea2fcde774f72
-
SHA512
66a36f6ea9106c5aa220f78b3da9dcc535f6f351364b8275c898ffe17d4b984736ffd065977ef79ad8ccd3ebf994bba8b75782808f10870ee5cd4c3f7704d55f
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIvuzkzNM+:ymb3NkkiQ3mdBjFIvlpM+
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 27 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9df4404b6cd8faebba99cf1987fc0c3ab737078018d6deccceea2fcde774f72.exe"C:\Users\Admin\AppData\Local\Temp\f9df4404b6cd8faebba99cf1987fc0c3ab737078018d6deccceea2fcde774f72.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\thnnnn.exec:\thnnnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flxffff.exec:\flxffff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxrlfx.exec:\xrxrlfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1tbbhh.exec:\1tbbhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvpdv.exec:\pvpdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxxrrr.exec:\lxxxrrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flxllll.exec:\flxllll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnbnn.exec:\hbnbnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jddvj.exec:\jddvj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frrllll.exec:\frrllll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bttnhn.exec:\bttnhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvvp.exec:\ddvvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3vdvp.exec:\3vdvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxxlrl.exec:\lxxxlrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thnnhh.exec:\thnnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxrlrl.exec:\frxrlrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbbbnn.exec:\tbbbnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvjd.exec:\pjvjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lllfrrr.exec:\lllfrrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbbbb.exec:\hhbbbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvdvp.exec:\jvdvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpppp.exec:\vpppp.exe23⤵
- Executes dropped EXE
-
\??\c:\lfxxrrl.exec:\lfxxrrl.exe24⤵
- Executes dropped EXE
-
\??\c:\bnhhbh.exec:\bnhhbh.exe25⤵
- Executes dropped EXE
-
\??\c:\httbtt.exec:\httbtt.exe26⤵
- Executes dropped EXE
-
\??\c:\pddvp.exec:\pddvp.exe27⤵
- Executes dropped EXE
-
\??\c:\lxffrrf.exec:\lxffrrf.exe28⤵
- Executes dropped EXE
-
\??\c:\tbhhbh.exec:\tbhhbh.exe29⤵
- Executes dropped EXE
-
\??\c:\pvpdp.exec:\pvpdp.exe30⤵
- Executes dropped EXE
-
\??\c:\rxlfffx.exec:\rxlfffx.exe31⤵
- Executes dropped EXE
-
\??\c:\tttnhn.exec:\tttnhn.exe32⤵
- Executes dropped EXE
-
\??\c:\1vvvj.exec:\1vvvj.exe33⤵
- Executes dropped EXE
-
\??\c:\djpdp.exec:\djpdp.exe34⤵
- Executes dropped EXE
-
\??\c:\xlrffxf.exec:\xlrffxf.exe35⤵
- Executes dropped EXE
-
\??\c:\lfxrxfx.exec:\lfxrxfx.exe36⤵
- Executes dropped EXE
-
\??\c:\9nnbtt.exec:\9nnbtt.exe37⤵
- Executes dropped EXE
-
\??\c:\vpdvp.exec:\vpdvp.exe38⤵
- Executes dropped EXE
-
\??\c:\pdvjv.exec:\pdvjv.exe39⤵
- Executes dropped EXE
-
\??\c:\fxlxrrr.exec:\fxlxrrr.exe40⤵
- Executes dropped EXE
-
\??\c:\bntbbb.exec:\bntbbb.exe41⤵
- Executes dropped EXE
-
\??\c:\9tbhnh.exec:\9tbhnh.exe42⤵
- Executes dropped EXE
-
\??\c:\9pddp.exec:\9pddp.exe43⤵
- Executes dropped EXE
-
\??\c:\flxrfxr.exec:\flxrfxr.exe44⤵
- Executes dropped EXE
-
\??\c:\fxrlfxl.exec:\fxrlfxl.exe45⤵
- Executes dropped EXE
-
\??\c:\bttnbh.exec:\bttnbh.exe46⤵
- Executes dropped EXE
-
\??\c:\nbbhtb.exec:\nbbhtb.exe47⤵
- Executes dropped EXE
-
\??\c:\dppjv.exec:\dppjv.exe48⤵
- Executes dropped EXE
-
\??\c:\xrxrrlr.exec:\xrxrrlr.exe49⤵
- Executes dropped EXE
-
\??\c:\nhbthh.exec:\nhbthh.exe50⤵
- Executes dropped EXE
-
\??\c:\nntnhh.exec:\nntnhh.exe51⤵
- Executes dropped EXE
-
\??\c:\dpjpd.exec:\dpjpd.exe52⤵
- Executes dropped EXE
-
\??\c:\3lllrlr.exec:\3lllrlr.exe53⤵
- Executes dropped EXE
-
\??\c:\xrrxxlr.exec:\xrrxxlr.exe54⤵
- Executes dropped EXE
-
\??\c:\hhnnhh.exec:\hhnnhh.exe55⤵
- Executes dropped EXE
-
\??\c:\pvjjv.exec:\pvjjv.exe56⤵
- Executes dropped EXE
-
\??\c:\dvpvv.exec:\dvpvv.exe57⤵
- Executes dropped EXE
-
\??\c:\rlrlllr.exec:\rlrlllr.exe58⤵
- Executes dropped EXE
-
\??\c:\httttt.exec:\httttt.exe59⤵
- Executes dropped EXE
-
\??\c:\jdjjd.exec:\jdjjd.exe60⤵
- Executes dropped EXE
-
\??\c:\jvvpd.exec:\jvvpd.exe61⤵
- Executes dropped EXE
-
\??\c:\frffrxr.exec:\frffrxr.exe62⤵
- Executes dropped EXE
-
\??\c:\htbnbn.exec:\htbnbn.exe63⤵
- Executes dropped EXE
-
\??\c:\tbhhtt.exec:\tbhhtt.exe64⤵
- Executes dropped EXE
-
\??\c:\5dvpd.exec:\5dvpd.exe65⤵
- Executes dropped EXE
-
\??\c:\rlxrfxr.exec:\rlxrfxr.exe66⤵
-
\??\c:\bbtttt.exec:\bbtttt.exe67⤵
-
\??\c:\hhtbhh.exec:\hhtbhh.exe68⤵
-
\??\c:\vjjdv.exec:\vjjdv.exe69⤵
-
\??\c:\ppvvv.exec:\ppvvv.exe70⤵
-
\??\c:\jpdpd.exec:\jpdpd.exe71⤵
-
\??\c:\fxflrrx.exec:\fxflrrx.exe72⤵
-
\??\c:\rxlfxxr.exec:\rxlfxxr.exe73⤵
-
\??\c:\ntnhbb.exec:\ntnhbb.exe74⤵
-
\??\c:\ddddp.exec:\ddddp.exe75⤵
-
\??\c:\7ppjd.exec:\7ppjd.exe76⤵
-
\??\c:\lrfxrrr.exec:\lrfxrrr.exe77⤵
-
\??\c:\frrfrlf.exec:\frrfrlf.exe78⤵
-
\??\c:\tbnnbb.exec:\tbnnbb.exe79⤵
-
\??\c:\pvppd.exec:\pvppd.exe80⤵
-
\??\c:\ppppj.exec:\ppppj.exe81⤵
-
\??\c:\lxfxrrl.exec:\lxfxrrl.exe82⤵
-
\??\c:\tbntnn.exec:\tbntnn.exe83⤵
-
\??\c:\nbtnbb.exec:\nbtnbb.exe84⤵
-
\??\c:\dvvpd.exec:\dvvpd.exe85⤵
-
\??\c:\fxrrlxx.exec:\fxrrlxx.exe86⤵
-
\??\c:\bttnbb.exec:\bttnbb.exe87⤵
-
\??\c:\vjpjd.exec:\vjpjd.exe88⤵
-
\??\c:\vddvv.exec:\vddvv.exe89⤵
-
\??\c:\xffxrrl.exec:\xffxrrl.exe90⤵
-
\??\c:\ffffxll.exec:\ffffxll.exe91⤵
-
\??\c:\nbbbbb.exec:\nbbbbb.exe92⤵
-
\??\c:\dppdp.exec:\dppdp.exe93⤵
-
\??\c:\vppjd.exec:\vppjd.exe94⤵
-
\??\c:\fxrfrlf.exec:\fxrfrlf.exe95⤵
-
\??\c:\btbthh.exec:\btbthh.exe96⤵
-
\??\c:\3hhhtt.exec:\3hhhtt.exe97⤵
-
\??\c:\dvvvp.exec:\dvvvp.exe98⤵
-
\??\c:\jdpdv.exec:\jdpdv.exe99⤵
-
\??\c:\xrrlffx.exec:\xrrlffx.exe100⤵
-
\??\c:\9ntnbt.exec:\9ntnbt.exe101⤵
-
\??\c:\jvvvp.exec:\jvvvp.exe102⤵
-
\??\c:\ddddv.exec:\ddddv.exe103⤵
-
\??\c:\vpdvv.exec:\vpdvv.exe104⤵
-
\??\c:\lfrrxxl.exec:\lfrrxxl.exe105⤵
-
\??\c:\tntnbt.exec:\tntnbt.exe106⤵
-
\??\c:\jvjvp.exec:\jvjvp.exe107⤵
-
\??\c:\pddvj.exec:\pddvj.exe108⤵
- System Location Discovery: System Language Discovery
-
\??\c:\pjdvp.exec:\pjdvp.exe109⤵
-
\??\c:\1rllfff.exec:\1rllfff.exe110⤵
-
\??\c:\thbhhh.exec:\thbhhh.exe111⤵
-
\??\c:\tnhbbb.exec:\tnhbbb.exe112⤵
-
\??\c:\pddvj.exec:\pddvj.exe113⤵
-
\??\c:\xrffxrl.exec:\xrffxrl.exe114⤵
-
\??\c:\frllfxl.exec:\frllfxl.exe115⤵
-
\??\c:\thbhtb.exec:\thbhtb.exe116⤵
-
\??\c:\7vvpp.exec:\7vvpp.exe117⤵
-
\??\c:\vppjv.exec:\vppjv.exe118⤵
-
\??\c:\lrrlfff.exec:\lrrlfff.exe119⤵
-
\??\c:\xrrfxrl.exec:\xrrfxrl.exe120⤵
-
\??\c:\5bhhbb.exec:\5bhhbb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-