Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
24-11-2024 11:46
General
-
Target
f9df4404b6cd8faebba99cf1987fc0c3ab737078018d6deccceea2fcde774f72.exe
-
Size
66KB
-
MD5
7dc2efe69bce3e7b63a16301849e3114
-
SHA1
ae2ba113fca0dfab484e570cb7f6682aff94846f
-
SHA256
f9df4404b6cd8faebba99cf1987fc0c3ab737078018d6deccceea2fcde774f72
-
SHA512
66a36f6ea9106c5aa220f78b3da9dcc535f6f351364b8275c898ffe17d4b984736ffd065977ef79ad8ccd3ebf994bba8b75782808f10870ee5cd4c3f7704d55f
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIvuzkzNM+:ymb3NkkiQ3mdBjFIvlpM+
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 29 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9df4404b6cd8faebba99cf1987fc0c3ab737078018d6deccceea2fcde774f72.exe"C:\Users\Admin\AppData\Local\Temp\f9df4404b6cd8faebba99cf1987fc0c3ab737078018d6deccceea2fcde774f72.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\ttbttn.exec:\ttbttn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3djdp.exec:\3djdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvddj.exec:\jvddj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxrxrf.exec:\lxxrxrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthnbh.exec:\bthnbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvpv.exec:\pjvpv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llrffxl.exec:\llrffxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbnhhb.exec:\nbnhhb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1pjvj.exec:\1pjvj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrxrrrx.exec:\rrxrrrx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbbtt.exec:\btbbtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9ttttt.exec:\9ttttt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvdv.exec:\dvvdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lllllfl.exec:\lllllfl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1nbtth.exec:\1nbtth.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddddv.exec:\ddddv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7frlffx.exec:\7frlffx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlrrlll.exec:\xlrrlll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbnnhh.exec:\nbnnhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvddv.exec:\dvddv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdjdj.exec:\pdjdj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfffffr.exec:\lfffffr.exe23⤵
- Executes dropped EXE
-
\??\c:\bhbntn.exec:\bhbntn.exe24⤵
- Executes dropped EXE
-
\??\c:\dddvj.exec:\dddvj.exe25⤵
- Executes dropped EXE
-
\??\c:\pjdvv.exec:\pjdvv.exe26⤵
- Executes dropped EXE
-
\??\c:\frrxfll.exec:\frrxfll.exe27⤵
- Executes dropped EXE
-
\??\c:\nbnhbh.exec:\nbnhbh.exe28⤵
- Executes dropped EXE
-
\??\c:\vvvvj.exec:\vvvvj.exe29⤵
- Executes dropped EXE
-
\??\c:\jdddd.exec:\jdddd.exe30⤵
- Executes dropped EXE
-
\??\c:\rrfxfxf.exec:\rrfxfxf.exe31⤵
- Executes dropped EXE
-
\??\c:\bhnhhb.exec:\bhnhhb.exe32⤵
- Executes dropped EXE
-
\??\c:\bntnhb.exec:\bntnhb.exe33⤵
- Executes dropped EXE
-
\??\c:\3jpjj.exec:\3jpjj.exe34⤵
- Executes dropped EXE
-
\??\c:\jjjdv.exec:\jjjdv.exe35⤵
- Executes dropped EXE
-
\??\c:\frxrllf.exec:\frxrllf.exe36⤵
- Executes dropped EXE
-
\??\c:\frxrrrf.exec:\frxrrrf.exe37⤵
- Executes dropped EXE
-
\??\c:\bntnnb.exec:\bntnnb.exe38⤵
- Executes dropped EXE
-
\??\c:\djdjd.exec:\djdjd.exe39⤵
- Executes dropped EXE
-
\??\c:\fxflxxx.exec:\fxflxxx.exe40⤵
- Executes dropped EXE
-
\??\c:\btthtn.exec:\btthtn.exe41⤵
- Executes dropped EXE
-
\??\c:\ddjjj.exec:\ddjjj.exe42⤵
- Executes dropped EXE
-
\??\c:\xlrlfxr.exec:\xlrlfxr.exe43⤵
- Executes dropped EXE
-
\??\c:\btntnn.exec:\btntnn.exe44⤵
- Executes dropped EXE
-
\??\c:\bbbbhb.exec:\bbbbhb.exe45⤵
- Executes dropped EXE
-
\??\c:\rfrlfrl.exec:\rfrlfrl.exe46⤵
- Executes dropped EXE
-
\??\c:\bnnhhb.exec:\bnnhhb.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\nnbbht.exec:\nnbbht.exe48⤵
- Executes dropped EXE
-
\??\c:\dvjpv.exec:\dvjpv.exe49⤵
- Executes dropped EXE
-
\??\c:\rlrrffx.exec:\rlrrffx.exe50⤵
- Executes dropped EXE
-
\??\c:\xrfffll.exec:\xrfffll.exe51⤵
- Executes dropped EXE
-
\??\c:\hbbtnn.exec:\hbbtnn.exe52⤵
- Executes dropped EXE
-
\??\c:\bbbhbb.exec:\bbbhbb.exe53⤵
- Executes dropped EXE
-
\??\c:\ppjvp.exec:\ppjvp.exe54⤵
- Executes dropped EXE
-
\??\c:\xxrlrrl.exec:\xxrlrrl.exe55⤵
- Executes dropped EXE
-
\??\c:\1xfrllf.exec:\1xfrllf.exe56⤵
- Executes dropped EXE
-
\??\c:\tntntb.exec:\tntntb.exe57⤵
- Executes dropped EXE
-
\??\c:\vjjpp.exec:\vjjpp.exe58⤵
- Executes dropped EXE
-
\??\c:\jdpjv.exec:\jdpjv.exe59⤵
- Executes dropped EXE
-
\??\c:\llfxxxx.exec:\llfxxxx.exe60⤵
- Executes dropped EXE
-
\??\c:\tnbbbb.exec:\tnbbbb.exe61⤵
- Executes dropped EXE
-
\??\c:\bbhbnn.exec:\bbhbnn.exe62⤵
- Executes dropped EXE
-
\??\c:\dpvpj.exec:\dpvpj.exe63⤵
- Executes dropped EXE
-
\??\c:\jdvvp.exec:\jdvvp.exe64⤵
- Executes dropped EXE
-
\??\c:\fxrxrff.exec:\fxrxrff.exe65⤵
- Executes dropped EXE
-
\??\c:\xlfxrrf.exec:\xlfxrrf.exe66⤵
-
\??\c:\tnnnnh.exec:\tnnnnh.exe67⤵
-
\??\c:\dddpj.exec:\dddpj.exe68⤵
-
\??\c:\dddvj.exec:\dddvj.exe69⤵
-
\??\c:\5ffxlll.exec:\5ffxlll.exe70⤵
-
\??\c:\1frrxxl.exec:\1frrxxl.exe71⤵
-
\??\c:\hbhnnn.exec:\hbhnnn.exe72⤵
-
\??\c:\tnbtbh.exec:\tnbtbh.exe73⤵
-
\??\c:\1dppp.exec:\1dppp.exe74⤵
-
\??\c:\rflrlrr.exec:\rflrlrr.exe75⤵
-
\??\c:\5pjdv.exec:\5pjdv.exe76⤵
-
\??\c:\frrlffl.exec:\frrlffl.exe77⤵
-
\??\c:\7fxrlrf.exec:\7fxrlrf.exe78⤵
-
\??\c:\tnhhnn.exec:\tnhhnn.exe79⤵
-
\??\c:\vjpvv.exec:\vjpvv.exe80⤵
-
\??\c:\jddjv.exec:\jddjv.exe81⤵
-
\??\c:\rfrllff.exec:\rfrllff.exe82⤵
-
\??\c:\rlrrllf.exec:\rlrrllf.exe83⤵
-
\??\c:\nbbbbb.exec:\nbbbbb.exe84⤵
-
\??\c:\pjddv.exec:\pjddv.exe85⤵
-
\??\c:\vjvvj.exec:\vjvvj.exe86⤵
-
\??\c:\7llfxrl.exec:\7llfxrl.exe87⤵
-
\??\c:\llxffrx.exec:\llxffrx.exe88⤵
-
\??\c:\nnnnnn.exec:\nnnnnn.exe89⤵
-
\??\c:\nbhbbb.exec:\nbhbbb.exe90⤵
-
\??\c:\dvjpd.exec:\dvjpd.exe91⤵
-
\??\c:\lflrlfr.exec:\lflrlfr.exe92⤵
-
\??\c:\3rfxllr.exec:\3rfxllr.exe93⤵
-
\??\c:\bbbnnb.exec:\bbbnnb.exe94⤵
-
\??\c:\tthnhh.exec:\tthnhh.exe95⤵
-
\??\c:\jvvpd.exec:\jvvpd.exe96⤵
-
\??\c:\dpvpp.exec:\dpvpp.exe97⤵
-
\??\c:\fflfllx.exec:\fflfllx.exe98⤵
-
\??\c:\rrllffx.exec:\rrllffx.exe99⤵
-
\??\c:\hbnntb.exec:\hbnntb.exe100⤵
-
\??\c:\btbtbb.exec:\btbtbb.exe101⤵
-
\??\c:\pdjjd.exec:\pdjjd.exe102⤵
-
\??\c:\rrfxrrx.exec:\rrfxrrx.exe103⤵
-
\??\c:\llrrllf.exec:\llrrllf.exe104⤵
-
\??\c:\httntn.exec:\httntn.exe105⤵
-
\??\c:\bthhnn.exec:\bthhnn.exe106⤵
-
\??\c:\vpdvv.exec:\vpdvv.exe107⤵
-
\??\c:\vvvpd.exec:\vvvpd.exe108⤵
-
\??\c:\xfxlllf.exec:\xfxlllf.exe109⤵
-
\??\c:\btbbtt.exec:\btbbtt.exe110⤵
-
\??\c:\5ddjd.exec:\5ddjd.exe111⤵
-
\??\c:\vjjdv.exec:\vjjdv.exe112⤵
-
\??\c:\xfxrrrl.exec:\xfxrrrl.exe113⤵
-
\??\c:\bbbhhh.exec:\bbbhhh.exe114⤵
-
\??\c:\bbbnnn.exec:\bbbnnn.exe115⤵
-
\??\c:\vdddv.exec:\vdddv.exe116⤵
-
\??\c:\pdjdp.exec:\pdjdp.exe117⤵
-
\??\c:\rffxrff.exec:\rffxrff.exe118⤵
-
\??\c:\ffrlrrx.exec:\ffrlrrx.exe119⤵
-
\??\c:\bhnnnt.exec:\bhnnnt.exe120⤵
-
\??\c:\nnthhh.exec:\nnthhh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-