Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
24-11-2024 14:12
General
-
Target
297b6597f301075930743fb0b780d6d6b27880d27979fdb18292b1ed61d5c88eN.exe
-
Size
72KB
-
MD5
df190e37b21597ba70e584c0ce2a80e0
-
SHA1
8ef6725ea15d326f582efb4f6785d4eff26e5a74
-
SHA256
297b6597f301075930743fb0b780d6d6b27880d27979fdb18292b1ed61d5c88e
-
SHA512
229a765c2599aee039effa70f8d721b0c628cdbc82a1ab61fde32cae9c147a77f5913d128fb5c229014dd7fecfea8dddf5c94498a371d643e55256b93cf4b975
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfjF:ymb3NkkiQ3mdBjFI4VV
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\297b6597f301075930743fb0b780d6d6b27880d27979fdb18292b1ed61d5c88eN.exe"C:\Users\Admin\AppData\Local\Temp\297b6597f301075930743fb0b780d6d6b27880d27979fdb18292b1ed61d5c88eN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\9dppd.exec:\9dppd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxrrrl.exec:\fxxrrrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnnnhh.exec:\nnnnhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3nbtbb.exec:\3nbtbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjjd.exec:\pjjjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrrffl.exec:\rlrrffl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbhhbn.exec:\tbhhbn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1hnhbb.exec:\1hnhbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvjd.exec:\vvvjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7xrrffx.exec:\7xrrffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjjdv.exec:\vjjdv.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\ddppp.exec:\ddppp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrlfxxx.exec:\xrlfxxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thtnnn.exec:\thtnnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdddv.exec:\pdddv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxrllf.exec:\xlxrllf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1thbtt.exec:\1thbtt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7jddv.exec:\7jddv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxflxx.exec:\fxxflxx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thbbhh.exec:\thbbhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvpv.exec:\jjvpv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnhbnn.exec:\hnhbnn.exe23⤵
- Executes dropped EXE
-
\??\c:\1dpjj.exec:\1dpjj.exe24⤵
- Executes dropped EXE
-
\??\c:\rllfxxx.exec:\rllfxxx.exe25⤵
- Executes dropped EXE
-
\??\c:\bntttb.exec:\bntttb.exe26⤵
- Executes dropped EXE
-
\??\c:\pvddp.exec:\pvddp.exe27⤵
- Executes dropped EXE
-
\??\c:\rrrrllf.exec:\rrrrllf.exe28⤵
- Executes dropped EXE
-
\??\c:\3nhnhh.exec:\3nhnhh.exe29⤵
- Executes dropped EXE
-
\??\c:\hnhntb.exec:\hnhntb.exe30⤵
- Executes dropped EXE
-
\??\c:\jvdvv.exec:\jvdvv.exe31⤵
- Executes dropped EXE
-
\??\c:\lflllrr.exec:\lflllrr.exe32⤵
- Executes dropped EXE
-
\??\c:\tnntnn.exec:\tnntnn.exe33⤵
- Executes dropped EXE
-
\??\c:\jjvjj.exec:\jjvjj.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\xlrrlll.exec:\xlrrlll.exe35⤵
- Executes dropped EXE
-
\??\c:\bhbntb.exec:\bhbntb.exe36⤵
- Executes dropped EXE
-
\??\c:\pdppp.exec:\pdppp.exe37⤵
- Executes dropped EXE
-
\??\c:\jjdpj.exec:\jjdpj.exe38⤵
- Executes dropped EXE
-
\??\c:\xrxxxxf.exec:\xrxxxxf.exe39⤵
- Executes dropped EXE
-
\??\c:\rxfllll.exec:\rxfllll.exe40⤵
- Executes dropped EXE
-
\??\c:\7bhhhn.exec:\7bhhhn.exe41⤵
- Executes dropped EXE
-
\??\c:\pdvpj.exec:\pdvpj.exe42⤵
- Executes dropped EXE
-
\??\c:\fxxlfxr.exec:\fxxlfxr.exe43⤵
- Executes dropped EXE
-
\??\c:\hbnbhb.exec:\hbnbhb.exe44⤵
- Executes dropped EXE
-
\??\c:\bthhbb.exec:\bthhbb.exe45⤵
- Executes dropped EXE
-
\??\c:\dvjpv.exec:\dvjpv.exe46⤵
- Executes dropped EXE
-
\??\c:\dvvvv.exec:\dvvvv.exe47⤵
- Executes dropped EXE
-
\??\c:\xxffxxx.exec:\xxffxxx.exe48⤵
- Executes dropped EXE
-
\??\c:\nhthbb.exec:\nhthbb.exe49⤵
- Executes dropped EXE
-
\??\c:\nbnnnn.exec:\nbnnnn.exe50⤵
- Executes dropped EXE
-
\??\c:\vvvvp.exec:\vvvvp.exe51⤵
- Executes dropped EXE
-
\??\c:\lfrxrxr.exec:\lfrxrxr.exe52⤵
- Executes dropped EXE
-
\??\c:\xllflfr.exec:\xllflfr.exe53⤵
- Executes dropped EXE
-
\??\c:\1ttnnn.exec:\1ttnnn.exe54⤵
- Executes dropped EXE
-
\??\c:\ppjdv.exec:\ppjdv.exe55⤵
- Executes dropped EXE
-
\??\c:\rfrfxlx.exec:\rfrfxlx.exe56⤵
- Executes dropped EXE
-
\??\c:\rllrlrl.exec:\rllrlrl.exe57⤵
- Executes dropped EXE
-
\??\c:\btnnbh.exec:\btnnbh.exe58⤵
- Executes dropped EXE
-
\??\c:\frxxxxl.exec:\frxxxxl.exe59⤵
- Executes dropped EXE
-
\??\c:\hbtthh.exec:\hbtthh.exe60⤵
- Executes dropped EXE
-
\??\c:\ddjpj.exec:\ddjpj.exe61⤵
- Executes dropped EXE
-
\??\c:\ddvvp.exec:\ddvvp.exe62⤵
- Executes dropped EXE
-
\??\c:\llffllx.exec:\llffllx.exe63⤵
- Executes dropped EXE
-
\??\c:\lrxxxxx.exec:\lrxxxxx.exe64⤵
- Executes dropped EXE
-
\??\c:\ttbbtt.exec:\ttbbtt.exe65⤵
- Executes dropped EXE
-
\??\c:\vdpjv.exec:\vdpjv.exe66⤵
-
\??\c:\vpvpd.exec:\vpvpd.exe67⤵
-
\??\c:\rfrlfff.exec:\rfrlfff.exe68⤵
-
\??\c:\lrrrxfx.exec:\lrrrxfx.exe69⤵
-
\??\c:\bhnnnn.exec:\bhnnnn.exe70⤵
-
\??\c:\djjpj.exec:\djjpj.exe71⤵
-
\??\c:\frffxxr.exec:\frffxxr.exe72⤵
-
\??\c:\frfffll.exec:\frfffll.exe73⤵
-
\??\c:\7ttttt.exec:\7ttttt.exe74⤵
-
\??\c:\jpppv.exec:\jpppv.exe75⤵
-
\??\c:\9djjd.exec:\9djjd.exe76⤵
-
\??\c:\flrrxxf.exec:\flrrxxf.exe77⤵
-
\??\c:\hhhtth.exec:\hhhtth.exe78⤵
-
\??\c:\htbtnn.exec:\htbtnn.exe79⤵
-
\??\c:\jjjvp.exec:\jjjvp.exe80⤵
-
\??\c:\1rllfff.exec:\1rllfff.exe81⤵
-
\??\c:\3rflfll.exec:\3rflfll.exe82⤵
- System Location Discovery: System Language Discovery
-
\??\c:\nnnnhh.exec:\nnnnhh.exe83⤵
-
\??\c:\tnbbtt.exec:\tnbbtt.exe84⤵
-
\??\c:\rxxffff.exec:\rxxffff.exe85⤵
-
\??\c:\lrrlfrx.exec:\lrrlfrx.exe86⤵
-
\??\c:\hhbbtb.exec:\hhbbtb.exe87⤵
-
\??\c:\ttbttt.exec:\ttbttt.exe88⤵
-
\??\c:\ddjjv.exec:\ddjjv.exe89⤵
-
\??\c:\5jvvj.exec:\5jvvj.exe90⤵
-
\??\c:\lfffxff.exec:\lfffxff.exe91⤵
-
\??\c:\1bhtbh.exec:\1bhtbh.exe92⤵
-
\??\c:\pdpjd.exec:\pdpjd.exe93⤵
-
\??\c:\djjvd.exec:\djjvd.exe94⤵
-
\??\c:\1lrlllf.exec:\1lrlllf.exe95⤵
-
\??\c:\nnhhtt.exec:\nnhhtt.exe96⤵
-
\??\c:\ntbbtb.exec:\ntbbtb.exe97⤵
-
\??\c:\jpdvv.exec:\jpdvv.exe98⤵
-
\??\c:\vvvpp.exec:\vvvpp.exe99⤵
-
\??\c:\rlffffx.exec:\rlffffx.exe100⤵
-
\??\c:\btthht.exec:\btthht.exe101⤵
-
\??\c:\9vddv.exec:\9vddv.exe102⤵
-
\??\c:\ddppp.exec:\ddppp.exe103⤵
-
\??\c:\9ntbnt.exec:\9ntbnt.exe104⤵
-
\??\c:\5pjjv.exec:\5pjjv.exe105⤵
-
\??\c:\xlffflx.exec:\xlffflx.exe106⤵
-
\??\c:\5rlllff.exec:\5rlllff.exe107⤵
-
\??\c:\3thbhh.exec:\3thbhh.exe108⤵
-
\??\c:\jjpvv.exec:\jjpvv.exe109⤵
-
\??\c:\ppppp.exec:\ppppp.exe110⤵
-
\??\c:\xrrrllf.exec:\xrrrllf.exe111⤵
-
\??\c:\lrrrlll.exec:\lrrrlll.exe112⤵
-
\??\c:\hbtttt.exec:\hbtttt.exe113⤵
-
\??\c:\nhbbhh.exec:\nhbbhh.exe114⤵
-
\??\c:\jjppd.exec:\jjppd.exe115⤵
-
\??\c:\xxlfxff.exec:\xxlfxff.exe116⤵
-
\??\c:\nntttt.exec:\nntttt.exe117⤵
-
\??\c:\5bnhtb.exec:\5bnhtb.exe118⤵
-
\??\c:\ddppd.exec:\ddppd.exe119⤵
-
\??\c:\3pvpj.exec:\3pvpj.exe120⤵
-
\??\c:\9dvpj.exec:\9dvpj.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-