Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
24-11-2024 14:11
General
-
Target
b99586c3fc6e0f48f064ac8a49ddc657ab932b3c9a7b71ff8e0ceecf9494a70a.exe
-
Size
69KB
-
MD5
4a8039cf581bbec82ee1fd8d9743cc77
-
SHA1
1cb69dd2513e70ae1f0644007ac9343e350df2da
-
SHA256
b99586c3fc6e0f48f064ac8a49ddc657ab932b3c9a7b71ff8e0ceecf9494a70a
-
SHA512
23b61816860e13ba4b573bce98cdfa21437d5b051547d43215ac154b32a37094c64aacbdde9881eefb6142da861c2f1b061c69143561ec68956d05beaba561f7
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIsIoAch:ymb3NkkiQ3mdBjFIsIVch
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 36 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b99586c3fc6e0f48f064ac8a49ddc657ab932b3c9a7b71ff8e0ceecf9494a70a.exe"C:\Users\Admin\AppData\Local\Temp\b99586c3fc6e0f48f064ac8a49ddc657ab932b3c9a7b71ff8e0ceecf9494a70a.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\lrfrllf.exec:\lrfrllf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlllffx.exec:\rlllffx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbbtt.exec:\nhbbtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnttnb.exec:\tnttnb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9vjdd.exec:\9vjdd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flxxlll.exec:\flxxlll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pddpd.exec:\pddpd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxlfff.exec:\rlxlfff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbntnn.exec:\nbntnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjdjd.exec:\vjdjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhtnbb.exec:\hhtnbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvpp.exec:\dvvpp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvvv.exec:\pjvvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5xfxllf.exec:\5xfxllf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthbtb.exec:\bthbtb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxlxrlf.exec:\xxlxrlf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnhbb.exec:\ttnhbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7vdvp.exec:\7vdvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flfxrrl.exec:\flfxrrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thbtnn.exec:\thbtnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7dvpd.exec:\7dvpd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpjjd.exec:\jpjjd.exe23⤵
- Executes dropped EXE
-
\??\c:\5xxrlll.exec:\5xxrlll.exe24⤵
- Executes dropped EXE
-
\??\c:\rfrxrrl.exec:\rfrxrrl.exe25⤵
- Executes dropped EXE
-
\??\c:\btnnnn.exec:\btnnnn.exe26⤵
- Executes dropped EXE
-
\??\c:\hbhhbh.exec:\hbhhbh.exe27⤵
- Executes dropped EXE
-
\??\c:\jjppv.exec:\jjppv.exe28⤵
- Executes dropped EXE
-
\??\c:\xlxxxxr.exec:\xlxxxxr.exe29⤵
- Executes dropped EXE
-
\??\c:\nnhhhh.exec:\nnhhhh.exe30⤵
- Executes dropped EXE
-
\??\c:\bbbtnn.exec:\bbbtnn.exe31⤵
- Executes dropped EXE
-
\??\c:\jddvp.exec:\jddvp.exe32⤵
- Executes dropped EXE
-
\??\c:\llfxllx.exec:\llfxllx.exe33⤵
- Executes dropped EXE
-
\??\c:\rflfxrl.exec:\rflfxrl.exe34⤵
- Executes dropped EXE
-
\??\c:\tbbbtn.exec:\tbbbtn.exe35⤵
- Executes dropped EXE
-
\??\c:\ttnnhb.exec:\ttnnhb.exe36⤵
- Executes dropped EXE
-
\??\c:\pjjjd.exec:\pjjjd.exe37⤵
- Executes dropped EXE
-
\??\c:\fxlfllr.exec:\fxlfllr.exe38⤵
- Executes dropped EXE
-
\??\c:\lffxrrr.exec:\lffxrrr.exe39⤵
- Executes dropped EXE
-
\??\c:\tbhhbb.exec:\tbhhbb.exe40⤵
- Executes dropped EXE
-
\??\c:\hbtbtb.exec:\hbtbtb.exe41⤵
- Executes dropped EXE
-
\??\c:\jpjdv.exec:\jpjdv.exe42⤵
- Executes dropped EXE
-
\??\c:\frxfxxx.exec:\frxfxxx.exe43⤵
- Executes dropped EXE
-
\??\c:\xrffxxf.exec:\xrffxxf.exe44⤵
- Executes dropped EXE
-
\??\c:\hnhhbb.exec:\hnhhbb.exe45⤵
- Executes dropped EXE
-
\??\c:\pddpd.exec:\pddpd.exe46⤵
- Executes dropped EXE
-
\??\c:\pjpjv.exec:\pjpjv.exe47⤵
- Executes dropped EXE
-
\??\c:\xlrrlll.exec:\xlrrlll.exe48⤵
- Executes dropped EXE
-
\??\c:\bnnhbt.exec:\bnnhbt.exe49⤵
- Executes dropped EXE
-
\??\c:\hbtnbb.exec:\hbtnbb.exe50⤵
- Executes dropped EXE
-
\??\c:\vppdv.exec:\vppdv.exe51⤵
- Executes dropped EXE
-
\??\c:\vjdpd.exec:\vjdpd.exe52⤵
- Executes dropped EXE
-
\??\c:\7rxlrlx.exec:\7rxlrlx.exe53⤵
- Executes dropped EXE
-
\??\c:\btbnbt.exec:\btbnbt.exe54⤵
- Executes dropped EXE
-
\??\c:\hbhbbt.exec:\hbhbbt.exe55⤵
- Executes dropped EXE
-
\??\c:\jjppd.exec:\jjppd.exe56⤵
- Executes dropped EXE
-
\??\c:\dddpj.exec:\dddpj.exe57⤵
- Executes dropped EXE
-
\??\c:\xrflrfx.exec:\xrflrfx.exe58⤵
- Executes dropped EXE
-
\??\c:\htnhbb.exec:\htnhbb.exe59⤵
- Executes dropped EXE
-
\??\c:\nhtnnn.exec:\nhtnnn.exe60⤵
- Executes dropped EXE
-
\??\c:\pvjdv.exec:\pvjdv.exe61⤵
- Executes dropped EXE
-
\??\c:\3xlflll.exec:\3xlflll.exe62⤵
- Executes dropped EXE
-
\??\c:\xlllfxr.exec:\xlllfxr.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\hbnhtt.exec:\hbnhtt.exe64⤵
- Executes dropped EXE
-
\??\c:\tntthn.exec:\tntthn.exe65⤵
- Executes dropped EXE
-
\??\c:\pdddp.exec:\pdddp.exe66⤵
-
\??\c:\lflxxxr.exec:\lflxxxr.exe67⤵
-
\??\c:\vjpjj.exec:\vjpjj.exe68⤵
-
\??\c:\vvvjv.exec:\vvvjv.exe69⤵
-
\??\c:\1rxrfxr.exec:\1rxrfxr.exe70⤵
-
\??\c:\xrrrllf.exec:\xrrrllf.exe71⤵
-
\??\c:\vppjv.exec:\vppjv.exe72⤵
-
\??\c:\fxrlfff.exec:\fxrlfff.exe73⤵
-
\??\c:\btnbnh.exec:\btnbnh.exe74⤵
-
\??\c:\bbhbbb.exec:\bbhbbb.exe75⤵
-
\??\c:\jjjjp.exec:\jjjjp.exe76⤵
-
\??\c:\pddvp.exec:\pddvp.exe77⤵
-
\??\c:\rxxrlfx.exec:\rxxrlfx.exe78⤵
-
\??\c:\rlllfxl.exec:\rlllfxl.exe79⤵
-
\??\c:\htnhtn.exec:\htnhtn.exe80⤵
-
\??\c:\vjdjd.exec:\vjdjd.exe81⤵
-
\??\c:\jdpjd.exec:\jdpjd.exe82⤵
-
\??\c:\lrrlfxr.exec:\lrrlfxr.exe83⤵
-
\??\c:\3tbttn.exec:\3tbttn.exe84⤵
-
\??\c:\7bthtn.exec:\7bthtn.exe85⤵
-
\??\c:\1jdvj.exec:\1jdvj.exe86⤵
-
\??\c:\pvppd.exec:\pvppd.exe87⤵
-
\??\c:\xfxrxfx.exec:\xfxrxfx.exe88⤵
-
\??\c:\htbtnt.exec:\htbtnt.exe89⤵
-
\??\c:\nbbthb.exec:\nbbthb.exe90⤵
-
\??\c:\dvjdv.exec:\dvjdv.exe91⤵
-
\??\c:\dpdvj.exec:\dpdvj.exe92⤵
-
\??\c:\xxxrxrl.exec:\xxxrxrl.exe93⤵
-
\??\c:\tnbtnh.exec:\tnbtnh.exe94⤵
-
\??\c:\9bbtnh.exec:\9bbtnh.exe95⤵
-
\??\c:\vjjdv.exec:\vjjdv.exe96⤵
-
\??\c:\7lfxlfr.exec:\7lfxlfr.exe97⤵
-
\??\c:\hbttnt.exec:\hbttnt.exe98⤵
-
\??\c:\bnhthb.exec:\bnhthb.exe99⤵
-
\??\c:\dvpdp.exec:\dvpdp.exe100⤵
-
\??\c:\fxxlxlf.exec:\fxxlxlf.exe101⤵
-
\??\c:\hbttnh.exec:\hbttnh.exe102⤵
-
\??\c:\bbnhbt.exec:\bbnhbt.exe103⤵
-
\??\c:\dddvj.exec:\dddvj.exe104⤵
-
\??\c:\ddjdv.exec:\ddjdv.exe105⤵
-
\??\c:\rllxllx.exec:\rllxllx.exe106⤵
-
\??\c:\3tthtn.exec:\3tthtn.exe107⤵
-
\??\c:\bbbnbt.exec:\bbbnbt.exe108⤵
-
\??\c:\1djdd.exec:\1djdd.exe109⤵
-
\??\c:\xfxxffr.exec:\xfxxffr.exe110⤵
-
\??\c:\1llfxrf.exec:\1llfxrf.exe111⤵
-
\??\c:\lrfxllx.exec:\lrfxllx.exe112⤵
-
\??\c:\hhhbtt.exec:\hhhbtt.exe113⤵
-
\??\c:\tnthnb.exec:\tnthnb.exe114⤵
-
\??\c:\pjjdj.exec:\pjjdj.exe115⤵
-
\??\c:\frfflff.exec:\frfflff.exe116⤵
-
\??\c:\lrlfxrl.exec:\lrlfxrl.exe117⤵
-
\??\c:\hnbbtn.exec:\hnbbtn.exe118⤵
-
\??\c:\jpvdp.exec:\jpvdp.exe119⤵
-
\??\c:\djjvj.exec:\djjvj.exe120⤵
-
\??\c:\5flxlfr.exec:\5flxlfr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-