Analysis
-
max time kernel
120s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
24-11-2024 17:44
General
-
Target
c056c7646d380e1bcaa8701681af7496170c1e33d6daf5bacb68f89d72414643N.exe
-
Size
70KB
-
MD5
bea6ae7f8ece893c6b457b53aeb342d0
-
SHA1
3818e647df7ae4cc654df225f365ca547648ba8b
-
SHA256
c056c7646d380e1bcaa8701681af7496170c1e33d6daf5bacb68f89d72414643
-
SHA512
1612067ac58b23238bc75657ebba7293134af65b83d7e8ca58ed3dc92d5b69703626327b8a344b8d531744754ea5b9c9c7a3db3061b349acffc9d46a701e099c
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6Mu/ePS3Aa:ymb3NkkiQ3mdBjFI46TQa
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c056c7646d380e1bcaa8701681af7496170c1e33d6daf5bacb68f89d72414643N.exe"C:\Users\Admin\AppData\Local\Temp\c056c7646d380e1bcaa8701681af7496170c1e33d6daf5bacb68f89d72414643N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\vddvd.exec:\vddvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lflfffr.exec:\lflfffr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffllfff.exec:\ffllfff.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\fllllll.exec:\fllllll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3hhbhn.exec:\3hhbhn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvddd.exec:\dvddd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5frlrrl.exec:\5frlrrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxfxrfx.exec:\lxfxrfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1vvvv.exec:\1vvvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3vpvp.exec:\3vpvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1llfxfr.exec:\1llfxfr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbbtt.exec:\hhbbtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvvp.exec:\vvvvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxflrrx.exec:\rxflrrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbbhhb.exec:\nbbhhb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdjjd.exec:\vdjjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vddpp.exec:\vddpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbthn.exec:\btbthn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9hbttt.exec:\9hbttt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdddd.exec:\vdddd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppppp.exec:\ppppp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxffffx.exec:\fxffffx.exe23⤵
- Executes dropped EXE
-
\??\c:\hhnhtt.exec:\hhnhtt.exe24⤵
- Executes dropped EXE
-
\??\c:\5hhbbh.exec:\5hhbbh.exe25⤵
- Executes dropped EXE
-
\??\c:\vdppp.exec:\vdppp.exe26⤵
- Executes dropped EXE
-
\??\c:\5vjdv.exec:\5vjdv.exe27⤵
- Executes dropped EXE
-
\??\c:\rlxrffx.exec:\rlxrffx.exe28⤵
- Executes dropped EXE
-
\??\c:\bntbtt.exec:\bntbtt.exe29⤵
- Executes dropped EXE
-
\??\c:\9djjv.exec:\9djjv.exe30⤵
- Executes dropped EXE
-
\??\c:\rrxrlrr.exec:\rrxrlrr.exe31⤵
- Executes dropped EXE
-
\??\c:\rlrrlrl.exec:\rlrrlrl.exe32⤵
- Executes dropped EXE
-
\??\c:\nnbttn.exec:\nnbttn.exe33⤵
- Executes dropped EXE
-
\??\c:\hnhhbb.exec:\hnhhbb.exe34⤵
- Executes dropped EXE
-
\??\c:\9jjdv.exec:\9jjdv.exe35⤵
- Executes dropped EXE
-
\??\c:\3pvdj.exec:\3pvdj.exe36⤵
- Executes dropped EXE
-
\??\c:\rrxrxxf.exec:\rrxrxxf.exe37⤵
- Executes dropped EXE
-
\??\c:\7lrlffr.exec:\7lrlffr.exe38⤵
- Executes dropped EXE
-
\??\c:\hnhhhh.exec:\hnhhhh.exe39⤵
- Executes dropped EXE
-
\??\c:\nnbhnb.exec:\nnbhnb.exe40⤵
- Executes dropped EXE
-
\??\c:\5dvvv.exec:\5dvvv.exe41⤵
- Executes dropped EXE
-
\??\c:\5rxrlrr.exec:\5rxrlrr.exe42⤵
- Executes dropped EXE
-
\??\c:\tntttb.exec:\tntttb.exe43⤵
- Executes dropped EXE
-
\??\c:\bttnnn.exec:\bttnnn.exe44⤵
- Executes dropped EXE
-
\??\c:\pvddv.exec:\pvddv.exe45⤵
- Executes dropped EXE
-
\??\c:\5rxxxxx.exec:\5rxxxxx.exe46⤵
- Executes dropped EXE
-
\??\c:\nhhhhh.exec:\nhhhhh.exe47⤵
- Executes dropped EXE
-
\??\c:\pvdjp.exec:\pvdjp.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\ttbbhh.exec:\ttbbhh.exe49⤵
- Executes dropped EXE
-
\??\c:\nhnnbb.exec:\nhnnbb.exe50⤵
- Executes dropped EXE
-
\??\c:\vvvvp.exec:\vvvvp.exe51⤵
- Executes dropped EXE
-
\??\c:\rrfffff.exec:\rrfffff.exe52⤵
- Executes dropped EXE
-
\??\c:\xllflfl.exec:\xllflfl.exe53⤵
- Executes dropped EXE
-
\??\c:\pvvjp.exec:\pvvjp.exe54⤵
- Executes dropped EXE
-
\??\c:\9tnntt.exec:\9tnntt.exe55⤵
- Executes dropped EXE
-
\??\c:\vjjjp.exec:\vjjjp.exe56⤵
- Executes dropped EXE
-
\??\c:\llffxxx.exec:\llffxxx.exe57⤵
- Executes dropped EXE
-
\??\c:\nbtnnh.exec:\nbtnnh.exe58⤵
- Executes dropped EXE
-
\??\c:\vjjjd.exec:\vjjjd.exe59⤵
- Executes dropped EXE
-
\??\c:\jjjjd.exec:\jjjjd.exe60⤵
- Executes dropped EXE
-
\??\c:\frllrrr.exec:\frllrrr.exe61⤵
- Executes dropped EXE
-
\??\c:\3rlfllf.exec:\3rlfllf.exe62⤵
- Executes dropped EXE
-
\??\c:\3dvdp.exec:\3dvdp.exe63⤵
- Executes dropped EXE
-
\??\c:\pvvvp.exec:\pvvvp.exe64⤵
- Executes dropped EXE
-
\??\c:\lrrlllf.exec:\lrrlllf.exe65⤵
- Executes dropped EXE
-
\??\c:\1hhhbb.exec:\1hhhbb.exe66⤵
-
\??\c:\nnthhh.exec:\nnthhh.exe67⤵
-
\??\c:\vdppp.exec:\vdppp.exe68⤵
- System Location Discovery: System Language Discovery
-
\??\c:\5jppp.exec:\5jppp.exe69⤵
-
\??\c:\3llfrrl.exec:\3llfrrl.exe70⤵
-
\??\c:\3hnhhn.exec:\3hnhhn.exe71⤵
-
\??\c:\3bhbtb.exec:\3bhbtb.exe72⤵
-
\??\c:\dvjdv.exec:\dvjdv.exe73⤵
-
\??\c:\lrxxllx.exec:\lrxxllx.exe74⤵
-
\??\c:\9rrrrxf.exec:\9rrrrxf.exe75⤵
-
\??\c:\ttbbbh.exec:\ttbbbh.exe76⤵
-
\??\c:\bbhhbb.exec:\bbhhbb.exe77⤵
-
\??\c:\pvvvp.exec:\pvvvp.exe78⤵
-
\??\c:\lrrllrl.exec:\lrrllrl.exe79⤵
-
\??\c:\hbhbtt.exec:\hbhbtt.exe80⤵
-
\??\c:\3tbbtb.exec:\3tbbtb.exe81⤵
-
\??\c:\9djdd.exec:\9djdd.exe82⤵
-
\??\c:\xfffflf.exec:\xfffflf.exe83⤵
-
\??\c:\rfllffx.exec:\rfllffx.exe84⤵
-
\??\c:\nnhbnn.exec:\nnhbnn.exe85⤵
-
\??\c:\3hnbbt.exec:\3hnbbt.exe86⤵
-
\??\c:\jppjj.exec:\jppjj.exe87⤵
-
\??\c:\ddjdd.exec:\ddjdd.exe88⤵
-
\??\c:\lxxxrxr.exec:\lxxxrxr.exe89⤵
-
\??\c:\tnnnhh.exec:\tnnnhh.exe90⤵
-
\??\c:\7btnnn.exec:\7btnnn.exe91⤵
-
\??\c:\pjjjd.exec:\pjjjd.exe92⤵
-
\??\c:\djjvd.exec:\djjvd.exe93⤵
-
\??\c:\1rlllll.exec:\1rlllll.exe94⤵
-
\??\c:\hhnhtn.exec:\hhnhtn.exe95⤵
-
\??\c:\hbttnn.exec:\hbttnn.exe96⤵
-
\??\c:\vdvpd.exec:\vdvpd.exe97⤵
-
\??\c:\3pjjd.exec:\3pjjd.exe98⤵
-
\??\c:\xxrrlxr.exec:\xxrrlxr.exe99⤵
-
\??\c:\tttnnn.exec:\tttnnn.exe100⤵
-
\??\c:\hnbnhb.exec:\hnbnhb.exe101⤵
-
\??\c:\dvddp.exec:\dvddp.exe102⤵
-
\??\c:\xxrlffx.exec:\xxrlffx.exe103⤵
-
\??\c:\vpjjv.exec:\vpjjv.exe104⤵
-
\??\c:\3pjjj.exec:\3pjjj.exe105⤵
-
\??\c:\xlrrllx.exec:\xlrrllx.exe106⤵
-
\??\c:\5nbhbh.exec:\5nbhbh.exe107⤵
-
\??\c:\tbbbbh.exec:\tbbbbh.exe108⤵
-
\??\c:\vpppp.exec:\vpppp.exe109⤵
-
\??\c:\5vppj.exec:\5vppj.exe110⤵
-
\??\c:\xrxxxfx.exec:\xrxxxfx.exe111⤵
-
\??\c:\tntttt.exec:\tntttt.exe112⤵
-
\??\c:\hbnnhh.exec:\hbnnhh.exe113⤵
-
\??\c:\djdvd.exec:\djdvd.exe114⤵
-
\??\c:\djjjd.exec:\djjjd.exe115⤵
-
\??\c:\9rlfxxx.exec:\9rlfxxx.exe116⤵
-
\??\c:\btbtnt.exec:\btbtnt.exe117⤵
-
\??\c:\hhnnnn.exec:\hhnnnn.exe118⤵
-
\??\c:\jdddd.exec:\jdddd.exe119⤵
-
\??\c:\ppvvd.exec:\ppvvd.exe120⤵
-
\??\c:\rlrrrrl.exec:\rlrrrrl.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-