Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
24-11-2024 18:08
General
-
Target
0da22660f5f5658f18427c7c1bc21b6e042fb3b7d1b81b94519d40502d07ed91.exe
-
Size
57KB
-
MD5
97d247a964ebc605b441b15cadf6ad37
-
SHA1
6f5bf24383710c9ce9d326fa0c3a7b0a060239ea
-
SHA256
0da22660f5f5658f18427c7c1bc21b6e042fb3b7d1b81b94519d40502d07ed91
-
SHA512
b091b5581859f722370276d60fe9a503ad92438cb0e122d5f2b177ca81f9929a9bd849cf83fd0a95a2ae4a28b4c28d3504811106628ced47369d34109c3e06ed
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIY6St9xn7v1:ymb3NkkiQ3mdBjFIY79xr1
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 37 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0da22660f5f5658f18427c7c1bc21b6e042fb3b7d1b81b94519d40502d07ed91.exe"C:\Users\Admin\AppData\Local\Temp\0da22660f5f5658f18427c7c1bc21b6e042fb3b7d1b81b94519d40502d07ed91.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\vjjdp.exec:\vjjdp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1lxrffx.exec:\1lxrffx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbtnhb.exec:\hbtnhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7dvvd.exec:\7dvvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1rrfrlf.exec:\1rrfrlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbtnbb.exec:\hbtnbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdjjj.exec:\pdjjj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rllfxrf.exec:\rllfxrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnhbt.exec:\ttnhbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvjd.exec:\ddvjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlrfxfr.exec:\xlrfxfr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3tttnh.exec:\3tttnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxrlfxr.exec:\rxrlfxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxrlfxl.exec:\rxrlfxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhhnbb.exec:\bhhnbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9jppd.exec:\9jppd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjdpj.exec:\vjdpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7lrrfff.exec:\7lrrfff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nttbtn.exec:\nttbtn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjvp.exec:\ddjvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvpjv.exec:\vvpjv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rflfrxl.exec:\rflfrxl.exe23⤵
- Executes dropped EXE
-
\??\c:\xrxrxrx.exec:\xrxrxrx.exe24⤵
- Executes dropped EXE
-
\??\c:\tbthbt.exec:\tbthbt.exe25⤵
- Executes dropped EXE
-
\??\c:\xrlfrlf.exec:\xrlfrlf.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\3bbhbt.exec:\3bbhbt.exe27⤵
- Executes dropped EXE
-
\??\c:\jvppp.exec:\jvppp.exe28⤵
- Executes dropped EXE
-
\??\c:\pjjdd.exec:\pjjdd.exe29⤵
- Executes dropped EXE
-
\??\c:\rxrrflx.exec:\rxrrflx.exe30⤵
- Executes dropped EXE
-
\??\c:\rxlfrlx.exec:\rxlfrlx.exe31⤵
- Executes dropped EXE
-
\??\c:\1vddv.exec:\1vddv.exe32⤵
- Executes dropped EXE
-
\??\c:\nhbtnh.exec:\nhbtnh.exe33⤵
- Executes dropped EXE
-
\??\c:\dpjdv.exec:\dpjdv.exe34⤵
- Executes dropped EXE
-
\??\c:\lxflxrl.exec:\lxflxrl.exe35⤵
- Executes dropped EXE
-
\??\c:\hbtnhh.exec:\hbtnhh.exe36⤵
- Executes dropped EXE
-
\??\c:\7pppj.exec:\7pppj.exe37⤵
- Executes dropped EXE
-
\??\c:\9xxlxrl.exec:\9xxlxrl.exe38⤵
- Executes dropped EXE
-
\??\c:\9xxrllf.exec:\9xxrllf.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\ttnnbb.exec:\ttnnbb.exe40⤵
- Executes dropped EXE
-
\??\c:\1bhbtt.exec:\1bhbtt.exe41⤵
- Executes dropped EXE
-
\??\c:\7jpjd.exec:\7jpjd.exe42⤵
- Executes dropped EXE
-
\??\c:\frrlrlf.exec:\frrlrlf.exe43⤵
- Executes dropped EXE
-
\??\c:\lfrrllf.exec:\lfrrllf.exe44⤵
- Executes dropped EXE
-
\??\c:\hbnntn.exec:\hbnntn.exe45⤵
- Executes dropped EXE
-
\??\c:\bbbnbt.exec:\bbbnbt.exe46⤵
- Executes dropped EXE
-
\??\c:\5djdv.exec:\5djdv.exe47⤵
- Executes dropped EXE
-
\??\c:\3ddvj.exec:\3ddvj.exe48⤵
- Executes dropped EXE
-
\??\c:\flxrffx.exec:\flxrffx.exe49⤵
- Executes dropped EXE
-
\??\c:\1bttnt.exec:\1bttnt.exe50⤵
- Executes dropped EXE
-
\??\c:\ntbbbb.exec:\ntbbbb.exe51⤵
- Executes dropped EXE
-
\??\c:\3dddp.exec:\3dddp.exe52⤵
- Executes dropped EXE
-
\??\c:\5ddvd.exec:\5ddvd.exe53⤵
- Executes dropped EXE
-
\??\c:\rlxxxfl.exec:\rlxxxfl.exe54⤵
- Executes dropped EXE
-
\??\c:\btnhbb.exec:\btnhbb.exe55⤵
- Executes dropped EXE
-
\??\c:\bttnhh.exec:\bttnhh.exe56⤵
- Executes dropped EXE
-
\??\c:\pjjdv.exec:\pjjdv.exe57⤵
- Executes dropped EXE
-
\??\c:\jdjdd.exec:\jdjdd.exe58⤵
- Executes dropped EXE
-
\??\c:\lfxrlll.exec:\lfxrlll.exe59⤵
- Executes dropped EXE
-
\??\c:\7bhbbt.exec:\7bhbbt.exe60⤵
- Executes dropped EXE
-
\??\c:\1ttnbb.exec:\1ttnbb.exe61⤵
- Executes dropped EXE
-
\??\c:\5vvjj.exec:\5vvjj.exe62⤵
- Executes dropped EXE
-
\??\c:\pvdpd.exec:\pvdpd.exe63⤵
- Executes dropped EXE
-
\??\c:\xrfrfxr.exec:\xrfrfxr.exe64⤵
- Executes dropped EXE
-
\??\c:\btbtbt.exec:\btbtbt.exe65⤵
- Executes dropped EXE
-
\??\c:\9nnbnh.exec:\9nnbnh.exe66⤵
-
\??\c:\vvdpv.exec:\vvdpv.exe67⤵
-
\??\c:\xxxfxff.exec:\xxxfxff.exe68⤵
-
\??\c:\lfrllff.exec:\lfrllff.exe69⤵
-
\??\c:\tbbbbb.exec:\tbbbbb.exe70⤵
-
\??\c:\bbnhbb.exec:\bbnhbb.exe71⤵
-
\??\c:\7pjjj.exec:\7pjjj.exe72⤵
-
\??\c:\jddpd.exec:\jddpd.exe73⤵
-
\??\c:\1rrlrlx.exec:\1rrlrlx.exe74⤵
-
\??\c:\nnbtnn.exec:\nnbtnn.exe75⤵
-
\??\c:\5nnnhb.exec:\5nnnhb.exe76⤵
-
\??\c:\vvvpj.exec:\vvvpj.exe77⤵
-
\??\c:\5flffxf.exec:\5flffxf.exe78⤵
-
\??\c:\5flfxxr.exec:\5flfxxr.exe79⤵
-
\??\c:\nnhhbb.exec:\nnhhbb.exe80⤵
-
\??\c:\hnttnh.exec:\hnttnh.exe81⤵
-
\??\c:\ddvpj.exec:\ddvpj.exe82⤵
-
\??\c:\xrxxlll.exec:\xrxxlll.exe83⤵
-
\??\c:\xxxrfxl.exec:\xxxrfxl.exe84⤵
-
\??\c:\bnnbhh.exec:\bnnbhh.exe85⤵
-
\??\c:\vvppj.exec:\vvppj.exe86⤵
-
\??\c:\jdjdj.exec:\jdjdj.exe87⤵
-
\??\c:\flfxrlx.exec:\flfxrlx.exe88⤵
-
\??\c:\fffxxrr.exec:\fffxxrr.exe89⤵
-
\??\c:\bbhthb.exec:\bbhthb.exe90⤵
-
\??\c:\bhhbhb.exec:\bhhbhb.exe91⤵
-
\??\c:\jjvpj.exec:\jjvpj.exe92⤵
-
\??\c:\pppjv.exec:\pppjv.exe93⤵
-
\??\c:\fllfxrl.exec:\fllfxrl.exe94⤵
-
\??\c:\nhhbtt.exec:\nhhbtt.exe95⤵
-
\??\c:\1btthn.exec:\1btthn.exe96⤵
-
\??\c:\pjdvp.exec:\pjdvp.exe97⤵
-
\??\c:\5jdvp.exec:\5jdvp.exe98⤵
-
\??\c:\1ffxlrl.exec:\1ffxlrl.exe99⤵
-
\??\c:\7xxxrrr.exec:\7xxxrrr.exe100⤵
-
\??\c:\bhhhhh.exec:\bhhhhh.exe101⤵
-
\??\c:\5vvvj.exec:\5vvvj.exe102⤵
-
\??\c:\5lflxxr.exec:\5lflxxr.exe103⤵
-
\??\c:\9bnhhb.exec:\9bnhhb.exe104⤵
-
\??\c:\7bhnht.exec:\7bhnht.exe105⤵
-
\??\c:\ppvvv.exec:\ppvvv.exe106⤵
-
\??\c:\pdvpd.exec:\pdvpd.exe107⤵
-
\??\c:\rffxllf.exec:\rffxllf.exe108⤵
-
\??\c:\tnntbt.exec:\tnntbt.exe109⤵
-
\??\c:\nhhtnn.exec:\nhhtnn.exe110⤵
-
\??\c:\1vpjv.exec:\1vpjv.exe111⤵
-
\??\c:\dpppj.exec:\dpppj.exe112⤵
-
\??\c:\lxxxrrl.exec:\lxxxrrl.exe113⤵
-
\??\c:\3bbbtn.exec:\3bbbtn.exe114⤵
- System Location Discovery: System Language Discovery
-
\??\c:\btbttt.exec:\btbttt.exe115⤵
-
\??\c:\vjpdp.exec:\vjpdp.exe116⤵
-
\??\c:\jjjdp.exec:\jjjdp.exe117⤵
-
\??\c:\rlffxll.exec:\rlffxll.exe118⤵
-
\??\c:\llrlfxr.exec:\llrlfxr.exe119⤵
-
\??\c:\5bhbtt.exec:\5bhbtt.exe120⤵
-
\??\c:\7hbttn.exec:\7hbttn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-