Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
25/11/2024, 21:28
General
-
Target
a44d75b276c38affb0ccb0edce2a11284731484b3c9cf2c732291b4b670046e3.exe
-
Size
120KB
-
MD5
b320df553dda4158c19fab252d462f02
-
SHA1
7913a626fb7f7a72ad664a61cae7646885c1eaba
-
SHA256
a44d75b276c38affb0ccb0edce2a11284731484b3c9cf2c732291b4b670046e3
-
SHA512
e90b2737b70cbefc6a79037c3fc00474c62453f37b67d4b802b16cb5119273252c1a5b294943f5e2ee7a87d4ef8baeb58787b745cd7547ccaa5ce5f6cd330b13
-
SSDEEP
3072:ymb3NkkiQ3mdBjFWXkj7afoHvmQ+EZMYX8XFE:n3C9BRW0j/uVEZFN
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 23 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a44d75b276c38affb0ccb0edce2a11284731484b3c9cf2c732291b4b670046e3.exe"C:\Users\Admin\AppData\Local\Temp\a44d75b276c38affb0ccb0edce2a11284731484b3c9cf2c732291b4b670046e3.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\bthbtn.exec:\bthbtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhttnt.exec:\bhttnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjpvj.exec:\vjpvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxfllxr.exec:\xxfllxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxlxrrl.exec:\lxlxrrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1rxllxf.exec:\1rxllxf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5ntttb.exec:\5ntttb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dddvp.exec:\dddvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5llfxxx.exec:\5llfxxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5thhhb.exec:\5thhhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvvd.exec:\dvvvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrlxrff.exec:\xrlxrff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnhnht.exec:\bnhnht.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jddvp.exec:\jddvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\httnhh.exec:\httnhh.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\tntnnh.exec:\tntnnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrxrrrr.exec:\lrxrrrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5tntbt.exec:\5tntbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjdd.exec:\dvjdd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpdpp.exec:\dpdpp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flllffx.exec:\flllffx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhnbt.exec:\tnhnbt.exe23⤵
- Executes dropped EXE
-
\??\c:\vvdjj.exec:\vvdjj.exe24⤵
- Executes dropped EXE
-
\??\c:\lxffxxr.exec:\lxffxxr.exe25⤵
- Executes dropped EXE
-
\??\c:\btnhtn.exec:\btnhtn.exe26⤵
- Executes dropped EXE
-
\??\c:\pvjdd.exec:\pvjdd.exe27⤵
- Executes dropped EXE
-
\??\c:\rxrfffx.exec:\rxrfffx.exe28⤵
- Executes dropped EXE
-
\??\c:\btnbnh.exec:\btnbnh.exe29⤵
- Executes dropped EXE
-
\??\c:\pvpvj.exec:\pvpvj.exe30⤵
- Executes dropped EXE
-
\??\c:\xxxfrlr.exec:\xxxfrlr.exe31⤵
- Executes dropped EXE
-
\??\c:\nthbhh.exec:\nthbhh.exe32⤵
- Executes dropped EXE
-
\??\c:\3dvvp.exec:\3dvvp.exe33⤵
- Executes dropped EXE
-
\??\c:\rfxlrfr.exec:\rfxlrfr.exe34⤵
- Executes dropped EXE
-
\??\c:\rxllxxr.exec:\rxllxxr.exe35⤵
- Executes dropped EXE
-
\??\c:\tnhntn.exec:\tnhntn.exe36⤵
- Executes dropped EXE
-
\??\c:\vvdvp.exec:\vvdvp.exe37⤵
- Executes dropped EXE
-
\??\c:\3lrrxll.exec:\3lrrxll.exe38⤵
- Executes dropped EXE
-
\??\c:\tnbnbt.exec:\tnbnbt.exe39⤵
- Executes dropped EXE
-
\??\c:\pdjdd.exec:\pdjdd.exe40⤵
- Executes dropped EXE
-
\??\c:\flrrxrf.exec:\flrrxrf.exe41⤵
- Executes dropped EXE
-
\??\c:\5htnnb.exec:\5htnnb.exe42⤵
- Executes dropped EXE
-
\??\c:\jppdp.exec:\jppdp.exe43⤵
- Executes dropped EXE
-
\??\c:\lffrlxr.exec:\lffrlxr.exe44⤵
- Executes dropped EXE
-
\??\c:\ntbbnh.exec:\ntbbnh.exe45⤵
-
\??\c:\vpvvp.exec:\vpvvp.exe46⤵
- Executes dropped EXE
-
\??\c:\3vvvp.exec:\3vvvp.exe47⤵
- Executes dropped EXE
-
\??\c:\rrxfrlf.exec:\rrxfrlf.exe48⤵
- Executes dropped EXE
-
\??\c:\3bbbtt.exec:\3bbbtt.exe49⤵
- Executes dropped EXE
-
\??\c:\fxxrrrr.exec:\fxxrrrr.exe50⤵
- Executes dropped EXE
-
\??\c:\lrfffrf.exec:\lrfffrf.exe51⤵
- Executes dropped EXE
-
\??\c:\hbhhth.exec:\hbhhth.exe52⤵
- Executes dropped EXE
-
\??\c:\1pvvj.exec:\1pvvj.exe53⤵
- Executes dropped EXE
-
\??\c:\9vdvp.exec:\9vdvp.exe54⤵
- Executes dropped EXE
-
\??\c:\llfxrlr.exec:\llfxrlr.exe55⤵
- Executes dropped EXE
-
\??\c:\thbnhb.exec:\thbnhb.exe56⤵
- Executes dropped EXE
-
\??\c:\tttnhb.exec:\tttnhb.exe57⤵
- Executes dropped EXE
-
\??\c:\btbbhh.exec:\btbbhh.exe58⤵
- Executes dropped EXE
-
\??\c:\bnbntn.exec:\bnbntn.exe59⤵
- Executes dropped EXE
-
\??\c:\fffxxxf.exec:\fffxxxf.exe60⤵
- Executes dropped EXE
-
\??\c:\tnttnn.exec:\tnttnn.exe61⤵
- Executes dropped EXE
-
\??\c:\3jvpv.exec:\3jvpv.exe62⤵
- Executes dropped EXE
-
\??\c:\jdppj.exec:\jdppj.exe63⤵
- Executes dropped EXE
-
\??\c:\nnbtnn.exec:\nnbtnn.exe64⤵
- Executes dropped EXE
-
\??\c:\7thbnn.exec:\7thbnn.exe65⤵
- Executes dropped EXE
-
\??\c:\9ddvv.exec:\9ddvv.exe66⤵
- Executes dropped EXE
-
\??\c:\rrfxllf.exec:\rrfxllf.exe67⤵
-
\??\c:\xfxrfxf.exec:\xfxrfxf.exe68⤵
-
\??\c:\nhtntn.exec:\nhtntn.exe69⤵
-
\??\c:\vdvjp.exec:\vdvjp.exe70⤵
-
\??\c:\rfffflf.exec:\rfffflf.exe71⤵
-
\??\c:\3tnhbt.exec:\3tnhbt.exe72⤵
-
\??\c:\dvvvp.exec:\dvvvp.exe73⤵
-
\??\c:\djvpj.exec:\djvpj.exe74⤵
-
\??\c:\frxrrrr.exec:\frxrrrr.exe75⤵
-
\??\c:\1hhbtt.exec:\1hhbtt.exe76⤵
-
\??\c:\thhbtn.exec:\thhbtn.exe77⤵
-
\??\c:\vpvvp.exec:\vpvvp.exe78⤵
-
\??\c:\vvjjj.exec:\vvjjj.exe79⤵
-
\??\c:\tbhbnn.exec:\tbhbnn.exe80⤵
-
\??\c:\thnhbb.exec:\thnhbb.exe81⤵
-
\??\c:\pjjdv.exec:\pjjdv.exe82⤵
-
\??\c:\xllrlxx.exec:\xllrlxx.exe83⤵
-
\??\c:\bntnhn.exec:\bntnhn.exe84⤵
-
\??\c:\nhhbtt.exec:\nhhbtt.exe85⤵
-
\??\c:\jvvvv.exec:\jvvvv.exe86⤵
-
\??\c:\xxlrrrl.exec:\xxlrrrl.exe87⤵
-
\??\c:\xflfrrl.exec:\xflfrrl.exe88⤵
-
\??\c:\ttbbbb.exec:\ttbbbb.exe89⤵
-
\??\c:\vdjpp.exec:\vdjpp.exe90⤵
-
\??\c:\xrxrrrl.exec:\xrxrrrl.exe91⤵
-
\??\c:\3rrrllf.exec:\3rrrllf.exe92⤵
-
\??\c:\btnhbn.exec:\btnhbn.exe93⤵
-
\??\c:\fxxrlff.exec:\fxxrlff.exe94⤵
-
\??\c:\lfxfxxx.exec:\lfxfxxx.exe95⤵
-
\??\c:\btbbbb.exec:\btbbbb.exe96⤵
-
\??\c:\ttnnnn.exec:\ttnnnn.exe97⤵
- System Location Discovery: System Language Discovery
-
\??\c:\ddjjv.exec:\ddjjv.exe98⤵
-
\??\c:\xlrlxrl.exec:\xlrlxrl.exe99⤵
-
\??\c:\xxxrxlx.exec:\xxxrxlx.exe100⤵
-
\??\c:\tttttt.exec:\tttttt.exe101⤵
-
\??\c:\tnnbtt.exec:\tnnbtt.exe102⤵
-
\??\c:\5dpjv.exec:\5dpjv.exe103⤵
-
\??\c:\5djjd.exec:\5djjd.exe104⤵
-
\??\c:\rxrlfxr.exec:\rxrlfxr.exe105⤵
-
\??\c:\rrrlfff.exec:\rrrlfff.exe106⤵
-
\??\c:\thbhbt.exec:\thbhbt.exe107⤵
-
\??\c:\jpvjd.exec:\jpvjd.exe108⤵
-
\??\c:\1jjjj.exec:\1jjjj.exe109⤵
-
\??\c:\rlxrxxf.exec:\rlxrxxf.exe110⤵
-
\??\c:\xxrxxxr.exec:\xxrxxxr.exe111⤵
-
\??\c:\ddddj.exec:\ddddj.exe112⤵
-
\??\c:\xlrlffx.exec:\xlrlffx.exe113⤵
-
\??\c:\5rffffx.exec:\5rffffx.exe114⤵
-
\??\c:\1pvpd.exec:\1pvpd.exe115⤵
-
\??\c:\vjvjv.exec:\vjvjv.exe116⤵
-
\??\c:\frrxrxf.exec:\frrxrxf.exe117⤵
-
\??\c:\dpppd.exec:\dpppd.exe118⤵
-
\??\c:\ffrxrxx.exec:\ffrxrxx.exe119⤵
-
\??\c:\9ntnhh.exec:\9ntnhh.exe120⤵
-
\??\c:\pvpvv.exec:\pvpvv.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-