Analysis
-
max time kernel
150s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
25-11-2024 01:41
General
-
Target
6bf6b1a8390fafa928fbac8c3ae42fde8ea362310e3756a02f58f1e85c486f2b.exe
-
Size
61KB
-
MD5
6955fdc4736ce413c92e6ebcea171b21
-
SHA1
5f87449da30f84dfd5751ce4987ac98af6088781
-
SHA256
6bf6b1a8390fafa928fbac8c3ae42fde8ea362310e3756a02f58f1e85c486f2b
-
SHA512
ffbb1351aada01b8ab4a398aebfd8b5293fc42360e352dcac1db4eb7ba559a5b6a81d250f58f46c725c9eb86d622867351ac55fbabd74a0b547127ee0be088c9
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND+3T4+byS:ymb3NkkiQ3mdBjF+3TpV
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 35 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6bf6b1a8390fafa928fbac8c3ae42fde8ea362310e3756a02f58f1e85c486f2b.exe"C:\Users\Admin\AppData\Local\Temp\6bf6b1a8390fafa928fbac8c3ae42fde8ea362310e3756a02f58f1e85c486f2b.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbbhb.exec:\nhbbhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjvp.exec:\dvjvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvvj.exec:\dvvvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxlfxr.exec:\frxlfxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhhbtn.exec:\nhhbtn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9djvj.exec:\9djvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxrrxr.exec:\xrxrrxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnbbtt.exec:\bnbbtt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pppjd.exec:\pppjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htntnh.exec:\htntnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjdvv.exec:\vjdvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5llfrrl.exec:\5llfrrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffllfrr.exec:\ffllfrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thhhbh.exec:\thhhbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5jjjv.exec:\5jjjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvpj.exec:\pdvpj.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\rlffxfr.exec:\rlffxfr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhhnnb.exec:\bhhnnb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djjpj.exec:\djjpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhnhhh.exec:\hhnhhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1lrlfll.exec:\1lrlfll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvddd.exec:\pvddd.exe23⤵
- Executes dropped EXE
-
\??\c:\3lllxxx.exec:\3lllxxx.exe24⤵
- Executes dropped EXE
-
\??\c:\rrfxrrr.exec:\rrfxrrr.exe25⤵
- Executes dropped EXE
-
\??\c:\3ntnhb.exec:\3ntnhb.exe26⤵
- Executes dropped EXE
-
\??\c:\1lffrxx.exec:\1lffrxx.exe27⤵
- Executes dropped EXE
-
\??\c:\rrrllrr.exec:\rrrllrr.exe28⤵
- Executes dropped EXE
-
\??\c:\thtnhb.exec:\thtnhb.exe29⤵
- Executes dropped EXE
-
\??\c:\jpvpv.exec:\jpvpv.exe30⤵
- Executes dropped EXE
-
\??\c:\rxlxrlx.exec:\rxlxrlx.exe31⤵
- Executes dropped EXE
-
\??\c:\bthhtt.exec:\bthhtt.exe32⤵
- Executes dropped EXE
-
\??\c:\hhntnh.exec:\hhntnh.exe33⤵
- Executes dropped EXE
-
\??\c:\7pppd.exec:\7pppd.exe34⤵
- Executes dropped EXE
-
\??\c:\lffxrxr.exec:\lffxrxr.exe35⤵
- Executes dropped EXE
-
\??\c:\jvvvp.exec:\jvvvp.exe36⤵
- Executes dropped EXE
-
\??\c:\djjvp.exec:\djjvp.exe37⤵
- Executes dropped EXE
-
\??\c:\lfxrfff.exec:\lfxrfff.exe38⤵
- Executes dropped EXE
-
\??\c:\rflfxrl.exec:\rflfxrl.exe39⤵
- Executes dropped EXE
-
\??\c:\tbtttt.exec:\tbtttt.exe40⤵
- Executes dropped EXE
-
\??\c:\vpjdv.exec:\vpjdv.exe41⤵
- Executes dropped EXE
-
\??\c:\lfffrlf.exec:\lfffrlf.exe42⤵
- Executes dropped EXE
-
\??\c:\1nhbtt.exec:\1nhbtt.exe43⤵
- Executes dropped EXE
-
\??\c:\tntnbb.exec:\tntnbb.exe44⤵
- Executes dropped EXE
-
\??\c:\vvjvv.exec:\vvjvv.exe45⤵
- Executes dropped EXE
-
\??\c:\xrrlxxf.exec:\xrrlxxf.exe46⤵
- Executes dropped EXE
-
\??\c:\1lrlxrx.exec:\1lrlxrx.exe47⤵
- Executes dropped EXE
-
\??\c:\3bhbbb.exec:\3bhbbb.exe48⤵
- Executes dropped EXE
-
\??\c:\vppjv.exec:\vppjv.exe49⤵
- Executes dropped EXE
-
\??\c:\7lrlxrl.exec:\7lrlxrl.exe50⤵
- Executes dropped EXE
-
\??\c:\htttnn.exec:\htttnn.exe51⤵
- Executes dropped EXE
-
\??\c:\5jvjj.exec:\5jvjj.exe52⤵
- Executes dropped EXE
-
\??\c:\rxffxrr.exec:\rxffxrr.exe53⤵
- Executes dropped EXE
-
\??\c:\rrxxxxr.exec:\rrxxxxr.exe54⤵
- Executes dropped EXE
-
\??\c:\tbhtnh.exec:\tbhtnh.exe55⤵
- Executes dropped EXE
-
\??\c:\jdjdd.exec:\jdjdd.exe56⤵
- Executes dropped EXE
-
\??\c:\5djdp.exec:\5djdp.exe57⤵
- Executes dropped EXE
-
\??\c:\fxxrlfx.exec:\fxxrlfx.exe58⤵
- Executes dropped EXE
-
\??\c:\ddvpd.exec:\ddvpd.exe59⤵
- Executes dropped EXE
-
\??\c:\xfrlfxx.exec:\xfrlfxx.exe60⤵
- Executes dropped EXE
-
\??\c:\bbbttt.exec:\bbbttt.exe61⤵
- Executes dropped EXE
-
\??\c:\tbtttt.exec:\tbtttt.exe62⤵
- Executes dropped EXE
-
\??\c:\vvvpd.exec:\vvvpd.exe63⤵
- Executes dropped EXE
-
\??\c:\frxrfxx.exec:\frxrfxx.exe64⤵
- Executes dropped EXE
-
\??\c:\3lflfff.exec:\3lflfff.exe65⤵
- Executes dropped EXE
-
\??\c:\nhhhnn.exec:\nhhhnn.exe66⤵
-
\??\c:\1vddp.exec:\1vddp.exe67⤵
-
\??\c:\7rllxxr.exec:\7rllxxr.exe68⤵
-
\??\c:\lxrlxxr.exec:\lxrlxxr.exe69⤵
-
\??\c:\ntbnhh.exec:\ntbnhh.exe70⤵
-
\??\c:\pjjdd.exec:\pjjdd.exe71⤵
-
\??\c:\5vjjp.exec:\5vjjp.exe72⤵
-
\??\c:\xfflffx.exec:\xfflffx.exe73⤵
-
\??\c:\jpjpv.exec:\jpjpv.exe74⤵
-
\??\c:\dvpjv.exec:\dvpjv.exe75⤵
-
\??\c:\rlrxxff.exec:\rlrxxff.exe76⤵
-
\??\c:\9btnhh.exec:\9btnhh.exe77⤵
-
\??\c:\ppvvv.exec:\ppvvv.exe78⤵
-
\??\c:\fxflfff.exec:\fxflfff.exe79⤵
-
\??\c:\rlrlfxx.exec:\rlrlfxx.exe80⤵
-
\??\c:\tbhtnb.exec:\tbhtnb.exe81⤵
-
\??\c:\vpppj.exec:\vpppj.exe82⤵
-
\??\c:\rflrxlx.exec:\rflrxlx.exe83⤵
-
\??\c:\htnnbb.exec:\htnnbb.exe84⤵
-
\??\c:\jdvdj.exec:\jdvdj.exe85⤵
-
\??\c:\1vjdj.exec:\1vjdj.exe86⤵
-
\??\c:\lflfxxx.exec:\lflfxxx.exe87⤵
-
\??\c:\ththtt.exec:\ththtt.exe88⤵
-
\??\c:\thhttn.exec:\thhttn.exe89⤵
-
\??\c:\3jjjj.exec:\3jjjj.exe90⤵
-
\??\c:\3llfxrr.exec:\3llfxrr.exe91⤵
-
\??\c:\9rlrrlf.exec:\9rlrrlf.exe92⤵
-
\??\c:\ntnnbb.exec:\ntnnbb.exe93⤵
-
\??\c:\dvjpp.exec:\dvjpp.exe94⤵
-
\??\c:\rrxxxfx.exec:\rrxxxfx.exe95⤵
-
\??\c:\frfrfxf.exec:\frfrfxf.exe96⤵
-
\??\c:\lfrfxrr.exec:\lfrfxrr.exe97⤵
-
\??\c:\fxfxrxr.exec:\fxfxrxr.exe98⤵
-
\??\c:\pjjjj.exec:\pjjjj.exe99⤵
-
\??\c:\pjpjv.exec:\pjpjv.exe100⤵
-
\??\c:\fxffxff.exec:\fxffxff.exe101⤵
-
\??\c:\9ttthh.exec:\9ttthh.exe102⤵
-
\??\c:\1vjpd.exec:\1vjpd.exe103⤵
-
\??\c:\vjjjj.exec:\vjjjj.exe104⤵
-
\??\c:\lrfxrxx.exec:\lrfxrxx.exe105⤵
-
\??\c:\bbbtnn.exec:\bbbtnn.exe106⤵
-
\??\c:\hthhnh.exec:\hthhnh.exe107⤵
-
\??\c:\pjdpp.exec:\pjdpp.exe108⤵
-
\??\c:\rffxrrr.exec:\rffxrrr.exe109⤵
-
\??\c:\1xllxfr.exec:\1xllxfr.exe110⤵
-
\??\c:\5hhbtt.exec:\5hhbtt.exe111⤵
-
\??\c:\vvjdd.exec:\vvjdd.exe112⤵
-
\??\c:\jdjdv.exec:\jdjdv.exe113⤵
-
\??\c:\frlffff.exec:\frlffff.exe114⤵
-
\??\c:\bnbhbb.exec:\bnbhbb.exe115⤵
-
\??\c:\bntnnt.exec:\bntnnt.exe116⤵
-
\??\c:\jjjjd.exec:\jjjjd.exe117⤵
-
\??\c:\ppppv.exec:\ppppv.exe118⤵
-
\??\c:\lllrlxl.exec:\lllrlxl.exe119⤵
-
\??\c:\btnnhh.exec:\btnnhh.exe120⤵
-
\??\c:\nhtthh.exec:\nhtthh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-