Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
25-11-2024 01:22
General
-
Target
2f51a7ee95c2222d3e91c88a02cc83e8422b4ff07dbb3a4b32626d5d5ee13d90.exe
-
Size
72KB
-
MD5
2e6639661b8e824117bd9f263ec9d950
-
SHA1
c4b64cdbb148111b0b3c5b8afae2118d6b22a5de
-
SHA256
2f51a7ee95c2222d3e91c88a02cc83e8422b4ff07dbb3a4b32626d5d5ee13d90
-
SHA512
22afcb9367f2324ff708309f3499783663dc31f5ba64add9f8931c1773fd6fb7e2d0d10aba1f0948df0d902effb565418bcb57a0999bc6f2f57eee3d4e0d6c21
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfjX:ymb3NkkiQ3mdBjFI4Vn
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 32 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 40 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f51a7ee95c2222d3e91c88a02cc83e8422b4ff07dbb3a4b32626d5d5ee13d90.exe"C:\Users\Admin\AppData\Local\Temp\2f51a7ee95c2222d3e91c88a02cc83e8422b4ff07dbb3a4b32626d5d5ee13d90.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrllxl.exec:\rfrllxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tthhnh.exec:\tthhnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3dddv.exec:\3dddv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrflrxf.exec:\xrflrxf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnhnnt.exec:\bnhnnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpvpj.exec:\jpvpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9rxrfll.exec:\9rxrfll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1pddv.exec:\1pddv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjpjp.exec:\jjpjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1xlfffl.exec:\1xlfffl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3ntnnn.exec:\3ntnnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvpjd.exec:\vvpjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlfxrrl.exec:\xlfxrrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhtnnn.exec:\bhtnnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhhnn.exec:\hbhhnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdjdj.exec:\pdjdj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrllll.exec:\rlrllll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhnnnh.exec:\bhnnnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fffxllx.exec:\fffxllx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbbbtt.exec:\nbbbtt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vppjd.exec:\vppjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frlfrrl.exec:\frlfrrl.exe23⤵
- Executes dropped EXE
-
\??\c:\rfxrllr.exec:\rfxrllr.exe24⤵
- Executes dropped EXE
-
\??\c:\nhhbtt.exec:\nhhbtt.exe25⤵
- Executes dropped EXE
-
\??\c:\dpvpj.exec:\dpvpj.exe26⤵
- Executes dropped EXE
-
\??\c:\hntttb.exec:\hntttb.exe27⤵
- Executes dropped EXE
-
\??\c:\bhnhhh.exec:\bhnhhh.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\ttnbbn.exec:\ttnbbn.exe29⤵
- Executes dropped EXE
-
\??\c:\1bbttt.exec:\1bbttt.exe30⤵
- Executes dropped EXE
-
\??\c:\3jjdp.exec:\3jjdp.exe31⤵
- Executes dropped EXE
-
\??\c:\ffllfff.exec:\ffllfff.exe32⤵
- Executes dropped EXE
-
\??\c:\xllxlff.exec:\xllxlff.exe33⤵
- Executes dropped EXE
-
\??\c:\hntttt.exec:\hntttt.exe34⤵
- Executes dropped EXE
-
\??\c:\djjpp.exec:\djjpp.exe35⤵
- Executes dropped EXE
-
\??\c:\rffxllf.exec:\rffxllf.exe36⤵
- Executes dropped EXE
-
\??\c:\xlrfxrl.exec:\xlrfxrl.exe37⤵
- Executes dropped EXE
-
\??\c:\htbhhb.exec:\htbhhb.exe38⤵
- Executes dropped EXE
-
\??\c:\jdjdd.exec:\jdjdd.exe39⤵
- Executes dropped EXE
-
\??\c:\7pvjv.exec:\7pvjv.exe40⤵
- Executes dropped EXE
-
\??\c:\xxxlxlx.exec:\xxxlxlx.exe41⤵
- Executes dropped EXE
-
\??\c:\fxxrrll.exec:\fxxrrll.exe42⤵
- Executes dropped EXE
-
\??\c:\thhnnb.exec:\thhnnb.exe43⤵
- Executes dropped EXE
-
\??\c:\nbbthh.exec:\nbbthh.exe44⤵
- Executes dropped EXE
-
\??\c:\vpddj.exec:\vpddj.exe45⤵
- Executes dropped EXE
-
\??\c:\rlfxllf.exec:\rlfxllf.exe46⤵
- Executes dropped EXE
-
\??\c:\bnnhbt.exec:\bnnhbt.exe47⤵
- Executes dropped EXE
-
\??\c:\jvpjd.exec:\jvpjd.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\1lllxxl.exec:\1lllxxl.exe49⤵
- Executes dropped EXE
-
\??\c:\thnbtt.exec:\thnbtt.exe50⤵
- Executes dropped EXE
-
\??\c:\ppdpv.exec:\ppdpv.exe51⤵
- Executes dropped EXE
-
\??\c:\frrlfxr.exec:\frrlfxr.exe52⤵
- Executes dropped EXE
-
\??\c:\xxxffrr.exec:\xxxffrr.exe53⤵
- Executes dropped EXE
-
\??\c:\hbnhhh.exec:\hbnhhh.exe54⤵
- Executes dropped EXE
-
\??\c:\btbbtt.exec:\btbbtt.exe55⤵
- Executes dropped EXE
-
\??\c:\jdvpj.exec:\jdvpj.exe56⤵
- Executes dropped EXE
-
\??\c:\rrrlfff.exec:\rrrlfff.exe57⤵
- Executes dropped EXE
-
\??\c:\9bbbtn.exec:\9bbbtn.exe58⤵
- Executes dropped EXE
-
\??\c:\vpvvv.exec:\vpvvv.exe59⤵
- Executes dropped EXE
-
\??\c:\lffrrrr.exec:\lffrrrr.exe60⤵
- Executes dropped EXE
-
\??\c:\rfrfxxl.exec:\rfrfxxl.exe61⤵
- Executes dropped EXE
-
\??\c:\nbnbhn.exec:\nbnbhn.exe62⤵
- Executes dropped EXE
-
\??\c:\9jvpj.exec:\9jvpj.exe63⤵
- Executes dropped EXE
-
\??\c:\vpvdd.exec:\vpvdd.exe64⤵
- Executes dropped EXE
-
\??\c:\lrxxrff.exec:\lrxxrff.exe65⤵
- Executes dropped EXE
-
\??\c:\htbttt.exec:\htbttt.exe66⤵
-
\??\c:\hbnhnt.exec:\hbnhnt.exe67⤵
-
\??\c:\dppdv.exec:\dppdv.exe68⤵
-
\??\c:\lfxxrrl.exec:\lfxxrrl.exe69⤵
-
\??\c:\5rxxxxx.exec:\5rxxxxx.exe70⤵
-
\??\c:\httnnn.exec:\httnnn.exe71⤵
-
\??\c:\ddjjv.exec:\ddjjv.exe72⤵
-
\??\c:\vpppp.exec:\vpppp.exe73⤵
-
\??\c:\llffxxr.exec:\llffxxr.exe74⤵
-
\??\c:\rlrllxf.exec:\rlrllxf.exe75⤵
-
\??\c:\ttnbbh.exec:\ttnbbh.exe76⤵
-
\??\c:\5pvdj.exec:\5pvdj.exe77⤵
-
\??\c:\5jjdv.exec:\5jjdv.exe78⤵
-
\??\c:\9fflfxr.exec:\9fflfxr.exe79⤵
-
\??\c:\tnhbtt.exec:\tnhbtt.exe80⤵
-
\??\c:\vpjdd.exec:\vpjdd.exe81⤵
-
\??\c:\vpvpd.exec:\vpvpd.exe82⤵
-
\??\c:\xrrlfff.exec:\xrrlfff.exe83⤵
-
\??\c:\thnnhh.exec:\thnnhh.exe84⤵
-
\??\c:\nnnbbb.exec:\nnnbbb.exe85⤵
-
\??\c:\jvpjv.exec:\jvpjv.exe86⤵
-
\??\c:\3flfxxr.exec:\3flfxxr.exe87⤵
-
\??\c:\bnnnth.exec:\bnnnth.exe88⤵
-
\??\c:\nbbntn.exec:\nbbntn.exe89⤵
-
\??\c:\7pdjp.exec:\7pdjp.exe90⤵
-
\??\c:\fflrfxl.exec:\fflrfxl.exe91⤵
-
\??\c:\3nhtht.exec:\3nhtht.exe92⤵
-
\??\c:\bnnnhb.exec:\bnnnhb.exe93⤵
-
\??\c:\jjjdd.exec:\jjjdd.exe94⤵
-
\??\c:\jdvjd.exec:\jdvjd.exe95⤵
-
\??\c:\fxrxxll.exec:\fxrxxll.exe96⤵
-
\??\c:\nhbbbb.exec:\nhbbbb.exe97⤵
-
\??\c:\bttthh.exec:\bttthh.exe98⤵
-
\??\c:\dvpjd.exec:\dvpjd.exe99⤵
-
\??\c:\frfxfff.exec:\frfxfff.exe100⤵
-
\??\c:\rfrrlrr.exec:\rfrrlrr.exe101⤵
-
\??\c:\bntnhb.exec:\bntnhb.exe102⤵
-
\??\c:\jvpdp.exec:\jvpdp.exe103⤵
-
\??\c:\xxrlfxr.exec:\xxrlfxr.exe104⤵
-
\??\c:\nbhbbn.exec:\nbhbbn.exe105⤵
-
\??\c:\nhhbnh.exec:\nhhbnh.exe106⤵
-
\??\c:\jdpjd.exec:\jdpjd.exe107⤵
-
\??\c:\5ddjv.exec:\5ddjv.exe108⤵
-
\??\c:\fffxrlf.exec:\fffxrlf.exe109⤵
-
\??\c:\tbbtnn.exec:\tbbtnn.exe110⤵
-
\??\c:\hnntnh.exec:\hnntnh.exe111⤵
-
\??\c:\vpddj.exec:\vpddj.exe112⤵
-
\??\c:\vpvdv.exec:\vpvdv.exe113⤵
-
\??\c:\llxxxxf.exec:\llxxxxf.exe114⤵
-
\??\c:\bhhnhb.exec:\bhhnhb.exe115⤵
-
\??\c:\7vjjj.exec:\7vjjj.exe116⤵
-
\??\c:\vvjdp.exec:\vvjdp.exe117⤵
-
\??\c:\fllfrxf.exec:\fllfrxf.exe118⤵
-
\??\c:\frrxlff.exec:\frrxlff.exe119⤵
-
\??\c:\tnnnnn.exec:\tnnnnn.exe120⤵
- System Location Discovery: System Language Discovery
-
\??\c:\djjdp.exec:\djjdp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-