Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
25-11-2024 13:38
General
-
Target
b39b23d6ffd020d594e16b0ce25e34d104746426f0c53951346904cbc755cf4e.exe
-
Size
76KB
-
MD5
a7a28e6bc1e5d1c8fb54c18889c8e7bf
-
SHA1
2acaff2087071c04cf89dbb6fb0c30537bb1f5d0
-
SHA256
b39b23d6ffd020d594e16b0ce25e34d104746426f0c53951346904cbc755cf4e
-
SHA512
c369dc61f692ed9e238616bd1350c15ad441160b0b054998efcc11ff880313e32992ccd6fb35e16305bd72a0bea02dcbbca5045611a5d3007722c1541b3d5fde
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIvuzk358nLA89OGvrFVHmsf:ymb3NkkiQ3mdBjFIvl358nLA89OMFVHp
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b39b23d6ffd020d594e16b0ce25e34d104746426f0c53951346904cbc755cf4e.exe"C:\Users\Admin\AppData\Local\Temp\b39b23d6ffd020d594e16b0ce25e34d104746426f0c53951346904cbc755cf4e.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\24486.exec:\24486.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhbtt.exec:\hbhbtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrxlxxl.exec:\rrxlxxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1tnhtt.exec:\1tnhtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6228802.exec:\6228802.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\26260.exec:\26260.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\a8226.exec:\a8226.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4228288.exec:\4228288.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbnnhh.exec:\nbnnhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\40220.exec:\40220.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnbtbt.exec:\bnbtbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\22822.exec:\22822.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\u082888.exec:\u082888.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjdv.exec:\jjjdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\00424.exec:\00424.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nthnhh.exec:\nthnhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6684880.exec:\6684880.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\24004.exec:\24004.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9jdvp.exec:\9jdvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxrffx.exec:\xrxrffx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\48440.exec:\48440.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6044844.exec:\6044844.exe23⤵
- Executes dropped EXE
-
\??\c:\42448.exec:\42448.exe24⤵
- Executes dropped EXE
-
\??\c:\w28266.exec:\w28266.exe25⤵
- Executes dropped EXE
-
\??\c:\ppjjv.exec:\ppjjv.exe26⤵
- Executes dropped EXE
-
\??\c:\860428.exec:\860428.exe27⤵
- Executes dropped EXE
-
\??\c:\3nthtn.exec:\3nthtn.exe28⤵
- Executes dropped EXE
-
\??\c:\02482.exec:\02482.exe29⤵
- Executes dropped EXE
-
\??\c:\2060848.exec:\2060848.exe30⤵
- Executes dropped EXE
-
\??\c:\48486.exec:\48486.exe31⤵
- Executes dropped EXE
-
\??\c:\hnnhtn.exec:\hnnhtn.exe32⤵
- Executes dropped EXE
-
\??\c:\btbnhb.exec:\btbnhb.exe33⤵
- Executes dropped EXE
-
\??\c:\nbbnbt.exec:\nbbnbt.exe34⤵
- Executes dropped EXE
-
\??\c:\6860482.exec:\6860482.exe35⤵
- Executes dropped EXE
-
\??\c:\40008.exec:\40008.exe36⤵
- Executes dropped EXE
-
\??\c:\2282486.exec:\2282486.exe37⤵
- Executes dropped EXE
-
\??\c:\pjdvj.exec:\pjdvj.exe38⤵
- Executes dropped EXE
-
\??\c:\pdpjp.exec:\pdpjp.exe39⤵
- Executes dropped EXE
-
\??\c:\i664260.exec:\i664260.exe40⤵
- Executes dropped EXE
-
\??\c:\08822.exec:\08822.exe41⤵
- Executes dropped EXE
-
\??\c:\2442082.exec:\2442082.exe42⤵
- Executes dropped EXE
-
\??\c:\lrrfxrf.exec:\lrrfxrf.exe43⤵
- Executes dropped EXE
-
\??\c:\dpdvd.exec:\dpdvd.exe44⤵
- Executes dropped EXE
-
\??\c:\7fflxrl.exec:\7fflxrl.exe45⤵
- Executes dropped EXE
-
\??\c:\08044.exec:\08044.exe46⤵
- Executes dropped EXE
-
\??\c:\0882266.exec:\0882266.exe47⤵
- Executes dropped EXE
-
\??\c:\7pjdp.exec:\7pjdp.exe48⤵
- Executes dropped EXE
-
\??\c:\482204.exec:\482204.exe49⤵
- Executes dropped EXE
-
\??\c:\fllxlxr.exec:\fllxlxr.exe50⤵
- Executes dropped EXE
-
\??\c:\e68822.exec:\e68822.exe51⤵
- Executes dropped EXE
-
\??\c:\vpdpd.exec:\vpdpd.exe52⤵
- Executes dropped EXE
-
\??\c:\m2868.exec:\m2868.exe53⤵
- Executes dropped EXE
-
\??\c:\thbtnh.exec:\thbtnh.exe54⤵
- Executes dropped EXE
-
\??\c:\nbhtbt.exec:\nbhtbt.exe55⤵
- Executes dropped EXE
-
\??\c:\2482084.exec:\2482084.exe56⤵
- Executes dropped EXE
-
\??\c:\xxxrfxl.exec:\xxxrfxl.exe57⤵
- Executes dropped EXE
-
\??\c:\6288608.exec:\6288608.exe58⤵
- Executes dropped EXE
-
\??\c:\tbtthn.exec:\tbtthn.exe59⤵
- Executes dropped EXE
-
\??\c:\4000826.exec:\4000826.exe60⤵
- Executes dropped EXE
-
\??\c:\tbthtt.exec:\tbthtt.exe61⤵
- Executes dropped EXE
-
\??\c:\66602.exec:\66602.exe62⤵
- Executes dropped EXE
-
\??\c:\a2864.exec:\a2864.exe63⤵
- Executes dropped EXE
-
\??\c:\866084.exec:\866084.exe64⤵
- Executes dropped EXE
-
\??\c:\802600.exec:\802600.exe65⤵
- Executes dropped EXE
-
\??\c:\422042.exec:\422042.exe66⤵
-
\??\c:\0064608.exec:\0064608.exe67⤵
-
\??\c:\a8202.exec:\a8202.exe68⤵
-
\??\c:\c660088.exec:\c660088.exe69⤵
-
\??\c:\ppjpd.exec:\ppjpd.exe70⤵
-
\??\c:\0842604.exec:\0842604.exe71⤵
-
\??\c:\pddpd.exec:\pddpd.exe72⤵
-
\??\c:\nnnbhb.exec:\nnnbhb.exe73⤵
-
\??\c:\64442.exec:\64442.exe74⤵
-
\??\c:\o482042.exec:\o482042.exe75⤵
-
\??\c:\8062460.exec:\8062460.exe76⤵
-
\??\c:\rrxxrrf.exec:\rrxxrrf.exe77⤵
-
\??\c:\lxlfrlx.exec:\lxlfrlx.exe78⤵
-
\??\c:\k66482.exec:\k66482.exe79⤵
-
\??\c:\rxxrxxl.exec:\rxxrxxl.exe80⤵
-
\??\c:\lflfrrl.exec:\lflfrrl.exe81⤵
-
\??\c:\848208.exec:\848208.exe82⤵
-
\??\c:\bntnhn.exec:\bntnhn.exe83⤵
- System Location Discovery: System Language Discovery
-
\??\c:\dppvv.exec:\dppvv.exe84⤵
-
\??\c:\086086.exec:\086086.exe85⤵
-
\??\c:\c804600.exec:\c804600.exe86⤵
-
\??\c:\xxrrrff.exec:\xxrrrff.exe87⤵
-
\??\c:\06288.exec:\06288.exe88⤵
-
\??\c:\046668.exec:\046668.exe89⤵
-
\??\c:\fxllrrf.exec:\fxllrrf.exe90⤵
-
\??\c:\bbhbtb.exec:\bbhbtb.exe91⤵
-
\??\c:\pvpdv.exec:\pvpdv.exe92⤵
-
\??\c:\dvvjv.exec:\dvvjv.exe93⤵
-
\??\c:\m2820.exec:\m2820.exe94⤵
-
\??\c:\rllxxrf.exec:\rllxxrf.exe95⤵
-
\??\c:\2848686.exec:\2848686.exe96⤵
-
\??\c:\ntnhbb.exec:\ntnhbb.exe97⤵
-
\??\c:\5nhthb.exec:\5nhthb.exe98⤵
-
\??\c:\640424.exec:\640424.exe99⤵
-
\??\c:\9vvpd.exec:\9vvpd.exe100⤵
-
\??\c:\lrlrlfr.exec:\lrlrlfr.exe101⤵
-
\??\c:\24086.exec:\24086.exe102⤵
-
\??\c:\pdpdv.exec:\pdpdv.exe103⤵
-
\??\c:\rrrlfxl.exec:\rrrlfxl.exe104⤵
-
\??\c:\xxfrfxl.exec:\xxfrfxl.exe105⤵
-
\??\c:\flxrfxr.exec:\flxrfxr.exe106⤵
-
\??\c:\pvvjv.exec:\pvvjv.exe107⤵
-
\??\c:\jvpdp.exec:\jvpdp.exe108⤵
-
\??\c:\m4466.exec:\m4466.exe109⤵
-
\??\c:\lfrrfxx.exec:\lfrrfxx.exe110⤵
-
\??\c:\rlxrfxr.exec:\rlxrfxr.exe111⤵
-
\??\c:\bbhbbt.exec:\bbhbbt.exe112⤵
-
\??\c:\20042.exec:\20042.exe113⤵
-
\??\c:\k22082.exec:\k22082.exe114⤵
-
\??\c:\nbhttn.exec:\nbhttn.exe115⤵
-
\??\c:\vppjd.exec:\vppjd.exe116⤵
-
\??\c:\xlrlfxx.exec:\xlrlfxx.exe117⤵
-
\??\c:\jpjdd.exec:\jpjdd.exe118⤵
-
\??\c:\0886486.exec:\0886486.exe119⤵
-
\??\c:\q22082.exec:\q22082.exe120⤵
-
\??\c:\8686600.exec:\8686600.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-