Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26/11/2024, 02:30
General
-
Target
221e8c1bb311c20f59810f07efcbd1df7f9ce75fce474325462b1f31c853f5dbN.exe
-
Size
71KB
-
MD5
5e7311becc25b8bbf4b9d800fafd50b0
-
SHA1
47b09cb4734bc8e673b44860309b439efbafb1f1
-
SHA256
221e8c1bb311c20f59810f07efcbd1df7f9ce75fce474325462b1f31c853f5db
-
SHA512
30c043eb840e04395344e471af5bde04eb102e52e1fc570ddd22f0496e85a30c6fad352bc1eeafd6027390a7450c71bf7e6a3e0dcb2c5b79110ba2ed3b2204fd
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfj0:ymb3NkkiQ3mdBjFI4VE
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 28 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 33 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\221e8c1bb311c20f59810f07efcbd1df7f9ce75fce474325462b1f31c853f5dbN.exe"C:\Users\Admin\AppData\Local\Temp\221e8c1bb311c20f59810f07efcbd1df7f9ce75fce474325462b1f31c853f5dbN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\c244064.exec:\c244064.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\3llfxlf.exec:\3llfxlf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2282604.exec:\2282604.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrlrllf.exec:\lrlrllf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0282660.exec:\0282660.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvddv.exec:\pvddv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7ppdj.exec:\7ppdj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\426408.exec:\426408.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbhbn.exec:\tnbhbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjddd.exec:\pjddd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\w24204.exec:\w24204.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\m2826.exec:\m2826.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9rlxllf.exec:\9rlxllf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\466460.exec:\466460.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\80822.exec:\80822.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\20840.exec:\20840.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvvpj.exec:\pvvpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvpd.exec:\jdvpd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2822604.exec:\2822604.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhhbbb.exec:\nhhbbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbhbb.exec:\htbhbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbbtht.exec:\bbbtht.exe23⤵
- Executes dropped EXE
-
\??\c:\3btnhb.exec:\3btnhb.exe24⤵
- Executes dropped EXE
-
\??\c:\s8488.exec:\s8488.exe25⤵
- Executes dropped EXE
-
\??\c:\hnnbtn.exec:\hnnbtn.exe26⤵
- Executes dropped EXE
-
\??\c:\hhhbbt.exec:\hhhbbt.exe27⤵
- Executes dropped EXE
-
\??\c:\66222.exec:\66222.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\8620002.exec:\8620002.exe29⤵
- Executes dropped EXE
-
\??\c:\24000.exec:\24000.exe30⤵
- Executes dropped EXE
-
\??\c:\6680062.exec:\6680062.exe31⤵
- Executes dropped EXE
-
\??\c:\btbtnn.exec:\btbtnn.exe32⤵
- Executes dropped EXE
-
\??\c:\djpjv.exec:\djpjv.exe33⤵
- Executes dropped EXE
-
\??\c:\a6220.exec:\a6220.exe34⤵
- Executes dropped EXE
-
\??\c:\rlfxffl.exec:\rlfxffl.exe35⤵
- Executes dropped EXE
-
\??\c:\6424046.exec:\6424046.exe36⤵
- Executes dropped EXE
-
\??\c:\i800444.exec:\i800444.exe37⤵
- Executes dropped EXE
-
\??\c:\3ffxxxr.exec:\3ffxxxr.exe38⤵
- Executes dropped EXE
-
\??\c:\tbbnht.exec:\tbbnht.exe39⤵
- Executes dropped EXE
-
\??\c:\u642604.exec:\u642604.exe40⤵
- Executes dropped EXE
-
\??\c:\642880.exec:\642880.exe41⤵
- Executes dropped EXE
-
\??\c:\nthtnb.exec:\nthtnb.exe42⤵
- Executes dropped EXE
-
\??\c:\64004.exec:\64004.exe43⤵
- Executes dropped EXE
-
\??\c:\7pvvp.exec:\7pvvp.exe44⤵
- Executes dropped EXE
-
\??\c:\1rxrrrr.exec:\1rxrrrr.exe45⤵
- Executes dropped EXE
-
\??\c:\o222222.exec:\o222222.exe46⤵
- Executes dropped EXE
-
\??\c:\q62000.exec:\q62000.exe47⤵
- Executes dropped EXE
-
\??\c:\2622882.exec:\2622882.exe48⤵
- Executes dropped EXE
-
\??\c:\604200.exec:\604200.exe49⤵
- Executes dropped EXE
-
\??\c:\ffxxlrl.exec:\ffxxlrl.exe50⤵
- Executes dropped EXE
-
\??\c:\6884446.exec:\6884446.exe51⤵
- Executes dropped EXE
-
\??\c:\fxxlfxx.exec:\fxxlfxx.exe52⤵
- Executes dropped EXE
-
\??\c:\86024.exec:\86024.exe53⤵
- Executes dropped EXE
-
\??\c:\68604.exec:\68604.exe54⤵
- Executes dropped EXE
-
\??\c:\jpjvp.exec:\jpjvp.exe55⤵
- Executes dropped EXE
-
\??\c:\402644.exec:\402644.exe56⤵
- Executes dropped EXE
-
\??\c:\vjjvp.exec:\vjjvp.exe57⤵
- Executes dropped EXE
-
\??\c:\9vvvp.exec:\9vvvp.exe58⤵
- Executes dropped EXE
-
\??\c:\rfxrfxx.exec:\rfxrfxx.exe59⤵
- Executes dropped EXE
-
\??\c:\vdpdv.exec:\vdpdv.exe60⤵
- Executes dropped EXE
-
\??\c:\tbbtnh.exec:\tbbtnh.exe61⤵
- Executes dropped EXE
-
\??\c:\lxrxlrf.exec:\lxrxlrf.exe62⤵
- Executes dropped EXE
-
\??\c:\28028.exec:\28028.exe63⤵
- Executes dropped EXE
-
\??\c:\frlxlxr.exec:\frlxlxr.exe64⤵
- Executes dropped EXE
-
\??\c:\9vpdv.exec:\9vpdv.exe65⤵
- Executes dropped EXE
-
\??\c:\fxlrfxl.exec:\fxlrfxl.exe66⤵
-
\??\c:\pjjvj.exec:\pjjvj.exe67⤵
-
\??\c:\ffrfxxl.exec:\ffrfxxl.exe68⤵
-
\??\c:\g2884.exec:\g2884.exe69⤵
-
\??\c:\7pjvj.exec:\7pjvj.exe70⤵
-
\??\c:\406082.exec:\406082.exe71⤵
-
\??\c:\2622240.exec:\2622240.exe72⤵
-
\??\c:\884022.exec:\884022.exe73⤵
-
\??\c:\0066222.exec:\0066222.exe74⤵
-
\??\c:\9btnhh.exec:\9btnhh.exe75⤵
-
\??\c:\i800442.exec:\i800442.exe76⤵
-
\??\c:\2480860.exec:\2480860.exe77⤵
-
\??\c:\662660.exec:\662660.exe78⤵
-
\??\c:\pvdpd.exec:\pvdpd.exe79⤵
-
\??\c:\g2286.exec:\g2286.exe80⤵
-
\??\c:\xrllxxr.exec:\xrllxxr.exe81⤵
-
\??\c:\rxxlffr.exec:\rxxlffr.exe82⤵
-
\??\c:\1bnhbn.exec:\1bnhbn.exe83⤵
-
\??\c:\fflflff.exec:\fflflff.exe84⤵
-
\??\c:\6464044.exec:\6464044.exe85⤵
-
\??\c:\1nnhbb.exec:\1nnhbb.exe86⤵
-
\??\c:\5rlfxrl.exec:\5rlfxrl.exe87⤵
-
\??\c:\268604.exec:\268604.exe88⤵
-
\??\c:\nnbhth.exec:\nnbhth.exe89⤵
-
\??\c:\1rrlxrl.exec:\1rrlxrl.exe90⤵
-
\??\c:\860060.exec:\860060.exe91⤵
-
\??\c:\48848.exec:\48848.exe92⤵
- System Location Discovery: System Language Discovery
-
\??\c:\42446.exec:\42446.exe93⤵
-
\??\c:\206044.exec:\206044.exe94⤵
-
\??\c:\nhhhbh.exec:\nhhhbh.exe95⤵
-
\??\c:\xrlxrlr.exec:\xrlxrlr.exe96⤵
-
\??\c:\djjdv.exec:\djjdv.exe97⤵
-
\??\c:\jdvjp.exec:\jdvjp.exe98⤵
-
\??\c:\8082680.exec:\8082680.exe99⤵
-
\??\c:\pddvj.exec:\pddvj.exe100⤵
-
\??\c:\426424.exec:\426424.exe101⤵
-
\??\c:\o682488.exec:\o682488.exe102⤵
-
\??\c:\vjvvd.exec:\vjvvd.exe103⤵
-
\??\c:\862666.exec:\862666.exe104⤵
-
\??\c:\g4620.exec:\g4620.exe105⤵
-
\??\c:\000082.exec:\000082.exe106⤵
- System Location Discovery: System Language Discovery
-
\??\c:\5xrlrxx.exec:\5xrlrxx.exe107⤵
-
\??\c:\1vpvp.exec:\1vpvp.exe108⤵
-
\??\c:\82660.exec:\82660.exe109⤵
-
\??\c:\u448626.exec:\u448626.exe110⤵
-
\??\c:\422602.exec:\422602.exe111⤵
-
\??\c:\lxrxflf.exec:\lxrxflf.exe112⤵
-
\??\c:\3xxrrxr.exec:\3xxrrxr.exe113⤵
-
\??\c:\8226004.exec:\8226004.exe114⤵
-
\??\c:\lfxrrrr.exec:\lfxrrrr.exe115⤵
-
\??\c:\w66260.exec:\w66260.exe116⤵
-
\??\c:\a4040.exec:\a4040.exe117⤵
-
\??\c:\86664.exec:\86664.exe118⤵
-
\??\c:\08486.exec:\08486.exe119⤵
-
\??\c:\484860.exec:\484860.exe120⤵
-
\??\c:\jpppj.exec:\jpppj.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-