Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
17/12/2024, 00:03
General
-
Target
7c05ceb9e0a1ef1b812752d737e6fe3dec2b11f41499c80da8d37cfd684d602c.exe
-
Size
74KB
-
MD5
61e2fbf07114fc301797deca6baafb0d
-
SHA1
86cf501da6f3019d0469730fa5b93cd778e9f969
-
SHA256
7c05ceb9e0a1ef1b812752d737e6fe3dec2b11f41499c80da8d37cfd684d602c
-
SHA512
692f9350c4985a98e24cfa89b0a039204dbe0ff08888fa227a6de20dff56008358582bc17bbdd2eb88e4dbcd7543c72cf69afeca6406f26564cb7add200c8396
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIFdJUDbAIdiW65y:ymb3NkkiQ3mdBjFIFdJ8bViW68
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c05ceb9e0a1ef1b812752d737e6fe3dec2b11f41499c80da8d37cfd684d602c.exe"C:\Users\Admin\AppData\Local\Temp\7c05ceb9e0a1ef1b812752d737e6fe3dec2b11f41499c80da8d37cfd684d602c.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\04004.exec:\04004.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6060826.exec:\6060826.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\68868.exec:\68868.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\w80048.exec:\w80048.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dppdp.exec:\dppdp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dppvv.exec:\dppvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhnhtn.exec:\bhnhtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbbth.exec:\btbbth.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bntnhh.exec:\bntnhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\802600.exec:\802600.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnthht.exec:\tnthht.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpvvp.exec:\dpvvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\26226.exec:\26226.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4868266.exec:\4868266.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxxrrl.exec:\lfxxrrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djpjj.exec:\djpjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvdvp.exec:\pvdvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\082244.exec:\082244.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\04604.exec:\04604.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2400488.exec:\2400488.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdddv.exec:\pdddv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjdd.exec:\pjjdd.exe23⤵
- Executes dropped EXE
-
\??\c:\26804.exec:\26804.exe24⤵
- Executes dropped EXE
-
\??\c:\vpvpj.exec:\vpvpj.exe25⤵
- Executes dropped EXE
-
\??\c:\402600.exec:\402600.exe26⤵
- Executes dropped EXE
-
\??\c:\bthhnn.exec:\bthhnn.exe27⤵
- Executes dropped EXE
-
\??\c:\62440.exec:\62440.exe28⤵
- Executes dropped EXE
-
\??\c:\82266.exec:\82266.exe29⤵
- Executes dropped EXE
-
\??\c:\22820.exec:\22820.exe30⤵
- Executes dropped EXE
-
\??\c:\1nnhtn.exec:\1nnhtn.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\82482.exec:\82482.exe32⤵
- Executes dropped EXE
-
\??\c:\pjppd.exec:\pjppd.exe33⤵
- Executes dropped EXE
-
\??\c:\frrlxxr.exec:\frrlxxr.exe34⤵
- Executes dropped EXE
-
\??\c:\pppjv.exec:\pppjv.exe35⤵
- Executes dropped EXE
-
\??\c:\02260.exec:\02260.exe36⤵
- Executes dropped EXE
-
\??\c:\i626448.exec:\i626448.exe37⤵
- Executes dropped EXE
-
\??\c:\880640.exec:\880640.exe38⤵
- Executes dropped EXE
-
\??\c:\dvpvj.exec:\dvpvj.exe39⤵
- Executes dropped EXE
-
\??\c:\1xfxllf.exec:\1xfxllf.exe40⤵
- Executes dropped EXE
-
\??\c:\vvvpp.exec:\vvvpp.exe41⤵
- Executes dropped EXE
-
\??\c:\bbhbnn.exec:\bbhbnn.exe42⤵
- Executes dropped EXE
-
\??\c:\nbbntb.exec:\nbbntb.exe43⤵
- Executes dropped EXE
-
\??\c:\668266.exec:\668266.exe44⤵
- Executes dropped EXE
-
\??\c:\5vpjv.exec:\5vpjv.exe45⤵
- Executes dropped EXE
-
\??\c:\vjvjv.exec:\vjvjv.exe46⤵
- Executes dropped EXE
-
\??\c:\lxrfrlr.exec:\lxrfrlr.exe47⤵
- Executes dropped EXE
-
\??\c:\4822228.exec:\4822228.exe48⤵
- Executes dropped EXE
-
\??\c:\tnnnnn.exec:\tnnnnn.exe49⤵
- Executes dropped EXE
-
\??\c:\6800488.exec:\6800488.exe50⤵
- Executes dropped EXE
-
\??\c:\6082666.exec:\6082666.exe51⤵
- Executes dropped EXE
-
\??\c:\068822.exec:\068822.exe52⤵
- Executes dropped EXE
-
\??\c:\g0042.exec:\g0042.exe53⤵
- Executes dropped EXE
-
\??\c:\lxxrlff.exec:\lxxrlff.exe54⤵
- Executes dropped EXE
-
\??\c:\flfxllx.exec:\flfxllx.exe55⤵
- Executes dropped EXE
-
\??\c:\0400444.exec:\0400444.exe56⤵
- Executes dropped EXE
-
\??\c:\04666.exec:\04666.exe57⤵
- Executes dropped EXE
-
\??\c:\bnnhtt.exec:\bnnhtt.exe58⤵
- Executes dropped EXE
-
\??\c:\frxlrxl.exec:\frxlrxl.exe59⤵
- Executes dropped EXE
-
\??\c:\fffxxrr.exec:\fffxxrr.exe60⤵
- Executes dropped EXE
-
\??\c:\tttnbb.exec:\tttnbb.exe61⤵
- Executes dropped EXE
-
\??\c:\680044.exec:\680044.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\ntthbt.exec:\ntthbt.exe63⤵
- Executes dropped EXE
-
\??\c:\pppjd.exec:\pppjd.exe64⤵
- Executes dropped EXE
-
\??\c:\e40082.exec:\e40082.exe65⤵
- Executes dropped EXE
-
\??\c:\htttnn.exec:\htttnn.exe66⤵
-
\??\c:\dpvjv.exec:\dpvjv.exe67⤵
- System Location Discovery: System Language Discovery
-
\??\c:\tnnhbb.exec:\tnnhbb.exe68⤵
-
\??\c:\822222.exec:\822222.exe69⤵
-
\??\c:\frxrxlf.exec:\frxrxlf.exe70⤵
-
\??\c:\8400820.exec:\8400820.exe71⤵
-
\??\c:\s2264.exec:\s2264.exe72⤵
-
\??\c:\3dvdp.exec:\3dvdp.exe73⤵
-
\??\c:\42826.exec:\42826.exe74⤵
-
\??\c:\rxxxlff.exec:\rxxxlff.exe75⤵
-
\??\c:\thttnn.exec:\thttnn.exe76⤵
-
\??\c:\bhhnht.exec:\bhhnht.exe77⤵
-
\??\c:\i282604.exec:\i282604.exe78⤵
-
\??\c:\hbbbbt.exec:\hbbbbt.exe79⤵
-
\??\c:\vjvjv.exec:\vjvjv.exe80⤵
-
\??\c:\3jppd.exec:\3jppd.exe81⤵
-
\??\c:\k62266.exec:\k62266.exe82⤵
-
\??\c:\dpvvp.exec:\dpvvp.exe83⤵
-
\??\c:\2626006.exec:\2626006.exe84⤵
-
\??\c:\228288.exec:\228288.exe85⤵
-
\??\c:\pjpjv.exec:\pjpjv.exe86⤵
-
\??\c:\jjvvp.exec:\jjvvp.exe87⤵
-
\??\c:\vvvvj.exec:\vvvvj.exe88⤵
-
\??\c:\2802884.exec:\2802884.exe89⤵
-
\??\c:\266600.exec:\266600.exe90⤵
-
\??\c:\64660.exec:\64660.exe91⤵
-
\??\c:\1pvpd.exec:\1pvpd.exe92⤵
-
\??\c:\806022.exec:\806022.exe93⤵
-
\??\c:\6004448.exec:\6004448.exe94⤵
-
\??\c:\08246.exec:\08246.exe95⤵
-
\??\c:\440662.exec:\440662.exe96⤵
-
\??\c:\8644462.exec:\8644462.exe97⤵
-
\??\c:\q40000.exec:\q40000.exe98⤵
-
\??\c:\8244888.exec:\8244888.exe99⤵
-
\??\c:\84882.exec:\84882.exe100⤵
-
\??\c:\6082884.exec:\6082884.exe101⤵
-
\??\c:\nthnnn.exec:\nthnnn.exe102⤵
-
\??\c:\xlfflll.exec:\xlfflll.exe103⤵
-
\??\c:\jvddj.exec:\jvddj.exe104⤵
-
\??\c:\1djdv.exec:\1djdv.exe105⤵
-
\??\c:\vppdv.exec:\vppdv.exe106⤵
-
\??\c:\440482.exec:\440482.exe107⤵
-
\??\c:\nbhbtt.exec:\nbhbtt.exe108⤵
-
\??\c:\3jdvj.exec:\3jdvj.exe109⤵
-
\??\c:\vdvdv.exec:\vdvdv.exe110⤵
-
\??\c:\vpvpj.exec:\vpvpj.exe111⤵
-
\??\c:\vpvpd.exec:\vpvpd.exe112⤵
-
\??\c:\bhtthb.exec:\bhtthb.exe113⤵
-
\??\c:\hbbtbb.exec:\hbbtbb.exe114⤵
-
\??\c:\xrfrfff.exec:\xrfrfff.exe115⤵
-
\??\c:\e44882.exec:\e44882.exe116⤵
-
\??\c:\nthbnh.exec:\nthbnh.exe117⤵
-
\??\c:\488206.exec:\488206.exe118⤵
-
\??\c:\dvjdv.exec:\dvjdv.exe119⤵
-
\??\c:\jdvvj.exec:\jdvvj.exe120⤵
-
\??\c:\206682.exec:\206682.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-