Analysis
-
max time kernel
149s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18-12-2024 02:38
General
-
Target
0ea68803618a9886e7eecfcda8563fce9e7d990ba73203d4d0033504abc76273.exe
-
Size
83KB
-
MD5
1ba21cc120f0857bd04c038bc38d6b99
-
SHA1
5210a5dba10c2c06eeba04da14a432bad06bd464
-
SHA256
0ea68803618a9886e7eecfcda8563fce9e7d990ba73203d4d0033504abc76273
-
SHA512
b370fa16195e906f7a3c69a024199258c4983534a297c24924312e9fffed72860f3550eeea1c7a565af0a6b369f1e721bf919c986d7959db2c9497c5126bf648
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIIpIo60L9QrrA89Qf:ymb3NkkiQ3mdBjFIIp9L9QrrA8I
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ea68803618a9886e7eecfcda8563fce9e7d990ba73203d4d0033504abc76273.exe"C:\Users\Admin\AppData\Local\Temp\0ea68803618a9886e7eecfcda8563fce9e7d990ba73203d4d0033504abc76273.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\846284.exec:\846284.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\k04208.exec:\k04208.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\224204.exec:\224204.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7rllrfr.exec:\7rllrfr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6004264.exec:\6004264.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpdpd.exec:\dpdpd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxflxl.exec:\xlxflxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhthtn.exec:\nhthtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5btbhb.exec:\5btbhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\440804.exec:\440804.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djvjd.exec:\djvjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7lxlfrr.exec:\7lxlfrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8848864.exec:\8848864.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frlxlfr.exec:\frlxlfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5nbtht.exec:\5nbtht.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntnbht.exec:\ntnbht.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\06642.exec:\06642.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1tnbnh.exec:\1tnbnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnnnhn.exec:\nnnnhn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxlllrr.exec:\lxlllrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\64420.exec:\64420.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5tnhnh.exec:\5tnhnh.exe23⤵
- Executes dropped EXE
-
\??\c:\xrxlrlf.exec:\xrxlrlf.exe24⤵
- Executes dropped EXE
-
\??\c:\llxlfrf.exec:\llxlfrf.exe25⤵
- Executes dropped EXE
-
\??\c:\0848662.exec:\0848662.exe26⤵
- Executes dropped EXE
-
\??\c:\2842048.exec:\2842048.exe27⤵
- Executes dropped EXE
-
\??\c:\1lxrflx.exec:\1lxrflx.exe28⤵
- Executes dropped EXE
-
\??\c:\7lfrllx.exec:\7lfrllx.exe29⤵
- Executes dropped EXE
-
\??\c:\1xlxlfr.exec:\1xlxlfr.exe30⤵
- Executes dropped EXE
-
\??\c:\000204.exec:\000204.exe31⤵
- Executes dropped EXE
-
\??\c:\tnhbbb.exec:\tnhbbb.exe32⤵
- Executes dropped EXE
-
\??\c:\9pvjd.exec:\9pvjd.exe33⤵
- Executes dropped EXE
-
\??\c:\3pjpv.exec:\3pjpv.exe34⤵
- Executes dropped EXE
-
\??\c:\4048682.exec:\4048682.exe35⤵
- Executes dropped EXE
-
\??\c:\9rfxlfl.exec:\9rfxlfl.exe36⤵
- Executes dropped EXE
-
\??\c:\5dvpj.exec:\5dvpj.exe37⤵
- Executes dropped EXE
-
\??\c:\w00808.exec:\w00808.exe38⤵
- Executes dropped EXE
-
\??\c:\dvpvj.exec:\dvpvj.exe39⤵
- Executes dropped EXE
-
\??\c:\7bthbn.exec:\7bthbn.exe40⤵
- Executes dropped EXE
-
\??\c:\5rrflxf.exec:\5rrflxf.exe41⤵
- Executes dropped EXE
-
\??\c:\3lxlxrf.exec:\3lxlxrf.exe42⤵
- Executes dropped EXE
-
\??\c:\q04860.exec:\q04860.exe43⤵
- Executes dropped EXE
-
\??\c:\7djpv.exec:\7djpv.exe44⤵
- Executes dropped EXE
-
\??\c:\604468.exec:\604468.exe45⤵
- Executes dropped EXE
-
\??\c:\1jdvd.exec:\1jdvd.exe46⤵
- Executes dropped EXE
-
\??\c:\dvjvd.exec:\dvjvd.exe47⤵
- Executes dropped EXE
-
\??\c:\u264820.exec:\u264820.exe48⤵
- Executes dropped EXE
-
\??\c:\6864208.exec:\6864208.exe49⤵
- Executes dropped EXE
-
\??\c:\06228.exec:\06228.exe50⤵
- Executes dropped EXE
-
\??\c:\ntbbtt.exec:\ntbbtt.exe51⤵
- Executes dropped EXE
-
\??\c:\e66460.exec:\e66460.exe52⤵
- Executes dropped EXE
-
\??\c:\k04804.exec:\k04804.exe53⤵
- Executes dropped EXE
-
\??\c:\22866.exec:\22866.exe54⤵
- Executes dropped EXE
-
\??\c:\866008.exec:\866008.exe55⤵
- Executes dropped EXE
-
\??\c:\0228860.exec:\0228860.exe56⤵
- Executes dropped EXE
-
\??\c:\xlfrfrf.exec:\xlfrfrf.exe57⤵
- Executes dropped EXE
-
\??\c:\jvvjv.exec:\jvvjv.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\vdvjv.exec:\vdvjv.exe59⤵
- Executes dropped EXE
-
\??\c:\484822.exec:\484822.exe60⤵
- Executes dropped EXE
-
\??\c:\1ddpv.exec:\1ddpv.exe61⤵
- Executes dropped EXE
-
\??\c:\5nthbn.exec:\5nthbn.exe62⤵
- Executes dropped EXE
-
\??\c:\m4046.exec:\m4046.exe63⤵
- Executes dropped EXE
-
\??\c:\k48648.exec:\k48648.exe64⤵
- Executes dropped EXE
-
\??\c:\jpddj.exec:\jpddj.exe65⤵
- Executes dropped EXE
-
\??\c:\rrrxlxl.exec:\rrrxlxl.exe66⤵
-
\??\c:\thnbnb.exec:\thnbnb.exe67⤵
-
\??\c:\pvpjp.exec:\pvpjp.exe68⤵
-
\??\c:\rlllxxr.exec:\rlllxxr.exe69⤵
-
\??\c:\lffxrrl.exec:\lffxrrl.exe70⤵
-
\??\c:\s0648.exec:\s0648.exe71⤵
-
\??\c:\u482004.exec:\u482004.exe72⤵
-
\??\c:\644286.exec:\644286.exe73⤵
-
\??\c:\a6804.exec:\a6804.exe74⤵
-
\??\c:\pvjpd.exec:\pvjpd.exe75⤵
-
\??\c:\064888.exec:\064888.exe76⤵
-
\??\c:\vvpdp.exec:\vvpdp.exe77⤵
-
\??\c:\8042648.exec:\8042648.exe78⤵
-
\??\c:\ppdpj.exec:\ppdpj.exe79⤵
-
\??\c:\84046.exec:\84046.exe80⤵
-
\??\c:\206826.exec:\206826.exe81⤵
-
\??\c:\i848200.exec:\i848200.exe82⤵
-
\??\c:\i222620.exec:\i222620.exe83⤵
-
\??\c:\rrlxllx.exec:\rrlxllx.exe84⤵
-
\??\c:\662260.exec:\662260.exe85⤵
-
\??\c:\jppjv.exec:\jppjv.exe86⤵
-
\??\c:\8642048.exec:\8642048.exe87⤵
-
\??\c:\5thttt.exec:\5thttt.exe88⤵
-
\??\c:\frflfrr.exec:\frflfrr.exe89⤵
-
\??\c:\u220820.exec:\u220820.exe90⤵
-
\??\c:\86866.exec:\86866.exe91⤵
-
\??\c:\0060264.exec:\0060264.exe92⤵
-
\??\c:\e62648.exec:\e62648.exe93⤵
-
\??\c:\tnnhbt.exec:\tnnhbt.exe94⤵
-
\??\c:\lxlrxlf.exec:\lxlrxlf.exe95⤵
-
\??\c:\jdjpv.exec:\jdjpv.exe96⤵
-
\??\c:\a6080.exec:\a6080.exe97⤵
-
\??\c:\bhhtbt.exec:\bhhtbt.exe98⤵
-
\??\c:\a0468.exec:\a0468.exe99⤵
-
\??\c:\86042.exec:\86042.exe100⤵
-
\??\c:\0848484.exec:\0848484.exe101⤵
-
\??\c:\a6082.exec:\a6082.exe102⤵
-
\??\c:\2402666.exec:\2402666.exe103⤵
-
\??\c:\xfrxlfr.exec:\xfrxlfr.exe104⤵
-
\??\c:\s8820.exec:\s8820.exe105⤵
-
\??\c:\1dvjp.exec:\1dvjp.exe106⤵
-
\??\c:\4004208.exec:\4004208.exe107⤵
-
\??\c:\4288844.exec:\4288844.exe108⤵
-
\??\c:\6486488.exec:\6486488.exe109⤵
-
\??\c:\8286408.exec:\8286408.exe110⤵
-
\??\c:\m4060.exec:\m4060.exe111⤵
-
\??\c:\ththtn.exec:\ththtn.exe112⤵
-
\??\c:\206026.exec:\206026.exe113⤵
-
\??\c:\vjjvp.exec:\vjjvp.exe114⤵
-
\??\c:\lxrrxxl.exec:\lxrrxxl.exe115⤵
-
\??\c:\s6684.exec:\s6684.exe116⤵
-
\??\c:\84042.exec:\84042.exe117⤵
-
\??\c:\fllxrfx.exec:\fllxrfx.exe118⤵
-
\??\c:\i486486.exec:\i486486.exe119⤵
-
\??\c:\246048.exec:\246048.exe120⤵
-
\??\c:\e28604.exec:\e28604.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-