Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19-12-2024 21:50
General
-
Target
20d06190ad6341c7985f90b2f20133b5b35da45b23e87c5b1ad00b81b64818f8N.exe
-
Size
70KB
-
MD5
aa53cf5abf69aefb48931c27a1c3a590
-
SHA1
f23f573d2545edee8d6e8b2034e83f049da29617
-
SHA256
20d06190ad6341c7985f90b2f20133b5b35da45b23e87c5b1ad00b81b64818f8
-
SHA512
4ec21bb4cb0f69f2d7ccbe811eae8420c9795d06053fc641627e817021e6e62c2cb1ba55e9b40b477d864e4124e49587775405a340f831fc5362a9a41e262c67
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIsIoAcx:ymb3NkkiQ3mdBjFIsIVcx
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 23 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\20d06190ad6341c7985f90b2f20133b5b35da45b23e87c5b1ad00b81b64818f8N.exe"C:\Users\Admin\AppData\Local\Temp\20d06190ad6341c7985f90b2f20133b5b35da45b23e87c5b1ad00b81b64818f8N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\jvjvj.exec:\jvjvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrxflxr.exec:\lrxflxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3bnhnn.exec:\3bnhnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1pjpj.exec:\1pjpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrxrlf.exec:\xrrxrlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbtnhh.exec:\nbtnhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhhbbb.exec:\hhhbbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvvjv.exec:\jvvjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrfrrxr.exec:\xrfrrxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbbhb.exec:\hhbbhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrxxrff.exec:\lrxxrff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnnhhb.exec:\hnnhhb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pddvp.exec:\pddvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frlfxrf.exec:\frlfxrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhhtnh.exec:\nhhtnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvppj.exec:\jvppj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9rfxxll.exec:\9rfxxll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnnhtt.exec:\hnnhtt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpjdv.exec:\jpjdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjpjd.exec:\jjpjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbnbb.exec:\hhbnbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thnhbt.exec:\thnhbt.exe23⤵
- Executes dropped EXE
-
\??\c:\vvpdp.exec:\vvpdp.exe24⤵
- Executes dropped EXE
-
\??\c:\xrlrrll.exec:\xrlrrll.exe25⤵
- Executes dropped EXE
-
\??\c:\bhbhtt.exec:\bhbhtt.exe26⤵
- Executes dropped EXE
-
\??\c:\9ppdp.exec:\9ppdp.exe27⤵
- Executes dropped EXE
-
\??\c:\rllfxxx.exec:\rllfxxx.exe28⤵
- Executes dropped EXE
-
\??\c:\bnnbnn.exec:\bnnbnn.exe29⤵
- Executes dropped EXE
-
\??\c:\thnhbb.exec:\thnhbb.exe30⤵
- Executes dropped EXE
-
\??\c:\3jjjd.exec:\3jjjd.exe31⤵
- Executes dropped EXE
-
\??\c:\1rffxxr.exec:\1rffxxr.exe32⤵
- Executes dropped EXE
-
\??\c:\bntnnn.exec:\bntnnn.exe33⤵
- Executes dropped EXE
-
\??\c:\hbbbtt.exec:\hbbbtt.exe34⤵
- Executes dropped EXE
-
\??\c:\jppjd.exec:\jppjd.exe35⤵
- Executes dropped EXE
-
\??\c:\flffxxr.exec:\flffxxr.exe36⤵
- Executes dropped EXE
-
\??\c:\9xfxffx.exec:\9xfxffx.exe37⤵
- Executes dropped EXE
-
\??\c:\tbnhbb.exec:\tbnhbb.exe38⤵
- Executes dropped EXE
-
\??\c:\nbbthh.exec:\nbbthh.exe39⤵
- Executes dropped EXE
-
\??\c:\jdjjj.exec:\jdjjj.exe40⤵
- Executes dropped EXE
-
\??\c:\xrxrlff.exec:\xrxrlff.exe41⤵
- Executes dropped EXE
-
\??\c:\lxfrlrr.exec:\lxfrlrr.exe42⤵
- Executes dropped EXE
-
\??\c:\7tbbtt.exec:\7tbbtt.exe43⤵
- Executes dropped EXE
-
\??\c:\jvjpd.exec:\jvjpd.exe44⤵
- Executes dropped EXE
-
\??\c:\jvjpd.exec:\jvjpd.exe45⤵
- Executes dropped EXE
-
\??\c:\9lfxllf.exec:\9lfxllf.exe46⤵
- Executes dropped EXE
-
\??\c:\bhbtnt.exec:\bhbtnt.exe47⤵
- Executes dropped EXE
-
\??\c:\vjpjv.exec:\vjpjv.exe48⤵
- Executes dropped EXE
-
\??\c:\vjjjv.exec:\vjjjv.exe49⤵
- Executes dropped EXE
-
\??\c:\xlxrllx.exec:\xlxrllx.exe50⤵
- Executes dropped EXE
-
\??\c:\nhnntb.exec:\nhnntb.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\hhhthb.exec:\hhhthb.exe52⤵
- Executes dropped EXE
-
\??\c:\ppdpj.exec:\ppdpj.exe53⤵
- Executes dropped EXE
-
\??\c:\jpjdp.exec:\jpjdp.exe54⤵
- Executes dropped EXE
-
\??\c:\5lfxrrl.exec:\5lfxrrl.exe55⤵
- Executes dropped EXE
-
\??\c:\nhtnhn.exec:\nhtnhn.exe56⤵
- Executes dropped EXE
-
\??\c:\htnhnn.exec:\htnhnn.exe57⤵
- Executes dropped EXE
-
\??\c:\pddvj.exec:\pddvj.exe58⤵
- Executes dropped EXE
-
\??\c:\rxrlxrl.exec:\rxrlxrl.exe59⤵
- Executes dropped EXE
-
\??\c:\lflfxxr.exec:\lflfxxr.exe60⤵
- Executes dropped EXE
-
\??\c:\5hhnnt.exec:\5hhnnt.exe61⤵
- Executes dropped EXE
-
\??\c:\htthbb.exec:\htthbb.exe62⤵
- Executes dropped EXE
-
\??\c:\djdvp.exec:\djdvp.exe63⤵
- Executes dropped EXE
-
\??\c:\rfrrfrf.exec:\rfrrfrf.exe64⤵
- Executes dropped EXE
-
\??\c:\hbthtb.exec:\hbthtb.exe65⤵
- Executes dropped EXE
-
\??\c:\hhbnbt.exec:\hhbnbt.exe66⤵
-
\??\c:\dvjvj.exec:\dvjvj.exe67⤵
-
\??\c:\1llfrrl.exec:\1llfrrl.exe68⤵
-
\??\c:\fxlffff.exec:\fxlffff.exe69⤵
-
\??\c:\rflxlll.exec:\rflxlll.exe70⤵
-
\??\c:\nbhbbb.exec:\nbhbbb.exe71⤵
-
\??\c:\thtnhb.exec:\thtnhb.exe72⤵
-
\??\c:\jppjv.exec:\jppjv.exe73⤵
-
\??\c:\rlfflfr.exec:\rlfflfr.exe74⤵
-
\??\c:\lfxxrlx.exec:\lfxxrlx.exe75⤵
-
\??\c:\hbnbnh.exec:\hbnbnh.exe76⤵
-
\??\c:\hhnthb.exec:\hhnthb.exe77⤵
-
\??\c:\jvvjp.exec:\jvvjp.exe78⤵
-
\??\c:\jjvvj.exec:\jjvvj.exe79⤵
-
\??\c:\xrxlxrl.exec:\xrxlxrl.exe80⤵
-
\??\c:\tnthbt.exec:\tnthbt.exe81⤵
-
\??\c:\pjdvj.exec:\pjdvj.exe82⤵
-
\??\c:\pjpvp.exec:\pjpvp.exe83⤵
-
\??\c:\xxfxllf.exec:\xxfxllf.exe84⤵
-
\??\c:\thnhhb.exec:\thnhhb.exe85⤵
- System Location Discovery: System Language Discovery
-
\??\c:\nbbbnn.exec:\nbbbnn.exe86⤵
-
\??\c:\3vpvd.exec:\3vpvd.exe87⤵
-
\??\c:\pvvvp.exec:\pvvvp.exe88⤵
-
\??\c:\frrlffx.exec:\frrlffx.exe89⤵
-
\??\c:\7xxlfll.exec:\7xxlfll.exe90⤵
-
\??\c:\nbnhnh.exec:\nbnhnh.exe91⤵
-
\??\c:\7pjdp.exec:\7pjdp.exe92⤵
-
\??\c:\pdvpj.exec:\pdvpj.exe93⤵
-
\??\c:\dvpdd.exec:\dvpdd.exe94⤵
-
\??\c:\rrrfrrf.exec:\rrrfrrf.exe95⤵
-
\??\c:\7hhbtn.exec:\7hhbtn.exe96⤵
-
\??\c:\1hbnbt.exec:\1hbnbt.exe97⤵
-
\??\c:\5jjdv.exec:\5jjdv.exe98⤵
-
\??\c:\rllfrlf.exec:\rllfrlf.exe99⤵
-
\??\c:\flxrrll.exec:\flxrrll.exe100⤵
-
\??\c:\1jvpj.exec:\1jvpj.exe101⤵
-
\??\c:\vjpjd.exec:\vjpjd.exe102⤵
-
\??\c:\xlxlllr.exec:\xlxlllr.exe103⤵
-
\??\c:\nhhhhh.exec:\nhhhhh.exe104⤵
-
\??\c:\3btnbb.exec:\3btnbb.exe105⤵
-
\??\c:\ppvpd.exec:\ppvpd.exe106⤵
-
\??\c:\vvjvp.exec:\vvjvp.exe107⤵
-
\??\c:\rfrlrxf.exec:\rfrlrxf.exe108⤵
-
\??\c:\bnntnn.exec:\bnntnn.exe109⤵
-
\??\c:\1ntbnn.exec:\1ntbnn.exe110⤵
-
\??\c:\jdppj.exec:\jdppj.exe111⤵
-
\??\c:\9flfxxx.exec:\9flfxxx.exe112⤵
-
\??\c:\hntnhb.exec:\hntnhb.exe113⤵
-
\??\c:\jvjdj.exec:\jvjdj.exe114⤵
-
\??\c:\5vpjv.exec:\5vpjv.exe115⤵
-
\??\c:\lxlxrlx.exec:\lxlxrlx.exe116⤵
-
\??\c:\7nbbnh.exec:\7nbbnh.exe117⤵
-
\??\c:\hntbht.exec:\hntbht.exe118⤵
-
\??\c:\pdddp.exec:\pdddp.exe119⤵
-
\??\c:\rllxxrl.exec:\rllxxrl.exe120⤵
-
\??\c:\5lfffxf.exec:\5lfffxf.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-