Analysis
-
max time kernel
120s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19-12-2024 03:34
General
-
Target
50a750c3a418dec6220a52ddf37df6badda634490ee22c9f6c4962a6616bbed2N.exe
-
Size
82KB
-
MD5
817ddd3b7c647fc56fed3c7b9b9ea0a0
-
SHA1
f408aa91aa6683ccc2d7aa08915da94f29fd7b2f
-
SHA256
50a750c3a418dec6220a52ddf37df6badda634490ee22c9f6c4962a6616bbed2
-
SHA512
af4ff8916ba245d66e09fa07b9e2ca2956a648078b949176ab7e9bd60d66ead7188992508a8d1faa9927969544fcf950c7fbdcaf9281b589910eca31f979ebd6
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIsIpWCz+FR4RzWqC5rINFE4yeqj:ymb3NkkiQ3mdBjFIsIpZ+R4RzWqCu4rb
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 27 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 38 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\50a750c3a418dec6220a52ddf37df6badda634490ee22c9f6c4962a6616bbed2N.exe"C:\Users\Admin\AppData\Local\Temp\50a750c3a418dec6220a52ddf37df6badda634490ee22c9f6c4962a6616bbed2N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbthb.exec:\hhbthb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjjdv.exec:\vjjdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvpdp.exec:\jvpdp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlffxlx.exec:\xlffxlx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vddvj.exec:\vddvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vppjd.exec:\vppjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9thbtn.exec:\9thbtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dppjv.exec:\dppjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlfxllf.exec:\xlfxllf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9tntnn.exec:\9tntnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9jjdd.exec:\9jjdd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxfxrlf.exec:\lxfxrlf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5btnhh.exec:\5btnhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpdjv.exec:\vpdjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxlxrl.exec:\rfxlxrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9llxrrl.exec:\9llxrrl.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\nhthbn.exec:\nhthbn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpjdd.exec:\vpjdd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbhbbt.exec:\bbhbbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjvp.exec:\jdjvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxlxfr.exec:\xlxlxfr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlrfxlf.exec:\xlrfxlf.exe23⤵
- Executes dropped EXE
-
\??\c:\nbbthb.exec:\nbbthb.exe24⤵
- Executes dropped EXE
-
\??\c:\dvjvv.exec:\dvjvv.exe25⤵
- Executes dropped EXE
-
\??\c:\ppjvj.exec:\ppjvj.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\xlfxlff.exec:\xlfxlff.exe27⤵
- Executes dropped EXE
-
\??\c:\xfrlffx.exec:\xfrlffx.exe28⤵
- Executes dropped EXE
-
\??\c:\7dpjj.exec:\7dpjj.exe29⤵
- Executes dropped EXE
-
\??\c:\9dpjv.exec:\9dpjv.exe30⤵
- Executes dropped EXE
-
\??\c:\xxxlfxx.exec:\xxxlfxx.exe31⤵
- Executes dropped EXE
-
\??\c:\btnhtn.exec:\btnhtn.exe32⤵
- Executes dropped EXE
-
\??\c:\xrxxrlf.exec:\xrxxrlf.exe33⤵
- Executes dropped EXE
-
\??\c:\nnbthh.exec:\nnbthh.exe34⤵
- Executes dropped EXE
-
\??\c:\vppjv.exec:\vppjv.exe35⤵
- Executes dropped EXE
-
\??\c:\djvpp.exec:\djvpp.exe36⤵
- Executes dropped EXE
-
\??\c:\rxrrffr.exec:\rxrrffr.exe37⤵
- Executes dropped EXE
-
\??\c:\nhthbt.exec:\nhthbt.exe38⤵
- Executes dropped EXE
-
\??\c:\9ththb.exec:\9ththb.exe39⤵
- Executes dropped EXE
-
\??\c:\xfrlffx.exec:\xfrlffx.exe40⤵
- Executes dropped EXE
-
\??\c:\rllrrlf.exec:\rllrrlf.exe41⤵
- Executes dropped EXE
-
\??\c:\jpdvp.exec:\jpdvp.exe42⤵
- Executes dropped EXE
-
\??\c:\lrfllfr.exec:\lrfllfr.exe43⤵
- Executes dropped EXE
-
\??\c:\dppjj.exec:\dppjj.exe44⤵
- Executes dropped EXE
-
\??\c:\7hhbbn.exec:\7hhbbn.exe45⤵
- Executes dropped EXE
-
\??\c:\dvdvp.exec:\dvdvp.exe46⤵
- Executes dropped EXE
-
\??\c:\lxxlxrx.exec:\lxxlxrx.exe47⤵
- Executes dropped EXE
-
\??\c:\rxxrffx.exec:\rxxrffx.exe48⤵
- Executes dropped EXE
-
\??\c:\nbhbtt.exec:\nbhbtt.exe49⤵
- Executes dropped EXE
-
\??\c:\dpdvj.exec:\dpdvj.exe50⤵
- Executes dropped EXE
-
\??\c:\pdjdp.exec:\pdjdp.exe51⤵
- Executes dropped EXE
-
\??\c:\lfxlfxr.exec:\lfxlfxr.exe52⤵
- Executes dropped EXE
-
\??\c:\hntttt.exec:\hntttt.exe53⤵
- Executes dropped EXE
-
\??\c:\pvvpd.exec:\pvvpd.exe54⤵
- Executes dropped EXE
-
\??\c:\ddjdp.exec:\ddjdp.exe55⤵
- Executes dropped EXE
-
\??\c:\9xrlfxr.exec:\9xrlfxr.exe56⤵
- Executes dropped EXE
-
\??\c:\vdpjd.exec:\vdpjd.exe57⤵
- Executes dropped EXE
-
\??\c:\rxffxxx.exec:\rxffxxx.exe58⤵
- Executes dropped EXE
-
\??\c:\fxxrlxr.exec:\fxxrlxr.exe59⤵
- Executes dropped EXE
-
\??\c:\bbttnn.exec:\bbttnn.exe60⤵
- Executes dropped EXE
-
\??\c:\vjpdv.exec:\vjpdv.exe61⤵
- Executes dropped EXE
-
\??\c:\xrlfxlf.exec:\xrlfxlf.exe62⤵
- Executes dropped EXE
-
\??\c:\lfrlrrr.exec:\lfrlrrr.exe63⤵
- Executes dropped EXE
-
\??\c:\nhhhbb.exec:\nhhhbb.exe64⤵
- Executes dropped EXE
-
\??\c:\jdvpv.exec:\jdvpv.exe65⤵
- Executes dropped EXE
-
\??\c:\xrrlrrf.exec:\xrrlrrf.exe66⤵
-
\??\c:\7fxrlff.exec:\7fxrlff.exe67⤵
-
\??\c:\7nnnnn.exec:\7nnnnn.exe68⤵
-
\??\c:\hnttnh.exec:\hnttnh.exe69⤵
-
\??\c:\3ppdp.exec:\3ppdp.exe70⤵
-
\??\c:\djjvp.exec:\djjvp.exe71⤵
-
\??\c:\lfrlxrr.exec:\lfrlxrr.exe72⤵
-
\??\c:\9nhttt.exec:\9nhttt.exe73⤵
-
\??\c:\jddvp.exec:\jddvp.exe74⤵
-
\??\c:\pjpjd.exec:\pjpjd.exe75⤵
-
\??\c:\7lffrrx.exec:\7lffrrx.exe76⤵
-
\??\c:\tnnhbb.exec:\tnnhbb.exe77⤵
-
\??\c:\ttbnnh.exec:\ttbnnh.exe78⤵
-
\??\c:\dvvvv.exec:\dvvvv.exe79⤵
-
\??\c:\pjjjv.exec:\pjjjv.exe80⤵
-
\??\c:\3fxlxrl.exec:\3fxlxrl.exe81⤵
-
\??\c:\9bnbtn.exec:\9bnbtn.exe82⤵
-
\??\c:\bnbttt.exec:\bnbttt.exe83⤵
-
\??\c:\vpjdp.exec:\vpjdp.exe84⤵
-
\??\c:\vdpjv.exec:\vdpjv.exe85⤵
-
\??\c:\llflfrx.exec:\llflfrx.exe86⤵
-
\??\c:\rfxrlfx.exec:\rfxrlfx.exe87⤵
-
\??\c:\5hbhbb.exec:\5hbhbb.exe88⤵
-
\??\c:\pppjv.exec:\pppjv.exe89⤵
-
\??\c:\xrrlfxx.exec:\xrrlfxx.exe90⤵
-
\??\c:\fxrrlll.exec:\fxrrlll.exe91⤵
-
\??\c:\nhthhn.exec:\nhthhn.exe92⤵
-
\??\c:\3jpjj.exec:\3jpjj.exe93⤵
-
\??\c:\pjjvp.exec:\pjjvp.exe94⤵
-
\??\c:\frrlxxl.exec:\frrlxxl.exe95⤵
-
\??\c:\bntttn.exec:\bntttn.exe96⤵
-
\??\c:\dvpjp.exec:\dvpjp.exe97⤵
-
\??\c:\vpdvd.exec:\vpdvd.exe98⤵
-
\??\c:\rrfxllf.exec:\rrfxllf.exe99⤵
-
\??\c:\vjpjd.exec:\vjpjd.exe100⤵
-
\??\c:\pddvp.exec:\pddvp.exe101⤵
-
\??\c:\rxxrllf.exec:\rxxrllf.exe102⤵
-
\??\c:\hbttnn.exec:\hbttnn.exe103⤵
-
\??\c:\5jdvj.exec:\5jdvj.exe104⤵
-
\??\c:\3rxrlff.exec:\3rxrlff.exe105⤵
-
\??\c:\lrllxrl.exec:\lrllxrl.exe106⤵
-
\??\c:\9lllffx.exec:\9lllffx.exe107⤵
-
\??\c:\tnbtbt.exec:\tnbtbt.exe108⤵
-
\??\c:\pdjvp.exec:\pdjvp.exe109⤵
-
\??\c:\vjjdv.exec:\vjjdv.exe110⤵
-
\??\c:\7lfrfxf.exec:\7lfrfxf.exe111⤵
-
\??\c:\9bhhbt.exec:\9bhhbt.exe112⤵
-
\??\c:\nhnhnh.exec:\nhnhnh.exe113⤵
-
\??\c:\dvppj.exec:\dvppj.exe114⤵
-
\??\c:\fxffxrx.exec:\fxffxrx.exe115⤵
-
\??\c:\frrlffx.exec:\frrlffx.exe116⤵
-
\??\c:\nthhbb.exec:\nthhbb.exe117⤵
-
\??\c:\7dvjv.exec:\7dvjv.exe118⤵
-
\??\c:\jpvpj.exec:\jpvpj.exe119⤵
-
\??\c:\1rxrxxf.exec:\1rxrxxf.exe120⤵
-
\??\c:\nhhbhb.exec:\nhhbhb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-