Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19-12-2024 03:41
General
-
Target
31fb62663d933be51a04f0a6d6f54e0b7288404babf7c27e12f7b4bcb56871daN.exe
-
Size
71KB
-
MD5
66fa6c1fb1547424cebaef7242860150
-
SHA1
1c1dd06ff332fe1220277b6d065360582719cfc6
-
SHA256
31fb62663d933be51a04f0a6d6f54e0b7288404babf7c27e12f7b4bcb56871da
-
SHA512
4ab5bb1d0665d717954d87eafc4b2672add840c52452bbc077f06236a06c6c3fc2554c6709469d30a9b56de934b0713f05f6e93703c6a2441781b0e1405e2473
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6Mu/ePS3A89:ymb3NkkiQ3mdBjFI46TQ89
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\31fb62663d933be51a04f0a6d6f54e0b7288404babf7c27e12f7b4bcb56871daN.exe"C:\Users\Admin\AppData\Local\Temp\31fb62663d933be51a04f0a6d6f54e0b7288404babf7c27e12f7b4bcb56871daN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\288226.exec:\288226.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\08480.exec:\08480.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\a6604.exec:\a6604.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\422204.exec:\422204.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrlfxr.exec:\fxrlfxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxrrllf.exec:\rxrrllf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbbhb.exec:\htbbhb.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\httbbn.exec:\httbbn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\046826.exec:\046826.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4066004.exec:\4066004.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvvpj.exec:\pvvpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2228244.exec:\2228244.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\88488.exec:\88488.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjdv.exec:\jjjdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\k06644.exec:\k06644.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntbtbb.exec:\ntbtbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\k22222.exec:\k22222.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0426222.exec:\0426222.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\062648.exec:\062648.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrxrlf.exec:\rfrxrlf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nntttt.exec:\nntttt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrxrlll.exec:\lrxrlll.exe23⤵
- Executes dropped EXE
-
\??\c:\k26604.exec:\k26604.exe24⤵
- Executes dropped EXE
-
\??\c:\c882688.exec:\c882688.exe25⤵
- Executes dropped EXE
-
\??\c:\284260.exec:\284260.exe26⤵
- Executes dropped EXE
-
\??\c:\5llffff.exec:\5llffff.exe27⤵
- Executes dropped EXE
-
\??\c:\rlxxxlf.exec:\rlxxxlf.exe28⤵
- Executes dropped EXE
-
\??\c:\pdvvp.exec:\pdvvp.exe29⤵
- Executes dropped EXE
-
\??\c:\26480.exec:\26480.exe30⤵
- Executes dropped EXE
-
\??\c:\44040.exec:\44040.exe31⤵
- Executes dropped EXE
-
\??\c:\662600.exec:\662600.exe32⤵
- Executes dropped EXE
-
\??\c:\8888600.exec:\8888600.exe33⤵
- Executes dropped EXE
-
\??\c:\24600.exec:\24600.exe34⤵
- Executes dropped EXE
-
\??\c:\2626004.exec:\2626004.exe35⤵
- Executes dropped EXE
-
\??\c:\864866.exec:\864866.exe36⤵
- Executes dropped EXE
-
\??\c:\000602.exec:\000602.exe37⤵
- Executes dropped EXE
-
\??\c:\6660482.exec:\6660482.exe38⤵
- Executes dropped EXE
-
\??\c:\80206.exec:\80206.exe39⤵
- Executes dropped EXE
-
\??\c:\806682.exec:\806682.exe40⤵
- Executes dropped EXE
-
\??\c:\htbntn.exec:\htbntn.exe41⤵
- Executes dropped EXE
-
\??\c:\lflxffx.exec:\lflxffx.exe42⤵
- Executes dropped EXE
-
\??\c:\xfxxrlf.exec:\xfxxrlf.exe43⤵
- Executes dropped EXE
-
\??\c:\9lxrlll.exec:\9lxrlll.exe44⤵
- Executes dropped EXE
-
\??\c:\8846026.exec:\8846026.exe45⤵
- Executes dropped EXE
-
\??\c:\rxrlffx.exec:\rxrlffx.exe46⤵
- Executes dropped EXE
-
\??\c:\rfxrffr.exec:\rfxrffr.exe47⤵
- Executes dropped EXE
-
\??\c:\84048.exec:\84048.exe48⤵
- Executes dropped EXE
-
\??\c:\u200448.exec:\u200448.exe49⤵
- Executes dropped EXE
-
\??\c:\dddvd.exec:\dddvd.exe50⤵
- Executes dropped EXE
-
\??\c:\llfxrrl.exec:\llfxrrl.exe51⤵
- Executes dropped EXE
-
\??\c:\88482.exec:\88482.exe52⤵
- Executes dropped EXE
-
\??\c:\thnbhh.exec:\thnbhh.exe53⤵
- Executes dropped EXE
-
\??\c:\7pdvv.exec:\7pdvv.exe54⤵
- Executes dropped EXE
-
\??\c:\lxxrxxx.exec:\lxxrxxx.exe55⤵
- Executes dropped EXE
-
\??\c:\dpjdv.exec:\dpjdv.exe56⤵
- Executes dropped EXE
-
\??\c:\rxlllll.exec:\rxlllll.exe57⤵
- Executes dropped EXE
-
\??\c:\vjpjj.exec:\vjpjj.exe58⤵
- Executes dropped EXE
-
\??\c:\846088.exec:\846088.exe59⤵
- Executes dropped EXE
-
\??\c:\lxxrlfx.exec:\lxxrlfx.exe60⤵
- Executes dropped EXE
-
\??\c:\dvdvp.exec:\dvdvp.exe61⤵
- Executes dropped EXE
-
\??\c:\288822.exec:\288822.exe62⤵
- Executes dropped EXE
-
\??\c:\u000482.exec:\u000482.exe63⤵
- Executes dropped EXE
-
\??\c:\024444.exec:\024444.exe64⤵
- Executes dropped EXE
-
\??\c:\nhhbtt.exec:\nhhbtt.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\26446.exec:\26446.exe66⤵
-
\??\c:\vdjdv.exec:\vdjdv.exe67⤵
-
\??\c:\4884440.exec:\4884440.exe68⤵
-
\??\c:\jdvvv.exec:\jdvvv.exe69⤵
-
\??\c:\8426004.exec:\8426004.exe70⤵
-
\??\c:\ttbhhb.exec:\ttbhhb.exe71⤵
-
\??\c:\btnbnh.exec:\btnbnh.exe72⤵
-
\??\c:\pjjdd.exec:\pjjdd.exe73⤵
-
\??\c:\ntbtnn.exec:\ntbtnn.exe74⤵
-
\??\c:\7fllrxf.exec:\7fllrxf.exe75⤵
-
\??\c:\022828.exec:\022828.exe76⤵
-
\??\c:\824844.exec:\824844.exe77⤵
-
\??\c:\vpvpp.exec:\vpvpp.exe78⤵
-
\??\c:\vdvpp.exec:\vdvpp.exe79⤵
-
\??\c:\tnhbnn.exec:\tnhbnn.exe80⤵
-
\??\c:\nbttnn.exec:\nbttnn.exe81⤵
-
\??\c:\40604.exec:\40604.exe82⤵
-
\??\c:\5ddvp.exec:\5ddvp.exe83⤵
-
\??\c:\rrrlflf.exec:\rrrlflf.exe84⤵
-
\??\c:\hntntt.exec:\hntntt.exe85⤵
-
\??\c:\06226.exec:\06226.exe86⤵
-
\??\c:\flrlllr.exec:\flrlllr.exe87⤵
-
\??\c:\ppjvv.exec:\ppjvv.exe88⤵
-
\??\c:\dvppj.exec:\dvppj.exe89⤵
-
\??\c:\tntnbb.exec:\tntnbb.exe90⤵
-
\??\c:\866668.exec:\866668.exe91⤵
-
\??\c:\42440.exec:\42440.exe92⤵
-
\??\c:\9lxfrfr.exec:\9lxfrfr.exe93⤵
-
\??\c:\lflxlfx.exec:\lflxlfx.exe94⤵
-
\??\c:\4682666.exec:\4682666.exe95⤵
-
\??\c:\hhbnhb.exec:\hhbnhb.exe96⤵
-
\??\c:\djdvd.exec:\djdvd.exe97⤵
-
\??\c:\84482.exec:\84482.exe98⤵
-
\??\c:\lxfrllf.exec:\lxfrllf.exe99⤵
-
\??\c:\5hbnbn.exec:\5hbnbn.exe100⤵
-
\??\c:\6060660.exec:\6060660.exe101⤵
-
\??\c:\k62600.exec:\k62600.exe102⤵
-
\??\c:\5xffrrr.exec:\5xffrrr.exe103⤵
-
\??\c:\8282222.exec:\8282222.exe104⤵
-
\??\c:\684482.exec:\684482.exe105⤵
-
\??\c:\62266.exec:\62266.exe106⤵
-
\??\c:\66804.exec:\66804.exe107⤵
-
\??\c:\rllxlfx.exec:\rllxlfx.exe108⤵
-
\??\c:\3lrlrff.exec:\3lrlrff.exe109⤵
-
\??\c:\pvdvj.exec:\pvdvj.exe110⤵
-
\??\c:\68042.exec:\68042.exe111⤵
-
\??\c:\dvdvd.exec:\dvdvd.exe112⤵
-
\??\c:\g6260.exec:\g6260.exe113⤵
-
\??\c:\jdvjd.exec:\jdvjd.exe114⤵
-
\??\c:\5fxlfrl.exec:\5fxlfrl.exe115⤵
-
\??\c:\8460482.exec:\8460482.exe116⤵
-
\??\c:\nbbtnn.exec:\nbbtnn.exe117⤵
-
\??\c:\s4620.exec:\s4620.exe118⤵
-
\??\c:\lflfrrx.exec:\lflfrrx.exe119⤵
-
\??\c:\bbtbtt.exec:\bbtbtt.exe120⤵
-
\??\c:\5ntnhn.exec:\5ntnhn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-