Analysis
-
max time kernel
91s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19-12-2024 05:43
General
-
Target
354031771af37f4cfe7d31435341e5c8e420f1479edb343476681c4c82029e4c.exe
-
Size
82KB
-
MD5
7b9f0a7b90de77b4940357127d5be098
-
SHA1
95c14897730771404ce4afe3748ff5ac5341fb61
-
SHA256
354031771af37f4cfe7d31435341e5c8e420f1479edb343476681c4c82029e4c
-
SHA512
a4d1e321aa4caedda459290e7ed690c45db5bd141bf565732a70231ec5669fd6ee6a2d64c13e2bc9d89b3886d5472ab244767180424610fe709c4781fd8d4548
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIsIpWCz+FR4RzWqC5rINFE4yeqB:ymb3NkkiQ3mdBjFIsIpZ+R4RzWqCu4rJ
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 33 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\354031771af37f4cfe7d31435341e5c8e420f1479edb343476681c4c82029e4c.exe"C:\Users\Admin\AppData\Local\Temp\354031771af37f4cfe7d31435341e5c8e420f1479edb343476681c4c82029e4c.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rffxrlf.exec:\rffxrlf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xllffff.exec:\xllffff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5nnhhh.exec:\5nnhhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvddj.exec:\dvddj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3vjjd.exec:\3vjjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxxrrxl.exec:\xxxrrxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnbbtn.exec:\hnbbtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvvpp.exec:\jvvpp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxrllf.exec:\fxxrllf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7tnhbb.exec:\7tnhbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3jjdv.exec:\3jjdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fffxrrl.exec:\fffxrrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrxrxrl.exec:\lrxrxrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhnhbt.exec:\bhnhbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxllrlr.exec:\fxllrlr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrfxrr.exec:\rlrfxrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnnnn.exec:\hbnnnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdvp.exec:\pjdvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rffxrrl.exec:\rffxrrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxrrllf.exec:\xxrrllf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bttnnn.exec:\bttnnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjdd.exec:\ddjdd.exe23⤵
- Executes dropped EXE
-
\??\c:\djjpj.exec:\djjpj.exe24⤵
- Executes dropped EXE
-
\??\c:\fxrlxlf.exec:\fxrlxlf.exe25⤵
- Executes dropped EXE
-
\??\c:\nbbbbh.exec:\nbbbbh.exe26⤵
- Executes dropped EXE
-
\??\c:\tnbtnh.exec:\tnbtnh.exe27⤵
- Executes dropped EXE
-
\??\c:\jdjjp.exec:\jdjjp.exe28⤵
- Executes dropped EXE
-
\??\c:\ttttnn.exec:\ttttnn.exe29⤵
- Executes dropped EXE
-
\??\c:\nhbbbb.exec:\nhbbbb.exe30⤵
- Executes dropped EXE
-
\??\c:\5dpjj.exec:\5dpjj.exe31⤵
- Executes dropped EXE
-
\??\c:\lxrrflf.exec:\lxrrflf.exe32⤵
- Executes dropped EXE
-
\??\c:\fxxrrrr.exec:\fxxrrrr.exe33⤵
- Executes dropped EXE
-
\??\c:\hhhbbb.exec:\hhhbbb.exe34⤵
- Executes dropped EXE
-
\??\c:\btnhnn.exec:\btnhnn.exe35⤵
- Executes dropped EXE
-
\??\c:\djvvv.exec:\djvvv.exe36⤵
- Executes dropped EXE
-
\??\c:\dpvpp.exec:\dpvpp.exe37⤵
- Executes dropped EXE
-
\??\c:\1fllllr.exec:\1fllllr.exe38⤵
- Executes dropped EXE
-
\??\c:\rxxrlxl.exec:\rxxrlxl.exe39⤵
- Executes dropped EXE
-
\??\c:\1pvpp.exec:\1pvpp.exe40⤵
- Executes dropped EXE
-
\??\c:\vjvjd.exec:\vjvjd.exe41⤵
- Executes dropped EXE
-
\??\c:\hnnhbt.exec:\hnnhbt.exe42⤵
- Executes dropped EXE
-
\??\c:\thhbtt.exec:\thhbtt.exe43⤵
- Executes dropped EXE
-
\??\c:\vvddv.exec:\vvddv.exe44⤵
- Executes dropped EXE
-
\??\c:\fxrlffx.exec:\fxrlffx.exe45⤵
- Executes dropped EXE
-
\??\c:\bbbbtt.exec:\bbbbtt.exe46⤵
- Executes dropped EXE
-
\??\c:\tnnhbt.exec:\tnnhbt.exe47⤵
- Executes dropped EXE
-
\??\c:\jpvvp.exec:\jpvvp.exe48⤵
- Executes dropped EXE
-
\??\c:\rlxrfff.exec:\rlxrfff.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\ttbbtb.exec:\ttbbtb.exe50⤵
- Executes dropped EXE
-
\??\c:\jvdvp.exec:\jvdvp.exe51⤵
- Executes dropped EXE
-
\??\c:\flrlllf.exec:\flrlllf.exe52⤵
- Executes dropped EXE
-
\??\c:\jddjd.exec:\jddjd.exe53⤵
- Executes dropped EXE
-
\??\c:\9frrflf.exec:\9frrflf.exe54⤵
- Executes dropped EXE
-
\??\c:\httntt.exec:\httntt.exe55⤵
- Executes dropped EXE
-
\??\c:\xlrrlfx.exec:\xlrrlfx.exe56⤵
- Executes dropped EXE
-
\??\c:\nhnhnn.exec:\nhnhnn.exe57⤵
- Executes dropped EXE
-
\??\c:\vpjjv.exec:\vpjjv.exe58⤵
- Executes dropped EXE
-
\??\c:\dvppp.exec:\dvppp.exe59⤵
- Executes dropped EXE
-
\??\c:\7rrlxxx.exec:\7rrlxxx.exe60⤵
- Executes dropped EXE
-
\??\c:\fxfffxx.exec:\fxfffxx.exe61⤵
- Executes dropped EXE
-
\??\c:\hhnnhh.exec:\hhnnhh.exe62⤵
- Executes dropped EXE
-
\??\c:\nbttnn.exec:\nbttnn.exe63⤵
- Executes dropped EXE
-
\??\c:\jvvjj.exec:\jvvjj.exe64⤵
- Executes dropped EXE
-
\??\c:\rlfxxxr.exec:\rlfxxxr.exe65⤵
- Executes dropped EXE
-
\??\c:\frfxrll.exec:\frfxrll.exe66⤵
-
\??\c:\htbttb.exec:\htbttb.exe67⤵
-
\??\c:\bnnhnh.exec:\bnnhnh.exe68⤵
-
\??\c:\ddjjp.exec:\ddjjp.exe69⤵
-
\??\c:\xrrlffl.exec:\xrrlffl.exe70⤵
-
\??\c:\rlxxrll.exec:\rlxxrll.exe71⤵
-
\??\c:\bthhnh.exec:\bthhnh.exe72⤵
-
\??\c:\thntnt.exec:\thntnt.exe73⤵
-
\??\c:\pddpp.exec:\pddpp.exe74⤵
-
\??\c:\jvvpp.exec:\jvvpp.exe75⤵
-
\??\c:\fxlfxxr.exec:\fxlfxxr.exe76⤵
-
\??\c:\xxxrllf.exec:\xxxrllf.exe77⤵
-
\??\c:\ddjdv.exec:\ddjdv.exe78⤵
-
\??\c:\3rfxxxf.exec:\3rfxxxf.exe79⤵
-
\??\c:\xfllffx.exec:\xfllffx.exe80⤵
-
\??\c:\7tnhbt.exec:\7tnhbt.exe81⤵
-
\??\c:\dpvpj.exec:\dpvpj.exe82⤵
-
\??\c:\7dppj.exec:\7dppj.exe83⤵
-
\??\c:\lxfxlfx.exec:\lxfxlfx.exe84⤵
-
\??\c:\tnntnn.exec:\tnntnn.exe85⤵
-
\??\c:\nbhbtt.exec:\nbhbtt.exe86⤵
-
\??\c:\9ddvj.exec:\9ddvj.exe87⤵
-
\??\c:\jjdpv.exec:\jjdpv.exe88⤵
-
\??\c:\rlrxlfx.exec:\rlrxlfx.exe89⤵
- System Location Discovery: System Language Discovery
-
\??\c:\xlrlxxr.exec:\xlrlxxr.exe90⤵
-
\??\c:\7nhhhb.exec:\7nhhhb.exe91⤵
-
\??\c:\dpvpp.exec:\dpvpp.exe92⤵
-
\??\c:\5dvpd.exec:\5dvpd.exe93⤵
-
\??\c:\9lfxlfx.exec:\9lfxlfx.exe94⤵
-
\??\c:\httnhh.exec:\httnhh.exe95⤵
-
\??\c:\bhbbtn.exec:\bhbbtn.exe96⤵
-
\??\c:\ppvjv.exec:\ppvjv.exe97⤵
- System Location Discovery: System Language Discovery
-
\??\c:\dpjdp.exec:\dpjdp.exe98⤵
-
\??\c:\rfffxrr.exec:\rfffxrr.exe99⤵
-
\??\c:\fxlxfxr.exec:\fxlxfxr.exe100⤵
- System Location Discovery: System Language Discovery
-
\??\c:\bttthh.exec:\bttthh.exe101⤵
-
\??\c:\1jdvj.exec:\1jdvj.exe102⤵
-
\??\c:\dvdpd.exec:\dvdpd.exe103⤵
-
\??\c:\xrxllrr.exec:\xrxllrr.exe104⤵
-
\??\c:\tbbtnn.exec:\tbbtnn.exe105⤵
-
\??\c:\nhhhtn.exec:\nhhhtn.exe106⤵
-
\??\c:\djjvp.exec:\djjvp.exe107⤵
-
\??\c:\dpdvj.exec:\dpdvj.exe108⤵
-
\??\c:\rffrllf.exec:\rffrllf.exe109⤵
-
\??\c:\tnhbbt.exec:\tnhbbt.exe110⤵
-
\??\c:\nhbtnn.exec:\nhbtnn.exe111⤵
-
\??\c:\vdjdp.exec:\vdjdp.exe112⤵
-
\??\c:\jvvpj.exec:\jvvpj.exe113⤵
-
\??\c:\frrrfrl.exec:\frrrfrl.exe114⤵
-
\??\c:\thnnhb.exec:\thnnhb.exe115⤵
-
\??\c:\5tthbt.exec:\5tthbt.exe116⤵
-
\??\c:\dvddv.exec:\dvddv.exe117⤵
-
\??\c:\5jdvj.exec:\5jdvj.exe118⤵
-
\??\c:\xflfxxx.exec:\xflfxxx.exe119⤵
-
\??\c:\xrrlffx.exec:\xrrlffx.exe120⤵
-
\??\c:\tbnhhn.exec:\tbnhhn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-