Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22-12-2024 05:31
General
-
Target
c4260fb2a49485c8cfda8980a4f6c66d5a0b7e722a6382dc1650facb3f9f9b47.exe
-
Size
83KB
-
MD5
543c7f7d1487155127f9cb6d98fb04d8
-
SHA1
66886af8238289b6ae961059b098368fc223dce1
-
SHA256
c4260fb2a49485c8cfda8980a4f6c66d5a0b7e722a6382dc1650facb3f9f9b47
-
SHA512
0afe03166403d4ab6b42d622b56f11e598adfb4fb43138ac54aa893025952481cc41e67e44d3a265895a93f7de9518477c4bab73aab9022f1efb491b27fe5e77
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIIpIo60L9QrrA89Q7:ymb3NkkiQ3mdBjFIIp9L9QrrA8k
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 27 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 40 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c4260fb2a49485c8cfda8980a4f6c66d5a0b7e722a6382dc1650facb3f9f9b47.exe"C:\Users\Admin\AppData\Local\Temp\c4260fb2a49485c8cfda8980a4f6c66d5a0b7e722a6382dc1650facb3f9f9b47.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\1jvpp.exec:\1jvpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rflfrlx.exec:\rflfrlx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hththh.exec:\hththh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdvp.exec:\pjdvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrrfxrf.exec:\lrrfxrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1nnnbt.exec:\1nnnbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7djvv.exec:\7djvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxlfxr.exec:\lxxlfxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnnbbt.exec:\hnnbbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thtnbb.exec:\thtnbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jddpp.exec:\jddpp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvvj.exec:\dvvvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fflffxf.exec:\fflffxf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thbtnn.exec:\thbtnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvvjv.exec:\jvvjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxxlxrl.exec:\xxxlxrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xllxlfx.exec:\xllxlfx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ththtb.exec:\ththtb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvdvj.exec:\jvdvj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxrffxr.exec:\lxrffxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thhthb.exec:\thhthb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbnhbb.exec:\nbnhbb.exe23⤵
- Executes dropped EXE
-
\??\c:\vjdvd.exec:\vjdvd.exe24⤵
- Executes dropped EXE
-
\??\c:\xffxlrf.exec:\xffxlrf.exe25⤵
- Executes dropped EXE
-
\??\c:\tnnbtn.exec:\tnnbtn.exe26⤵
- Executes dropped EXE
-
\??\c:\dpvjv.exec:\dpvjv.exe27⤵
- Executes dropped EXE
-
\??\c:\ddjvp.exec:\ddjvp.exe28⤵
- Executes dropped EXE
-
\??\c:\frfrlfl.exec:\frfrlfl.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\btnnhb.exec:\btnnhb.exe30⤵
- Executes dropped EXE
-
\??\c:\jjdjv.exec:\jjdjv.exe31⤵
- Executes dropped EXE
-
\??\c:\tnhthb.exec:\tnhthb.exe32⤵
- Executes dropped EXE
-
\??\c:\hbtnbt.exec:\hbtnbt.exe33⤵
- Executes dropped EXE
-
\??\c:\jddvj.exec:\jddvj.exe34⤵
- Executes dropped EXE
-
\??\c:\pvpjj.exec:\pvpjj.exe35⤵
- Executes dropped EXE
-
\??\c:\nbhhtt.exec:\nbhhtt.exe36⤵
- Executes dropped EXE
-
\??\c:\pvdvd.exec:\pvdvd.exe37⤵
- Executes dropped EXE
-
\??\c:\9ddpd.exec:\9ddpd.exe38⤵
- Executes dropped EXE
-
\??\c:\fxrlxxr.exec:\fxrlxxr.exe39⤵
- Executes dropped EXE
-
\??\c:\xfrlfxl.exec:\xfrlfxl.exe40⤵
- Executes dropped EXE
-
\??\c:\thbthh.exec:\thbthh.exe41⤵
- Executes dropped EXE
-
\??\c:\jddvj.exec:\jddvj.exe42⤵
- Executes dropped EXE
-
\??\c:\lffrlll.exec:\lffrlll.exe43⤵
- Executes dropped EXE
-
\??\c:\lxrlxfx.exec:\lxrlxfx.exe44⤵
- Executes dropped EXE
-
\??\c:\nhnhbh.exec:\nhnhbh.exe45⤵
- Executes dropped EXE
-
\??\c:\jddpd.exec:\jddpd.exe46⤵
- Executes dropped EXE
-
\??\c:\fllxrlf.exec:\fllxrlf.exe47⤵
- Executes dropped EXE
-
\??\c:\nttnbb.exec:\nttnbb.exe48⤵
- Executes dropped EXE
-
\??\c:\btnhtt.exec:\btnhtt.exe49⤵
- Executes dropped EXE
-
\??\c:\vpdvj.exec:\vpdvj.exe50⤵
- Executes dropped EXE
-
\??\c:\nhntbh.exec:\nhntbh.exe51⤵
- Executes dropped EXE
-
\??\c:\djdvj.exec:\djdvj.exe52⤵
- Executes dropped EXE
-
\??\c:\3rlfffx.exec:\3rlfffx.exe53⤵
- Executes dropped EXE
-
\??\c:\xfllfff.exec:\xfllfff.exe54⤵
- Executes dropped EXE
-
\??\c:\btbbhh.exec:\btbbhh.exe55⤵
- Executes dropped EXE
-
\??\c:\djpdp.exec:\djpdp.exe56⤵
- Executes dropped EXE
-
\??\c:\xxffxxr.exec:\xxffxxr.exe57⤵
- Executes dropped EXE
-
\??\c:\fxlrlfr.exec:\fxlrlfr.exe58⤵
- Executes dropped EXE
-
\??\c:\nbtbtb.exec:\nbtbtb.exe59⤵
- Executes dropped EXE
-
\??\c:\tttnnh.exec:\tttnnh.exe60⤵
- Executes dropped EXE
-
\??\c:\pdvpj.exec:\pdvpj.exe61⤵
- Executes dropped EXE
-
\??\c:\lrlfrlf.exec:\lrlfrlf.exe62⤵
- Executes dropped EXE
-
\??\c:\rfxrllf.exec:\rfxrllf.exe63⤵
- Executes dropped EXE
-
\??\c:\nnhhbt.exec:\nnhhbt.exe64⤵
- Executes dropped EXE
-
\??\c:\lxxrfxr.exec:\lxxrfxr.exe65⤵
- Executes dropped EXE
-
\??\c:\3rlxlfx.exec:\3rlxlfx.exe66⤵
-
\??\c:\bnnhtt.exec:\bnnhtt.exe67⤵
-
\??\c:\1pvjp.exec:\1pvjp.exe68⤵
-
\??\c:\lxflfxr.exec:\lxflfxr.exe69⤵
-
\??\c:\fxfrlfr.exec:\fxfrlfr.exe70⤵
-
\??\c:\bhnnbt.exec:\bhnnbt.exe71⤵
-
\??\c:\hbtbnb.exec:\hbtbnb.exe72⤵
-
\??\c:\9vvpj.exec:\9vvpj.exe73⤵
-
\??\c:\rrlxxrx.exec:\rrlxxrx.exe74⤵
-
\??\c:\5frlffx.exec:\5frlffx.exe75⤵
-
\??\c:\5btnbb.exec:\5btnbb.exe76⤵
-
\??\c:\jjpjd.exec:\jjpjd.exe77⤵
-
\??\c:\dppdv.exec:\dppdv.exe78⤵
-
\??\c:\7lfrllf.exec:\7lfrllf.exe79⤵
-
\??\c:\rlxrffx.exec:\rlxrffx.exe80⤵
-
\??\c:\5hbtnh.exec:\5hbtnh.exe81⤵
-
\??\c:\btbttt.exec:\btbttt.exe82⤵
-
\??\c:\pvpdv.exec:\pvpdv.exe83⤵
-
\??\c:\lrrfrrl.exec:\lrrfrrl.exe84⤵
-
\??\c:\7tnnhb.exec:\7tnnhb.exe85⤵
-
\??\c:\dvpjv.exec:\dvpjv.exe86⤵
-
\??\c:\jvjdv.exec:\jvjdv.exe87⤵
-
\??\c:\frrflfx.exec:\frrflfx.exe88⤵
-
\??\c:\nhtnhh.exec:\nhtnhh.exe89⤵
- System Location Discovery: System Language Discovery
-
\??\c:\btnhtn.exec:\btnhtn.exe90⤵
-
\??\c:\5ppjp.exec:\5ppjp.exe91⤵
-
\??\c:\jdpjj.exec:\jdpjj.exe92⤵
-
\??\c:\llxrfxr.exec:\llxrfxr.exe93⤵
-
\??\c:\lxxrllf.exec:\lxxrllf.exe94⤵
-
\??\c:\bbtthb.exec:\bbtthb.exe95⤵
-
\??\c:\tnhbnh.exec:\tnhbnh.exe96⤵
-
\??\c:\ppjpj.exec:\ppjpj.exe97⤵
-
\??\c:\djvjd.exec:\djvjd.exe98⤵
-
\??\c:\xffxlfx.exec:\xffxlfx.exe99⤵
-
\??\c:\thhbnh.exec:\thhbnh.exe100⤵
-
\??\c:\tnnhbb.exec:\tnnhbb.exe101⤵
-
\??\c:\dppjv.exec:\dppjv.exe102⤵
-
\??\c:\vpvjp.exec:\vpvjp.exe103⤵
-
\??\c:\lrrlrrl.exec:\lrrlrrl.exe104⤵
-
\??\c:\bhhtnh.exec:\bhhtnh.exe105⤵
-
\??\c:\thhthb.exec:\thhthb.exe106⤵
-
\??\c:\1jdvj.exec:\1jdvj.exe107⤵
-
\??\c:\jjdpj.exec:\jjdpj.exe108⤵
-
\??\c:\lxxlxxf.exec:\lxxlxxf.exe109⤵
-
\??\c:\rfrlfxl.exec:\rfrlfxl.exe110⤵
-
\??\c:\bhhbnh.exec:\bhhbnh.exe111⤵
-
\??\c:\pdvpd.exec:\pdvpd.exe112⤵
-
\??\c:\rfxxlll.exec:\rfxxlll.exe113⤵
-
\??\c:\lflfllr.exec:\lflfllr.exe114⤵
-
\??\c:\tnhtnb.exec:\tnhtnb.exe115⤵
-
\??\c:\bbthtn.exec:\bbthtn.exe116⤵
-
\??\c:\jpppj.exec:\jpppj.exe117⤵
-
\??\c:\lxrrfxl.exec:\lxrrfxl.exe118⤵
-
\??\c:\5rrfxxr.exec:\5rrfxxr.exe119⤵
-
\??\c:\bhnhtn.exec:\bhnhtn.exe120⤵
-
\??\c:\btthtt.exec:\btthtt.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-