Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22-12-2024 12:03
General
-
Target
e504885c56c6ba6a298092c1d058a594960b96133bef4cc8599640679ccf95d1N.exe
-
Size
83KB
-
MD5
cd2fde1720a881eba4eb87e33be52a30
-
SHA1
3304e72b8218b518a3dbf3550ba307da0bb536a6
-
SHA256
e504885c56c6ba6a298092c1d058a594960b96133bef4cc8599640679ccf95d1
-
SHA512
e15c589ab1a88c0b5e8406578bcc168065859c5043d5eb5a4a4e7ab15cd76f5c6d81391002249f7bb8a419cb45da76f9713227b84a5f7edc55ead7942bbebfb1
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIIpIo60L9QrrA89Qz:ymb3NkkiQ3mdBjFIIp9L9QrrA8C
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 27 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 38 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e504885c56c6ba6a298092c1d058a594960b96133bef4cc8599640679ccf95d1N.exe"C:\Users\Admin\AppData\Local\Temp\e504885c56c6ba6a298092c1d058a594960b96133bef4cc8599640679ccf95d1N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvpp.exec:\jdvpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrlxlrr.exec:\lrlxlrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\086420.exec:\086420.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4626060.exec:\4626060.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4280222.exec:\4280222.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxllrff.exec:\rxllrff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxffxxl.exec:\rxffxxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdddd.exec:\vdddd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnnhb.exec:\tnnnhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\046408.exec:\046408.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1pjpd.exec:\1pjpd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\o848288.exec:\o848288.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frrrllf.exec:\frrrllf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\e28226.exec:\e28226.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvvv.exec:\pjvvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\062260.exec:\062260.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvpj.exec:\vvvpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\08844.exec:\08844.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\046048.exec:\046048.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\464440.exec:\464440.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3flfxfx.exec:\3flfxfx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\884266.exec:\884266.exe23⤵
- Executes dropped EXE
-
\??\c:\jdjvp.exec:\jdjvp.exe24⤵
- Executes dropped EXE
-
\??\c:\rrxrrrr.exec:\rrxrrrr.exe25⤵
- Executes dropped EXE
-
\??\c:\nhttbt.exec:\nhttbt.exe26⤵
- Executes dropped EXE
-
\??\c:\02042.exec:\02042.exe27⤵
- Executes dropped EXE
-
\??\c:\vjvpv.exec:\vjvpv.exe28⤵
- Executes dropped EXE
-
\??\c:\6802008.exec:\6802008.exe29⤵
- Executes dropped EXE
-
\??\c:\vdjjd.exec:\vdjjd.exe30⤵
- Executes dropped EXE
-
\??\c:\2040200.exec:\2040200.exe31⤵
- Executes dropped EXE
-
\??\c:\pddvp.exec:\pddvp.exe32⤵
- Executes dropped EXE
-
\??\c:\4244006.exec:\4244006.exe33⤵
- Executes dropped EXE
-
\??\c:\xflrrxr.exec:\xflrrxr.exe34⤵
- Executes dropped EXE
-
\??\c:\jdddp.exec:\jdddp.exe35⤵
- Executes dropped EXE
-
\??\c:\xfllfff.exec:\xfllfff.exe36⤵
- Executes dropped EXE
-
\??\c:\600044.exec:\600044.exe37⤵
- Executes dropped EXE
-
\??\c:\624848.exec:\624848.exe38⤵
- Executes dropped EXE
-
\??\c:\480060.exec:\480060.exe39⤵
- Executes dropped EXE
-
\??\c:\6068206.exec:\6068206.exe40⤵
- Executes dropped EXE
-
\??\c:\2484444.exec:\2484444.exe41⤵
- Executes dropped EXE
-
\??\c:\484822.exec:\484822.exe42⤵
- Executes dropped EXE
-
\??\c:\0866448.exec:\0866448.exe43⤵
- Executes dropped EXE
-
\??\c:\0288260.exec:\0288260.exe44⤵
- Executes dropped EXE
-
\??\c:\llfxrrr.exec:\llfxrrr.exe45⤵
- Executes dropped EXE
-
\??\c:\pjjdv.exec:\pjjdv.exe46⤵
- Executes dropped EXE
-
\??\c:\82820.exec:\82820.exe47⤵
- Executes dropped EXE
-
\??\c:\480240.exec:\480240.exe48⤵
- Executes dropped EXE
-
\??\c:\c282660.exec:\c282660.exe49⤵
- Executes dropped EXE
-
\??\c:\tttnnn.exec:\tttnnn.exe50⤵
- Executes dropped EXE
-
\??\c:\4426660.exec:\4426660.exe51⤵
- Executes dropped EXE
-
\??\c:\e00044.exec:\e00044.exe52⤵
- Executes dropped EXE
-
\??\c:\hbhntb.exec:\hbhntb.exe53⤵
- Executes dropped EXE
-
\??\c:\8022600.exec:\8022600.exe54⤵
- Executes dropped EXE
-
\??\c:\7thbtt.exec:\7thbtt.exe55⤵
- Executes dropped EXE
-
\??\c:\xrrrfff.exec:\xrrrfff.exe56⤵
- Executes dropped EXE
-
\??\c:\fxllffl.exec:\fxllffl.exe57⤵
- Executes dropped EXE
-
\??\c:\260200.exec:\260200.exe58⤵
- Executes dropped EXE
-
\??\c:\llfrlff.exec:\llfrlff.exe59⤵
- Executes dropped EXE
-
\??\c:\e28044.exec:\e28044.exe60⤵
- Executes dropped EXE
-
\??\c:\4404200.exec:\4404200.exe61⤵
- Executes dropped EXE
-
\??\c:\46260.exec:\46260.exe62⤵
- Executes dropped EXE
-
\??\c:\dvjdp.exec:\dvjdp.exe63⤵
- Executes dropped EXE
-
\??\c:\fffxrlx.exec:\fffxrlx.exe64⤵
- Executes dropped EXE
-
\??\c:\dpjvj.exec:\dpjvj.exe65⤵
- Executes dropped EXE
-
\??\c:\688688.exec:\688688.exe66⤵
-
\??\c:\9djdv.exec:\9djdv.exe67⤵
-
\??\c:\pvvpd.exec:\pvvpd.exe68⤵
-
\??\c:\xxflrfx.exec:\xxflrfx.exe69⤵
-
\??\c:\q88888.exec:\q88888.exe70⤵
-
\??\c:\jvppj.exec:\jvppj.exe71⤵
-
\??\c:\fflfxrl.exec:\fflfxrl.exe72⤵
-
\??\c:\pppjd.exec:\pppjd.exe73⤵
- System Location Discovery: System Language Discovery
-
\??\c:\4800826.exec:\4800826.exe74⤵
-
\??\c:\m8820.exec:\m8820.exe75⤵
-
\??\c:\rrrllll.exec:\rrrllll.exe76⤵
-
\??\c:\4064888.exec:\4064888.exe77⤵
-
\??\c:\xllrrxx.exec:\xllrrxx.exe78⤵
-
\??\c:\vpvdd.exec:\vpvdd.exe79⤵
-
\??\c:\02882.exec:\02882.exe80⤵
-
\??\c:\842088.exec:\842088.exe81⤵
-
\??\c:\88486.exec:\88486.exe82⤵
-
\??\c:\thtttt.exec:\thtttt.exe83⤵
-
\??\c:\pddpj.exec:\pddpj.exe84⤵
-
\??\c:\60204.exec:\60204.exe85⤵
-
\??\c:\jjpjd.exec:\jjpjd.exe86⤵
-
\??\c:\0400448.exec:\0400448.exe87⤵
-
\??\c:\4824822.exec:\4824822.exe88⤵
-
\??\c:\6044826.exec:\6044826.exe89⤵
-
\??\c:\lxxrlfx.exec:\lxxrlfx.exe90⤵
-
\??\c:\3lllfxr.exec:\3lllfxr.exe91⤵
-
\??\c:\k80028.exec:\k80028.exe92⤵
-
\??\c:\jddvv.exec:\jddvv.exe93⤵
-
\??\c:\4004826.exec:\4004826.exe94⤵
-
\??\c:\bbnhhh.exec:\bbnhhh.exe95⤵
-
\??\c:\i248204.exec:\i248204.exe96⤵
-
\??\c:\djddv.exec:\djddv.exe97⤵
-
\??\c:\5jjdv.exec:\5jjdv.exe98⤵
-
\??\c:\q40086.exec:\q40086.exe99⤵
-
\??\c:\pjjvj.exec:\pjjvj.exe100⤵
-
\??\c:\4884260.exec:\4884260.exe101⤵
-
\??\c:\hbtttn.exec:\hbtttn.exe102⤵
-
\??\c:\rxrfrlf.exec:\rxrfrlf.exe103⤵
-
\??\c:\nhbtbb.exec:\nhbtbb.exe104⤵
-
\??\c:\2288662.exec:\2288662.exe105⤵
-
\??\c:\2460004.exec:\2460004.exe106⤵
-
\??\c:\jdddd.exec:\jdddd.exe107⤵
-
\??\c:\vddvj.exec:\vddvj.exe108⤵
-
\??\c:\42222.exec:\42222.exe109⤵
-
\??\c:\08084.exec:\08084.exe110⤵
-
\??\c:\6248660.exec:\6248660.exe111⤵
-
\??\c:\8622888.exec:\8622888.exe112⤵
-
\??\c:\a6044.exec:\a6044.exe113⤵
-
\??\c:\vpjvd.exec:\vpjvd.exe114⤵
-
\??\c:\jpvpj.exec:\jpvpj.exe115⤵
-
\??\c:\pjvpv.exec:\pjvpv.exe116⤵
-
\??\c:\024248.exec:\024248.exe117⤵
-
\??\c:\bnnbnh.exec:\bnnbnh.exe118⤵
-
\??\c:\htnhtn.exec:\htnhtn.exe119⤵
-
\??\c:\42044.exec:\42044.exe120⤵
-
\??\c:\nttnbt.exec:\nttnbt.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-