Analysis
-
max time kernel
150s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
24-12-2024 20:26
General
-
Target
21f770bb925e78503e397de3b0d29ad5081d3211abbb57733674fb38c90a14f0.exe
-
Size
54KB
-
MD5
b286483fb6d61f417c889121666538d6
-
SHA1
d84d87728b018c74ec989cf5f5b353555b90b678
-
SHA256
21f770bb925e78503e397de3b0d29ad5081d3211abbb57733674fb38c90a14f0
-
SHA512
7890f8e102c7e8d5877661704722c838f9268b3ce18f49ef90b9810f1427ec940c1df24c6c070a2a07e9ad63afafdf396fa897462bb00af084301034a2e79202
-
SSDEEP
1536:mAocdpeVoBDulhzHMb7xNAa04Mcg5IKvlNJt:0cdpeeBSHHMHLf9RyIET
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 64 IoCs
-
Executes dropped EXE 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\21f770bb925e78503e397de3b0d29ad5081d3211abbb57733674fb38c90a14f0.exe"C:\Users\Admin\AppData\Local\Temp\21f770bb925e78503e397de3b0d29ad5081d3211abbb57733674fb38c90a14f0.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\5hbbtn.exec:\5hbbtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pppjj.exec:\pppjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fffxrrl.exec:\fffxrrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrllfx.exec:\fxrllfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhbttt.exec:\bhbttt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpjv.exec:\dvpjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjdv.exec:\pjjdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhhtb.exec:\nbhhtb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhhbnn.exec:\bhhbnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpvpd.exec:\jpvpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxfrlfx.exec:\rxfrlfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxrrxr.exec:\lxxrrxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnhhtt.exec:\bnhhtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvvpj.exec:\jvvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vppdj.exec:\vppdj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fffrfrl.exec:\fffrfrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7nnnnn.exec:\7nnnnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dppjj.exec:\dppjj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvvp.exec:\dvvvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7xrrlff.exec:\7xrrlff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjvpp.exec:\vjvpp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvpj.exec:\pjvpj.exe23⤵
- Executes dropped EXE
-
\??\c:\xllfxxr.exec:\xllfxxr.exe24⤵
- Executes dropped EXE
-
\??\c:\nnhttn.exec:\nnhttn.exe25⤵
- Executes dropped EXE
-
\??\c:\htbtnb.exec:\htbtnb.exe26⤵
- Executes dropped EXE
-
\??\c:\pjdvp.exec:\pjdvp.exe27⤵
- Executes dropped EXE
-
\??\c:\rrfxlfx.exec:\rrfxlfx.exe28⤵
- Executes dropped EXE
-
\??\c:\fflxfxr.exec:\fflxfxr.exe29⤵
- Executes dropped EXE
-
\??\c:\btttnn.exec:\btttnn.exe30⤵
- Executes dropped EXE
-
\??\c:\xlllfff.exec:\xlllfff.exe31⤵
- Executes dropped EXE
-
\??\c:\lxrrllx.exec:\lxrrllx.exe32⤵
- Executes dropped EXE
-
\??\c:\hhhbtt.exec:\hhhbtt.exe33⤵
- Executes dropped EXE
-
\??\c:\vpvvd.exec:\vpvvd.exe34⤵
- Executes dropped EXE
-
\??\c:\pjjvd.exec:\pjjvd.exe35⤵
- Executes dropped EXE
-
\??\c:\rxffxxx.exec:\rxffxxx.exe36⤵
- Executes dropped EXE
-
\??\c:\ffrlffx.exec:\ffrlffx.exe37⤵
- Executes dropped EXE
-
\??\c:\ttnnnn.exec:\ttnnnn.exe38⤵
- Executes dropped EXE
-
\??\c:\htbhbh.exec:\htbhbh.exe39⤵
- Executes dropped EXE
-
\??\c:\jvpjd.exec:\jvpjd.exe40⤵
- Executes dropped EXE
-
\??\c:\hbhhbb.exec:\hbhhbb.exe41⤵
- Executes dropped EXE
-
\??\c:\hbhbbh.exec:\hbhbbh.exe42⤵
- Executes dropped EXE
-
\??\c:\vjvvj.exec:\vjvvj.exe43⤵
- Executes dropped EXE
-
\??\c:\vvdpv.exec:\vvdpv.exe44⤵
- Executes dropped EXE
-
\??\c:\3llxlff.exec:\3llxlff.exe45⤵
- Executes dropped EXE
-
\??\c:\rlffxrr.exec:\rlffxrr.exe46⤵
- Executes dropped EXE
-
\??\c:\3ntbbb.exec:\3ntbbb.exe47⤵
- Executes dropped EXE
-
\??\c:\tbhhbt.exec:\tbhhbt.exe48⤵
- Executes dropped EXE
-
\??\c:\xrxrrxx.exec:\xrxrrxx.exe49⤵
- Executes dropped EXE
-
\??\c:\nnnnhh.exec:\nnnnhh.exe50⤵
- Executes dropped EXE
-
\??\c:\ppvvv.exec:\ppvvv.exe51⤵
- Executes dropped EXE
-
\??\c:\1rfxfxr.exec:\1rfxfxr.exe52⤵
- Executes dropped EXE
-
\??\c:\bthbtn.exec:\bthbtn.exe53⤵
- Executes dropped EXE
-
\??\c:\xfxrlfx.exec:\xfxrlfx.exe54⤵
- Executes dropped EXE
-
\??\c:\bnhhbb.exec:\bnhhbb.exe55⤵
- Executes dropped EXE
-
\??\c:\jddpd.exec:\jddpd.exe56⤵
- Executes dropped EXE
-
\??\c:\xlrrllf.exec:\xlrrllf.exe57⤵
- Executes dropped EXE
-
\??\c:\hhhbnt.exec:\hhhbnt.exe58⤵
- Executes dropped EXE
-
\??\c:\vvdpd.exec:\vvdpd.exe59⤵
- Executes dropped EXE
-
\??\c:\5rrfrrx.exec:\5rrfrrx.exe60⤵
- Executes dropped EXE
-
\??\c:\rrrrxrr.exec:\rrrrxrr.exe61⤵
- Executes dropped EXE
-
\??\c:\7hhbtn.exec:\7hhbtn.exe62⤵
- Executes dropped EXE
-
\??\c:\btnnhb.exec:\btnnhb.exe63⤵
- Executes dropped EXE
-
\??\c:\vpdpp.exec:\vpdpp.exe64⤵
- Executes dropped EXE
-
\??\c:\jdvjv.exec:\jdvjv.exe65⤵
- Executes dropped EXE
-
\??\c:\1llfxrl.exec:\1llfxrl.exe66⤵
-
\??\c:\hbnhtb.exec:\hbnhtb.exe67⤵
-
\??\c:\thhbnb.exec:\thhbnb.exe68⤵
-
\??\c:\jjvvv.exec:\jjvvv.exe69⤵
-
\??\c:\7ffxxxr.exec:\7ffxxxr.exe70⤵
-
\??\c:\lxxrrfx.exec:\lxxrrfx.exe71⤵
-
\??\c:\vdjdp.exec:\vdjdp.exe72⤵
-
\??\c:\rfllfff.exec:\rfllfff.exe73⤵
-
\??\c:\nhnhbh.exec:\nhnhbh.exe74⤵
-
\??\c:\nhhbtt.exec:\nhhbtt.exe75⤵
-
\??\c:\pjjvj.exec:\pjjvj.exe76⤵
-
\??\c:\pvpjd.exec:\pvpjd.exe77⤵
-
\??\c:\3frlxrl.exec:\3frlxrl.exe78⤵
-
\??\c:\hnnbbt.exec:\hnnbbt.exe79⤵
-
\??\c:\htthtn.exec:\htthtn.exe80⤵
-
\??\c:\pppjd.exec:\pppjd.exe81⤵
-
\??\c:\rxxfrrr.exec:\rxxfrrr.exe82⤵
-
\??\c:\xfrlffx.exec:\xfrlffx.exe83⤵
-
\??\c:\xfxxrlx.exec:\xfxxrlx.exe84⤵
-
\??\c:\5ttttn.exec:\5ttttn.exe85⤵
-
\??\c:\dppjv.exec:\dppjv.exe86⤵
-
\??\c:\jjpjd.exec:\jjpjd.exe87⤵
-
\??\c:\rflfxxr.exec:\rflfxxr.exe88⤵
-
\??\c:\lflrxxx.exec:\lflrxxx.exe89⤵
-
\??\c:\nhbthb.exec:\nhbthb.exe90⤵
-
\??\c:\hbtnnn.exec:\hbtnnn.exe91⤵
-
\??\c:\dvjdd.exec:\dvjdd.exe92⤵
-
\??\c:\pdjjj.exec:\pdjjj.exe93⤵
-
\??\c:\rllfxrl.exec:\rllfxrl.exe94⤵
-
\??\c:\rxxrlrl.exec:\rxxrlrl.exe95⤵
-
\??\c:\bhhhhb.exec:\bhhhhb.exe96⤵
-
\??\c:\bhnhbt.exec:\bhnhbt.exe97⤵
-
\??\c:\ppjjd.exec:\ppjjd.exe98⤵
-
\??\c:\vpdvv.exec:\vpdvv.exe99⤵
-
\??\c:\3lrrffl.exec:\3lrrffl.exe100⤵
-
\??\c:\xfxxrrl.exec:\xfxxrrl.exe101⤵
-
\??\c:\5nttht.exec:\5nttht.exe102⤵
-
\??\c:\5dpjj.exec:\5dpjj.exe103⤵
-
\??\c:\dvvpd.exec:\dvvpd.exe104⤵
-
\??\c:\lrlfxxr.exec:\lrlfxxr.exe105⤵
-
\??\c:\tttnhb.exec:\tttnhb.exe106⤵
-
\??\c:\hhhbnn.exec:\hhhbnn.exe107⤵
-
\??\c:\jppjv.exec:\jppjv.exe108⤵
-
\??\c:\dvjdv.exec:\dvjdv.exe109⤵
-
\??\c:\3lffxrr.exec:\3lffxrr.exe110⤵
-
\??\c:\btnbbt.exec:\btnbbt.exe111⤵
-
\??\c:\1hbtht.exec:\1hbtht.exe112⤵
-
\??\c:\9ppjd.exec:\9ppjd.exe113⤵
-
\??\c:\jvdvp.exec:\jvdvp.exe114⤵
-
\??\c:\lxxrllf.exec:\lxxrllf.exe115⤵
-
\??\c:\9fxxllf.exec:\9fxxllf.exe116⤵
-
\??\c:\thhbtn.exec:\thhbtn.exe117⤵
-
\??\c:\bhthtt.exec:\bhthtt.exe118⤵
-
\??\c:\pvjdp.exec:\pvjdp.exe119⤵
-
\??\c:\vjdvj.exec:\vjdvj.exe120⤵
-
\??\c:\1fffxrr.exec:\1fffxrr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-