Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
24-12-2024 21:12
General
-
Target
37ad94d257ca8b5be88ecb7de8ca42fda589ea307c54d92d0d9abe5646828d4a.exe
-
Size
73KB
-
MD5
75ce39d43ef52bdf3215491a2e294a01
-
SHA1
a5fd26f0887dcbe3b07e039511c6d84839658891
-
SHA256
37ad94d257ca8b5be88ecb7de8ca42fda589ea307c54d92d0d9abe5646828d4a
-
SHA512
d32db1f2f221aaee73a4bc7afdd531226357ab693689ad24e315aa0d6c2afde94c75b4fb4d432a4caa48b6e52fa60566ceab350533ca40b6a7d4ea170ca9971c
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yUPqrDZ5RxfVK5DTj:ymb3NkkiQ3mdBjF0yUmrfVcr
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\37ad94d257ca8b5be88ecb7de8ca42fda589ea307c54d92d0d9abe5646828d4a.exe"C:\Users\Admin\AppData\Local\Temp\37ad94d257ca8b5be88ecb7de8ca42fda589ea307c54d92d0d9abe5646828d4a.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnntn.exec:\hbnntn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\204426.exec:\204426.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\062248.exec:\062248.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9xlflfr.exec:\9xlflfr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9llfrrf.exec:\9llfrrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rllrlrl.exec:\rllrlrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4444260.exec:\4444260.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\k62082.exec:\k62082.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxrlxrl.exec:\rxrlxrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8426460.exec:\8426460.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\u00865l.exec:\u00865l.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbtnhh.exec:\nbtnhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrfxrl.exec:\lfrfxrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\g4608.exec:\g4608.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxxrxx.exec:\lfxxrxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6426260.exec:\6426260.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbhtb.exec:\tnbhtb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\424260.exec:\424260.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvjv.exec:\jjvjv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6006488.exec:\6006488.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxxrxrl.exec:\xxxrxrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6882426.exec:\6882426.exe23⤵
- Executes dropped EXE
-
\??\c:\4866404.exec:\4866404.exe24⤵
- Executes dropped EXE
-
\??\c:\8486048.exec:\8486048.exe25⤵
- Executes dropped EXE
-
\??\c:\rxxlfxr.exec:\rxxlfxr.exe26⤵
- Executes dropped EXE
-
\??\c:\646448.exec:\646448.exe27⤵
- Executes dropped EXE
-
\??\c:\tbthnh.exec:\tbthnh.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\fxxlfxl.exec:\fxxlfxl.exe29⤵
- Executes dropped EXE
-
\??\c:\pvpvd.exec:\pvpvd.exe30⤵
- Executes dropped EXE
-
\??\c:\044822.exec:\044822.exe31⤵
- Executes dropped EXE
-
\??\c:\btnhtb.exec:\btnhtb.exe32⤵
- Executes dropped EXE
-
\??\c:\1ntntb.exec:\1ntntb.exe33⤵
- Executes dropped EXE
-
\??\c:\bntnbt.exec:\bntnbt.exe34⤵
- Executes dropped EXE
-
\??\c:\thhbnt.exec:\thhbnt.exe35⤵
- Executes dropped EXE
-
\??\c:\djjdp.exec:\djjdp.exe36⤵
- Executes dropped EXE
-
\??\c:\vvppp.exec:\vvppp.exe37⤵
- Executes dropped EXE
-
\??\c:\nhnnnh.exec:\nhnnnh.exe38⤵
- Executes dropped EXE
-
\??\c:\dvjpv.exec:\dvjpv.exe39⤵
- Executes dropped EXE
-
\??\c:\002428.exec:\002428.exe40⤵
- Executes dropped EXE
-
\??\c:\606288.exec:\606288.exe41⤵
- Executes dropped EXE
-
\??\c:\4484028.exec:\4484028.exe42⤵
- Executes dropped EXE
-
\??\c:\9nnbtn.exec:\9nnbtn.exe43⤵
- Executes dropped EXE
-
\??\c:\ththtn.exec:\ththtn.exe44⤵
- Executes dropped EXE
-
\??\c:\s2480.exec:\s2480.exe45⤵
- Executes dropped EXE
-
\??\c:\bbttb.exec:\bbttb.exe46⤵
- Executes dropped EXE
-
\??\c:\9xxxrxr.exec:\9xxxrxr.exe47⤵
- Executes dropped EXE
-
\??\c:\jdppv.exec:\jdppv.exe48⤵
- Executes dropped EXE
-
\??\c:\hbbbtt.exec:\hbbbtt.exe49⤵
- Executes dropped EXE
-
\??\c:\htbbtt.exec:\htbbtt.exe50⤵
- Executes dropped EXE
-
\??\c:\040088.exec:\040088.exe51⤵
- Executes dropped EXE
-
\??\c:\ttnhhh.exec:\ttnhhh.exe52⤵
- Executes dropped EXE
-
\??\c:\9xfffff.exec:\9xfffff.exe53⤵
- Executes dropped EXE
-
\??\c:\q68246.exec:\q68246.exe54⤵
- Executes dropped EXE
-
\??\c:\dvvjd.exec:\dvvjd.exe55⤵
- Executes dropped EXE
-
\??\c:\rrxrrfx.exec:\rrxrrfx.exe56⤵
- Executes dropped EXE
-
\??\c:\q00000.exec:\q00000.exe57⤵
- Executes dropped EXE
-
\??\c:\48408.exec:\48408.exe58⤵
- Executes dropped EXE
-
\??\c:\rlrrxrx.exec:\rlrrxrx.exe59⤵
- Executes dropped EXE
-
\??\c:\3nhhbb.exec:\3nhhbb.exe60⤵
- Executes dropped EXE
-
\??\c:\bbhhtt.exec:\bbhhtt.exe61⤵
- Executes dropped EXE
-
\??\c:\frxrrrl.exec:\frxrrrl.exe62⤵
- Executes dropped EXE
-
\??\c:\rllrfxl.exec:\rllrfxl.exe63⤵
- Executes dropped EXE
-
\??\c:\i866222.exec:\i866222.exe64⤵
- Executes dropped EXE
-
\??\c:\c668066.exec:\c668066.exe65⤵
- Executes dropped EXE
-
\??\c:\lxxxxfx.exec:\lxxxxfx.exe66⤵
-
\??\c:\9dddd.exec:\9dddd.exe67⤵
-
\??\c:\8248440.exec:\8248440.exe68⤵
-
\??\c:\m8482.exec:\m8482.exe69⤵
-
\??\c:\402600.exec:\402600.exe70⤵
-
\??\c:\thtnhh.exec:\thtnhh.exe71⤵
-
\??\c:\04008.exec:\04008.exe72⤵
-
\??\c:\e46088.exec:\e46088.exe73⤵
-
\??\c:\46602.exec:\46602.exe74⤵
-
\??\c:\w80444.exec:\w80444.exe75⤵
-
\??\c:\fxffllx.exec:\fxffllx.exe76⤵
-
\??\c:\bnbbbh.exec:\bnbbbh.exe77⤵
-
\??\c:\bhnbnt.exec:\bhnbnt.exe78⤵
-
\??\c:\rrrllll.exec:\rrrllll.exe79⤵
-
\??\c:\vpvpv.exec:\vpvpv.exe80⤵
-
\??\c:\8626060.exec:\8626060.exe81⤵
-
\??\c:\268488.exec:\268488.exe82⤵
-
\??\c:\48208.exec:\48208.exe83⤵
-
\??\c:\ffrfxlf.exec:\ffrfxlf.exe84⤵
-
\??\c:\pvvpd.exec:\pvvpd.exe85⤵
-
\??\c:\42820.exec:\42820.exe86⤵
-
\??\c:\dpdvp.exec:\dpdvp.exe87⤵
-
\??\c:\82848.exec:\82848.exe88⤵
-
\??\c:\rlllfff.exec:\rlllfff.exe89⤵
-
\??\c:\8280066.exec:\8280066.exe90⤵
-
\??\c:\hthhhh.exec:\hthhhh.exe91⤵
-
\??\c:\266666.exec:\266666.exe92⤵
-
\??\c:\hbtnhh.exec:\hbtnhh.exe93⤵
-
\??\c:\88060.exec:\88060.exe94⤵
-
\??\c:\ddjdd.exec:\ddjdd.exe95⤵
-
\??\c:\s6888.exec:\s6888.exe96⤵
-
\??\c:\0860006.exec:\0860006.exe97⤵
-
\??\c:\400600.exec:\400600.exe98⤵
-
\??\c:\xlfffrl.exec:\xlfffrl.exe99⤵
-
\??\c:\40604.exec:\40604.exe100⤵
-
\??\c:\tttbnb.exec:\tttbnb.exe101⤵
-
\??\c:\hntnnh.exec:\hntnnh.exe102⤵
-
\??\c:\xxlfxxx.exec:\xxlfxxx.exe103⤵
-
\??\c:\rxxfffr.exec:\rxxfffr.exe104⤵
-
\??\c:\q06622.exec:\q06622.exe105⤵
-
\??\c:\jjjpp.exec:\jjjpp.exe106⤵
-
\??\c:\60842.exec:\60842.exe107⤵
-
\??\c:\bhtnhh.exec:\bhtnhh.exe108⤵
-
\??\c:\tttthh.exec:\tttthh.exe109⤵
-
\??\c:\vvjdp.exec:\vvjdp.exe110⤵
-
\??\c:\64048.exec:\64048.exe111⤵
-
\??\c:\0400848.exec:\0400848.exe112⤵
-
\??\c:\bnhhbb.exec:\bnhhbb.exe113⤵
-
\??\c:\vjpjj.exec:\vjpjj.exe114⤵
-
\??\c:\820488.exec:\820488.exe115⤵
-
\??\c:\g0600.exec:\g0600.exe116⤵
-
\??\c:\u066402.exec:\u066402.exe117⤵
-
\??\c:\262828.exec:\262828.exe118⤵
-
\??\c:\828246.exec:\828246.exe119⤵
-
\??\c:\662222.exec:\662222.exe120⤵
-
\??\c:\60026.exec:\60026.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-