Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26-12-2024 07:16
General
-
Target
30a3bc79dae20581b18f0e262172570ad2b41614dad616e8475e9314be34834eN.exe
-
Size
298KB
-
MD5
54df9ac7d36d7ba1259a43c114ec5ce0
-
SHA1
ee9aa1bfbbcf37abe0490c3802099caadd9041ad
-
SHA256
30a3bc79dae20581b18f0e262172570ad2b41614dad616e8475e9314be34834e
-
SHA512
457e144f3402c143fab04b7fdb5cfcd705bc12df45c261c25f716e9b7cd5fe002f53d1d96fa116fd8ff1283e6fd3d76bf9cb54e87c511804f4ffeadf1e0bb9a8
-
SSDEEP
6144:n3C9BRo/AIuuOthLmH403Pyr6UWO6jUl7sPgvs:n3C9uDVOXLmHBKWyn+Pgvs
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 29 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 36 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\30a3bc79dae20581b18f0e262172570ad2b41614dad616e8475e9314be34834eN.exe"C:\Users\Admin\AppData\Local\Temp\30a3bc79dae20581b18f0e262172570ad2b41614dad616e8475e9314be34834eN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\pjpjd.exec:\pjpjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjpv.exec:\jdjpv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8826082.exec:\8826082.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6226600.exec:\6226600.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\u866442.exec:\u866442.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\02288.exec:\02288.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0662666.exec:\0662666.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\664600.exec:\664600.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3ppjd.exec:\3ppjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\280488.exec:\280488.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\640460.exec:\640460.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\a8482.exec:\a8482.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpjjj.exec:\vpjjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\042622.exec:\042622.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\w24448.exec:\w24448.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lffxxfx.exec:\lffxxfx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lllfxfr.exec:\lllfxfr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bntnhb.exec:\bntnhb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhtnhh.exec:\bhtnhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\288260.exec:\288260.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\60842.exec:\60842.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1frlffx.exec:\1frlffx.exe23⤵
- Executes dropped EXE
-
\??\c:\rlrrlrr.exec:\rlrrlrr.exe24⤵
- Executes dropped EXE
-
\??\c:\dpppj.exec:\dpppj.exe25⤵
- Executes dropped EXE
-
\??\c:\jdjdv.exec:\jdjdv.exe26⤵
- Executes dropped EXE
-
\??\c:\tbnnnt.exec:\tbnnnt.exe27⤵
- Executes dropped EXE
-
\??\c:\a2260.exec:\a2260.exe28⤵
- Executes dropped EXE
-
\??\c:\lffxrrl.exec:\lffxrrl.exe29⤵
- Executes dropped EXE
-
\??\c:\djppj.exec:\djppj.exe30⤵
- Executes dropped EXE
-
\??\c:\8444440.exec:\8444440.exe31⤵
- Executes dropped EXE
-
\??\c:\jjjdv.exec:\jjjdv.exe32⤵
- Executes dropped EXE
-
\??\c:\240426.exec:\240426.exe33⤵
- Executes dropped EXE
-
\??\c:\640848.exec:\640848.exe34⤵
- Executes dropped EXE
-
\??\c:\i464882.exec:\i464882.exe35⤵
- Executes dropped EXE
-
\??\c:\44882.exec:\44882.exe36⤵
- Executes dropped EXE
-
\??\c:\266626.exec:\266626.exe37⤵
- Executes dropped EXE
-
\??\c:\i842660.exec:\i842660.exe38⤵
- Executes dropped EXE
-
\??\c:\u848288.exec:\u848288.exe39⤵
- Executes dropped EXE
-
\??\c:\ddjdd.exec:\ddjdd.exe40⤵
- Executes dropped EXE
-
\??\c:\pppjd.exec:\pppjd.exe41⤵
- Executes dropped EXE
-
\??\c:\1llxlfx.exec:\1llxlfx.exe42⤵
-
\??\c:\26004.exec:\26004.exe43⤵
- Executes dropped EXE
-
\??\c:\dvpjd.exec:\dvpjd.exe44⤵
- Executes dropped EXE
-
\??\c:\6626000.exec:\6626000.exe45⤵
- Executes dropped EXE
-
\??\c:\9pppj.exec:\9pppj.exe46⤵
- Executes dropped EXE
-
\??\c:\bbbtnn.exec:\bbbtnn.exe47⤵
- Executes dropped EXE
-
\??\c:\4000444.exec:\4000444.exe48⤵
- Executes dropped EXE
-
\??\c:\dvvpp.exec:\dvvpp.exe49⤵
- Executes dropped EXE
-
\??\c:\062200.exec:\062200.exe50⤵
- Executes dropped EXE
-
\??\c:\c288266.exec:\c288266.exe51⤵
- Executes dropped EXE
-
\??\c:\hhhbtt.exec:\hhhbtt.exe52⤵
- Executes dropped EXE
-
\??\c:\0686046.exec:\0686046.exe53⤵
- Executes dropped EXE
-
\??\c:\rxxxllf.exec:\rxxxllf.exe54⤵
- Executes dropped EXE
-
\??\c:\488266.exec:\488266.exe55⤵
- Executes dropped EXE
-
\??\c:\8828660.exec:\8828660.exe56⤵
- Executes dropped EXE
-
\??\c:\48826.exec:\48826.exe57⤵
- Executes dropped EXE
-
\??\c:\hbtbth.exec:\hbtbth.exe58⤵
- Executes dropped EXE
-
\??\c:\k04044.exec:\k04044.exe59⤵
- Executes dropped EXE
-
\??\c:\04228.exec:\04228.exe60⤵
- Executes dropped EXE
-
\??\c:\bbhbtt.exec:\bbhbtt.exe61⤵
- Executes dropped EXE
-
\??\c:\w84480.exec:\w84480.exe62⤵
- Executes dropped EXE
-
\??\c:\vpvdp.exec:\vpvdp.exe63⤵
- Executes dropped EXE
-
\??\c:\2004488.exec:\2004488.exe64⤵
- Executes dropped EXE
-
\??\c:\5dvvp.exec:\5dvvp.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\a2442.exec:\a2442.exe66⤵
- Executes dropped EXE
-
\??\c:\0686622.exec:\0686622.exe67⤵
-
\??\c:\5lxlxrf.exec:\5lxlxrf.exe68⤵
-
\??\c:\622260.exec:\622260.exe69⤵
-
\??\c:\flffflf.exec:\flffflf.exe70⤵
-
\??\c:\frxlxlf.exec:\frxlxlf.exe71⤵
-
\??\c:\djpvv.exec:\djpvv.exe72⤵
-
\??\c:\204444.exec:\204444.exe73⤵
-
\??\c:\824826.exec:\824826.exe74⤵
-
\??\c:\frlxfxr.exec:\frlxfxr.exe75⤵
-
\??\c:\w84848.exec:\w84848.exe76⤵
-
\??\c:\0644000.exec:\0644000.exe77⤵
-
\??\c:\hbnttt.exec:\hbnttt.exe78⤵
-
\??\c:\484422.exec:\484422.exe79⤵
-
\??\c:\jjpvv.exec:\jjpvv.exe80⤵
-
\??\c:\q46400.exec:\q46400.exe81⤵
-
\??\c:\pddjv.exec:\pddjv.exe82⤵
-
\??\c:\nhnnhh.exec:\nhnnhh.exe83⤵
-
\??\c:\httthh.exec:\httthh.exe84⤵
-
\??\c:\s2260.exec:\s2260.exe85⤵
-
\??\c:\o244440.exec:\o244440.exe86⤵
-
\??\c:\8882608.exec:\8882608.exe87⤵
-
\??\c:\860426.exec:\860426.exe88⤵
-
\??\c:\bhhthb.exec:\bhhthb.exe89⤵
-
\??\c:\6000882.exec:\6000882.exe90⤵
-
\??\c:\pvpvv.exec:\pvpvv.exe91⤵
-
\??\c:\hhhbnt.exec:\hhhbnt.exe92⤵
-
\??\c:\40286.exec:\40286.exe93⤵
-
\??\c:\088044.exec:\088044.exe94⤵
-
\??\c:\9tbbbh.exec:\9tbbbh.exe95⤵
-
\??\c:\o422660.exec:\o422660.exe96⤵
-
\??\c:\ttbthb.exec:\ttbthb.exe97⤵
-
\??\c:\1jppj.exec:\1jppj.exe98⤵
-
\??\c:\1djvd.exec:\1djvd.exe99⤵
-
\??\c:\042222.exec:\042222.exe100⤵
-
\??\c:\dppjj.exec:\dppjj.exe101⤵
-
\??\c:\rrrflxl.exec:\rrrflxl.exe102⤵
-
\??\c:\0842606.exec:\0842606.exe103⤵
-
\??\c:\44082.exec:\44082.exe104⤵
-
\??\c:\9ttnhh.exec:\9ttnhh.exe105⤵
-
\??\c:\3bbnbt.exec:\3bbnbt.exe106⤵
-
\??\c:\480400.exec:\480400.exe107⤵
-
\??\c:\rllfxxx.exec:\rllfxxx.exe108⤵
-
\??\c:\bhhbbt.exec:\bhhbbt.exe109⤵
-
\??\c:\5vpjv.exec:\5vpjv.exe110⤵
-
\??\c:\4082688.exec:\4082688.exe111⤵
-
\??\c:\xxlfxxr.exec:\xxlfxxr.exe112⤵
-
\??\c:\jddvj.exec:\jddvj.exe113⤵
-
\??\c:\5jjpd.exec:\5jjpd.exe114⤵
-
\??\c:\xflffff.exec:\xflffff.exe115⤵
-
\??\c:\866488.exec:\866488.exe116⤵
-
\??\c:\vjjjj.exec:\vjjjj.exe117⤵
-
\??\c:\ttntnn.exec:\ttntnn.exe118⤵
-
\??\c:\6844882.exec:\6844882.exe119⤵
-
\??\c:\0026262.exec:\0026262.exe120⤵
-
\??\c:\42204.exec:\42204.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-