Analysis
-
max time kernel
150s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
18-02-2025 02:28
General
-
Target
8b78e4a870372ede7622c024335bab7c307f61808384034c476dd2440024cc5f.exe
-
Size
61KB
-
MD5
f2c1b49e9873f3f1a4baa2b407b87308
-
SHA1
0f1545db8235abd2602d76bc95d573c59f0001bb
-
SHA256
8b78e4a870372ede7622c024335bab7c307f61808384034c476dd2440024cc5f
-
SHA512
3976b702d5721fb24e52a83fbf7d5d34799f312c80d37d98c3ffcdb925b4cc858f5e9f6bbbd0f4fd060013e6e95e373277e20bede98b0a9fdb677b08e992af7f
-
SSDEEP
1536:mAocdpeVoBDulhzHMb7xNAa04Mcg5IKvlNJiT:0cdpeeBSHHMHLf9RyIEQT
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 63 IoCs
-
Executes dropped EXE 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8b78e4a870372ede7622c024335bab7c307f61808384034c476dd2440024cc5f.exe"C:\Users\Admin\AppData\Local\Temp\8b78e4a870372ede7622c024335bab7c307f61808384034c476dd2440024cc5f.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\04428.exec:\04428.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvpd.exec:\dvvpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4848600.exec:\4848600.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\262602.exec:\262602.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbbbbt.exec:\tbbbbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bntthb.exec:\bntthb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\02888.exec:\02888.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxrrrl.exec:\frxrrrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\08864.exec:\08864.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4405dj.exec:\4405dj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\044622.exec:\044622.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\84042.exec:\84042.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrlfxrf.exec:\xrlfxrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4422200.exec:\4422200.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\k62266.exec:\k62266.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\k80422.exec:\k80422.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\442888.exec:\442888.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lffffff.exec:\lffffff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6666482.exec:\6666482.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxlfxxf.exec:\xxlfxxf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8888228.exec:\8888228.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnttnt.exec:\hnttnt.exe23⤵
- Executes dropped EXE
-
\??\c:\024248.exec:\024248.exe24⤵
- Executes dropped EXE
-
\??\c:\dpdjj.exec:\dpdjj.exe25⤵
- Executes dropped EXE
-
\??\c:\440008.exec:\440008.exe26⤵
- Executes dropped EXE
-
\??\c:\dddvd.exec:\dddvd.exe27⤵
- Executes dropped EXE
-
\??\c:\lrrlffr.exec:\lrrlffr.exe28⤵
- Executes dropped EXE
-
\??\c:\ppjdd.exec:\ppjdd.exe29⤵
- Executes dropped EXE
-
\??\c:\nbbhbn.exec:\nbbhbn.exe30⤵
- Executes dropped EXE
-
\??\c:\jdpvd.exec:\jdpvd.exe31⤵
- Executes dropped EXE
-
\??\c:\646284.exec:\646284.exe32⤵
- Executes dropped EXE
-
\??\c:\thbtnt.exec:\thbtnt.exe33⤵
- Executes dropped EXE
-
\??\c:\hbtnhh.exec:\hbtnhh.exe34⤵
- Executes dropped EXE
-
\??\c:\nbbbnh.exec:\nbbbnh.exe35⤵
- Executes dropped EXE
-
\??\c:\4806806.exec:\4806806.exe36⤵
- Executes dropped EXE
-
\??\c:\xxxxxrx.exec:\xxxxxrx.exe37⤵
- Executes dropped EXE
-
\??\c:\8222626.exec:\8222626.exe38⤵
- Executes dropped EXE
-
\??\c:\48044.exec:\48044.exe39⤵
- Executes dropped EXE
-
\??\c:\20048.exec:\20048.exe40⤵
- Executes dropped EXE
-
\??\c:\ntbbhh.exec:\ntbbhh.exe41⤵
- Executes dropped EXE
-
\??\c:\44608.exec:\44608.exe42⤵
- Executes dropped EXE
-
\??\c:\620422.exec:\620422.exe43⤵
- Executes dropped EXE
-
\??\c:\24622.exec:\24622.exe44⤵
- Executes dropped EXE
-
\??\c:\44442.exec:\44442.exe45⤵
- Executes dropped EXE
-
\??\c:\rrlxrlf.exec:\rrlxrlf.exe46⤵
- Executes dropped EXE
-
\??\c:\bhhhbt.exec:\bhhhbt.exe47⤵
- Executes dropped EXE
-
\??\c:\xlrlxxr.exec:\xlrlxxr.exe48⤵
- Executes dropped EXE
-
\??\c:\240448.exec:\240448.exe49⤵
- Executes dropped EXE
-
\??\c:\5flfrxx.exec:\5flfrxx.exe50⤵
- Executes dropped EXE
-
\??\c:\446884.exec:\446884.exe51⤵
- Executes dropped EXE
-
\??\c:\rrlllff.exec:\rrlllff.exe52⤵
- Executes dropped EXE
-
\??\c:\668804.exec:\668804.exe53⤵
- Executes dropped EXE
-
\??\c:\68488.exec:\68488.exe54⤵
- Executes dropped EXE
-
\??\c:\bnthtt.exec:\bnthtt.exe55⤵
- Executes dropped EXE
-
\??\c:\pdvvp.exec:\pdvvp.exe56⤵
- Executes dropped EXE
-
\??\c:\htnnbt.exec:\htnnbt.exe57⤵
- Executes dropped EXE
-
\??\c:\jjdvj.exec:\jjdvj.exe58⤵
- Executes dropped EXE
-
\??\c:\48404.exec:\48404.exe59⤵
- Executes dropped EXE
-
\??\c:\0682860.exec:\0682860.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\rfllfff.exec:\rfllfff.exe61⤵
- Executes dropped EXE
-
\??\c:\pvdvp.exec:\pvdvp.exe62⤵
- Executes dropped EXE
-
\??\c:\nnnbnn.exec:\nnnbnn.exe63⤵
- Executes dropped EXE
-
\??\c:\jjpjj.exec:\jjpjj.exe64⤵
- Executes dropped EXE
-
\??\c:\664808.exec:\664808.exe65⤵
- Executes dropped EXE
-
\??\c:\4424680.exec:\4424680.exe66⤵
-
\??\c:\dpvvp.exec:\dpvvp.exe67⤵
-
\??\c:\484826.exec:\484826.exe68⤵
-
\??\c:\pjvdp.exec:\pjvdp.exe69⤵
-
\??\c:\828268.exec:\828268.exe70⤵
-
\??\c:\nbbthh.exec:\nbbthh.exe71⤵
-
\??\c:\62886.exec:\62886.exe72⤵
-
\??\c:\2022044.exec:\2022044.exe73⤵
-
\??\c:\xlrlxrl.exec:\xlrlxrl.exe74⤵
-
\??\c:\fffxlff.exec:\fffxlff.exe75⤵
-
\??\c:\4800000.exec:\4800000.exe76⤵
-
\??\c:\04224.exec:\04224.exe77⤵
-
\??\c:\8060886.exec:\8060886.exe78⤵
-
\??\c:\nnnthn.exec:\nnnthn.exe79⤵
-
\??\c:\jdjvp.exec:\jdjvp.exe80⤵
-
\??\c:\k84826.exec:\k84826.exe81⤵
-
\??\c:\262682.exec:\262682.exe82⤵
-
\??\c:\0044664.exec:\0044664.exe83⤵
-
\??\c:\828826.exec:\828826.exe84⤵
-
\??\c:\q28864.exec:\q28864.exe85⤵
-
\??\c:\xxxrflf.exec:\xxxrflf.exe86⤵
-
\??\c:\xrlffxr.exec:\xrlffxr.exe87⤵
-
\??\c:\xxfxrlf.exec:\xxfxrlf.exe88⤵
-
\??\c:\268264.exec:\268264.exe89⤵
-
\??\c:\hnntnb.exec:\hnntnb.exe90⤵
-
\??\c:\4022682.exec:\4022682.exe91⤵
-
\??\c:\044860.exec:\044860.exe92⤵
-
\??\c:\httnbt.exec:\httnbt.exe93⤵
-
\??\c:\9xlfffr.exec:\9xlfffr.exe94⤵
-
\??\c:\jdjjd.exec:\jdjjd.exe95⤵
-
\??\c:\xrffrrx.exec:\xrffrrx.exe96⤵
-
\??\c:\666602.exec:\666602.exe97⤵
-
\??\c:\bhhbtn.exec:\bhhbtn.exe98⤵
-
\??\c:\ffxrllx.exec:\ffxrllx.exe99⤵
-
\??\c:\xrrlffx.exec:\xrrlffx.exe100⤵
-
\??\c:\i066482.exec:\i066482.exe101⤵
-
\??\c:\ttthbb.exec:\ttthbb.exe102⤵
-
\??\c:\rrflxlx.exec:\rrflxlx.exe103⤵
-
\??\c:\fflfxrl.exec:\fflfxrl.exe104⤵
-
\??\c:\6022628.exec:\6022628.exe105⤵
-
\??\c:\68048.exec:\68048.exe106⤵
-
\??\c:\28280.exec:\28280.exe107⤵
-
\??\c:\btbtnn.exec:\btbtnn.exe108⤵
-
\??\c:\hbbtnn.exec:\hbbtnn.exe109⤵
-
\??\c:\80684.exec:\80684.exe110⤵
-
\??\c:\rlfrfxr.exec:\rlfrfxr.exe111⤵
-
\??\c:\pjdvp.exec:\pjdvp.exe112⤵
-
\??\c:\xrfxlfx.exec:\xrfxlfx.exe113⤵
-
\??\c:\dppdj.exec:\dppdj.exe114⤵
-
\??\c:\44420.exec:\44420.exe115⤵
-
\??\c:\2886048.exec:\2886048.exe116⤵
-
\??\c:\060000.exec:\060000.exe117⤵
-
\??\c:\frlffxr.exec:\frlffxr.exe118⤵
-
\??\c:\26262.exec:\26262.exe119⤵
-
\??\c:\3vjdp.exec:\3vjdp.exe120⤵
-
\??\c:\ffxrrlf.exec:\ffxrrlf.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-