Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
18-02-2025 05:01
General
-
Target
c254b0af9e560474174484dc4b994fb9b8ff9f1f96cab130826a88b2ee4978cf.exe
-
Size
80KB
-
MD5
5c5fde1216ab23c239931ce764ce2f26
-
SHA1
1caaad56944bdb6d603c6664b02a0fbdde78b2ee
-
SHA256
c254b0af9e560474174484dc4b994fb9b8ff9f1f96cab130826a88b2ee4978cf
-
SHA512
162062dfb7d3f11942f8aec171c3be9088c9002841a8366dca2ebe93c2e153f79bbe5935949877ec25d0557bf21613a93ba47790962a6ed3ac2b5396f2ed16e5
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDoLuePjDYlSVeAD:ymb3NkkiQ3mdBjFoLucjDNVD
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c254b0af9e560474174484dc4b994fb9b8ff9f1f96cab130826a88b2ee4978cf.exe"C:\Users\Admin\AppData\Local\Temp\c254b0af9e560474174484dc4b994fb9b8ff9f1f96cab130826a88b2ee4978cf.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\7rfrfrf.exec:\7rfrfrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbhbt.exec:\nhbhbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdpd.exec:\pjdpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpjvp.exec:\dpjvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrlxlfx.exec:\lrlxlfx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9hnhhh.exec:\9hnhhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnbtt.exec:\hbnbtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjpjd.exec:\jjpjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxrlxxl.exec:\lxrlxxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnhbt.exec:\tnnhbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhbnt.exec:\nbhbnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5dvjd.exec:\5dvjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrxrlrr.exec:\lrxrlrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbbthh.exec:\nbbthh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9vvpp.exec:\9vvpp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjvjd.exec:\vjvjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3rffxfr.exec:\3rffxfr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnhbn.exec:\hbnhbn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7ddpv.exec:\7ddpv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjjdp.exec:\vjjdp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9xrlffx.exec:\9xrlffx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3btnbb.exec:\3btnbb.exe23⤵
- Executes dropped EXE
-
\??\c:\7vpjd.exec:\7vpjd.exe24⤵
- Executes dropped EXE
-
\??\c:\fxxxlfx.exec:\fxxxlfx.exe25⤵
- Executes dropped EXE
-
\??\c:\lxrrffl.exec:\lxrrffl.exe26⤵
- Executes dropped EXE
-
\??\c:\9nbnbt.exec:\9nbnbt.exe27⤵
- Executes dropped EXE
-
\??\c:\ddvjd.exec:\ddvjd.exe28⤵
- Executes dropped EXE
-
\??\c:\3xlrrlx.exec:\3xlrrlx.exe29⤵
- Executes dropped EXE
-
\??\c:\nbthbt.exec:\nbthbt.exe30⤵
- Executes dropped EXE
-
\??\c:\ttbnnh.exec:\ttbnnh.exe31⤵
- Executes dropped EXE
-
\??\c:\dpppj.exec:\dpppj.exe32⤵
- Executes dropped EXE
-
\??\c:\ffllffx.exec:\ffllffx.exe33⤵
- Executes dropped EXE
-
\??\c:\1lxrffx.exec:\1lxrffx.exe34⤵
- Executes dropped EXE
-
\??\c:\7hnntt.exec:\7hnntt.exe35⤵
- Executes dropped EXE
-
\??\c:\hbtnnn.exec:\hbtnnn.exe36⤵
- Executes dropped EXE
-
\??\c:\vjjjp.exec:\vjjjp.exe37⤵
- Executes dropped EXE
-
\??\c:\ddvvp.exec:\ddvvp.exe38⤵
- Executes dropped EXE
-
\??\c:\rxlfxll.exec:\rxlfxll.exe39⤵
- Executes dropped EXE
-
\??\c:\rfffxxr.exec:\rfffxxr.exe40⤵
- Executes dropped EXE
-
\??\c:\3ntntn.exec:\3ntntn.exe41⤵
- Executes dropped EXE
-
\??\c:\tbbttt.exec:\tbbttt.exe42⤵
- Executes dropped EXE
-
\??\c:\hbnhbb.exec:\hbnhbb.exe43⤵
- Executes dropped EXE
-
\??\c:\ppppj.exec:\ppppj.exe44⤵
- Executes dropped EXE
-
\??\c:\3djdv.exec:\3djdv.exe45⤵
- Executes dropped EXE
-
\??\c:\rrrxxlf.exec:\rrrxxlf.exe46⤵
- Executes dropped EXE
-
\??\c:\1fxrxfx.exec:\1fxrxfx.exe47⤵
- Executes dropped EXE
-
\??\c:\7nnttt.exec:\7nnttt.exe48⤵
- Executes dropped EXE
-
\??\c:\thnhhh.exec:\thnhhh.exe49⤵
- Executes dropped EXE
-
\??\c:\djpvp.exec:\djpvp.exe50⤵
- Executes dropped EXE
-
\??\c:\ppppv.exec:\ppppv.exe51⤵
- Executes dropped EXE
-
\??\c:\lxrllrl.exec:\lxrllrl.exe52⤵
- Executes dropped EXE
-
\??\c:\9nnnnn.exec:\9nnnnn.exe53⤵
- Executes dropped EXE
-
\??\c:\1vdvd.exec:\1vdvd.exe54⤵
- Executes dropped EXE
-
\??\c:\3fxxrrr.exec:\3fxxrrr.exe55⤵
- Executes dropped EXE
-
\??\c:\nhhbtb.exec:\nhhbtb.exe56⤵
- Executes dropped EXE
-
\??\c:\jvjjv.exec:\jvjjv.exe57⤵
- Executes dropped EXE
-
\??\c:\1xxlfxr.exec:\1xxlfxr.exe58⤵
- Executes dropped EXE
-
\??\c:\nnbhtb.exec:\nnbhtb.exe59⤵
- Executes dropped EXE
-
\??\c:\vdjpv.exec:\vdjpv.exe60⤵
- Executes dropped EXE
-
\??\c:\ddpjj.exec:\ddpjj.exe61⤵
- Executes dropped EXE
-
\??\c:\xlfxllf.exec:\xlfxllf.exe62⤵
- Executes dropped EXE
-
\??\c:\rlrlffl.exec:\rlrlffl.exe63⤵
- Executes dropped EXE
-
\??\c:\hhnhnh.exec:\hhnhnh.exe64⤵
- Executes dropped EXE
-
\??\c:\5btnhh.exec:\5btnhh.exe65⤵
- Executes dropped EXE
-
\??\c:\ppjdp.exec:\ppjdp.exe66⤵
-
\??\c:\jdvpd.exec:\jdvpd.exe67⤵
-
\??\c:\xrfrrlx.exec:\xrfrrlx.exe68⤵
-
\??\c:\9flxlfr.exec:\9flxlfr.exe69⤵
- System Location Discovery: System Language Discovery
-
\??\c:\tthbnh.exec:\tthbnh.exe70⤵
-
\??\c:\7jvpp.exec:\7jvpp.exe71⤵
-
\??\c:\lfrlxxl.exec:\lfrlxxl.exe72⤵
-
\??\c:\7bbthh.exec:\7bbthh.exe73⤵
-
\??\c:\jvvjv.exec:\jvvjv.exe74⤵
-
\??\c:\9jdvp.exec:\9jdvp.exe75⤵
-
\??\c:\xfxxxxr.exec:\xfxxxxr.exe76⤵
-
\??\c:\5bnnbh.exec:\5bnnbh.exe77⤵
-
\??\c:\pdppj.exec:\pdppj.exe78⤵
-
\??\c:\xllfxxx.exec:\xllfxxx.exe79⤵
-
\??\c:\ntthbt.exec:\ntthbt.exe80⤵
-
\??\c:\1bbtnn.exec:\1bbtnn.exe81⤵
-
\??\c:\7jvjd.exec:\7jvjd.exe82⤵
-
\??\c:\jjdpj.exec:\jjdpj.exe83⤵
-
\??\c:\5xxrlfx.exec:\5xxrlfx.exe84⤵
-
\??\c:\fxlfxrf.exec:\fxlfxrf.exe85⤵
-
\??\c:\tbbthb.exec:\tbbthb.exe86⤵
-
\??\c:\nbtnbt.exec:\nbtnbt.exe87⤵
-
\??\c:\vddvp.exec:\vddvp.exe88⤵
-
\??\c:\1xxrxxx.exec:\1xxrxxx.exe89⤵
-
\??\c:\ffxlfxl.exec:\ffxlfxl.exe90⤵
-
\??\c:\nttnnt.exec:\nttnnt.exe91⤵
-
\??\c:\hhhtbb.exec:\hhhtbb.exe92⤵
-
\??\c:\dvddd.exec:\dvddd.exe93⤵
-
\??\c:\pvdvv.exec:\pvdvv.exe94⤵
-
\??\c:\3xxlxrf.exec:\3xxlxrf.exe95⤵
-
\??\c:\1fllfll.exec:\1fllfll.exe96⤵
-
\??\c:\hbhbhb.exec:\hbhbhb.exe97⤵
-
\??\c:\jppdv.exec:\jppdv.exe98⤵
-
\??\c:\xffrlfr.exec:\xffrlfr.exe99⤵
-
\??\c:\5thhnn.exec:\5thhnn.exe100⤵
-
\??\c:\ppvpj.exec:\ppvpj.exe101⤵
-
\??\c:\pdvpd.exec:\pdvpd.exe102⤵
-
\??\c:\frlffxl.exec:\frlffxl.exe103⤵
-
\??\c:\fxxrllf.exec:\fxxrllf.exe104⤵
-
\??\c:\bnnhtt.exec:\bnnhtt.exe105⤵
-
\??\c:\nttnbt.exec:\nttnbt.exe106⤵
-
\??\c:\dvjvj.exec:\dvjvj.exe107⤵
-
\??\c:\jdjjd.exec:\jdjjd.exe108⤵
-
\??\c:\rxrrllr.exec:\rxrrllr.exe109⤵
-
\??\c:\nhnhbb.exec:\nhnhbb.exe110⤵
-
\??\c:\7bhnbh.exec:\7bhnbh.exe111⤵
-
\??\c:\jdjjv.exec:\jdjjv.exe112⤵
-
\??\c:\fflflxr.exec:\fflflxr.exe113⤵
-
\??\c:\3rlfxxx.exec:\3rlfxxx.exe114⤵
-
\??\c:\tttthh.exec:\tttthh.exe115⤵
-
\??\c:\pvvpj.exec:\pvvpj.exe116⤵
-
\??\c:\9jjdp.exec:\9jjdp.exe117⤵
-
\??\c:\7llxrlf.exec:\7llxrlf.exe118⤵
-
\??\c:\hnhhbb.exec:\hnhhbb.exe119⤵
-
\??\c:\nhbbtn.exec:\nhbbtn.exe120⤵
-
\??\c:\pjjdd.exec:\pjjdd.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-