Analysis
-
max time kernel
150s -
max time network
79s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
18-02-2025 08:39
General
-
Target
ffd15ef8cf01ab7ba5b87476727acfc8b23da2e30cb4d4e0aceae387f69b8308.exe
-
Size
52KB
-
MD5
7c714b0617dad817c42df4d2241f4ee8
-
SHA1
3c82ee424a84c05339e8cd205b341c44aa376117
-
SHA256
ffd15ef8cf01ab7ba5b87476727acfc8b23da2e30cb4d4e0aceae387f69b8308
-
SHA512
cf4278e4168267a9d84ed128000c7dcc54d64017ebe47b1b3b5241f0ba547965139226fa4e790c7422de3967c1550e5de44d71c026ed6fff0ba7954d1c3fa137
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0ysbe:ymb3NkkiQ3mdBjF0yee
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 27 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ffd15ef8cf01ab7ba5b87476727acfc8b23da2e30cb4d4e0aceae387f69b8308.exe"C:\Users\Admin\AppData\Local\Temp\ffd15ef8cf01ab7ba5b87476727acfc8b23da2e30cb4d4e0aceae387f69b8308.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rrrxlfr.exec:\rrrxlfr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdjj.exec:\pjdjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llxlxrf.exec:\llxlxrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxlrfxl.exec:\lxlrfxl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrxfrfr.exec:\lrxfrfr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnhnh.exec:\ttnhnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djvjv.exec:\djvjv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lffxlfr.exec:\lffxlfr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbbth.exec:\nhbbth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thhtbt.exec:\thhtbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjddp.exec:\vjddp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flfrffr.exec:\flfrffr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbnbnh.exec:\nbnbnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbthtn.exec:\nbthtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppvjv.exec:\ppvjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9vvjv.exec:\9vvjv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrxlxl.exec:\rfrxlxl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxfrrll.exec:\rxfrrll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbthth.exec:\tbthth.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thhtnb.exec:\thhtnb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvjp.exec:\pdvjp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5rxlrlx.exec:\5rxlrlx.exe23⤵
- Executes dropped EXE
-
\??\c:\rffrfrr.exec:\rffrfrr.exe24⤵
- Executes dropped EXE
-
\??\c:\htbnhb.exec:\htbnhb.exe25⤵
- Executes dropped EXE
-
\??\c:\vvpjv.exec:\vvpjv.exe26⤵
- Executes dropped EXE
-
\??\c:\vjdvj.exec:\vjdvj.exe27⤵
- Executes dropped EXE
-
\??\c:\3lxlrlx.exec:\3lxlrlx.exe28⤵
- Executes dropped EXE
-
\??\c:\rxrlxrl.exec:\rxrlxrl.exe29⤵
- Executes dropped EXE
-
\??\c:\nbthth.exec:\nbthth.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\nbbhtn.exec:\nbbhtn.exe31⤵
- Executes dropped EXE
-
\??\c:\vpdpv.exec:\vpdpv.exe32⤵
- Executes dropped EXE
-
\??\c:\xrrrxrf.exec:\xrrrxrf.exe33⤵
- Executes dropped EXE
-
\??\c:\xlrrfrl.exec:\xlrrfrl.exe34⤵
- Executes dropped EXE
-
\??\c:\hbntht.exec:\hbntht.exe35⤵
- Executes dropped EXE
-
\??\c:\pjvjv.exec:\pjvjv.exe36⤵
- Executes dropped EXE
-
\??\c:\dvvjp.exec:\dvvjp.exe37⤵
- Executes dropped EXE
-
\??\c:\fxrfrlf.exec:\fxrfrlf.exe38⤵
- Executes dropped EXE
-
\??\c:\7flflxf.exec:\7flflxf.exe39⤵
- Executes dropped EXE
-
\??\c:\xfrlxxr.exec:\xfrlxxr.exe40⤵
- Executes dropped EXE
-
\??\c:\htbthn.exec:\htbthn.exe41⤵
- Executes dropped EXE
-
\??\c:\tbhhbt.exec:\tbhhbt.exe42⤵
- Executes dropped EXE
-
\??\c:\jpdpv.exec:\jpdpv.exe43⤵
- Executes dropped EXE
-
\??\c:\dpdpv.exec:\dpdpv.exe44⤵
- Executes dropped EXE
-
\??\c:\flflrxl.exec:\flflrxl.exe45⤵
- Executes dropped EXE
-
\??\c:\lxrlffr.exec:\lxrlffr.exe46⤵
- Executes dropped EXE
-
\??\c:\tnntht.exec:\tnntht.exe47⤵
- Executes dropped EXE
-
\??\c:\bnthnb.exec:\bnthnb.exe48⤵
- Executes dropped EXE
-
\??\c:\jvdpv.exec:\jvdpv.exe49⤵
- Executes dropped EXE
-
\??\c:\djvpd.exec:\djvpd.exe50⤵
- Executes dropped EXE
-
\??\c:\thbnbt.exec:\thbnbt.exe51⤵
- Executes dropped EXE
-
\??\c:\bhnhbn.exec:\bhnhbn.exe52⤵
- Executes dropped EXE
-
\??\c:\pppjj.exec:\pppjj.exe53⤵
- Executes dropped EXE
-
\??\c:\vjdjj.exec:\vjdjj.exe54⤵
- Executes dropped EXE
-
\??\c:\7frlrlx.exec:\7frlrlx.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\lrfxlfr.exec:\lrfxlfr.exe56⤵
- Executes dropped EXE
-
\??\c:\9nbthb.exec:\9nbthb.exe57⤵
- Executes dropped EXE
-
\??\c:\vjdvd.exec:\vjdvd.exe58⤵
- Executes dropped EXE
-
\??\c:\3vjjp.exec:\3vjjp.exe59⤵
- Executes dropped EXE
-
\??\c:\xflfrxr.exec:\xflfrxr.exe60⤵
- Executes dropped EXE
-
\??\c:\htbbbn.exec:\htbbbn.exe61⤵
- Executes dropped EXE
-
\??\c:\vjjdd.exec:\vjjdd.exe62⤵
- Executes dropped EXE
-
\??\c:\vppvj.exec:\vppvj.exe63⤵
- Executes dropped EXE
-
\??\c:\xlxrrrr.exec:\xlxrrrr.exe64⤵
- Executes dropped EXE
-
\??\c:\nntnbh.exec:\nntnbh.exe65⤵
- Executes dropped EXE
-
\??\c:\ttnhnh.exec:\ttnhnh.exe66⤵
-
\??\c:\vvddd.exec:\vvddd.exe67⤵
-
\??\c:\pdpdp.exec:\pdpdp.exe68⤵
-
\??\c:\vjvjp.exec:\vjvjp.exe69⤵
-
\??\c:\flfrxlf.exec:\flfrxlf.exe70⤵
-
\??\c:\nhnhtt.exec:\nhnhtt.exe71⤵
-
\??\c:\nbnhbt.exec:\nbnhbt.exe72⤵
-
\??\c:\jvvjp.exec:\jvvjp.exe73⤵
-
\??\c:\vpdpp.exec:\vpdpp.exe74⤵
-
\??\c:\llxrxrf.exec:\llxrxrf.exe75⤵
-
\??\c:\xrrllxr.exec:\xrrllxr.exe76⤵
-
\??\c:\frrlfxx.exec:\frrlfxx.exe77⤵
-
\??\c:\thbbtt.exec:\thbbtt.exe78⤵
-
\??\c:\djvpv.exec:\djvpv.exe79⤵
-
\??\c:\vjjvd.exec:\vjjvd.exe80⤵
-
\??\c:\ppdvd.exec:\ppdvd.exe81⤵
-
\??\c:\9llfrlx.exec:\9llfrlx.exe82⤵
-
\??\c:\5lfrfxr.exec:\5lfrfxr.exe83⤵
-
\??\c:\nhhhbb.exec:\nhhhbb.exe84⤵
-
\??\c:\thnhhb.exec:\thnhhb.exe85⤵
-
\??\c:\pjjdj.exec:\pjjdj.exe86⤵
-
\??\c:\xfxxrrr.exec:\xfxxrrr.exe87⤵
-
\??\c:\9rllffr.exec:\9rllffr.exe88⤵
-
\??\c:\tnnbbt.exec:\tnnbbt.exe89⤵
-
\??\c:\9tthth.exec:\9tthth.exe90⤵
-
\??\c:\5jdpd.exec:\5jdpd.exe91⤵
-
\??\c:\ppvvj.exec:\ppvvj.exe92⤵
-
\??\c:\rlfrxrr.exec:\rlfrxrr.exe93⤵
-
\??\c:\lxxrfxr.exec:\lxxrfxr.exe94⤵
-
\??\c:\xxxxrll.exec:\xxxxrll.exe95⤵
-
\??\c:\nbtnbt.exec:\nbtnbt.exe96⤵
-
\??\c:\dvpjj.exec:\dvpjj.exe97⤵
-
\??\c:\jdvjv.exec:\jdvjv.exe98⤵
-
\??\c:\flfrxrf.exec:\flfrxrf.exe99⤵
-
\??\c:\tbttnh.exec:\tbttnh.exe100⤵
-
\??\c:\nhbnbt.exec:\nhbnbt.exe101⤵
-
\??\c:\7nbnht.exec:\7nbnht.exe102⤵
-
\??\c:\dpvdj.exec:\dpvdj.exe103⤵
-
\??\c:\xllxfxl.exec:\xllxfxl.exe104⤵
-
\??\c:\rxflfff.exec:\rxflfff.exe105⤵
-
\??\c:\tbthtn.exec:\tbthtn.exe106⤵
-
\??\c:\htnnbt.exec:\htnnbt.exe107⤵
-
\??\c:\1pjvj.exec:\1pjvj.exe108⤵
-
\??\c:\pjdvj.exec:\pjdvj.exe109⤵
-
\??\c:\rlllxxr.exec:\rlllxxr.exe110⤵
-
\??\c:\fxrlfxr.exec:\fxrlfxr.exe111⤵
-
\??\c:\nhthbt.exec:\nhthbt.exe112⤵
-
\??\c:\hnbthb.exec:\hnbthb.exe113⤵
-
\??\c:\jvpjv.exec:\jvpjv.exe114⤵
-
\??\c:\djddd.exec:\djddd.exe115⤵
-
\??\c:\xrrrlll.exec:\xrrrlll.exe116⤵
-
\??\c:\rrrrrxl.exec:\rrrrrxl.exe117⤵
-
\??\c:\ntnhbn.exec:\ntnhbn.exe118⤵
-
\??\c:\jpppp.exec:\jpppp.exe119⤵
-
\??\c:\jdvvp.exec:\jdvvp.exe120⤵
-
\??\c:\lxxlfxl.exec:\lxxlfxl.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-