Analysis
-
max time kernel
151s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
15/10/2023, 18:02
General
-
Target
1d20477eb21a16b0c4612a1351486f00_exe32_JC.exe
-
Size
353KB
-
MD5
1d20477eb21a16b0c4612a1351486f00
-
SHA1
28500d7700b9a76d02055a92f6c480f707627eed
-
SHA256
579eb1bfd3bb9501d935659fa81c41ffb9d63bcb08bab36299be679396f42f86
-
SHA512
943809f6a343823629a335f8daa7eef788b7dd275b4baf42d79823166882f836aa4be6391a1633d8129ae7c88c34ea78b8db6d5c164665059cf9ba5881e1c22f
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73tvn+Yp9FrHSwh/c/hdTWGIaxJ8TN005pWmjVwdSs7:n3C9BRo7tvnJ9Fywhk/T7xyTpShZ7
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 37 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 61 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d20477eb21a16b0c4612a1351486f00_exe32_JC.exe"C:\Users\Admin\AppData\Local\Temp\1d20477eb21a16b0c4612a1351486f00_exe32_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\8v64816.exec:\8v64816.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\eursk.exec:\eursk.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4j9837.exec:\4j9837.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7o73c2.exec:\7o73c2.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
-
-
-
-
\??\c:\q9ne7n.exec:\q9ne7n.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\gggwula.exec:\gggwula.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\140gn0b.exec:\140gn0b.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\285it37.exec:\285it37.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5t703.exec:\5t703.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0i97oxp.exec:\0i97oxp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\685jj.exec:\685jj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
-
-
-
-
-
-
\??\c:\ff951tw.exec:\ff951tw.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\854mm.exec:\854mm.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4aa41.exec:\4aa41.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\c6lj278.exec:\c6lj278.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\j2957.exec:\j2957.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5nb0iu.exec:\5nb0iu.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pqu6k15.exec:\pqu6k15.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7qn7o.exec:\7qn7o.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\20mgn.exec:\20mgn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\up742fv.exec:\up742fv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\27sde30.exec:\27sde30.exe11⤵
- Executes dropped EXE
-
\??\c:\6g4x3k.exec:\6g4x3k.exe12⤵
- Executes dropped EXE
-
\??\c:\49120k.exec:\49120k.exe13⤵
- Executes dropped EXE
-
\??\c:\4t901.exec:\4t901.exe14⤵
- Executes dropped EXE
-
\??\c:\4xeiv.exec:\4xeiv.exe15⤵
- Executes dropped EXE
-
\??\c:\d6hww.exec:\d6hww.exe16⤵
- Executes dropped EXE
-
\??\c:\63m06.exec:\63m06.exe17⤵
- Executes dropped EXE
-
\??\c:\nce800.exec:\nce800.exe18⤵
- Executes dropped EXE
-
\??\c:\07667qw.exec:\07667qw.exe19⤵
- Executes dropped EXE
-
\??\c:\9g70f.exec:\9g70f.exe20⤵
- Executes dropped EXE
-
\??\c:\t0kw6.exec:\t0kw6.exe21⤵
- Executes dropped EXE
-
\??\c:\47vvv.exec:\47vvv.exe22⤵
- Executes dropped EXE
-
\??\c:\dm8910.exec:\dm8910.exe23⤵
- Executes dropped EXE
-
\??\c:\4u23uxd.exec:\4u23uxd.exe24⤵
- Executes dropped EXE
-
\??\c:\hk5b2.exec:\hk5b2.exe25⤵
- Executes dropped EXE
-
\??\c:\2sb645.exec:\2sb645.exe26⤵
- Executes dropped EXE
-
\??\c:\09r9k58.exec:\09r9k58.exe27⤵
- Executes dropped EXE
-
\??\c:\co0793.exec:\co0793.exe28⤵
- Executes dropped EXE
-
\??\c:\6a173.exec:\6a173.exe29⤵
- Executes dropped EXE
-
\??\c:\t1750l0.exec:\t1750l0.exe30⤵
- Executes dropped EXE
-
\??\c:\s8x5gp7.exec:\s8x5gp7.exe31⤵
- Executes dropped EXE
-
\??\c:\86d4c9.exec:\86d4c9.exe32⤵
- Executes dropped EXE
-
\??\c:\60u9w.exec:\60u9w.exe33⤵
- Executes dropped EXE
-
\??\c:\g3tt3.exec:\g3tt3.exe34⤵
- Executes dropped EXE
-
\??\c:\0e3bkh.exec:\0e3bkh.exe35⤵
- Executes dropped EXE
-
\??\c:\53lxm.exec:\53lxm.exe36⤵
- Executes dropped EXE
-
\??\c:\396kil.exec:\396kil.exe37⤵
- Executes dropped EXE
-
\??\c:\a3h70e3.exec:\a3h70e3.exe38⤵
- Executes dropped EXE
-
\??\c:\8mo6363.exec:\8mo6363.exe39⤵
- Executes dropped EXE
-
\??\c:\gv5a5b.exec:\gv5a5b.exe40⤵
- Executes dropped EXE
-
\??\c:\8772n8.exec:\8772n8.exe41⤵
- Executes dropped EXE
-
\??\c:\80h7l.exec:\80h7l.exe42⤵
- Executes dropped EXE
-
\??\c:\kj1856.exec:\kj1856.exe43⤵
- Executes dropped EXE
-
\??\c:\h14p4ok.exec:\h14p4ok.exe44⤵
- Executes dropped EXE
-
\??\c:\spv5x2g.exec:\spv5x2g.exe45⤵
- Executes dropped EXE
-
\??\c:\u0166i.exec:\u0166i.exe46⤵
- Executes dropped EXE
-
\??\c:\9w050h3.exec:\9w050h3.exe47⤵
- Executes dropped EXE
-
\??\c:\4lqx090.exec:\4lqx090.exe48⤵
- Executes dropped EXE
-
\??\c:\9bx04wu.exec:\9bx04wu.exe49⤵
- Executes dropped EXE
-
\??\c:\11516wi.exec:\11516wi.exe50⤵
- Executes dropped EXE
-
\??\c:\334bo8.exec:\334bo8.exe51⤵
- Executes dropped EXE
-
\??\c:\ta531n.exec:\ta531n.exe52⤵
- Executes dropped EXE
-
\??\c:\k3kt8.exec:\k3kt8.exe53⤵
- Executes dropped EXE
-
\??\c:\hok15.exec:\hok15.exe54⤵
-
\??\c:\qdq239.exec:\qdq239.exe55⤵
-
\??\c:\cmm177.exec:\cmm177.exe56⤵
-
\??\c:\fa1kn19.exec:\fa1kn19.exe57⤵
-
\??\c:\8121703.exec:\8121703.exe58⤵
-
\??\c:\sl1n2.exec:\sl1n2.exe59⤵
-
\??\c:\498puc.exec:\498puc.exe60⤵
-
\??\c:\gp9n1.exec:\gp9n1.exe61⤵
-
\??\c:\vbqhbc6.exec:\vbqhbc6.exe62⤵
-
\??\c:\rarp6j.exec:\rarp6j.exe63⤵
-
\??\c:\057rake.exec:\057rake.exe64⤵
-
\??\c:\cr875.exec:\cr875.exe65⤵
-
\??\c:\85296c.exec:\85296c.exe66⤵
-
\??\c:\h1m8awu.exec:\h1m8awu.exe67⤵
-
\??\c:\cq0roj.exec:\cq0roj.exe68⤵
-
\??\c:\l7341.exec:\l7341.exe69⤵
-
\??\c:\d68l34.exec:\d68l34.exe70⤵
-
\??\c:\4v3gv.exec:\4v3gv.exe71⤵
-
\??\c:\8jaq31g.exec:\8jaq31g.exe72⤵
-
\??\c:\39g5jp.exec:\39g5jp.exe73⤵
-
\??\c:\461kq.exec:\461kq.exe74⤵
-
\??\c:\e3a69.exec:\e3a69.exe75⤵
-
\??\c:\s47g94d.exec:\s47g94d.exe76⤵
-
\??\c:\f439j.exec:\f439j.exe77⤵
-
\??\c:\km414nu.exec:\km414nu.exe78⤵
-
\??\c:\4w2e85.exec:\4w2e85.exe79⤵
-
\??\c:\qktef.exec:\qktef.exe80⤵
-
\??\c:\8q1brug.exec:\8q1brug.exe81⤵
-
\??\c:\3biig9.exec:\3biig9.exe82⤵
-
\??\c:\mwqqbfm.exec:\mwqqbfm.exe83⤵
-
\??\c:\19m7b35.exec:\19m7b35.exe84⤵
-
\??\c:\p6s7e.exec:\p6s7e.exe85⤵
-
\??\c:\t157w65.exec:\t157w65.exe86⤵
-
\??\c:\86839.exec:\86839.exe87⤵
-
\??\c:\6u8co9e.exec:\6u8co9e.exe88⤵
-
\??\c:\c46gsw.exec:\c46gsw.exe89⤵
-
\??\c:\5ddqg.exec:\5ddqg.exe90⤵
-
\??\c:\kk8vkc5.exec:\kk8vkc5.exe91⤵
-
\??\c:\89gwf8.exec:\89gwf8.exe92⤵
-
\??\c:\n43ke.exec:\n43ke.exe93⤵
-
\??\c:\65a95e2.exec:\65a95e2.exe94⤵
-
\??\c:\9r25b.exec:\9r25b.exe95⤵
-
\??\c:\109ben.exec:\109ben.exe96⤵
-
\??\c:\s027o7e.exec:\s027o7e.exe97⤵
-
\??\c:\bf92eug.exec:\bf92eug.exe98⤵
-
\??\c:\vr7ul.exec:\vr7ul.exe99⤵
-
\??\c:\v4ww9.exec:\v4ww9.exe100⤵
-
\??\c:\384lq.exec:\384lq.exe101⤵
-
\??\c:\5vl0d8l.exec:\5vl0d8l.exe102⤵
-
\??\c:\367xe.exec:\367xe.exe103⤵
-
\??\c:\dnw3rf.exec:\dnw3rf.exe104⤵
-
\??\c:\cbaw489.exec:\cbaw489.exe105⤵
-
\??\c:\0l470.exec:\0l470.exe106⤵
-
\??\c:\5129a.exec:\5129a.exe107⤵
-
\??\c:\x8080h6.exec:\x8080h6.exe108⤵
-
\??\c:\s9ekc.exec:\s9ekc.exe109⤵
-
\??\c:\numkr.exec:\numkr.exe110⤵
-
\??\c:\dmw781.exec:\dmw781.exe111⤵
-
\??\c:\a6f4ica.exec:\a6f4ica.exe112⤵
-
\??\c:\5ku9s.exec:\5ku9s.exe113⤵
-
\??\c:\6s8sh.exec:\6s8sh.exe114⤵
-
\??\c:\vd9oe.exec:\vd9oe.exe115⤵
-
\??\c:\3xp6b6.exec:\3xp6b6.exe116⤵
-
\??\c:\c335m09.exec:\c335m09.exe117⤵
-
\??\c:\8vk8s.exec:\8vk8s.exe118⤵
-
\??\c:\jk2p96r.exec:\jk2p96r.exe119⤵
-
\??\c:\r7261v.exec:\r7261v.exe120⤵
-
\??\c:\8kooc7k.exec:\8kooc7k.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-