Analysis
-
max time kernel
152s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
15/10/2023, 19:37
General
-
Target
4a2b1358e4cb33f55c8df200648c0ef0_exe32.exe
-
Size
351KB
-
MD5
4a2b1358e4cb33f55c8df200648c0ef0
-
SHA1
6391cbee6cdff7bbcb15c3ec9771530f0049cbc8
-
SHA256
9fbd158fe59f7344fe12196ba1440c0fdaa8eebee2e2088eb94b8682e0fc152a
-
SHA512
c95da8e96f81fac7ca20c0865ca30c70a87c6fff3c1982dee47464fd12c23df66b995c001a20e9aee2ba6051fc50d90b8119431266721252f22744a33451aa10
-
SSDEEP
6144:ccm4FmowdHoS5ddWhROAGwdZopQUeh5nR:K4wFHoS5ddWhRtHAQUejR
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 64 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4a2b1358e4cb33f55c8df200648c0ef0_exe32.exe"C:\Users\Admin\AppData\Local\Temp\4a2b1358e4cb33f55c8df200648c0ef0_exe32.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\vbntlp.exec:\vbntlp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tlnxbh.exec:\tlnxbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hpxvt.exec:\hpxvt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tpjpfj.exec:\tpjpfj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xjdfdnj.exec:\xjdfdnj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hlffhpj.exec:\hlffhpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjfrn.exec:\ppjfrn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nltrhj.exec:\nltrhj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dxxhhhj.exec:\dxxhhhj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rjrjd.exec:\rjrjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvllt.exec:\jvllt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fvrjnb.exec:\fvrjnb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vrpfnd.exec:\vrpfnd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tpvdn.exec:\tpvdn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\brvvlnn.exec:\brvvlnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jxlvnv.exec:\jxlvnv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bdvhx.exec:\bdvhx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ndrfr.exec:\ndrfr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbfvnp.exec:\nbfvnp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dnbdfn.exec:\dnbdfn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vlfdv.exec:\vlfdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hvtpbv.exec:\hvtpbv.exe23⤵
- Executes dropped EXE
-
\??\c:\bhjvhpv.exec:\bhjvhpv.exe24⤵
- Executes dropped EXE
-
\??\c:\tjxpdvr.exec:\tjxpdvr.exe25⤵
- Executes dropped EXE
-
\??\c:\btrpxxf.exec:\btrpxxf.exe26⤵
- Executes dropped EXE
-
\??\c:\djbxlbv.exec:\djbxlbv.exe27⤵
- Executes dropped EXE
-
\??\c:\jlphrn.exec:\jlphrn.exe28⤵
- Executes dropped EXE
-
\??\c:\fvlfbx.exec:\fvlfbx.exe29⤵
- Executes dropped EXE
-
\??\c:\dllbvnf.exec:\dllbvnf.exe30⤵
- Executes dropped EXE
-
\??\c:\tbtfxfj.exec:\tbtfxfj.exe31⤵
- Executes dropped EXE
-
\??\c:\pxjxr.exec:\pxjxr.exe32⤵
- Executes dropped EXE
-
\??\c:\tbvdd.exec:\tbvdd.exe33⤵
- Executes dropped EXE
-
\??\c:\trjdlx.exec:\trjdlx.exe34⤵
- Executes dropped EXE
-
\??\c:\rpjrr.exec:\rpjrr.exe35⤵
- Executes dropped EXE
-
\??\c:\ldfftdd.exec:\ldfftdd.exe36⤵
- Executes dropped EXE
-
\??\c:\vhxvlv.exec:\vhxvlv.exe37⤵
- Executes dropped EXE
-
\??\c:\fpfnjj.exec:\fpfnjj.exe38⤵
- Executes dropped EXE
-
\??\c:\lndpt.exec:\lndpt.exe39⤵
- Executes dropped EXE
-
\??\c:\xtxbh.exec:\xtxbh.exe40⤵
- Executes dropped EXE
-
\??\c:\vrfjxll.exec:\vrfjxll.exe41⤵
- Executes dropped EXE
-
\??\c:\fblht.exec:\fblht.exe42⤵
- Executes dropped EXE
-
\??\c:\jpxflf.exec:\jpxflf.exe43⤵
- Executes dropped EXE
-
\??\c:\tlhpjbp.exec:\tlhpjbp.exe44⤵
- Executes dropped EXE
-
\??\c:\nbtxbd.exec:\nbtxbd.exe45⤵
- Executes dropped EXE
-
\??\c:\ttfbfr.exec:\ttfbfr.exe46⤵
- Executes dropped EXE
-
\??\c:\nxndnfj.exec:\nxndnfj.exe47⤵
- Executes dropped EXE
-
\??\c:\dxpldn.exec:\dxpldn.exe48⤵
- Executes dropped EXE
-
\??\c:\tprrnfh.exec:\tprrnfh.exe49⤵
- Executes dropped EXE
-
\??\c:\tjlvdj.exec:\tjlvdj.exe50⤵
- Executes dropped EXE
-
\??\c:\pxnrtdh.exec:\pxnrtdh.exe51⤵
- Executes dropped EXE
-
\??\c:\dfblr.exec:\dfblr.exe52⤵
- Executes dropped EXE
-
\??\c:\tvvnvpl.exec:\tvvnvpl.exe53⤵
- Executes dropped EXE
-
\??\c:\xrxtl.exec:\xrxtl.exe54⤵
- Executes dropped EXE
-
\??\c:\hxpfjjv.exec:\hxpfjjv.exe55⤵
- Executes dropped EXE
-
\??\c:\vvlhv.exec:\vvlhv.exe56⤵
- Executes dropped EXE
-
\??\c:\xltxntl.exec:\xltxntl.exe57⤵
- Executes dropped EXE
-
\??\c:\jltflld.exec:\jltflld.exe58⤵
- Executes dropped EXE
-
\??\c:\ftxlbb.exec:\ftxlbb.exe59⤵
- Executes dropped EXE
-
\??\c:\pxbfjdd.exec:\pxbfjdd.exe60⤵
- Executes dropped EXE
-
\??\c:\xrvdvt.exec:\xrvdvt.exe61⤵
- Executes dropped EXE
-
\??\c:\dfdrr.exec:\dfdrr.exe62⤵
- Executes dropped EXE
-
\??\c:\dpfhxvv.exec:\dpfhxvv.exe63⤵
- Executes dropped EXE
-
\??\c:\hvnltlr.exec:\hvnltlr.exe64⤵
- Executes dropped EXE
-
\??\c:\lhjtbj.exec:\lhjtbj.exe65⤵
- Executes dropped EXE
-
\??\c:\hjbdhxf.exec:\hjbdhxf.exe66⤵
-
\??\c:\jbtjbj.exec:\jbtjbj.exe67⤵
-
\??\c:\prlbrf.exec:\prlbrf.exe68⤵
-
\??\c:\lhhfxv.exec:\lhhfxv.exe69⤵
-
\??\c:\ptrlf.exec:\ptrlf.exe70⤵
-
\??\c:\hhjndn.exec:\hhjndn.exe71⤵
-
\??\c:\xlrrjp.exec:\xlrrjp.exe72⤵
-
\??\c:\hjbhp.exec:\hjbhp.exe73⤵
-
\??\c:\frxnf.exec:\frxnf.exe74⤵
-
\??\c:\bfxnfdx.exec:\bfxnfdx.exe75⤵
-
\??\c:\dvrnxh.exec:\dvrnxh.exe76⤵
-
\??\c:\rxbtxvd.exec:\rxbtxvd.exe77⤵
-
\??\c:\jjvljtt.exec:\jjvljtt.exe78⤵
-
\??\c:\ttjbrf.exec:\ttjbrf.exe79⤵
-
\??\c:\vlbnph.exec:\vlbnph.exe80⤵
-
\??\c:\nbjvjrd.exec:\nbjvjrd.exe81⤵
-
\??\c:\tbpjb.exec:\tbpjb.exe82⤵
-
\??\c:\vvnpprl.exec:\vvnpprl.exe83⤵
-
\??\c:\ljvrjnt.exec:\ljvrjnt.exe84⤵
-
\??\c:\bprntjf.exec:\bprntjf.exe85⤵
-
\??\c:\plrflhd.exec:\plrflhd.exe86⤵
-
\??\c:\pfhhdv.exec:\pfhhdv.exe87⤵
-
\??\c:\vjxldvt.exec:\vjxldvt.exe88⤵
-
\??\c:\rllhlf.exec:\rllhlf.exe89⤵
-
\??\c:\xjjnnl.exec:\xjjnnl.exe90⤵
-
\??\c:\xtplfd.exec:\xtplfd.exe91⤵
-
\??\c:\pjftxt.exec:\pjftxt.exe92⤵
-
\??\c:\xhltj.exec:\xhltj.exe93⤵
-
\??\c:\vfnlrtf.exec:\vfnlrtf.exe94⤵
-
\??\c:\bpjplt.exec:\bpjplt.exe95⤵
-
\??\c:\rbjjf.exec:\rbjjf.exe96⤵
-
\??\c:\htdxdtf.exec:\htdxdtf.exe97⤵
-
\??\c:\bdhrbj.exec:\bdhrbj.exe98⤵
-
\??\c:\rvvfrr.exec:\rvvfrr.exe99⤵
-
\??\c:\fnxbft.exec:\fnxbft.exe100⤵
-
\??\c:\lxnnx.exec:\lxnnx.exe101⤵
-
\??\c:\vpdbbp.exec:\vpdbbp.exe102⤵
-
\??\c:\pfdfv.exec:\pfdfv.exe103⤵
-
\??\c:\pxpbvj.exec:\pxpbvj.exe104⤵
-
\??\c:\dnvpld.exec:\dnvpld.exe105⤵
-
\??\c:\plvbxfv.exec:\plvbxfv.exe106⤵
-
\??\c:\dtntrx.exec:\dtntrx.exe107⤵
-
\??\c:\rtlpnnp.exec:\rtlpnnp.exe108⤵
-
\??\c:\hnffrr.exec:\hnffrr.exe109⤵
-
\??\c:\vrpdj.exec:\vrpdj.exe110⤵
-
\??\c:\bhtpbd.exec:\bhtpbd.exe111⤵
-
\??\c:\dxjrt.exec:\dxjrt.exe112⤵
-
\??\c:\ftpdvxb.exec:\ftpdvxb.exe113⤵
-
\??\c:\flrrv.exec:\flrrv.exe114⤵
-
\??\c:\ptfnh.exec:\ptfnh.exe115⤵
-
\??\c:\nlfjvt.exec:\nlfjvt.exe116⤵
-
\??\c:\bhtjr.exec:\bhtjr.exe117⤵
-
\??\c:\nltnn.exec:\nltnn.exe118⤵
-
\??\c:\njpbldv.exec:\njpbldv.exe119⤵
-
\??\c:\hpplxtt.exec:\hpplxtt.exe120⤵
-
\??\c:\xjfdrtn.exec:\xjfdrtn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-