Analysis
-
max time kernel
49s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
07/03/2024, 20:43
General
-
Target
66974914a9028ffd691ee8db0742a8fcade7a6b6def94360633e860b2b8170e2.exe
-
Size
257KB
-
MD5
05e4f35911955afea6e4c2b6f348e428
-
SHA1
ceb8209b0f2e88ab8f82ae29df5a2658c6d6ab63
-
SHA256
66974914a9028ffd691ee8db0742a8fcade7a6b6def94360633e860b2b8170e2
-
SHA512
131385ef0c52dcde53d7b05a3e96873f9ee76c003e29cd33a9da7d5f1b3e49a7f0a825b212d2e2a0506c1202d7e4f922fd071d5d90a5e9e70eb6496420fd3f05
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73tvn+Yp9FrHSwh/c/hdTWG4lmb37K3BoKLbCZ0N:n3C9BRo7tvnJ9Fywhk/T4i37K3BoKg0N
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 33 IoCs
-
UPX dump on OEP (original entry point) 60 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 60 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\66974914a9028ffd691ee8db0742a8fcade7a6b6def94360633e860b2b8170e2.exe"C:\Users\Admin\AppData\Local\Temp\66974914a9028ffd691ee8db0742a8fcade7a6b6def94360633e860b2b8170e2.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\7rxfflr.exec:\7rxfflr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvdjj.exec:\vvdjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3bntth.exec:\3bntth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjppj.exec:\jjppj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbntbh.exec:\bbntbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7vpvj.exec:\7vpvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxxxfl.exec:\rfxxxfl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvpj.exec:\ddvpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxfflf.exec:\rlxfflf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7jvdd.exec:\7jvdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxlflll.exec:\lxlflll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppdjp.exec:\ppdjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbbnh.exec:\btbbnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdpvv.exec:\pdpvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htnntn.exec:\htnntn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5pddd.exec:\5pddd.exe17⤵
- Executes dropped EXE
-
\??\c:\lfllxxf.exec:\lfllxxf.exe18⤵
- Executes dropped EXE
-
\??\c:\jdjdd.exec:\jdjdd.exe19⤵
- Executes dropped EXE
-
\??\c:\fxlxllr.exec:\fxlxllr.exe20⤵
- Executes dropped EXE
-
\??\c:\pdjvv.exec:\pdjvv.exe21⤵
- Executes dropped EXE
-
\??\c:\7bhnth.exec:\7bhnth.exe22⤵
- Executes dropped EXE
-
\??\c:\fxrrfxf.exec:\fxrrfxf.exe23⤵
- Executes dropped EXE
-
\??\c:\btbbhb.exec:\btbbhb.exe24⤵
- Executes dropped EXE
-
\??\c:\lxllllx.exec:\lxllllx.exe25⤵
- Executes dropped EXE
-
\??\c:\jjvdj.exec:\jjvdj.exe26⤵
- Executes dropped EXE
-
\??\c:\tnbbhn.exec:\tnbbhn.exe27⤵
- Executes dropped EXE
-
\??\c:\pjdpd.exec:\pjdpd.exe28⤵
- Executes dropped EXE
-
\??\c:\tthnbh.exec:\tthnbh.exe29⤵
- Executes dropped EXE
-
\??\c:\lxlrxxf.exec:\lxlrxxf.exe30⤵
- Executes dropped EXE
-
\??\c:\bhnbnb.exec:\bhnbnb.exe31⤵
- Executes dropped EXE
-
\??\c:\lflrxfl.exec:\lflrxfl.exe32⤵
- Executes dropped EXE
-
\??\c:\nhntbb.exec:\nhntbb.exe33⤵
- Executes dropped EXE
-
\??\c:\llrxllf.exec:\llrxllf.exe34⤵
- Executes dropped EXE
-
\??\c:\dpdjp.exec:\dpdjp.exe35⤵
- Executes dropped EXE
-
\??\c:\5bnttb.exec:\5bnttb.exe36⤵
- Executes dropped EXE
-
\??\c:\1jjpp.exec:\1jjpp.exe37⤵
- Executes dropped EXE
-
\??\c:\7nnntt.exec:\7nnntt.exe38⤵
- Executes dropped EXE
-
\??\c:\xxfrxfr.exec:\xxfrxfr.exe39⤵
- Executes dropped EXE
-
\??\c:\tnhnnn.exec:\tnhnnn.exe40⤵
- Executes dropped EXE
-
\??\c:\rlrxffl.exec:\rlrxffl.exe41⤵
- Executes dropped EXE
-
\??\c:\ttnnbt.exec:\ttnnbt.exe42⤵
- Executes dropped EXE
-
\??\c:\xrrrflx.exec:\xrrrflx.exe43⤵
- Executes dropped EXE
-
\??\c:\btntbh.exec:\btntbh.exe44⤵
- Executes dropped EXE
-
\??\c:\xrflxrx.exec:\xrflxrx.exe45⤵
- Executes dropped EXE
-
\??\c:\htbnhb.exec:\htbnhb.exe46⤵
- Executes dropped EXE
-
\??\c:\3lffrrx.exec:\3lffrrx.exe47⤵
- Executes dropped EXE
-
\??\c:\nhtbnn.exec:\nhtbnn.exe48⤵
- Executes dropped EXE
-
\??\c:\7rflxfl.exec:\7rflxfl.exe49⤵
- Executes dropped EXE
-
\??\c:\nnhbbt.exec:\nnhbbt.exe50⤵
- Executes dropped EXE
-
\??\c:\rlfflrl.exec:\rlfflrl.exe51⤵
- Executes dropped EXE
-
\??\c:\bthnnh.exec:\bthnnh.exe52⤵
- Executes dropped EXE
-
\??\c:\llfffrf.exec:\llfffrf.exe53⤵
- Executes dropped EXE
-
\??\c:\tnttbt.exec:\tnttbt.exe54⤵
- Executes dropped EXE
-
\??\c:\9pdpd.exec:\9pdpd.exe55⤵
- Executes dropped EXE
-
\??\c:\3bntbb.exec:\3bntbb.exe56⤵
- Executes dropped EXE
-
\??\c:\vpdjv.exec:\vpdjv.exe57⤵
- Executes dropped EXE
-
\??\c:\nhtthh.exec:\nhtthh.exe58⤵
- Executes dropped EXE
-
\??\c:\frxxfxl.exec:\frxxfxl.exe59⤵
- Executes dropped EXE
-
\??\c:\nnnhtt.exec:\nnnhtt.exe60⤵
- Executes dropped EXE
-
\??\c:\lxrfrxr.exec:\lxrfrxr.exe61⤵
- Executes dropped EXE
-
\??\c:\tnttbh.exec:\tnttbh.exe62⤵
- Executes dropped EXE
-
\??\c:\pvvjp.exec:\pvvjp.exe63⤵
- Executes dropped EXE
-
\??\c:\btbbhn.exec:\btbbhn.exe64⤵
- Executes dropped EXE
-
\??\c:\fflrffr.exec:\fflrffr.exe65⤵
- Executes dropped EXE
-
\??\c:\9nhntt.exec:\9nhntt.exe66⤵
-
\??\c:\fxrflfr.exec:\fxrflfr.exe67⤵
-
\??\c:\htbbhn.exec:\htbbhn.exe68⤵
-
\??\c:\ppddp.exec:\ppddp.exe69⤵
-
\??\c:\rrlrflr.exec:\rrlrflr.exe70⤵
-
\??\c:\9xllrxf.exec:\9xllrxf.exe71⤵
-
\??\c:\ntnbnt.exec:\ntnbnt.exe72⤵
-
\??\c:\xxlrflx.exec:\xxlrflx.exe73⤵
-
\??\c:\9bnthn.exec:\9bnthn.exe74⤵
-
\??\c:\pjddj.exec:\pjddj.exe75⤵
-
\??\c:\5ttbnt.exec:\5ttbnt.exe76⤵
-
\??\c:\vjppp.exec:\vjppp.exe77⤵
-
\??\c:\5nhbnn.exec:\5nhbnn.exe78⤵
-
\??\c:\5vjpv.exec:\5vjpv.exe79⤵
-
\??\c:\hbthth.exec:\hbthth.exe80⤵
-
\??\c:\pjdpd.exec:\pjdpd.exe81⤵
-
\??\c:\tntttb.exec:\tntttb.exe82⤵
-
\??\c:\frxlrxl.exec:\frxlrxl.exe83⤵
-
\??\c:\tnhbbt.exec:\tnhbbt.exe84⤵
-
\??\c:\7xlllff.exec:\7xlllff.exe85⤵
-
\??\c:\nhhbbt.exec:\nhhbbt.exe86⤵
-
\??\c:\rlxlllr.exec:\rlxlllr.exe87⤵
-
\??\c:\tnnbhn.exec:\tnnbhn.exe88⤵
-
\??\c:\lxxflxl.exec:\lxxflxl.exe89⤵
-
\??\c:\htntnt.exec:\htntnt.exe90⤵
-
\??\c:\rxrrlrl.exec:\rxrrlrl.exe91⤵
-
\??\c:\hbhbbn.exec:\hbhbbn.exe92⤵
-
\??\c:\9pddj.exec:\9pddj.exe93⤵
-
\??\c:\rllfflr.exec:\rllfflr.exe94⤵
-
\??\c:\hthhtb.exec:\hthhtb.exe95⤵
-
\??\c:\frfxxrr.exec:\frfxxrr.exe96⤵
-
\??\c:\hbbnhh.exec:\hbbnhh.exe97⤵
-
\??\c:\lfrllfl.exec:\lfrllfl.exe98⤵
-
\??\c:\3bnnbh.exec:\3bnnbh.exe99⤵
-
\??\c:\lfxxlrx.exec:\lfxxlrx.exe100⤵
-
\??\c:\1nhbtb.exec:\1nhbtb.exe101⤵
-
\??\c:\7frrlrr.exec:\7frrlrr.exe102⤵
-
\??\c:\tnbnbh.exec:\tnbnbh.exe103⤵
-
\??\c:\1lrlffl.exec:\1lrlffl.exe104⤵
-
\??\c:\tnttht.exec:\tnttht.exe105⤵
-
\??\c:\lxlxxfr.exec:\lxlxxfr.exe106⤵
-
\??\c:\nbnhnt.exec:\nbnhnt.exe107⤵
-
\??\c:\dvdpv.exec:\dvdpv.exe108⤵
-
\??\c:\nnnbnb.exec:\nnnbnb.exe109⤵
-
\??\c:\7djpv.exec:\7djpv.exe110⤵
-
\??\c:\thtbhn.exec:\thtbhn.exe111⤵
-
\??\c:\dpvjj.exec:\dpvjj.exe112⤵
-
\??\c:\1lxrrfl.exec:\1lxrrfl.exe113⤵
-
\??\c:\9vpvd.exec:\9vpvd.exe114⤵
-
\??\c:\1lflllx.exec:\1lflllx.exe115⤵
-
\??\c:\dpdpv.exec:\dpdpv.exe116⤵
-
\??\c:\3lrlrlx.exec:\3lrlrlx.exe117⤵
-
\??\c:\jdvdj.exec:\jdvdj.exe118⤵
-
\??\c:\1xllllr.exec:\1xllllr.exe119⤵
-
\??\c:\xrlrxxl.exec:\xrlrxxl.exe120⤵
-
\??\c:\jdppd.exec:\jdppd.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-