Analysis
-
max time kernel
117s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
10/03/2024, 23:45
General
-
Target
ac4f321efe49526a1d6c815859a0125f4d6b97ed726b8329bf68732b74d6a02a.exe
-
Size
391KB
-
MD5
cf0eb360c1aa2e54e46b230e0808d2b4
-
SHA1
ae873ff1b99738889f3a626590f649b83cb3bfc7
-
SHA256
ac4f321efe49526a1d6c815859a0125f4d6b97ed726b8329bf68732b74d6a02a
-
SHA512
ca7c7dd86c6ead051b7c2e5dfc2628e4c66901d2fb784c4b7fdd8b9cd68790e6bc628754675796e4fcfffed5f9971401ead914f829335c4fe9c0b3093c83e567
-
SSDEEP
6144:n3C9BRo7tvnJ9oH0IRgZvjkobjcSbcY+CaQdaFOY4iGFYtRdu/W:n3C9ytvngQjZbz+xt4vFBu
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 29 IoCs
-
UPX dump on OEP (original entry point) 45 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 45 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac4f321efe49526a1d6c815859a0125f4d6b97ed726b8329bf68732b74d6a02a.exe"C:\Users\Admin\AppData\Local\Temp\ac4f321efe49526a1d6c815859a0125f4d6b97ed726b8329bf68732b74d6a02a.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\hxnrnv.exec:\hxnrnv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlnvj.exec:\xlnvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tvjvll.exec:\tvjvll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrptn.exec:\lrptn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hptfnth.exec:\hptfnth.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pnxrb.exec:\pnxrb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvhnrt.exec:\jvhnrt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xvhnjdf.exec:\xvhnjdf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xnddb.exec:\xnddb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tprln.exec:\tprln.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fpnffh.exec:\fpnffh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nfbffvf.exec:\nfbffvf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dfljjbr.exec:\dfljjbr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbndd.exec:\nbndd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dlnrj.exec:\dlnrj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\blhpxfx.exec:\blhpxfx.exe17⤵
- Executes dropped EXE
-
\??\c:\hhptrx.exec:\hhptrx.exe18⤵
- Executes dropped EXE
-
\??\c:\vhjjn.exec:\vhjjn.exe19⤵
- Executes dropped EXE
-
\??\c:\pxftxv.exec:\pxftxv.exe20⤵
- Executes dropped EXE
-
\??\c:\tfvtbbb.exec:\tfvtbbb.exe21⤵
- Executes dropped EXE
-
\??\c:\lrhpvjn.exec:\lrhpvjn.exe22⤵
- Executes dropped EXE
-
\??\c:\bblxfdn.exec:\bblxfdn.exe23⤵
- Executes dropped EXE
-
\??\c:\pbnpp.exec:\pbnpp.exe24⤵
- Executes dropped EXE
-
\??\c:\lxxvptn.exec:\lxxvptn.exe25⤵
- Executes dropped EXE
-
\??\c:\btpvnf.exec:\btpvnf.exe26⤵
- Executes dropped EXE
-
\??\c:\brbtxff.exec:\brbtxff.exe27⤵
- Executes dropped EXE
-
\??\c:\llphjf.exec:\llphjf.exe28⤵
- Executes dropped EXE
-
\??\c:\xxplp.exec:\xxplp.exe29⤵
- Executes dropped EXE
-
\??\c:\ntjxf.exec:\ntjxf.exe30⤵
- Executes dropped EXE
-
\??\c:\drlbnrd.exec:\drlbnrd.exe31⤵
- Executes dropped EXE
-
\??\c:\tvphjnx.exec:\tvphjnx.exe32⤵
- Executes dropped EXE
-
\??\c:\plbdvp.exec:\plbdvp.exe33⤵
- Executes dropped EXE
-
\??\c:\nnrjnvx.exec:\nnrjnvx.exe34⤵
- Executes dropped EXE
-
\??\c:\bnbxltf.exec:\bnbxltf.exe35⤵
- Executes dropped EXE
-
\??\c:\htllxnn.exec:\htllxnn.exe36⤵
- Executes dropped EXE
-
\??\c:\jnlprxp.exec:\jnlprxp.exe37⤵
- Executes dropped EXE
-
\??\c:\xfhrx.exec:\xfhrx.exe38⤵
- Executes dropped EXE
-
\??\c:\njrdb.exec:\njrdb.exe39⤵
- Executes dropped EXE
-
\??\c:\vjfvpn.exec:\vjfvpn.exe40⤵
- Executes dropped EXE
-
\??\c:\vvfxv.exec:\vvfxv.exe41⤵
- Executes dropped EXE
-
\??\c:\tdnfbnj.exec:\tdnfbnj.exe42⤵
- Executes dropped EXE
-
\??\c:\xfhpxbn.exec:\xfhpxbn.exe43⤵
- Executes dropped EXE
-
\??\c:\pttnx.exec:\pttnx.exe44⤵
- Executes dropped EXE
-
\??\c:\djpplt.exec:\djpplt.exe45⤵
- Executes dropped EXE
-
\??\c:\nvfjv.exec:\nvfjv.exe46⤵
- Executes dropped EXE
-
\??\c:\phttfj.exec:\phttfj.exe47⤵
- Executes dropped EXE
-
\??\c:\hfxhxn.exec:\hfxhxn.exe48⤵
- Executes dropped EXE
-
\??\c:\fpbhlv.exec:\fpbhlv.exe49⤵
- Executes dropped EXE
-
\??\c:\pbblfv.exec:\pbblfv.exe50⤵
- Executes dropped EXE
-
\??\c:\vfljh.exec:\vfljh.exe51⤵
- Executes dropped EXE
-
\??\c:\xbtrn.exec:\xbtrn.exe52⤵
- Executes dropped EXE
-
\??\c:\lnvjbrh.exec:\lnvjbrh.exe53⤵
- Executes dropped EXE
-
\??\c:\trjtbtx.exec:\trjtbtx.exe54⤵
- Executes dropped EXE
-
\??\c:\lrhfv.exec:\lrhfv.exe55⤵
- Executes dropped EXE
-
\??\c:\rvxjnb.exec:\rvxjnb.exe56⤵
- Executes dropped EXE
-
\??\c:\dvnjd.exec:\dvnjd.exe57⤵
- Executes dropped EXE
-
\??\c:\jndvpjn.exec:\jndvpjn.exe58⤵
- Executes dropped EXE
-
\??\c:\lrnfxh.exec:\lrnfxh.exe59⤵
- Executes dropped EXE
-
\??\c:\rjfpj.exec:\rjfpj.exe60⤵
- Executes dropped EXE
-
\??\c:\rfvxfjh.exec:\rfvxfjh.exe61⤵
- Executes dropped EXE
-
\??\c:\vlvxjlb.exec:\vlvxjlb.exe62⤵
- Executes dropped EXE
-
\??\c:\dnpvvv.exec:\dnpvvv.exe63⤵
- Executes dropped EXE
-
\??\c:\bffbjv.exec:\bffbjv.exe64⤵
- Executes dropped EXE
-
\??\c:\jlvrjb.exec:\jlvrjb.exe65⤵
- Executes dropped EXE
-
\??\c:\tdpxr.exec:\tdpxr.exe66⤵
-
\??\c:\jptfj.exec:\jptfj.exe67⤵
-
\??\c:\frddltt.exec:\frddltt.exe68⤵
-
\??\c:\vpnvdr.exec:\vpnvdr.exe69⤵
-
\??\c:\rjrrtj.exec:\rjrrtj.exe70⤵
-
\??\c:\frnbbb.exec:\frnbbb.exe71⤵
-
\??\c:\xxxbnhj.exec:\xxxbnhj.exe72⤵
-
\??\c:\tnvjlvd.exec:\tnvjlvd.exe73⤵
-
\??\c:\vrvdtp.exec:\vrvdtp.exe74⤵
-
\??\c:\rtnjl.exec:\rtnjl.exe75⤵
-
\??\c:\nptbrbv.exec:\nptbrbv.exe76⤵
-
\??\c:\jvfnv.exec:\jvfnv.exe77⤵
-
\??\c:\rjvrvnn.exec:\rjvrvnn.exe78⤵
-
\??\c:\bbhprjp.exec:\bbhprjp.exe79⤵
-
\??\c:\lffjrnv.exec:\lffjrnv.exe80⤵
-
\??\c:\lvnpf.exec:\lvnpf.exe81⤵
-
\??\c:\rjbjtb.exec:\rjbjtb.exe82⤵
-
\??\c:\xxltxp.exec:\xxltxp.exe83⤵
-
\??\c:\jlplxn.exec:\jlplxn.exe84⤵
-
\??\c:\lblxpf.exec:\lblxpf.exe85⤵
-
\??\c:\lpxhr.exec:\lpxhr.exe86⤵
-
\??\c:\hlrjr.exec:\hlrjr.exe87⤵
-
\??\c:\dvdtnjp.exec:\dvdtnjp.exe88⤵
-
\??\c:\htdpvv.exec:\htdpvv.exe89⤵
-
\??\c:\nvbbpv.exec:\nvbbpv.exe90⤵
-
\??\c:\fvjhd.exec:\fvjhd.exe91⤵
-
\??\c:\pvpvd.exec:\pvpvd.exe92⤵
-
\??\c:\dnnpvj.exec:\dnnpvj.exe93⤵
-
\??\c:\nvvdtv.exec:\nvvdtv.exe94⤵
-
\??\c:\djfhvdx.exec:\djfhvdx.exe95⤵
-
\??\c:\dprbxpf.exec:\dprbxpf.exe96⤵
-
\??\c:\tnhbvnl.exec:\tnhbvnl.exe97⤵
-
\??\c:\dbvvfj.exec:\dbvvfj.exe98⤵
-
\??\c:\jttlbx.exec:\jttlbx.exe99⤵
-
\??\c:\xfxxtn.exec:\xfxxtn.exe100⤵
-
\??\c:\nxxvhp.exec:\nxxvhp.exe101⤵
-
\??\c:\jhnhpdr.exec:\jhnhpdr.exe102⤵
-
\??\c:\bfthlh.exec:\bfthlh.exe103⤵
-
\??\c:\dvhndb.exec:\dvhndb.exe104⤵
-
\??\c:\rhtnt.exec:\rhtnt.exe105⤵
-
\??\c:\tblxlrj.exec:\tblxlrj.exe106⤵
-
\??\c:\jtdrh.exec:\jtdrh.exe107⤵
-
\??\c:\lbxbfl.exec:\lbxbfl.exe108⤵
-
\??\c:\xlbxnd.exec:\xlbxnd.exe109⤵
-
\??\c:\hnbttjb.exec:\hnbttjb.exe110⤵
-
\??\c:\bfjlvfl.exec:\bfjlvfl.exe111⤵
-
\??\c:\ttpbj.exec:\ttpbj.exe112⤵
-
\??\c:\vrfrbvx.exec:\vrfrbvx.exe113⤵
-
\??\c:\tbjlx.exec:\tbjlx.exe114⤵
-
\??\c:\hjdfhxp.exec:\hjdfhxp.exe115⤵
-
\??\c:\jvvlxrb.exec:\jvvlxrb.exe116⤵
-
\??\c:\nrdvf.exec:\nrdvf.exe117⤵
-
\??\c:\xnvjbth.exec:\xnvjbth.exe118⤵
-
\??\c:\dhnbn.exec:\dhnbn.exe119⤵
-
\??\c:\rrvdb.exec:\rrvdb.exe120⤵
-
\??\c:\bfxxpd.exec:\bfxxpd.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-