Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
10/03/2024, 23:45
General
-
Target
ac4f321efe49526a1d6c815859a0125f4d6b97ed726b8329bf68732b74d6a02a.exe
-
Size
391KB
-
MD5
cf0eb360c1aa2e54e46b230e0808d2b4
-
SHA1
ae873ff1b99738889f3a626590f649b83cb3bfc7
-
SHA256
ac4f321efe49526a1d6c815859a0125f4d6b97ed726b8329bf68732b74d6a02a
-
SHA512
ca7c7dd86c6ead051b7c2e5dfc2628e4c66901d2fb784c4b7fdd8b9cd68790e6bc628754675796e4fcfffed5f9971401ead914f829335c4fe9c0b3093c83e567
-
SSDEEP
6144:n3C9BRo7tvnJ9oH0IRgZvjkobjcSbcY+CaQdaFOY4iGFYtRdu/W:n3C9ytvngQjZbz+xt4vFBu
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 44 IoCs
-
UPX dump on OEP (original entry point) 52 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 52 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac4f321efe49526a1d6c815859a0125f4d6b97ed726b8329bf68732b74d6a02a.exe"C:\Users\Admin\AppData\Local\Temp\ac4f321efe49526a1d6c815859a0125f4d6b97ed726b8329bf68732b74d6a02a.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnntt.exec:\hbnntt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxfxllf.exec:\rxfxllf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrlllll.exec:\lrlllll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntbtnn.exec:\ntbtnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fflfffx.exec:\fflfffx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1nbtbb.exec:\1nbtbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhtnbb.exec:\nhtnbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdpjv.exec:\vdpjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxfxrxr.exec:\lxfxrxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhbbb.exec:\nbhbbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrlffr.exec:\lfrlffr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pppdd.exec:\pppdd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llxfrrr.exec:\llxfrrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpjj.exec:\dvpjj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxffrrx.exec:\fxffrrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djddj.exec:\djddj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbtnbb.exec:\bbtnbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjjv.exec:\jdjjv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvvj.exec:\dvvvj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3tbbnn.exec:\3tbbnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrfrlfx.exec:\xrfrlfx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9dpdv.exec:\9dpdv.exe23⤵
- Executes dropped EXE
-
\??\c:\5jdvp.exec:\5jdvp.exe24⤵
- Executes dropped EXE
-
\??\c:\ffrxxxl.exec:\ffrxxxl.exe25⤵
- Executes dropped EXE
-
\??\c:\vvpdv.exec:\vvpdv.exe26⤵
- Executes dropped EXE
-
\??\c:\3hbthh.exec:\3hbthh.exe27⤵
- Executes dropped EXE
-
\??\c:\7xrffxr.exec:\7xrffxr.exe28⤵
- Executes dropped EXE
-
\??\c:\9dvjd.exec:\9dvjd.exe29⤵
- Executes dropped EXE
-
\??\c:\3hhbnh.exec:\3hhbnh.exe30⤵
- Executes dropped EXE
-
\??\c:\rxxlrxx.exec:\rxxlrxx.exe31⤵
- Executes dropped EXE
-
\??\c:\vpjdp.exec:\vpjdp.exe32⤵
- Executes dropped EXE
-
\??\c:\3hbthb.exec:\3hbthb.exe33⤵
- Executes dropped EXE
-
\??\c:\3xrfrlf.exec:\3xrfrlf.exe34⤵
- Executes dropped EXE
-
\??\c:\jpvdp.exec:\jpvdp.exe35⤵
- Executes dropped EXE
-
\??\c:\xllfrlf.exec:\xllfrlf.exe36⤵
- Executes dropped EXE
-
\??\c:\vdvjd.exec:\vdvjd.exe37⤵
- Executes dropped EXE
-
\??\c:\xrxlffx.exec:\xrxlffx.exe38⤵
- Executes dropped EXE
-
\??\c:\1pppd.exec:\1pppd.exe39⤵
- Executes dropped EXE
-
\??\c:\xflflff.exec:\xflflff.exe40⤵
- Executes dropped EXE
-
\??\c:\7pjdp.exec:\7pjdp.exe41⤵
- Executes dropped EXE
-
\??\c:\bthhnn.exec:\bthhnn.exe42⤵
- Executes dropped EXE
-
\??\c:\ddjjd.exec:\ddjjd.exe43⤵
- Executes dropped EXE
-
\??\c:\htnbtn.exec:\htnbtn.exe44⤵
- Executes dropped EXE
-
\??\c:\xrrffxr.exec:\xrrffxr.exe45⤵
- Executes dropped EXE
-
\??\c:\nhbthh.exec:\nhbthh.exe46⤵
- Executes dropped EXE
-
\??\c:\pdpdd.exec:\pdpdd.exe47⤵
- Executes dropped EXE
-
\??\c:\tnnhbt.exec:\tnnhbt.exe48⤵
- Executes dropped EXE
-
\??\c:\dpddj.exec:\dpddj.exe49⤵
- Executes dropped EXE
-
\??\c:\hbbtnb.exec:\hbbtnb.exe50⤵
- Executes dropped EXE
-
\??\c:\dpdpp.exec:\dpdpp.exe51⤵
- Executes dropped EXE
-
\??\c:\bbbthh.exec:\bbbthh.exe52⤵
- Executes dropped EXE
-
\??\c:\dvddd.exec:\dvddd.exe53⤵
- Executes dropped EXE
-
\??\c:\bnhbhb.exec:\bnhbhb.exe54⤵
- Executes dropped EXE
-
\??\c:\jvpdp.exec:\jvpdp.exe55⤵
- Executes dropped EXE
-
\??\c:\nbbthb.exec:\nbbthb.exe56⤵
- Executes dropped EXE
-
\??\c:\dpppj.exec:\dpppj.exe57⤵
- Executes dropped EXE
-
\??\c:\1rrfrlf.exec:\1rrfrlf.exe58⤵
- Executes dropped EXE
-
\??\c:\nhhbtt.exec:\nhhbtt.exe59⤵
- Executes dropped EXE
-
\??\c:\rxfxrrr.exec:\rxfxrrr.exe60⤵
- Executes dropped EXE
-
\??\c:\3tbtnh.exec:\3tbtnh.exe61⤵
- Executes dropped EXE
-
\??\c:\bnhhbb.exec:\bnhhbb.exe62⤵
- Executes dropped EXE
-
\??\c:\pjddj.exec:\pjddj.exe63⤵
- Executes dropped EXE
-
\??\c:\nnhbbt.exec:\nnhbbt.exe64⤵
- Executes dropped EXE
-
\??\c:\ppvjv.exec:\ppvjv.exe65⤵
- Executes dropped EXE
-
\??\c:\rrlffxx.exec:\rrlffxx.exe66⤵
-
\??\c:\5ddvp.exec:\5ddvp.exe67⤵
-
\??\c:\flrrlxx.exec:\flrrlxx.exe68⤵
-
\??\c:\hnbnhh.exec:\hnbnhh.exe69⤵
-
\??\c:\lflxrlf.exec:\lflxrlf.exe70⤵
-
\??\c:\hbtnhh.exec:\hbtnhh.exe71⤵
-
\??\c:\jpvpd.exec:\jpvpd.exe72⤵
-
\??\c:\bbhbnt.exec:\bbhbnt.exe73⤵
-
\??\c:\jpdpv.exec:\jpdpv.exe74⤵
-
\??\c:\btnhnn.exec:\btnhnn.exe75⤵
-
\??\c:\frrfrxl.exec:\frrfrxl.exe76⤵
-
\??\c:\5lrfrlr.exec:\5lrfrlr.exe77⤵
-
\??\c:\3dvpj.exec:\3dvpj.exe78⤵
-
\??\c:\3htbnh.exec:\3htbnh.exe79⤵
-
\??\c:\3vjjv.exec:\3vjjv.exe80⤵
-
\??\c:\3bbnhb.exec:\3bbnhb.exe81⤵
-
\??\c:\pjdvp.exec:\pjdvp.exe82⤵
-
\??\c:\rfxrfxr.exec:\rfxrfxr.exe83⤵
-
\??\c:\hbtbth.exec:\hbtbth.exe84⤵
-
\??\c:\5vpdv.exec:\5vpdv.exe85⤵
-
\??\c:\9lxrxlx.exec:\9lxrxlx.exe86⤵
-
\??\c:\dddvv.exec:\dddvv.exe87⤵
-
\??\c:\7rlxfxl.exec:\7rlxfxl.exe88⤵
-
\??\c:\3btnbt.exec:\3btnbt.exe89⤵
-
\??\c:\1vpjd.exec:\1vpjd.exe90⤵
-
\??\c:\fffxlfr.exec:\fffxlfr.exe91⤵
-
\??\c:\pjjdv.exec:\pjjdv.exe92⤵
-
\??\c:\3ffxxrr.exec:\3ffxxrr.exe93⤵
-
\??\c:\7pjjj.exec:\7pjjj.exe94⤵
-
\??\c:\3flfxrr.exec:\3flfxrr.exe95⤵
-
\??\c:\bhhtnh.exec:\bhhtnh.exe96⤵
-
\??\c:\xllfxrl.exec:\xllfxrl.exe97⤵
-
\??\c:\jdjdp.exec:\jdjdp.exe98⤵
-
\??\c:\rffrlfx.exec:\rffrlfx.exe99⤵
-
\??\c:\pddvv.exec:\pddvv.exe100⤵
-
\??\c:\lxrxxxr.exec:\lxrxxxr.exe101⤵
-
\??\c:\vdvvv.exec:\vdvvv.exe102⤵
-
\??\c:\lfrlxff.exec:\lfrlxff.exe103⤵
-
\??\c:\hbhbbt.exec:\hbhbbt.exe104⤵
-
\??\c:\fxxrfff.exec:\fxxrfff.exe105⤵
-
\??\c:\frfxfff.exec:\frfxfff.exe106⤵
-
\??\c:\7hnnnn.exec:\7hnnnn.exe107⤵
-
\??\c:\rfrlfff.exec:\rfrlfff.exe108⤵
-
\??\c:\hnthtb.exec:\hnthtb.exe109⤵
-
\??\c:\9dpjd.exec:\9dpjd.exe110⤵
-
\??\c:\htttnt.exec:\htttnt.exe111⤵
-
\??\c:\vjpjp.exec:\vjpjp.exe112⤵
-
\??\c:\rrllllr.exec:\rrllllr.exe113⤵
-
\??\c:\hnhhhh.exec:\hnhhhh.exe114⤵
-
\??\c:\fxxxlll.exec:\fxxxlll.exe115⤵
-
\??\c:\3nhbtt.exec:\3nhbtt.exe116⤵
-
\??\c:\ddvpp.exec:\ddvpp.exe117⤵
-
\??\c:\hhtthh.exec:\hhtthh.exe118⤵
-
\??\c:\vvjpp.exec:\vvjpp.exe119⤵
-
\??\c:\rlllxxx.exec:\rlllxxx.exe120⤵
-
\??\c:\bbbtnh.exec:\bbbtnh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-