Analysis
-
max time kernel
159s -
max time network
176s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
19/03/2024, 22:18
General
-
Target
89fab9ea5f88c99202d11d1f697209d4fbe2e7acdb016a4a02356a884933a5cf.exe
-
Size
455KB
-
MD5
d3100fce72ab3aa8984443cea36fb20b
-
SHA1
6fb81919095ec0a2ccdaa6a4ed05841aa5d9a18c
-
SHA256
89fab9ea5f88c99202d11d1f697209d4fbe2e7acdb016a4a02356a884933a5cf
-
SHA512
1ebc89b736e0cf432e49e08f4833893640f4376a33e8ebad570306f30a01e3994f7299e2ed24c66a5165855c4e252a0a33c1891fa69b35a1630aaccadc9ef456
-
SSDEEP
12288:n3C9uDIPh2kkkkK4kXkkkkkkkkl888888888888888888nQJ:ShPh2kkkkK4kXkkkkkkkkSJ
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 44 IoCs
-
UPX dump on OEP (original entry point) 57 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 57 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\89fab9ea5f88c99202d11d1f697209d4fbe2e7acdb016a4a02356a884933a5cf.exe"C:\Users\Admin\AppData\Local\Temp\89fab9ea5f88c99202d11d1f697209d4fbe2e7acdb016a4a02356a884933a5cf.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\91gno.exec:\91gno.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\r321ut5.exec:\r321ut5.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\x9ab8a.exec:\x9ab8a.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7n7kj97.exec:\7n7kj97.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\l975uu3.exec:\l975uu3.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\qe97ke.exec:\qe97ke.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2g5b54w.exec:\2g5b54w.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\n70d17n.exec:\n70d17n.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\n5i153.exec:\n5i153.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\j5dbn.exec:\j5dbn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4cx3we1.exec:\4cx3we1.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\gq34k.exec:\gq34k.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1117kqu.exec:\1117kqu.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9wln05.exec:\9wln05.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\91ql9.exec:\91ql9.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tka5mk.exec:\tka5mk.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0e157sm.exec:\0e157sm.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6gua98g.exec:\6gua98g.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\d6mqcc.exec:\d6mqcc.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1u75o.exec:\1u75o.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hw4897r.exec:\hw4897r.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8337p1.exec:\8337p1.exe23⤵
- Executes dropped EXE
-
\??\c:\xd2os.exec:\xd2os.exe24⤵
- Executes dropped EXE
-
\??\c:\81vf10.exec:\81vf10.exe25⤵
- Executes dropped EXE
-
\??\c:\c75138.exec:\c75138.exe26⤵
- Executes dropped EXE
-
\??\c:\86k3f.exec:\86k3f.exe27⤵
- Executes dropped EXE
-
\??\c:\fqwma53.exec:\fqwma53.exe28⤵
- Executes dropped EXE
-
\??\c:\ien9e.exec:\ien9e.exe29⤵
- Executes dropped EXE
-
\??\c:\iar8iv.exec:\iar8iv.exe30⤵
- Executes dropped EXE
-
\??\c:\6l712.exec:\6l712.exe31⤵
- Executes dropped EXE
-
\??\c:\2a5ow.exec:\2a5ow.exe32⤵
- Executes dropped EXE
-
\??\c:\59911.exec:\59911.exe33⤵
- Executes dropped EXE
-
\??\c:\8ksii.exec:\8ksii.exe34⤵
- Executes dropped EXE
-
\??\c:\13ip1xa.exec:\13ip1xa.exe35⤵
- Executes dropped EXE
-
\??\c:\6693f.exec:\6693f.exe36⤵
- Executes dropped EXE
-
\??\c:\0e0pa.exec:\0e0pa.exe37⤵
- Executes dropped EXE
-
\??\c:\mqqw6uo.exec:\mqqw6uo.exe38⤵
- Executes dropped EXE
-
\??\c:\6aakq53.exec:\6aakq53.exe39⤵
- Executes dropped EXE
-
\??\c:\4inxuq.exec:\4inxuq.exe40⤵
- Executes dropped EXE
-
\??\c:\l955673.exec:\l955673.exe41⤵
- Executes dropped EXE
-
\??\c:\h9033hx.exec:\h9033hx.exe42⤵
- Executes dropped EXE
-
\??\c:\sl93d.exec:\sl93d.exe43⤵
- Executes dropped EXE
-
\??\c:\72sj5ea.exec:\72sj5ea.exe44⤵
- Executes dropped EXE
-
\??\c:\33qh59.exec:\33qh59.exe45⤵
- Executes dropped EXE
-
\??\c:\8w31795.exec:\8w31795.exe46⤵
- Executes dropped EXE
-
\??\c:\ue59379.exec:\ue59379.exe47⤵
- Executes dropped EXE
-
\??\c:\wmsk293.exec:\wmsk293.exe48⤵
- Executes dropped EXE
-
\??\c:\31wr2.exec:\31wr2.exe49⤵
- Executes dropped EXE
-
\??\c:\4wqouuu.exec:\4wqouuu.exe50⤵
- Executes dropped EXE
-
\??\c:\97w2r3.exec:\97w2r3.exe51⤵
- Executes dropped EXE
-
\??\c:\897191.exec:\897191.exe52⤵
- Executes dropped EXE
-
\??\c:\dcmsuiu.exec:\dcmsuiu.exe53⤵
- Executes dropped EXE
-
\??\c:\2g7575.exec:\2g7575.exe54⤵
- Executes dropped EXE
-
\??\c:\r398a6b.exec:\r398a6b.exe55⤵
- Executes dropped EXE
-
\??\c:\97mm75.exec:\97mm75.exe56⤵
- Executes dropped EXE
-
\??\c:\4915999.exec:\4915999.exe57⤵
- Executes dropped EXE
-
\??\c:\33815oo.exec:\33815oo.exe58⤵
- Executes dropped EXE
-
\??\c:\1j16d.exec:\1j16d.exe59⤵
- Executes dropped EXE
-
\??\c:\950q97s.exec:\950q97s.exe60⤵
- Executes dropped EXE
-
\??\c:\9r334i.exec:\9r334i.exe61⤵
- Executes dropped EXE
-
\??\c:\ml151.exec:\ml151.exe62⤵
- Executes dropped EXE
-
\??\c:\ck551.exec:\ck551.exe63⤵
- Executes dropped EXE
-
\??\c:\v56st.exec:\v56st.exe64⤵
- Executes dropped EXE
-
\??\c:\h110k.exec:\h110k.exe65⤵
- Executes dropped EXE
-
\??\c:\wql3o.exec:\wql3o.exe66⤵
-
\??\c:\8th1k0.exec:\8th1k0.exe67⤵
-
\??\c:\b5j5f.exec:\b5j5f.exe68⤵
-
\??\c:\6r5ea5.exec:\6r5ea5.exe69⤵
-
\??\c:\7910p7.exec:\7910p7.exe70⤵
-
\??\c:\bjed962.exec:\bjed962.exe71⤵
-
\??\c:\22ii96e.exec:\22ii96e.exe72⤵
-
\??\c:\8cns9.exec:\8cns9.exe73⤵
-
\??\c:\6isu8.exec:\6isu8.exe74⤵
-
\??\c:\6sagcg.exec:\6sagcg.exe75⤵
-
\??\c:\7d9ne.exec:\7d9ne.exe76⤵
-
\??\c:\r4d96kh.exec:\r4d96kh.exe77⤵
-
\??\c:\5g9sx.exec:\5g9sx.exe78⤵
-
\??\c:\13www.exec:\13www.exe79⤵
-
\??\c:\05w610s.exec:\05w610s.exe80⤵
-
\??\c:\ckmscag.exec:\ckmscag.exe81⤵
-
\??\c:\1a37es.exec:\1a37es.exe82⤵
-
\??\c:\2aacqa.exec:\2aacqa.exe83⤵
-
\??\c:\r8f6ml.exec:\r8f6ml.exe84⤵
-
\??\c:\nsf34h.exec:\nsf34h.exe85⤵
-
\??\c:\ma777.exec:\ma777.exe86⤵
-
\??\c:\f91733.exec:\f91733.exe87⤵
-
\??\c:\93immmm.exec:\93immmm.exe88⤵
-
\??\c:\5078k8.exec:\5078k8.exe89⤵
-
\??\c:\8p7em.exec:\8p7em.exe90⤵
-
\??\c:\w17593.exec:\w17593.exe91⤵
-
\??\c:\55315q.exec:\55315q.exe92⤵
-
\??\c:\m8qsk.exec:\m8qsk.exe93⤵
-
\??\c:\e9axc.exec:\e9axc.exe94⤵
-
\??\c:\gq754k.exec:\gq754k.exe95⤵
-
\??\c:\9kwvc9.exec:\9kwvc9.exe96⤵
-
\??\c:\8s9sx.exec:\8s9sx.exe97⤵
-
\??\c:\1ik0a.exec:\1ik0a.exe98⤵
-
\??\c:\0ub9kr8.exec:\0ub9kr8.exe99⤵
-
\??\c:\95r94s7.exec:\95r94s7.exe100⤵
-
\??\c:\297a5.exec:\297a5.exe101⤵
-
\??\c:\0m7165j.exec:\0m7165j.exe102⤵
-
\??\c:\ia7q52.exec:\ia7q52.exe103⤵
-
\??\c:\d3ur1k9.exec:\d3ur1k9.exe104⤵
-
\??\c:\b53551.exec:\b53551.exe105⤵
-
\??\c:\8i74c9j.exec:\8i74c9j.exe106⤵
-
\??\c:\je5uc5.exec:\je5uc5.exe107⤵
-
\??\c:\spa3g58.exec:\spa3g58.exe108⤵
-
\??\c:\0ed7or.exec:\0ed7or.exe109⤵
-
\??\c:\1dtg6.exec:\1dtg6.exe110⤵
-
\??\c:\2k9355.exec:\2k9355.exe111⤵
-
\??\c:\ukjg0g.exec:\ukjg0g.exe112⤵
-
\??\c:\taw3a1.exec:\taw3a1.exe113⤵
-
\??\c:\r2o1259.exec:\r2o1259.exe114⤵
-
\??\c:\7xoeg.exec:\7xoeg.exe115⤵
-
\??\c:\4x1me12.exec:\4x1me12.exe116⤵
-
\??\c:\euxoiws.exec:\euxoiws.exe117⤵
-
\??\c:\1a7cp.exec:\1a7cp.exe118⤵
-
\??\c:\x27cg4.exec:\x27cg4.exe119⤵
-
\??\c:\w825j.exec:\w825j.exe120⤵
-
\??\c:\6ri698.exec:\6ri698.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-