Analysis
-
max time kernel
127s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
04/04/2024, 19:57
General
-
Target
3905604c9050878c5639ed77a50b2136718fc319bc17d0f65c0f54395823b7d1.exe
-
Size
342KB
-
MD5
4cefa7ae5ef3bc4816b17d1730724c6d
-
SHA1
9c3c3fe87dbe80bb2445c6c772f913bc9ef17243
-
SHA256
3905604c9050878c5639ed77a50b2136718fc319bc17d0f65c0f54395823b7d1
-
SHA512
953aabb632260ed767962065c0412aa53598f14aa2c4e409283bb9efb57755488b7c64dcda9fbfdb31c2b32ae4381863dc4fca8c47b669f61b97f4894d17a7b6
-
SSDEEP
6144:n3C9BRo/AIX2MUXownfWQkyCpxwJz9e0pQowLh3EhToK9cT085mnFhXjmnwJQyIl:n3C9uDnUXoSWlnwJv90aKToFqwfIBr
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 31 IoCs
-
UPX dump on OEP (original entry point) 61 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 61 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3905604c9050878c5639ed77a50b2136718fc319bc17d0f65c0f54395823b7d1.exe"C:\Users\Admin\AppData\Local\Temp\3905604c9050878c5639ed77a50b2136718fc319bc17d0f65c0f54395823b7d1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\vdnlr.exec:\vdnlr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrpdtx.exec:\xrpdtx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jtfbld.exec:\jtfbld.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hvtrd.exec:\hvtrd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btlvv.exec:\btlvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xvnllb.exec:\xvnllb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bdrhlrx.exec:\bdrhlrx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vxdnpxl.exec:\vxdnpxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ptprhp.exec:\ptprhp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pndhvfn.exec:\pndhvfn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frpft.exec:\frpft.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tjnvhfh.exec:\tjnvhfh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvprrf.exec:\dvprrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nttvjld.exec:\nttvjld.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rjlvhtr.exec:\rjlvhtr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvfrv.exec:\pvfrv.exe17⤵
- Executes dropped EXE
-
\??\c:\vxdxft.exec:\vxdxft.exe18⤵
- Executes dropped EXE
-
\??\c:\vbfjbft.exec:\vbfjbft.exe19⤵
- Executes dropped EXE
-
\??\c:\xhlvp.exec:\xhlvp.exe20⤵
- Executes dropped EXE
-
\??\c:\rhltpbh.exec:\rhltpbh.exe21⤵
- Executes dropped EXE
-
\??\c:\lfpprr.exec:\lfpprr.exe22⤵
- Executes dropped EXE
-
\??\c:\vfnpv.exec:\vfnpv.exe23⤵
- Executes dropped EXE
-
\??\c:\vldhp.exec:\vldhp.exe24⤵
- Executes dropped EXE
-
\??\c:\bxdvpvl.exec:\bxdvpvl.exe25⤵
- Executes dropped EXE
-
\??\c:\pjrtprb.exec:\pjrtprb.exe26⤵
- Executes dropped EXE
-
\??\c:\pxdjnn.exec:\pxdjnn.exe27⤵
- Executes dropped EXE
-
\??\c:\blptrhj.exec:\blptrhj.exe28⤵
- Executes dropped EXE
-
\??\c:\nlfhhll.exec:\nlfhhll.exe29⤵
- Executes dropped EXE
-
\??\c:\tbjxf.exec:\tbjxf.exe30⤵
- Executes dropped EXE
-
\??\c:\vvjxpn.exec:\vvjxpn.exe31⤵
- Executes dropped EXE
-
\??\c:\phxlpp.exec:\phxlpp.exe32⤵
- Executes dropped EXE
-
\??\c:\ptnrjbb.exec:\ptnrjbb.exe33⤵
- Executes dropped EXE
-
\??\c:\vtvxfh.exec:\vtvxfh.exe34⤵
- Executes dropped EXE
-
\??\c:\fjbnnn.exec:\fjbnnn.exe35⤵
- Executes dropped EXE
-
\??\c:\fxvbh.exec:\fxvbh.exe36⤵
- Executes dropped EXE
-
\??\c:\jftpvnl.exec:\jftpvnl.exe37⤵
- Executes dropped EXE
-
\??\c:\dvxvl.exec:\dvxvl.exe38⤵
- Executes dropped EXE
-
\??\c:\lbjdntp.exec:\lbjdntp.exe39⤵
- Executes dropped EXE
-
\??\c:\xlxhvpx.exec:\xlxhvpx.exe40⤵
- Executes dropped EXE
-
\??\c:\lhjlxdf.exec:\lhjlxdf.exe41⤵
- Executes dropped EXE
-
\??\c:\lrhfnr.exec:\lrhfnr.exe42⤵
- Executes dropped EXE
-
\??\c:\djntpv.exec:\djntpv.exe43⤵
- Executes dropped EXE
-
\??\c:\hprtrxt.exec:\hprtrxt.exe44⤵
- Executes dropped EXE
-
\??\c:\xhvxx.exec:\xhvxx.exe45⤵
- Executes dropped EXE
-
\??\c:\fbtbx.exec:\fbtbx.exe46⤵
- Executes dropped EXE
-
\??\c:\tllhbrd.exec:\tllhbrd.exe47⤵
- Executes dropped EXE
-
\??\c:\hfbvp.exec:\hfbvp.exe48⤵
- Executes dropped EXE
-
\??\c:\tbvdpvd.exec:\tbvdpvd.exe49⤵
- Executes dropped EXE
-
\??\c:\dvnxv.exec:\dvnxv.exe50⤵
- Executes dropped EXE
-
\??\c:\lbpnb.exec:\lbpnb.exe51⤵
- Executes dropped EXE
-
\??\c:\pfbpr.exec:\pfbpr.exe52⤵
- Executes dropped EXE
-
\??\c:\dxdhr.exec:\dxdhr.exe53⤵
- Executes dropped EXE
-
\??\c:\vrldpn.exec:\vrldpn.exe54⤵
- Executes dropped EXE
-
\??\c:\vjjthb.exec:\vjjthb.exe55⤵
- Executes dropped EXE
-
\??\c:\nfddthj.exec:\nfddthj.exe56⤵
- Executes dropped EXE
-
\??\c:\thtpx.exec:\thtpx.exe57⤵
- Executes dropped EXE
-
\??\c:\hjxnt.exec:\hjxnt.exe58⤵
- Executes dropped EXE
-
\??\c:\btdhh.exec:\btdhh.exe59⤵
- Executes dropped EXE
-
\??\c:\hjlhfnh.exec:\hjlhfnh.exe60⤵
- Executes dropped EXE
-
\??\c:\htxdjxb.exec:\htxdjxb.exe61⤵
- Executes dropped EXE
-
\??\c:\vnddpv.exec:\vnddpv.exe62⤵
- Executes dropped EXE
-
\??\c:\nxxjdbh.exec:\nxxjdbh.exe63⤵
- Executes dropped EXE
-
\??\c:\ljvnl.exec:\ljvnl.exe64⤵
- Executes dropped EXE
-
\??\c:\htvxdbx.exec:\htvxdbx.exe65⤵
- Executes dropped EXE
-
\??\c:\tbdhlt.exec:\tbdhlt.exe66⤵
-
\??\c:\fpvjt.exec:\fpvjt.exe67⤵
-
\??\c:\bnphn.exec:\bnphn.exe68⤵
-
\??\c:\ttjtn.exec:\ttjtn.exe69⤵
-
\??\c:\tjfxprn.exec:\tjfxprn.exe70⤵
-
\??\c:\dvxrrdp.exec:\dvxrrdp.exe71⤵
-
\??\c:\blplvn.exec:\blplvn.exe72⤵
-
\??\c:\lhhbv.exec:\lhhbv.exe73⤵
-
\??\c:\rxjhx.exec:\rxjhx.exe74⤵
-
\??\c:\hvdrf.exec:\hvdrf.exe75⤵
-
\??\c:\bnbdvff.exec:\bnbdvff.exe76⤵
-
\??\c:\lnnnn.exec:\lnnnn.exe77⤵
-
\??\c:\xtlfv.exec:\xtlfv.exe78⤵
-
\??\c:\rbfnf.exec:\rbfnf.exe79⤵
-
\??\c:\xttxhbb.exec:\xttxhbb.exe80⤵
-
\??\c:\ltjtbjt.exec:\ltjtbjt.exe81⤵
-
\??\c:\jlnnpxr.exec:\jlnnpxr.exe82⤵
-
\??\c:\jtdrjpf.exec:\jtdrjpf.exe83⤵
-
\??\c:\dhbjlt.exec:\dhbjlt.exe84⤵
-
\??\c:\ljdbjr.exec:\ljdbjr.exe85⤵
-
\??\c:\rxxnjlh.exec:\rxxnjlh.exe86⤵
-
\??\c:\nvxjhf.exec:\nvxjhf.exe87⤵
-
\??\c:\vnjhvrb.exec:\vnjhvrb.exe88⤵
-
\??\c:\bptln.exec:\bptln.exe89⤵
-
\??\c:\jtrrn.exec:\jtrrn.exe90⤵
-
\??\c:\vdnjjvf.exec:\vdnjjvf.exe91⤵
-
\??\c:\bvvphpf.exec:\bvvphpf.exe92⤵
-
\??\c:\dpljdh.exec:\dpljdh.exe93⤵
-
\??\c:\jtlbrjn.exec:\jtlbrjn.exe94⤵
-
\??\c:\dhrjtj.exec:\dhrjtj.exe95⤵
-
\??\c:\pfrbrtj.exec:\pfrbrtj.exe96⤵
-
\??\c:\drxjh.exec:\drxjh.exe97⤵
-
\??\c:\hpldvj.exec:\hpldvj.exe98⤵
-
\??\c:\nxltdbb.exec:\nxltdbb.exe99⤵
-
\??\c:\jhpfl.exec:\jhpfl.exe100⤵
-
\??\c:\fvbxrp.exec:\fvbxrp.exe101⤵
-
\??\c:\vdxfnrf.exec:\vdxfnrf.exe102⤵
-
\??\c:\bxnbpb.exec:\bxnbpb.exe103⤵
-
\??\c:\ldnrxbt.exec:\ldnrxbt.exe104⤵
-
\??\c:\hrjbt.exec:\hrjbt.exe105⤵
-
\??\c:\xhlhthn.exec:\xhlhthn.exe106⤵
-
\??\c:\rvttvb.exec:\rvttvb.exe107⤵
-
\??\c:\dxxjtt.exec:\dxxjtt.exe108⤵
-
\??\c:\rpvlvd.exec:\rpvlvd.exe109⤵
-
\??\c:\tbbpvj.exec:\tbbpvj.exe110⤵
-
\??\c:\ptnxvld.exec:\ptnxvld.exe111⤵
-
\??\c:\njvfnd.exec:\njvfnd.exe112⤵
-
\??\c:\ftbht.exec:\ftbht.exe113⤵
-
\??\c:\nhbtn.exec:\nhbtn.exe114⤵
-
\??\c:\nrvftt.exec:\nrvftt.exe115⤵
-
\??\c:\vfttp.exec:\vfttp.exe116⤵
-
\??\c:\hrfrhbl.exec:\hrfrhbl.exe117⤵
-
\??\c:\llfdv.exec:\llfdv.exe118⤵
-
\??\c:\trnllv.exec:\trnllv.exe119⤵
-
\??\c:\fvlvh.exec:\fvlvh.exe120⤵
-
\??\c:\nrvprx.exec:\nrvprx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-