Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
05-04-2024 21:33
General
-
Target
539162b8cb67fedd37b9a100ee4726f29e247b4508e38c7f15ecb0cf97854994.exe
-
Size
88KB
-
MD5
6cfc779b04fce1fdd01d26f556ce007b
-
SHA1
42cf6538f8ba94392183890f98041d23674c3caa
-
SHA256
539162b8cb67fedd37b9a100ee4726f29e247b4508e38c7f15ecb0cf97854994
-
SHA512
382ec0b9cf8623a806e54e5008d610d7dd7b87182783ac7674e62a0b5a281531b15c11f148959c50af14f4044ec799469abc2be522c937cfb59ed027fa1a98d4
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDISoFGDvPGB1haZJK:ymb3NkkiQ3mdBjFIk7+czK
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 43 IoCs
-
UPX dump on OEP (original entry point) 51 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 51 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\539162b8cb67fedd37b9a100ee4726f29e247b4508e38c7f15ecb0cf97854994.exe"C:\Users\Admin\AppData\Local\Temp\539162b8cb67fedd37b9a100ee4726f29e247b4508e38c7f15ecb0cf97854994.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\hbtbhn.exec:\hbtbhn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrlrrx.exec:\fxrlrrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhbnn.exec:\nnhbnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxrfxrl.exec:\lxrfxrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbbtnb.exec:\nbbtnb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbtnhh.exec:\hbtnhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1rrfrlx.exec:\1rrfrlx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htnhbt.exec:\htnhbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrlxrfl.exec:\lrlxrfl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvpp.exec:\pdvpp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfxrlfx.exec:\xfxrlfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjjdp.exec:\vjjdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxrxrf.exec:\xrxrxrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhhhbt.exec:\bhhhbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpjpj.exec:\jpjpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbbnhb.exec:\tbbnhb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrrrxfr.exec:\rrrrxfr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5tbnhb.exec:\5tbnhb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5ddvj.exec:\5ddvj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\httnhb.exec:\httnhb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fllfxrl.exec:\fllfxrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdjpv.exec:\pdjpv.exe23⤵
- Executes dropped EXE
-
\??\c:\lllxllf.exec:\lllxllf.exe24⤵
- Executes dropped EXE
-
\??\c:\nhbtnh.exec:\nhbtnh.exe25⤵
- Executes dropped EXE
-
\??\c:\9lfrfxr.exec:\9lfrfxr.exe26⤵
- Executes dropped EXE
-
\??\c:\7vvpd.exec:\7vvpd.exe27⤵
- Executes dropped EXE
-
\??\c:\5bhhbh.exec:\5bhhbh.exe28⤵
- Executes dropped EXE
-
\??\c:\rlxllfl.exec:\rlxllfl.exe29⤵
- Executes dropped EXE
-
\??\c:\thbbtn.exec:\thbbtn.exe30⤵
- Executes dropped EXE
-
\??\c:\pdpjj.exec:\pdpjj.exe31⤵
- Executes dropped EXE
-
\??\c:\1flxxrr.exec:\1flxxrr.exe32⤵
- Executes dropped EXE
-
\??\c:\vvpjv.exec:\vvpjv.exe33⤵
- Executes dropped EXE
-
\??\c:\3bhttt.exec:\3bhttt.exe34⤵
- Executes dropped EXE
-
\??\c:\rrrlxrl.exec:\rrrlxrl.exe35⤵
- Executes dropped EXE
-
\??\c:\tnbtnh.exec:\tnbtnh.exe36⤵
- Executes dropped EXE
-
\??\c:\pjjvv.exec:\pjjvv.exe37⤵
- Executes dropped EXE
-
\??\c:\hhtnhh.exec:\hhtnhh.exe38⤵
- Executes dropped EXE
-
\??\c:\hhntht.exec:\hhntht.exe39⤵
- Executes dropped EXE
-
\??\c:\rlxfrrr.exec:\rlxfrrr.exe40⤵
- Executes dropped EXE
-
\??\c:\rfxxlxr.exec:\rfxxlxr.exe41⤵
- Executes dropped EXE
-
\??\c:\3vdvd.exec:\3vdvd.exe42⤵
- Executes dropped EXE
-
\??\c:\hbtntn.exec:\hbtntn.exe43⤵
- Executes dropped EXE
-
\??\c:\dddvj.exec:\dddvj.exe44⤵
- Executes dropped EXE
-
\??\c:\3ttbtn.exec:\3ttbtn.exe45⤵
- Executes dropped EXE
-
\??\c:\5xrfrll.exec:\5xrfrll.exe46⤵
- Executes dropped EXE
-
\??\c:\3hbnhb.exec:\3hbnhb.exe47⤵
- Executes dropped EXE
-
\??\c:\1lfrllf.exec:\1lfrllf.exe48⤵
- Executes dropped EXE
-
\??\c:\ttnbtn.exec:\ttnbtn.exe49⤵
- Executes dropped EXE
-
\??\c:\9lffrll.exec:\9lffrll.exe50⤵
- Executes dropped EXE
-
\??\c:\djpjv.exec:\djpjv.exe51⤵
- Executes dropped EXE
-
\??\c:\ntnthh.exec:\ntnthh.exe52⤵
- Executes dropped EXE
-
\??\c:\1ddpp.exec:\1ddpp.exe53⤵
- Executes dropped EXE
-
\??\c:\lfxrfxr.exec:\lfxrfxr.exe54⤵
- Executes dropped EXE
-
\??\c:\9tbnhh.exec:\9tbnhh.exe55⤵
- Executes dropped EXE
-
\??\c:\3pvpd.exec:\3pvpd.exe56⤵
- Executes dropped EXE
-
\??\c:\bnnhbt.exec:\bnnhbt.exe57⤵
- Executes dropped EXE
-
\??\c:\9vppv.exec:\9vppv.exe58⤵
- Executes dropped EXE
-
\??\c:\1ffrfxx.exec:\1ffrfxx.exe59⤵
- Executes dropped EXE
-
\??\c:\nhhbtt.exec:\nhhbtt.exe60⤵
- Executes dropped EXE
-
\??\c:\rfrlfff.exec:\rfrlfff.exe61⤵
- Executes dropped EXE
-
\??\c:\rxrlfxr.exec:\rxrlfxr.exe62⤵
- Executes dropped EXE
-
\??\c:\djjjd.exec:\djjjd.exe63⤵
- Executes dropped EXE
-
\??\c:\tnnnnb.exec:\tnnnnb.exe64⤵
- Executes dropped EXE
-
\??\c:\9rrllll.exec:\9rrllll.exe65⤵
- Executes dropped EXE
-
\??\c:\hhttnt.exec:\hhttnt.exe66⤵
-
\??\c:\pdvjv.exec:\pdvjv.exe67⤵
-
\??\c:\9fxlfxf.exec:\9fxlfxf.exe68⤵
-
\??\c:\hbtbbn.exec:\hbtbbn.exe69⤵
-
\??\c:\frfrlfx.exec:\frfrlfx.exe70⤵
-
\??\c:\9xrlxrr.exec:\9xrlxrr.exe71⤵
-
\??\c:\vpdvj.exec:\vpdvj.exe72⤵
-
\??\c:\fllxlfr.exec:\fllxlfr.exe73⤵
-
\??\c:\1bnhbt.exec:\1bnhbt.exe74⤵
-
\??\c:\jjjvj.exec:\jjjvj.exe75⤵
-
\??\c:\lrxrflf.exec:\lrxrflf.exe76⤵
-
\??\c:\tbnhtt.exec:\tbnhtt.exe77⤵
-
\??\c:\btnntb.exec:\btnntb.exe78⤵
-
\??\c:\xrxrlxl.exec:\xrxrlxl.exe79⤵
-
\??\c:\1ppdv.exec:\1ppdv.exe80⤵
-
\??\c:\rlfxlff.exec:\rlfxlff.exe81⤵
-
\??\c:\jdjdp.exec:\jdjdp.exe82⤵
-
\??\c:\bthntb.exec:\bthntb.exe83⤵
-
\??\c:\bbnhnn.exec:\bbnhnn.exe84⤵
-
\??\c:\llxllxl.exec:\llxllxl.exe85⤵
-
\??\c:\btnhbt.exec:\btnhbt.exe86⤵
-
\??\c:\jvpdp.exec:\jvpdp.exe87⤵
-
\??\c:\1bbbnn.exec:\1bbbnn.exe88⤵
-
\??\c:\pjpjj.exec:\pjpjj.exe89⤵
-
\??\c:\1bbnbt.exec:\1bbnbt.exe90⤵
-
\??\c:\djvdj.exec:\djvdj.exe91⤵
-
\??\c:\bhhbtn.exec:\bhhbtn.exe92⤵
-
\??\c:\7vvpv.exec:\7vvpv.exe93⤵
-
\??\c:\btthbb.exec:\btthbb.exe94⤵
-
\??\c:\3jjdv.exec:\3jjdv.exe95⤵
-
\??\c:\lxfxlfx.exec:\lxfxlfx.exe96⤵
-
\??\c:\bnnhbt.exec:\bnnhbt.exe97⤵
-
\??\c:\fxrlrrl.exec:\fxrlrrl.exe98⤵
-
\??\c:\thbbtn.exec:\thbbtn.exe99⤵
-
\??\c:\pjppd.exec:\pjppd.exe100⤵
-
\??\c:\fxxrllf.exec:\fxxrllf.exe101⤵
-
\??\c:\3tnnbh.exec:\3tnnbh.exe102⤵
-
\??\c:\lrrlxrr.exec:\lrrlxrr.exe103⤵
-
\??\c:\hbthbb.exec:\hbthbb.exe104⤵
-
\??\c:\3pvpj.exec:\3pvpj.exe105⤵
-
\??\c:\htbtnn.exec:\htbtnn.exe106⤵
-
\??\c:\ppdvp.exec:\ppdvp.exe107⤵
-
\??\c:\xfrrlxf.exec:\xfrrlxf.exe108⤵
-
\??\c:\7tnhbb.exec:\7tnhbb.exe109⤵
-
\??\c:\dpvvv.exec:\dpvvv.exe110⤵
-
\??\c:\rxfxxxx.exec:\rxfxxxx.exe111⤵
-
\??\c:\hbbthb.exec:\hbbthb.exe112⤵
-
\??\c:\pdvpd.exec:\pdvpd.exe113⤵
-
\??\c:\tnhthb.exec:\tnhthb.exe114⤵
-
\??\c:\djpjd.exec:\djpjd.exe115⤵
-
\??\c:\flfxffr.exec:\flfxffr.exe116⤵
-
\??\c:\7jjdp.exec:\7jjdp.exe117⤵
-
\??\c:\rrfxxrr.exec:\rrfxxrr.exe118⤵
-
\??\c:\jvvpp.exec:\jvvpp.exe119⤵
-
\??\c:\1llxlfl.exec:\1llxlfl.exe120⤵
-
\??\c:\pddvp.exec:\pddvp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-