Analysis
-
max time kernel
150s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
09/04/2024, 23:32
General
-
Target
d70fdd19f78860fa05e1a6b94d01cd42.exe
-
Size
339KB
-
MD5
d70fdd19f78860fa05e1a6b94d01cd42
-
SHA1
367333ab63c2787ab56503a5e5f16c1393fe6048
-
SHA256
a8280dd1c76136b0579ae65d0e2347685892a91d401e6885cd3304b441118a67
-
SHA512
ad3b1bc092ce969e8fa9baea3ffe2ca39bbf415c400ea43860d5f01aaa9de87860ed444b46d6a6cb5195d01ab072dcc9b4e02bc01e0f0d825145e8e461ae7aed
-
SSDEEP
3072:mhOm2sI93UufdC67ci8M/n5fmCiiiXAsACF486jNaAJ:mcm7ImGddXv/VWrXD486jNaY
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 64 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d70fdd19f78860fa05e1a6b94d01cd42.exe"C:\Users\Admin\AppData\Local\Temp\d70fdd19f78860fa05e1a6b94d01cd42.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\5bhbhh.exec:\5bhbhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfrlxrl.exec:\xfrlxrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnbthh.exec:\hnbthh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1lxrlrl.exec:\1lxrlrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvdvv.exec:\pvdvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xffxxxx.exec:\xffxxxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvjdv.exec:\pvjdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7tbnhb.exec:\7tbnhb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrfrxlx.exec:\lrfrxlx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jppdp.exec:\jppdp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5jjpd.exec:\5jjpd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djdpd.exec:\djdpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7fflfll.exec:\7fflfll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxxxxx.exec:\lfxxxxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5btbbb.exec:\5btbbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvvj.exec:\dvvvj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5xxrllr.exec:\5xxrllr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djpvj.exec:\djpvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3bhhbb.exec:\3bhhbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvpj.exec:\vvvpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1bbttt.exec:\1bbttt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvjvd.exec:\pvjvd.exe23⤵
- Executes dropped EXE
-
\??\c:\frxxxll.exec:\frxxxll.exe24⤵
- Executes dropped EXE
-
\??\c:\5jjjd.exec:\5jjjd.exe25⤵
- Executes dropped EXE
-
\??\c:\nbhhbb.exec:\nbhhbb.exe26⤵
- Executes dropped EXE
-
\??\c:\dvjpv.exec:\dvjpv.exe27⤵
- Executes dropped EXE
-
\??\c:\jpdpv.exec:\jpdpv.exe28⤵
- Executes dropped EXE
-
\??\c:\ddvdv.exec:\ddvdv.exe29⤵
- Executes dropped EXE
-
\??\c:\1lllflf.exec:\1lllflf.exe30⤵
- Executes dropped EXE
-
\??\c:\5frllll.exec:\5frllll.exe31⤵
- Executes dropped EXE
-
\??\c:\bbhbtt.exec:\bbhbtt.exe32⤵
- Executes dropped EXE
-
\??\c:\vvppj.exec:\vvppj.exe33⤵
- Executes dropped EXE
-
\??\c:\fffxrrl.exec:\fffxrrl.exe34⤵
- Executes dropped EXE
-
\??\c:\jpjjj.exec:\jpjjj.exe35⤵
- Executes dropped EXE
-
\??\c:\lrflxxl.exec:\lrflxxl.exe36⤵
- Executes dropped EXE
-
\??\c:\lxxrrrl.exec:\lxxrrrl.exe37⤵
- Executes dropped EXE
-
\??\c:\bnbhbb.exec:\bnbhbb.exe38⤵
- Executes dropped EXE
-
\??\c:\lrrfrfl.exec:\lrrfrfl.exe39⤵
- Executes dropped EXE
-
\??\c:\1tbbhh.exec:\1tbbhh.exe40⤵
- Executes dropped EXE
-
\??\c:\bhtnht.exec:\bhtnht.exe41⤵
- Executes dropped EXE
-
\??\c:\vpdvp.exec:\vpdvp.exe42⤵
- Executes dropped EXE
-
\??\c:\bnthhh.exec:\bnthhh.exe43⤵
-
\??\c:\ttnnhh.exec:\ttnnhh.exe44⤵
- Executes dropped EXE
-
\??\c:\3rfrfxr.exec:\3rfrfxr.exe45⤵
- Executes dropped EXE
-
\??\c:\hbnhbb.exec:\hbnhbb.exe46⤵
- Executes dropped EXE
-
\??\c:\jdvjj.exec:\jdvjj.exe47⤵
- Executes dropped EXE
-
\??\c:\9pvpj.exec:\9pvpj.exe48⤵
- Executes dropped EXE
-
\??\c:\lrfxrrl.exec:\lrfxrrl.exe49⤵
- Executes dropped EXE
-
\??\c:\djpvd.exec:\djpvd.exe50⤵
- Executes dropped EXE
-
\??\c:\ddppv.exec:\ddppv.exe51⤵
- Executes dropped EXE
-
\??\c:\flxrllf.exec:\flxrllf.exe52⤵
- Executes dropped EXE
-
\??\c:\ttbhnn.exec:\ttbhnn.exe53⤵
- Executes dropped EXE
-
\??\c:\pdjdd.exec:\pdjdd.exe54⤵
- Executes dropped EXE
-
\??\c:\tbnntb.exec:\tbnntb.exe55⤵
- Executes dropped EXE
-
\??\c:\ppdjd.exec:\ppdjd.exe56⤵
- Executes dropped EXE
-
\??\c:\fxlrrxr.exec:\fxlrrxr.exe57⤵
- Executes dropped EXE
-
\??\c:\tnnhnn.exec:\tnnhnn.exe58⤵
- Executes dropped EXE
-
\??\c:\vvjpv.exec:\vvjpv.exe59⤵
- Executes dropped EXE
-
\??\c:\rflllll.exec:\rflllll.exe60⤵
- Executes dropped EXE
-
\??\c:\htbhhn.exec:\htbhhn.exe61⤵
- Executes dropped EXE
-
\??\c:\ddvdj.exec:\ddvdj.exe62⤵
- Executes dropped EXE
-
\??\c:\flllfff.exec:\flllfff.exe63⤵
- Executes dropped EXE
-
\??\c:\nnnnnn.exec:\nnnnnn.exe64⤵
- Executes dropped EXE
-
\??\c:\pdjpj.exec:\pdjpj.exe65⤵
- Executes dropped EXE
-
\??\c:\7bhbhh.exec:\7bhbhh.exe66⤵
- Executes dropped EXE
-
\??\c:\5pjdv.exec:\5pjdv.exe67⤵
-
\??\c:\lfxrllf.exec:\lfxrllf.exe68⤵
-
\??\c:\frfxxxr.exec:\frfxxxr.exe69⤵
-
\??\c:\7hhnnt.exec:\7hhnnt.exe70⤵
-
\??\c:\pvdvp.exec:\pvdvp.exe71⤵
-
\??\c:\rxlfxxx.exec:\rxlfxxx.exe72⤵
-
\??\c:\htnbtn.exec:\htnbtn.exe73⤵
-
\??\c:\xxfxrrl.exec:\xxfxrrl.exe74⤵
-
\??\c:\nnnnbb.exec:\nnnnbb.exe75⤵
-
\??\c:\hntnhh.exec:\hntnhh.exe76⤵
-
\??\c:\vpvpv.exec:\vpvpv.exe77⤵
-
\??\c:\xrlfxxl.exec:\xrlfxxl.exe78⤵
-
\??\c:\tnnhbb.exec:\tnnhbb.exe79⤵
-
\??\c:\llxxrrl.exec:\llxxrrl.exe80⤵
-
\??\c:\lrxrllf.exec:\lrxrllf.exe81⤵
-
\??\c:\thttnn.exec:\thttnn.exe82⤵
-
\??\c:\dvvpj.exec:\dvvpj.exe83⤵
-
\??\c:\rffxrxr.exec:\rffxrxr.exe84⤵
-
\??\c:\bthbnn.exec:\bthbnn.exe85⤵
-
\??\c:\vpddj.exec:\vpddj.exe86⤵
-
\??\c:\xfrflrr.exec:\xfrflrr.exe87⤵
-
\??\c:\1fllfff.exec:\1fllfff.exe88⤵
-
\??\c:\nhtnnn.exec:\nhtnnn.exe89⤵
-
\??\c:\nbnthb.exec:\nbnthb.exe90⤵
-
\??\c:\vdjdv.exec:\vdjdv.exe91⤵
-
\??\c:\rrxfrrr.exec:\rrxfrrr.exe92⤵
-
\??\c:\rfrlffl.exec:\rfrlffl.exe93⤵
-
\??\c:\jvdpj.exec:\jvdpj.exe94⤵
-
\??\c:\dpdvp.exec:\dpdvp.exe95⤵
-
\??\c:\rllfxrr.exec:\rllfxrr.exe96⤵
-
\??\c:\nbhnhh.exec:\nbhnhh.exe97⤵
-
\??\c:\ppddd.exec:\ppddd.exe98⤵
-
\??\c:\xrxrffx.exec:\xrxrffx.exe99⤵
-
\??\c:\nnnhnh.exec:\nnnhnh.exe100⤵
-
\??\c:\thbnhh.exec:\thbnhh.exe101⤵
-
\??\c:\vdppd.exec:\vdppd.exe102⤵
-
\??\c:\7pvjj.exec:\7pvjj.exe103⤵
-
\??\c:\rlxxxff.exec:\rlxxxff.exe104⤵
-
\??\c:\nbbbnn.exec:\nbbbnn.exe105⤵
-
\??\c:\tnbhbb.exec:\tnbhbb.exe106⤵
-
\??\c:\dvdjv.exec:\dvdjv.exe107⤵
-
\??\c:\1lrrffl.exec:\1lrrffl.exe108⤵
-
\??\c:\hnnhhh.exec:\hnnhhh.exe109⤵
-
\??\c:\vdjvd.exec:\vdjvd.exe110⤵
-
\??\c:\ffxxxxx.exec:\ffxxxxx.exe111⤵
-
\??\c:\lxxrlrr.exec:\lxxrlrr.exe112⤵
-
\??\c:\3btnnn.exec:\3btnnn.exe113⤵
-
\??\c:\pjjdv.exec:\pjjdv.exe114⤵
-
\??\c:\lrxrrxx.exec:\lrxrrxx.exe115⤵
-
\??\c:\rfxlrlx.exec:\rfxlrlx.exe116⤵
-
\??\c:\bbhbbb.exec:\bbhbbb.exe117⤵
-
\??\c:\pjjdd.exec:\pjjdd.exe118⤵
-
\??\c:\xrxrllf.exec:\xrxrllf.exe119⤵
-
\??\c:\rrxrllf.exec:\rrxrllf.exe120⤵
-
\??\c:\tbhtbh.exec:\tbhtbh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-