Analysis
-
max time kernel
82s -
max time network
83s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
19/04/2024, 04:32
Errors
Reason
Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-19T04:34:13Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240412-en/instance_6-dirty.qcow2\"}"
General
-
Target
ee57dfea020cb207864180c82500f663d8ac7dc69754c474b8460b93a29feba6.exe
-
Size
103KB
-
MD5
17e82e53d9eee1d556bf3da76088065b
-
SHA1
15d8c89fd1b7a73cf0070588f63f789a89121aea
-
SHA256
ee57dfea020cb207864180c82500f663d8ac7dc69754c474b8460b93a29feba6
-
SHA512
0915581485ff238881fc0c6b3682ebecb29eb5c2d991315753db5ebba95e8154e2b7ad38e9a7624f888673e11898c2e413ddc0d891718bd881eb1b0e89146459
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDoTNKDeS98hPUdHV7RNzfnLnN3oh:ymb3NkkiQ3mdBjFo5KDe88g1fR8r
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 44 IoCs
-
UPX dump on OEP (original entry point) 61 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 62 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee57dfea020cb207864180c82500f663d8ac7dc69754c474b8460b93a29feba6.exe"C:\Users\Admin\AppData\Local\Temp\ee57dfea020cb207864180c82500f663d8ac7dc69754c474b8460b93a29feba6.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\pdppj.exec:\pdppj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9vpvv.exec:\9vpvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\640804.exec:\640804.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjdvd.exec:\jjdvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\04084.exec:\04084.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\462600.exec:\462600.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbtbb.exec:\tnbtbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvpp.exec:\dvvpp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\i264204.exec:\i264204.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrrfxlf.exec:\rrrfxlf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2842604.exec:\2842604.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0008248.exec:\0008248.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjjd.exec:\pjjjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbtnbn.exec:\hbtnbn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhbtn.exec:\nnhbtn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\a0668.exec:\a0668.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhbtnn.exec:\bhbtnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrxlxrx.exec:\rrxlxrx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4864860.exec:\4864860.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\840864.exec:\840864.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8620040.exec:\8620040.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnbnh.exec:\btnbnh.exe23⤵
- Executes dropped EXE
-
\??\c:\4644226.exec:\4644226.exe24⤵
- Executes dropped EXE
-
\??\c:\nnbtnh.exec:\nnbtnh.exe25⤵
- Executes dropped EXE
-
\??\c:\8404044.exec:\8404044.exe26⤵
- Executes dropped EXE
-
\??\c:\vjdpj.exec:\vjdpj.exe27⤵
- Executes dropped EXE
-
\??\c:\bththh.exec:\bththh.exe28⤵
- Executes dropped EXE
-
\??\c:\64860.exec:\64860.exe29⤵
- Executes dropped EXE
-
\??\c:\80480.exec:\80480.exe30⤵
- Executes dropped EXE
-
\??\c:\2280820.exec:\2280820.exe31⤵
- Executes dropped EXE
-
\??\c:\vpvjd.exec:\vpvjd.exe32⤵
- Executes dropped EXE
-
\??\c:\9ffxllf.exec:\9ffxllf.exe33⤵
- Executes dropped EXE
-
\??\c:\4622604.exec:\4622604.exe34⤵
- Executes dropped EXE
-
\??\c:\08822.exec:\08822.exe35⤵
- Executes dropped EXE
-
\??\c:\22826.exec:\22826.exe36⤵
- Executes dropped EXE
-
\??\c:\08268.exec:\08268.exe37⤵
- Executes dropped EXE
-
\??\c:\620086.exec:\620086.exe38⤵
- Executes dropped EXE
-
\??\c:\08620.exec:\08620.exe39⤵
- Executes dropped EXE
-
\??\c:\nnthnh.exec:\nnthnh.exe40⤵
- Executes dropped EXE
-
\??\c:\7thbbt.exec:\7thbbt.exe41⤵
- Executes dropped EXE
-
\??\c:\084688.exec:\084688.exe42⤵
- Executes dropped EXE
-
\??\c:\hnbtnn.exec:\hnbtnn.exe43⤵
- Executes dropped EXE
-
\??\c:\64608.exec:\64608.exe44⤵
- Executes dropped EXE
-
\??\c:\422080.exec:\422080.exe45⤵
- Executes dropped EXE
-
\??\c:\bhtbtn.exec:\bhtbtn.exe46⤵
- Executes dropped EXE
-
\??\c:\bthttn.exec:\bthttn.exe47⤵
- Executes dropped EXE
-
\??\c:\u688804.exec:\u688804.exe48⤵
- Executes dropped EXE
-
\??\c:\2004860.exec:\2004860.exe49⤵
- Executes dropped EXE
-
\??\c:\rxfrllr.exec:\rxfrllr.exe50⤵
- Executes dropped EXE
-
\??\c:\lflffff.exec:\lflffff.exe51⤵
- Executes dropped EXE
-
\??\c:\rrfxllx.exec:\rrfxllx.exe52⤵
- Executes dropped EXE
-
\??\c:\g8004.exec:\g8004.exe53⤵
- Executes dropped EXE
-
\??\c:\2020826.exec:\2020826.exe54⤵
- Executes dropped EXE
-
\??\c:\04644.exec:\04644.exe55⤵
- Executes dropped EXE
-
\??\c:\jvvpd.exec:\jvvpd.exe56⤵
- Executes dropped EXE
-
\??\c:\nbhthb.exec:\nbhthb.exe57⤵
- Executes dropped EXE
-
\??\c:\280860.exec:\280860.exe58⤵
- Executes dropped EXE
-
\??\c:\0886048.exec:\0886048.exe59⤵
- Executes dropped EXE
-
\??\c:\lfxfxxl.exec:\lfxfxxl.exe60⤵
- Executes dropped EXE
-
\??\c:\pppjp.exec:\pppjp.exe61⤵
- Executes dropped EXE
-
\??\c:\rxrrfxl.exec:\rxrrfxl.exe62⤵
- Executes dropped EXE
-
\??\c:\2808204.exec:\2808204.exe63⤵
- Executes dropped EXE
-
\??\c:\2626666.exec:\2626666.exe64⤵
- Executes dropped EXE
-
\??\c:\bnttnn.exec:\bnttnn.exe65⤵
- Executes dropped EXE
-
\??\c:\804864.exec:\804864.exe66⤵
-
\??\c:\jpvjp.exec:\jpvjp.exe67⤵
-
\??\c:\6008264.exec:\6008264.exe68⤵
-
\??\c:\hthbhb.exec:\hthbhb.exe69⤵
-
\??\c:\20488.exec:\20488.exe70⤵
-
\??\c:\3bhhbt.exec:\3bhhbt.exe71⤵
-
\??\c:\vddvj.exec:\vddvj.exe72⤵
-
\??\c:\2404204.exec:\2404204.exe73⤵
-
\??\c:\hhhthb.exec:\hhhthb.exe74⤵
-
\??\c:\g6640.exec:\g6640.exe75⤵
-
\??\c:\u804822.exec:\u804822.exe76⤵
-
\??\c:\664826.exec:\664826.exe77⤵
-
\??\c:\bbbtbb.exec:\bbbtbb.exe78⤵
-
\??\c:\4226662.exec:\4226662.exe79⤵
-
\??\c:\4004822.exec:\4004822.exe80⤵
-
\??\c:\4226048.exec:\4226048.exe81⤵
-
\??\c:\pddvp.exec:\pddvp.exe82⤵
-
\??\c:\1djjd.exec:\1djjd.exe83⤵
-
\??\c:\682042.exec:\682042.exe84⤵
-
\??\c:\8662660.exec:\8662660.exe85⤵
-
\??\c:\048226.exec:\048226.exe86⤵
-
\??\c:\jdddj.exec:\jdddj.exe87⤵
-
\??\c:\44088.exec:\44088.exe88⤵
-
\??\c:\a0408.exec:\a0408.exe89⤵
-
\??\c:\jdvdp.exec:\jdvdp.exe90⤵
-
\??\c:\xffxrrx.exec:\xffxrrx.exe91⤵
-
\??\c:\vpjdv.exec:\vpjdv.exe92⤵
-
\??\c:\o682484.exec:\o682484.exe93⤵
-
\??\c:\fxflfff.exec:\fxflfff.exe94⤵
-
\??\c:\5ttnnn.exec:\5ttnnn.exe95⤵
-
\??\c:\dpjdp.exec:\dpjdp.exe96⤵
-
\??\c:\26042.exec:\26042.exe97⤵
-
\??\c:\5ddjd.exec:\5ddjd.exe98⤵
-
\??\c:\462202.exec:\462202.exe99⤵
-
\??\c:\vjpdp.exec:\vjpdp.exe100⤵
-
\??\c:\3nbtnh.exec:\3nbtnh.exe101⤵
-
\??\c:\pdpvp.exec:\pdpvp.exe102⤵
-
\??\c:\4066882.exec:\4066882.exe103⤵
-
\??\c:\a0020.exec:\a0020.exe104⤵
-
\??\c:\488266.exec:\488266.exe105⤵
-
\??\c:\64600.exec:\64600.exe106⤵
-
\??\c:\42266.exec:\42266.exe107⤵
-
\??\c:\rffxrlf.exec:\rffxrlf.exe108⤵
-
\??\c:\frrxrrl.exec:\frrxrrl.exe109⤵
-
\??\c:\660268.exec:\660268.exe110⤵
-
\??\c:\420488.exec:\420488.exe111⤵
-
\??\c:\0804488.exec:\0804488.exe112⤵
-
\??\c:\42604.exec:\42604.exe113⤵
-
\??\c:\4842604.exec:\4842604.exe114⤵
-
\??\c:\4260606.exec:\4260606.exe115⤵
-
\??\c:\28826.exec:\28826.exe116⤵
-
\??\c:\3bhhnn.exec:\3bhhnn.exe117⤵
-
\??\c:\7llfxxx.exec:\7llfxxx.exe118⤵
-
\??\c:\7jdpj.exec:\7jdpj.exe119⤵
-
\??\c:\6282228.exec:\6282228.exe120⤵
-
\??\c:\26626.exec:\26626.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-