Analysis
-
max time kernel
150s -
max time network
111s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
02/05/2024, 00:05
General
-
Target
865467ee3318bc9f8cb2364bc4b645d994db0a486c6d102de93fad3ee79b95e4.exe
-
Size
388KB
-
MD5
2dfc6ef866db9ea7735c18042a27a4b8
-
SHA1
bf147188a25dcc668e28cee06792bc248a20eb6b
-
SHA256
865467ee3318bc9f8cb2364bc4b645d994db0a486c6d102de93fad3ee79b95e4
-
SHA512
dbfe0d298b68c790477a9520bd2e51f0fc1079d48bc9782f7cdaa3020ad9159b298c75052a0fad63f83ce76f4aa80d5b683507d94b4c4a26260be3191a9c0309
-
SSDEEP
12288:n3C9ytvngQjpUXoSWlnwJv90aKToFqwfI:SgdnJVU4TlnwJ6Gof
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 27 IoCs
-
UPX dump on OEP (original entry point) 27 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\865467ee3318bc9f8cb2364bc4b645d994db0a486c6d102de93fad3ee79b95e4.exe"C:\Users\Admin\AppData\Local\Temp\865467ee3318bc9f8cb2364bc4b645d994db0a486c6d102de93fad3ee79b95e4.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\lllrrrf.exec:\lllrrrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxxxxx.exec:\lxxxxxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7htnhh.exec:\7htnhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbnhb.exec:\btbnhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjdpj.exec:\jjdpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrxlfxf.exec:\lrxlfxf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lffrrlr.exec:\lffrrlr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fffffll.exec:\fffffll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvppj.exec:\dvppj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbbtb.exec:\nhbbtb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjjp.exec:\pjjjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxffxrl.exec:\rxffxrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjjv.exec:\jdjjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7rrrrrr.exec:\7rrrrrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhnnb.exec:\nbhnnb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9jdvp.exec:\9jdvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxrxxx.exec:\rlxrxxx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbhbbt.exec:\tbhbbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnhhb.exec:\btnhhb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9pjdv.exec:\9pjdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxrrll.exec:\frxrrll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvppv.exec:\pvppv.exe23⤵
- Executes dropped EXE
-
\??\c:\xlfxrll.exec:\xlfxrll.exe24⤵
- Executes dropped EXE
-
\??\c:\btnbht.exec:\btnbht.exe25⤵
- Executes dropped EXE
-
\??\c:\dvvjj.exec:\dvvjj.exe26⤵
- Executes dropped EXE
-
\??\c:\thhbnh.exec:\thhbnh.exe27⤵
- Executes dropped EXE
-
\??\c:\9ffxllf.exec:\9ffxllf.exe28⤵
- Executes dropped EXE
-
\??\c:\nhnhnh.exec:\nhnhnh.exe29⤵
- Executes dropped EXE
-
\??\c:\jdppv.exec:\jdppv.exe30⤵
- Executes dropped EXE
-
\??\c:\bbbnhb.exec:\bbbnhb.exe31⤵
- Executes dropped EXE
-
\??\c:\vvpjj.exec:\vvpjj.exe32⤵
- Executes dropped EXE
-
\??\c:\nbhbhb.exec:\nbhbhb.exe33⤵
- Executes dropped EXE
-
\??\c:\9xxlxrl.exec:\9xxlxrl.exe34⤵
- Executes dropped EXE
-
\??\c:\vjjdv.exec:\vjjdv.exe35⤵
- Executes dropped EXE
-
\??\c:\rlfxlll.exec:\rlfxlll.exe36⤵
- Executes dropped EXE
-
\??\c:\thnbhb.exec:\thnbhb.exe37⤵
- Executes dropped EXE
-
\??\c:\hntttn.exec:\hntttn.exe38⤵
- Executes dropped EXE
-
\??\c:\1vpvv.exec:\1vpvv.exe39⤵
- Executes dropped EXE
-
\??\c:\xxxxxfx.exec:\xxxxxfx.exe40⤵
- Executes dropped EXE
-
\??\c:\1thbtt.exec:\1thbtt.exe41⤵
- Executes dropped EXE
-
\??\c:\ddpdd.exec:\ddpdd.exe42⤵
- Executes dropped EXE
-
\??\c:\rrrrrfl.exec:\rrrrrfl.exe43⤵
- Executes dropped EXE
-
\??\c:\xxrxxxr.exec:\xxrxxxr.exe44⤵
- Executes dropped EXE
-
\??\c:\hbnnhb.exec:\hbnnhb.exe45⤵
- Executes dropped EXE
-
\??\c:\ppvpp.exec:\ppvpp.exe46⤵
- Executes dropped EXE
-
\??\c:\1fffxfr.exec:\1fffxfr.exe47⤵
- Executes dropped EXE
-
\??\c:\llxrfxf.exec:\llxrfxf.exe48⤵
- Executes dropped EXE
-
\??\c:\ttnhhb.exec:\ttnhhb.exe49⤵
- Executes dropped EXE
-
\??\c:\pdjdd.exec:\pdjdd.exe50⤵
- Executes dropped EXE
-
\??\c:\1xxlfff.exec:\1xxlfff.exe51⤵
- Executes dropped EXE
-
\??\c:\tbnnhh.exec:\tbnnhh.exe52⤵
- Executes dropped EXE
-
\??\c:\djpjd.exec:\djpjd.exe53⤵
- Executes dropped EXE
-
\??\c:\5xxfxxf.exec:\5xxfxxf.exe54⤵
- Executes dropped EXE
-
\??\c:\lllfffl.exec:\lllfffl.exe55⤵
- Executes dropped EXE
-
\??\c:\htbbbn.exec:\htbbbn.exe56⤵
- Executes dropped EXE
-
\??\c:\jvjvp.exec:\jvjvp.exe57⤵
- Executes dropped EXE
-
\??\c:\ffrrlll.exec:\ffrrlll.exe58⤵
- Executes dropped EXE
-
\??\c:\lflffxx.exec:\lflffxx.exe59⤵
- Executes dropped EXE
-
\??\c:\ttbbbt.exec:\ttbbbt.exe60⤵
- Executes dropped EXE
-
\??\c:\1vpjv.exec:\1vpjv.exe61⤵
- Executes dropped EXE
-
\??\c:\rlxxxxr.exec:\rlxxxxr.exe62⤵
- Executes dropped EXE
-
\??\c:\1tnhbb.exec:\1tnhbb.exe63⤵
- Executes dropped EXE
-
\??\c:\jjpjd.exec:\jjpjd.exe64⤵
- Executes dropped EXE
-
\??\c:\pjdpj.exec:\pjdpj.exe65⤵
- Executes dropped EXE
-
\??\c:\fxrlfxl.exec:\fxrlfxl.exe66⤵
-
\??\c:\hbhnht.exec:\hbhnht.exe67⤵
-
\??\c:\jjpdv.exec:\jjpdv.exe68⤵
-
\??\c:\pjvpj.exec:\pjvpj.exe69⤵
-
\??\c:\lxlxrlf.exec:\lxlxrlf.exe70⤵
-
\??\c:\9xlxlfx.exec:\9xlxlfx.exe71⤵
-
\??\c:\bnbtnn.exec:\bnbtnn.exe72⤵
-
\??\c:\dppdd.exec:\dppdd.exe73⤵
-
\??\c:\xfrxxxx.exec:\xfrxxxx.exe74⤵
-
\??\c:\btnnnh.exec:\btnnnh.exe75⤵
-
\??\c:\vpvvp.exec:\vpvvp.exe76⤵
-
\??\c:\pppjv.exec:\pppjv.exe77⤵
-
\??\c:\xllfxxr.exec:\xllfxxr.exe78⤵
-
\??\c:\thttnn.exec:\thttnn.exe79⤵
-
\??\c:\nnbbtn.exec:\nnbbtn.exe80⤵
-
\??\c:\3ddvp.exec:\3ddvp.exe81⤵
-
\??\c:\rrllfrl.exec:\rrllfrl.exe82⤵
-
\??\c:\hhnhhn.exec:\hhnhhn.exe83⤵
-
\??\c:\ntbntt.exec:\ntbntt.exe84⤵
-
\??\c:\jddvj.exec:\jddvj.exe85⤵
-
\??\c:\xlrlxrr.exec:\xlrlxrr.exe86⤵
-
\??\c:\fllxrlr.exec:\fllxrlr.exe87⤵
-
\??\c:\hntbtb.exec:\hntbtb.exe88⤵
-
\??\c:\ddvvp.exec:\ddvvp.exe89⤵
-
\??\c:\dvdvd.exec:\dvdvd.exe90⤵
-
\??\c:\flffxxx.exec:\flffxxx.exe91⤵
-
\??\c:\nbbnnh.exec:\nbbnnh.exe92⤵
-
\??\c:\hbtnhh.exec:\hbtnhh.exe93⤵
-
\??\c:\3jpjv.exec:\3jpjv.exe94⤵
-
\??\c:\xlrfxxf.exec:\xlrfxxf.exe95⤵
-
\??\c:\rxfxrrr.exec:\rxfxrrr.exe96⤵
-
\??\c:\bbhbnh.exec:\bbhbnh.exe97⤵
-
\??\c:\1jdpd.exec:\1jdpd.exe98⤵
-
\??\c:\vvjvj.exec:\vvjvj.exe99⤵
-
\??\c:\fffxrxr.exec:\fffxrxr.exe100⤵
-
\??\c:\hbbthn.exec:\hbbthn.exe101⤵
-
\??\c:\djddd.exec:\djddd.exe102⤵
-
\??\c:\pdpjv.exec:\pdpjv.exe103⤵
-
\??\c:\frrlrlf.exec:\frrlrlf.exe104⤵
-
\??\c:\bhtnhh.exec:\bhtnhh.exe105⤵
-
\??\c:\ttbtnn.exec:\ttbtnn.exe106⤵
-
\??\c:\9pvpj.exec:\9pvpj.exe107⤵
-
\??\c:\lrxrrxr.exec:\lrxrrxr.exe108⤵
-
\??\c:\flfxrrl.exec:\flfxrrl.exe109⤵
-
\??\c:\ddvvd.exec:\ddvvd.exe110⤵
-
\??\c:\ppjpj.exec:\ppjpj.exe111⤵
-
\??\c:\xfxrffr.exec:\xfxrffr.exe112⤵
-
\??\c:\btbtnh.exec:\btbtnh.exe113⤵
-
\??\c:\3xlxxxf.exec:\3xlxxxf.exe114⤵
-
\??\c:\nhtttb.exec:\nhtttb.exe115⤵
-
\??\c:\pdjjd.exec:\pdjjd.exe116⤵
-
\??\c:\vjvpp.exec:\vjvpp.exe117⤵
-
\??\c:\rxxllrr.exec:\rxxllrr.exe118⤵
-
\??\c:\thnnnt.exec:\thnnnt.exe119⤵
-
\??\c:\vddvp.exec:\vddvp.exe120⤵
-
\??\c:\rxfrlll.exec:\rxfrlll.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-