Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
02/05/2024, 05:56
General
-
Target
fde1db7cb69fb22b8b7421d61ac8bc58bfd7fd2ad13daf614299441dc0302cce.exe
-
Size
61KB
-
MD5
d7efd1ba109c208083f1ade1bdd94323
-
SHA1
5c6825e692d6249541683b012499498ee6d3f351
-
SHA256
fde1db7cb69fb22b8b7421d61ac8bc58bfd7fd2ad13daf614299441dc0302cce
-
SHA512
a45b2cd51c76b23a4b86b1f8a48c76f3fb88fdef61ff97edfa650d17acba5678a77e0ca0f4bad3f9f56b4fbecb3b32c5952b5c9316ad37997a01e8c860ea6c64
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDII9ZvHKEo:ymb3NkkiQ3mdBjFII9ZvHKEo
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 19 IoCs
-
UPX dump on OEP (original entry point) 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 22 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fde1db7cb69fb22b8b7421d61ac8bc58bfd7fd2ad13daf614299441dc0302cce.exe"C:\Users\Admin\AppData\Local\Temp\fde1db7cb69fb22b8b7421d61ac8bc58bfd7fd2ad13daf614299441dc0302cce.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\hnhbtb.exec:\hnhbtb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbtbnh.exec:\nbtbnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvjp.exec:\jdvjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxflfl.exec:\xrxflfl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrfrfx.exec:\lfrfrfx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhtnb.exec:\nnhtnb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhtbnh.exec:\hhtbnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvvj.exec:\jjvvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llfrrll.exec:\llfrrll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbthht.exec:\hbthht.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttntbh.exec:\ttntbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvdjd.exec:\vvdjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3pdpv.exec:\3pdpv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxflrx.exec:\rlxflrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1rxfxxr.exec:\1rxfxxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3tbnnb.exec:\3tbnnb.exe17⤵
- Executes dropped EXE
-
\??\c:\pjjvd.exec:\pjjvd.exe18⤵
- Executes dropped EXE
-
\??\c:\9pvvj.exec:\9pvvj.exe19⤵
- Executes dropped EXE
-
\??\c:\fxlfrxl.exec:\fxlfrxl.exe20⤵
- Executes dropped EXE
-
\??\c:\frxrrrr.exec:\frxrrrr.exe21⤵
- Executes dropped EXE
-
\??\c:\tnhhnn.exec:\tnhhnn.exe22⤵
- Executes dropped EXE
-
\??\c:\9thnbb.exec:\9thnbb.exe23⤵
- Executes dropped EXE
-
\??\c:\9dvdp.exec:\9dvdp.exe24⤵
- Executes dropped EXE
-
\??\c:\rlffxff.exec:\rlffxff.exe25⤵
- Executes dropped EXE
-
\??\c:\llfxlfl.exec:\llfxlfl.exe26⤵
- Executes dropped EXE
-
\??\c:\thttbb.exec:\thttbb.exe27⤵
- Executes dropped EXE
-
\??\c:\pddpd.exec:\pddpd.exe28⤵
- Executes dropped EXE
-
\??\c:\pdjjd.exec:\pdjjd.exe29⤵
- Executes dropped EXE
-
\??\c:\lfflrlr.exec:\lfflrlr.exe30⤵
- Executes dropped EXE
-
\??\c:\thnthn.exec:\thnthn.exe31⤵
- Executes dropped EXE
-
\??\c:\nbhbbt.exec:\nbhbbt.exe32⤵
- Executes dropped EXE
-
\??\c:\pdppv.exec:\pdppv.exe33⤵
- Executes dropped EXE
-
\??\c:\3jvjj.exec:\3jvjj.exe34⤵
- Executes dropped EXE
-
\??\c:\xxxrrfr.exec:\xxxrrfr.exe35⤵
- Executes dropped EXE
-
\??\c:\rxllrrx.exec:\rxllrrx.exe36⤵
- Executes dropped EXE
-
\??\c:\tnbhnn.exec:\tnbhnn.exe37⤵
- Executes dropped EXE
-
\??\c:\9vjvp.exec:\9vjvp.exe38⤵
- Executes dropped EXE
-
\??\c:\7vdjd.exec:\7vdjd.exe39⤵
- Executes dropped EXE
-
\??\c:\lxlrxfx.exec:\lxlrxfx.exe40⤵
- Executes dropped EXE
-
\??\c:\xllrrrr.exec:\xllrrrr.exe41⤵
- Executes dropped EXE
-
\??\c:\rfxlrxl.exec:\rfxlrxl.exe42⤵
- Executes dropped EXE
-
\??\c:\tnbbtt.exec:\tnbbtt.exe43⤵
- Executes dropped EXE
-
\??\c:\hhtbnn.exec:\hhtbnn.exe44⤵
- Executes dropped EXE
-
\??\c:\jdppd.exec:\jdppd.exe45⤵
- Executes dropped EXE
-
\??\c:\7rffffx.exec:\7rffffx.exe46⤵
- Executes dropped EXE
-
\??\c:\rfxrrll.exec:\rfxrrll.exe47⤵
- Executes dropped EXE
-
\??\c:\xlrrflx.exec:\xlrrflx.exe48⤵
- Executes dropped EXE
-
\??\c:\nbhbhb.exec:\nbhbhb.exe49⤵
- Executes dropped EXE
-
\??\c:\9bbbbn.exec:\9bbbbn.exe50⤵
- Executes dropped EXE
-
\??\c:\ppjjp.exec:\ppjjp.exe51⤵
- Executes dropped EXE
-
\??\c:\ddjdv.exec:\ddjdv.exe52⤵
- Executes dropped EXE
-
\??\c:\xlrllff.exec:\xlrllff.exe53⤵
- Executes dropped EXE
-
\??\c:\lxllrrr.exec:\lxllrrr.exe54⤵
- Executes dropped EXE
-
\??\c:\hbhtbb.exec:\hbhtbb.exe55⤵
- Executes dropped EXE
-
\??\c:\nhnnbb.exec:\nhnnbb.exe56⤵
- Executes dropped EXE
-
\??\c:\djjdd.exec:\djjdd.exe57⤵
- Executes dropped EXE
-
\??\c:\vpjdv.exec:\vpjdv.exe58⤵
- Executes dropped EXE
-
\??\c:\rfxxxxl.exec:\rfxxxxl.exe59⤵
- Executes dropped EXE
-
\??\c:\7lfxxlr.exec:\7lfxxlr.exe60⤵
- Executes dropped EXE
-
\??\c:\9nnbtt.exec:\9nnbtt.exe61⤵
- Executes dropped EXE
-
\??\c:\thtthh.exec:\thtthh.exe62⤵
- Executes dropped EXE
-
\??\c:\7dppv.exec:\7dppv.exe63⤵
- Executes dropped EXE
-
\??\c:\vpvvd.exec:\vpvvd.exe64⤵
- Executes dropped EXE
-
\??\c:\1lffffr.exec:\1lffffr.exe65⤵
- Executes dropped EXE
-
\??\c:\xrrrffl.exec:\xrrrffl.exe66⤵
-
\??\c:\nbthhn.exec:\nbthhn.exe67⤵
-
\??\c:\nhtthn.exec:\nhtthn.exe68⤵
-
\??\c:\pjjjv.exec:\pjjjv.exe69⤵
-
\??\c:\jdpdv.exec:\jdpdv.exe70⤵
-
\??\c:\xlrlllf.exec:\xlrlllf.exe71⤵
-
\??\c:\tthntb.exec:\tthntb.exe72⤵
-
\??\c:\tnthnh.exec:\tnthnh.exe73⤵
-
\??\c:\jvddp.exec:\jvddp.exe74⤵
-
\??\c:\vjvpv.exec:\vjvpv.exe75⤵
-
\??\c:\ffrrlrf.exec:\ffrrlrf.exe76⤵
-
\??\c:\9rrfrlr.exec:\9rrfrlr.exe77⤵
-
\??\c:\btbbnh.exec:\btbbnh.exe78⤵
-
\??\c:\tnhhhn.exec:\tnhhhn.exe79⤵
-
\??\c:\djpvv.exec:\djpvv.exe80⤵
-
\??\c:\5dddj.exec:\5dddj.exe81⤵
-
\??\c:\fxfrxlr.exec:\fxfrxlr.exe82⤵
-
\??\c:\1ffllff.exec:\1ffllff.exe83⤵
-
\??\c:\hbtbhn.exec:\hbtbhn.exe84⤵
-
\??\c:\dvvjd.exec:\dvvjd.exe85⤵
-
\??\c:\dvjdj.exec:\dvjdj.exe86⤵
-
\??\c:\xlfflrx.exec:\xlfflrx.exe87⤵
-
\??\c:\frlxllx.exec:\frlxllx.exe88⤵
-
\??\c:\nbhttt.exec:\nbhttt.exe89⤵
-
\??\c:\thhtbn.exec:\thhtbn.exe90⤵
-
\??\c:\hbttbh.exec:\hbttbh.exe91⤵
-
\??\c:\7ppvd.exec:\7ppvd.exe92⤵
-
\??\c:\xxrflxl.exec:\xxrflxl.exe93⤵
-
\??\c:\rffllfr.exec:\rffllfr.exe94⤵
-
\??\c:\nnbhnn.exec:\nnbhnn.exe95⤵
-
\??\c:\tnbnth.exec:\tnbnth.exe96⤵
-
\??\c:\ddpvj.exec:\ddpvj.exe97⤵
-
\??\c:\pjjvd.exec:\pjjvd.exe98⤵
-
\??\c:\fxlrffx.exec:\fxlrffx.exe99⤵
-
\??\c:\xxlflrx.exec:\xxlflrx.exe100⤵
-
\??\c:\tttbbn.exec:\tttbbn.exe101⤵
-
\??\c:\bnbntt.exec:\bnbntt.exe102⤵
-
\??\c:\vdvjv.exec:\vdvjv.exe103⤵
-
\??\c:\pjvdj.exec:\pjvdj.exe104⤵
-
\??\c:\7lfxfxf.exec:\7lfxfxf.exe105⤵
-
\??\c:\xrffrxl.exec:\xrffrxl.exe106⤵
-
\??\c:\tnhtbb.exec:\tnhtbb.exe107⤵
-
\??\c:\5bhthn.exec:\5bhthn.exe108⤵
-
\??\c:\pjjdd.exec:\pjjdd.exe109⤵
-
\??\c:\vpppv.exec:\vpppv.exe110⤵
-
\??\c:\xlrxllr.exec:\xlrxllr.exe111⤵
-
\??\c:\lxrrxxf.exec:\lxrrxxf.exe112⤵
-
\??\c:\btbhtb.exec:\btbhtb.exe113⤵
-
\??\c:\nhnnnt.exec:\nhnnnt.exe114⤵
-
\??\c:\vpdvd.exec:\vpdvd.exe115⤵
-
\??\c:\ppdjv.exec:\ppdjv.exe116⤵
-
\??\c:\9xxrxfl.exec:\9xxrxfl.exe117⤵
-
\??\c:\3fxxlrf.exec:\3fxxlrf.exe118⤵
-
\??\c:\hbhnbb.exec:\hbhnbb.exe119⤵
-
\??\c:\btnhnn.exec:\btnhnn.exe120⤵
-
\??\c:\pjppd.exec:\pjppd.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-