Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
03/05/2024, 03:14
General
-
Target
c63bf72692227a41ce8fe959f180cd5fa41398a3fc2805dae4efe27ec8e7eb4b.exe
-
Size
94KB
-
MD5
591f4c813a1550115d6abde7275f67d8
-
SHA1
71912b44d723e1041f8eba334dbe773d39ca47e8
-
SHA256
c63bf72692227a41ce8fe959f180cd5fa41398a3fc2805dae4efe27ec8e7eb4b
-
SHA512
55a59b34f1765e3e8e4fd5073feeac1ef0091361f079e55a9bdf9e437162b16fdd1ae2ec789d2fe4c90112a2eca93dbd8259e70ba177c86d575d4cad3d046266
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDo7NANTBuQG1np24+2OXRj:ymb3NkkiQ3mdBjFo7NguQG1n0USZ
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
UPX dump on OEP (original entry point) 27 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c63bf72692227a41ce8fe959f180cd5fa41398a3fc2805dae4efe27ec8e7eb4b.exe"C:\Users\Admin\AppData\Local\Temp\c63bf72692227a41ce8fe959f180cd5fa41398a3fc2805dae4efe27ec8e7eb4b.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\frrlxrr.exec:\frrlxrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7ntthh.exec:\7ntthh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5vvpj.exec:\5vvpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrxffx.exec:\rlrxffx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frrlfxr.exec:\frrlfxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5tnhhb.exec:\5tnhhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppppj.exec:\ppppj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvvv.exec:\dvvvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9lrlffx.exec:\9lrlffx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vddvd.exec:\vddvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9xxxrrl.exec:\9xxxrrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbbbb.exec:\nhbbbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjdd.exec:\jdjdd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlfffff.exec:\rlfffff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhhhhn.exec:\nhhhhn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7pppd.exec:\7pppd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3flflll.exec:\3flflll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnhnb.exec:\hbnhnb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjppj.exec:\vjppj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfllxlx.exec:\rfllxlx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnbbt.exec:\btnbbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvdpp.exec:\dvdpp.exe23⤵
- Executes dropped EXE
-
\??\c:\9flfxxf.exec:\9flfxxf.exe24⤵
- Executes dropped EXE
-
\??\c:\hhhbtt.exec:\hhhbtt.exe25⤵
- Executes dropped EXE
-
\??\c:\hbnhbh.exec:\hbnhbh.exe26⤵
- Executes dropped EXE
-
\??\c:\1ddpp.exec:\1ddpp.exe27⤵
- Executes dropped EXE
-
\??\c:\7jppv.exec:\7jppv.exe28⤵
- Executes dropped EXE
-
\??\c:\rffxrrr.exec:\rffxrrr.exe29⤵
- Executes dropped EXE
-
\??\c:\lxxrrlf.exec:\lxxrrlf.exe30⤵
- Executes dropped EXE
-
\??\c:\tttbbb.exec:\tttbbb.exe31⤵
- Executes dropped EXE
-
\??\c:\pdjjp.exec:\pdjjp.exe32⤵
- Executes dropped EXE
-
\??\c:\9pdvp.exec:\9pdvp.exe33⤵
- Executes dropped EXE
-
\??\c:\lfflrxr.exec:\lfflrxr.exe34⤵
- Executes dropped EXE
-
\??\c:\7flrlxx.exec:\7flrlxx.exe35⤵
- Executes dropped EXE
-
\??\c:\btbttt.exec:\btbttt.exe36⤵
- Executes dropped EXE
-
\??\c:\jjpvj.exec:\jjpvj.exe37⤵
- Executes dropped EXE
-
\??\c:\vdjdv.exec:\vdjdv.exe38⤵
- Executes dropped EXE
-
\??\c:\lrxxxfl.exec:\lrxxxfl.exe39⤵
- Executes dropped EXE
-
\??\c:\ththnb.exec:\ththnb.exe40⤵
- Executes dropped EXE
-
\??\c:\hbtbbn.exec:\hbtbbn.exe41⤵
- Executes dropped EXE
-
\??\c:\pdjvj.exec:\pdjvj.exe42⤵
- Executes dropped EXE
-
\??\c:\rxrlrrf.exec:\rxrlrrf.exe43⤵
- Executes dropped EXE
-
\??\c:\rfllfff.exec:\rfllfff.exe44⤵
- Executes dropped EXE
-
\??\c:\hbhhth.exec:\hbhhth.exe45⤵
- Executes dropped EXE
-
\??\c:\vjvjp.exec:\vjvjp.exe46⤵
- Executes dropped EXE
-
\??\c:\djjdp.exec:\djjdp.exe47⤵
- Executes dropped EXE
-
\??\c:\rlxxfxl.exec:\rlxxfxl.exe48⤵
- Executes dropped EXE
-
\??\c:\hbhbbb.exec:\hbhbbb.exe49⤵
- Executes dropped EXE
-
\??\c:\vppjv.exec:\vppjv.exe50⤵
- Executes dropped EXE
-
\??\c:\jpjvj.exec:\jpjvj.exe51⤵
- Executes dropped EXE
-
\??\c:\rxlrllx.exec:\rxlrllx.exe52⤵
- Executes dropped EXE
-
\??\c:\hnthth.exec:\hnthth.exe53⤵
- Executes dropped EXE
-
\??\c:\nhhbhb.exec:\nhhbhb.exe54⤵
- Executes dropped EXE
-
\??\c:\7jjjp.exec:\7jjjp.exe55⤵
- Executes dropped EXE
-
\??\c:\7rrrffx.exec:\7rrrffx.exe56⤵
- Executes dropped EXE
-
\??\c:\lxfxrll.exec:\lxfxrll.exe57⤵
- Executes dropped EXE
-
\??\c:\9bbttt.exec:\9bbttt.exe58⤵
- Executes dropped EXE
-
\??\c:\7bhhbb.exec:\7bhhbb.exe59⤵
- Executes dropped EXE
-
\??\c:\vdjdd.exec:\vdjdd.exe60⤵
- Executes dropped EXE
-
\??\c:\3lllxxf.exec:\3lllxxf.exe61⤵
- Executes dropped EXE
-
\??\c:\lffxrrx.exec:\lffxrrx.exe62⤵
- Executes dropped EXE
-
\??\c:\7bhbtt.exec:\7bhbtt.exe63⤵
- Executes dropped EXE
-
\??\c:\dvjpv.exec:\dvjpv.exe64⤵
- Executes dropped EXE
-
\??\c:\jvvpj.exec:\jvvpj.exe65⤵
- Executes dropped EXE
-
\??\c:\rffxxrl.exec:\rffxxrl.exe66⤵
-
\??\c:\rlfxrlf.exec:\rlfxrlf.exe67⤵
-
\??\c:\thtnhh.exec:\thtnhh.exe68⤵
-
\??\c:\nnhthn.exec:\nnhthn.exe69⤵
-
\??\c:\vdddv.exec:\vdddv.exe70⤵
-
\??\c:\lfrrxfr.exec:\lfrrxfr.exe71⤵
-
\??\c:\nttttn.exec:\nttttn.exe72⤵
-
\??\c:\jvvvp.exec:\jvvvp.exe73⤵
-
\??\c:\pvjvp.exec:\pvjvp.exe74⤵
-
\??\c:\rflfxlf.exec:\rflfxlf.exe75⤵
-
\??\c:\5rffxxr.exec:\5rffxxr.exe76⤵
-
\??\c:\btnnhh.exec:\btnnhh.exe77⤵
-
\??\c:\vpvvp.exec:\vpvvp.exe78⤵
-
\??\c:\jdvvj.exec:\jdvvj.exe79⤵
-
\??\c:\xrlflff.exec:\xrlflff.exe80⤵
-
\??\c:\rrxxfff.exec:\rrxxfff.exe81⤵
-
\??\c:\thhhtn.exec:\thhhtn.exe82⤵
-
\??\c:\jjjdv.exec:\jjjdv.exe83⤵
-
\??\c:\3djvj.exec:\3djvj.exe84⤵
-
\??\c:\lxfxxrr.exec:\lxfxxrr.exe85⤵
-
\??\c:\fxxflfr.exec:\fxxflfr.exe86⤵
-
\??\c:\hbhbnn.exec:\hbhbnn.exe87⤵
-
\??\c:\pjvpv.exec:\pjvpv.exe88⤵
-
\??\c:\djpjj.exec:\djpjj.exe89⤵
-
\??\c:\rlrfffx.exec:\rlrfffx.exe90⤵
-
\??\c:\tbhbbb.exec:\tbhbbb.exe91⤵
-
\??\c:\tnnhnh.exec:\tnnhnh.exe92⤵
-
\??\c:\1vdpd.exec:\1vdpd.exe93⤵
-
\??\c:\ffxxxrr.exec:\ffxxxrr.exe94⤵
-
\??\c:\bnbbnh.exec:\bnbbnh.exe95⤵
-
\??\c:\dpvvp.exec:\dpvvp.exe96⤵
-
\??\c:\1lrlffr.exec:\1lrlffr.exe97⤵
-
\??\c:\rlrrlrr.exec:\rlrrlrr.exe98⤵
-
\??\c:\hhnntt.exec:\hhnntt.exe99⤵
-
\??\c:\9nnnhn.exec:\9nnnhn.exe100⤵
-
\??\c:\dvdvp.exec:\dvdvp.exe101⤵
-
\??\c:\5frrrrr.exec:\5frrrrr.exe102⤵
-
\??\c:\xxxxxff.exec:\xxxxxff.exe103⤵
-
\??\c:\tnnbhh.exec:\tnnbhh.exe104⤵
-
\??\c:\vdppv.exec:\vdppv.exe105⤵
-
\??\c:\fxrxfff.exec:\fxrxfff.exe106⤵
-
\??\c:\rrlllrf.exec:\rrlllrf.exe107⤵
-
\??\c:\bthbbh.exec:\bthbbh.exe108⤵
-
\??\c:\nbnnhn.exec:\nbnnhn.exe109⤵
-
\??\c:\pjvjd.exec:\pjvjd.exe110⤵
-
\??\c:\9xfrrll.exec:\9xfrrll.exe111⤵
-
\??\c:\bbnnbn.exec:\bbnnbn.exe112⤵
-
\??\c:\tntnhh.exec:\tntnhh.exe113⤵
-
\??\c:\jdppj.exec:\jdppj.exe114⤵
-
\??\c:\nhhtht.exec:\nhhtht.exe115⤵
-
\??\c:\jdjjj.exec:\jdjjj.exe116⤵
-
\??\c:\vpdvv.exec:\vpdvv.exe117⤵
-
\??\c:\7xxfrrl.exec:\7xxfrrl.exe118⤵
-
\??\c:\frfxxrr.exec:\frfxxrr.exe119⤵
-
\??\c:\tnhttb.exec:\tnhttb.exe120⤵
-
\??\c:\vpvdd.exec:\vpvdd.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-