Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
04-05-2024 02:31
General
-
Target
c0f579a583852a8cff9878a122cfb6eb0eadca56f6f7c530311543d427f812a3.exe
-
Size
78KB
-
MD5
2ad142098a4c969d4317b60c1932c948
-
SHA1
be01a69f4cb90e3e0e9d40f4e0a2696767f1621e
-
SHA256
c0f579a583852a8cff9878a122cfb6eb0eadca56f6f7c530311543d427f812a3
-
SHA512
7252fcaa04fd5004e7779412b9ab62fd45d12196c6c1eba3a4e4ad935292895e2a51d19d704440e7a65d57cd1bbd5f1863a5fb6c7e856748bb1879e648151739
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIYgC/KSLJEd2arzle:ymb3NkkiQ3mdBjFI3eFC/rzA
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
UPX dump on OEP (original entry point) 18 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 18 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c0f579a583852a8cff9878a122cfb6eb0eadca56f6f7c530311543d427f812a3.exe"C:\Users\Admin\AppData\Local\Temp\c0f579a583852a8cff9878a122cfb6eb0eadca56f6f7c530311543d427f812a3.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnttt.exec:\tnnttt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1xrrffr.exec:\1xrrffr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxlxffr.exec:\fxlxffr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3bnnbt.exec:\3bnnbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvdj.exec:\pjvdj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjppj.exec:\vjppj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxrlrlr.exec:\lxrlrlr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7fxlxxx.exec:\7fxlxxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3thbhh.exec:\3thbhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjdj.exec:\dvjdj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxllrxl.exec:\lxllrxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlrxxxf.exec:\xlrxxxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnthn.exec:\hbnthn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thnnnn.exec:\thnnnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdjv.exec:\pjdjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjdj.exec:\pjjdj.exe17⤵
- Executes dropped EXE
-
\??\c:\fxlxllr.exec:\fxlxllr.exe18⤵
- Executes dropped EXE
-
\??\c:\xlrxrrx.exec:\xlrxrrx.exe19⤵
- Executes dropped EXE
-
\??\c:\bnhntn.exec:\bnhntn.exe20⤵
- Executes dropped EXE
-
\??\c:\hthhhh.exec:\hthhhh.exe21⤵
- Executes dropped EXE
-
\??\c:\jjvvj.exec:\jjvvj.exe22⤵
- Executes dropped EXE
-
\??\c:\fxxrxrl.exec:\fxxrxrl.exe23⤵
- Executes dropped EXE
-
\??\c:\fxxfllf.exec:\fxxfllf.exe24⤵
- Executes dropped EXE
-
\??\c:\1ntbhh.exec:\1ntbhh.exe25⤵
- Executes dropped EXE
-
\??\c:\bthhnn.exec:\bthhnn.exe26⤵
- Executes dropped EXE
-
\??\c:\vjvvp.exec:\vjvvp.exe27⤵
- Executes dropped EXE
-
\??\c:\3rxrrlr.exec:\3rxrrlr.exe28⤵
- Executes dropped EXE
-
\??\c:\lxrrlff.exec:\lxrrlff.exe29⤵
- Executes dropped EXE
-
\??\c:\9nhhnn.exec:\9nhhnn.exe30⤵
- Executes dropped EXE
-
\??\c:\thbbhb.exec:\thbbhb.exe31⤵
- Executes dropped EXE
-
\??\c:\vddvj.exec:\vddvj.exe32⤵
- Executes dropped EXE
-
\??\c:\1lrrrrx.exec:\1lrrrrx.exe33⤵
- Executes dropped EXE
-
\??\c:\ffxfxxf.exec:\ffxfxxf.exe34⤵
- Executes dropped EXE
-
\??\c:\9btntt.exec:\9btntt.exe35⤵
-
\??\c:\htbntt.exec:\htbntt.exe36⤵
- Executes dropped EXE
-
\??\c:\vvpjp.exec:\vvpjp.exe37⤵
- Executes dropped EXE
-
\??\c:\pjjvj.exec:\pjjvj.exe38⤵
- Executes dropped EXE
-
\??\c:\xlfflrx.exec:\xlfflrx.exe39⤵
- Executes dropped EXE
-
\??\c:\llflfrf.exec:\llflfrf.exe40⤵
- Executes dropped EXE
-
\??\c:\htbhnn.exec:\htbhnn.exe41⤵
- Executes dropped EXE
-
\??\c:\1hhtht.exec:\1hhtht.exe42⤵
- Executes dropped EXE
-
\??\c:\vpvdv.exec:\vpvdv.exe43⤵
- Executes dropped EXE
-
\??\c:\jvpjp.exec:\jvpjp.exe44⤵
- Executes dropped EXE
-
\??\c:\1dpjj.exec:\1dpjj.exe45⤵
- Executes dropped EXE
-
\??\c:\7llrxxl.exec:\7llrxxl.exe46⤵
- Executes dropped EXE
-
\??\c:\xxlfrxf.exec:\xxlfrxf.exe47⤵
- Executes dropped EXE
-
\??\c:\nnbtnh.exec:\nnbtnh.exe48⤵
- Executes dropped EXE
-
\??\c:\3hntht.exec:\3hntht.exe49⤵
- Executes dropped EXE
-
\??\c:\xxxfrxf.exec:\xxxfrxf.exe50⤵
- Executes dropped EXE
-
\??\c:\xrffllr.exec:\xrffllr.exe51⤵
- Executes dropped EXE
-
\??\c:\rlrxxlf.exec:\rlrxxlf.exe52⤵
- Executes dropped EXE
-
\??\c:\tntbhh.exec:\tntbhh.exe53⤵
- Executes dropped EXE
-
\??\c:\9bbbtb.exec:\9bbbtb.exe54⤵
- Executes dropped EXE
-
\??\c:\ddddj.exec:\ddddj.exe55⤵
- Executes dropped EXE
-
\??\c:\5dvvv.exec:\5dvvv.exe56⤵
- Executes dropped EXE
-
\??\c:\lflrxxx.exec:\lflrxxx.exe57⤵
- Executes dropped EXE
-
\??\c:\xrrrxxx.exec:\xrrrxxx.exe58⤵
- Executes dropped EXE
-
\??\c:\3tttbb.exec:\3tttbb.exe59⤵
- Executes dropped EXE
-
\??\c:\3bbbnt.exec:\3bbbnt.exe60⤵
- Executes dropped EXE
-
\??\c:\pjdjp.exec:\pjdjp.exe61⤵
- Executes dropped EXE
-
\??\c:\7vppp.exec:\7vppp.exe62⤵
- Executes dropped EXE
-
\??\c:\7lxxfrx.exec:\7lxxfrx.exe63⤵
- Executes dropped EXE
-
\??\c:\5rxlllr.exec:\5rxlllr.exe64⤵
- Executes dropped EXE
-
\??\c:\tnhbhh.exec:\tnhbhh.exe65⤵
- Executes dropped EXE
-
\??\c:\btnnnn.exec:\btnnnn.exe66⤵
- Executes dropped EXE
-
\??\c:\htnntt.exec:\htnntt.exe67⤵
-
\??\c:\dpjdv.exec:\dpjdv.exe68⤵
-
\??\c:\vpjpp.exec:\vpjpp.exe69⤵
-
\??\c:\5fflxfr.exec:\5fflxfr.exe70⤵
-
\??\c:\1rrxxff.exec:\1rrxxff.exe71⤵
-
\??\c:\nhbhnt.exec:\nhbhnt.exe72⤵
-
\??\c:\7ntnnh.exec:\7ntnnh.exe73⤵
-
\??\c:\nhbnnn.exec:\nhbnnn.exe74⤵
-
\??\c:\jpjjp.exec:\jpjjp.exe75⤵
-
\??\c:\jvvpp.exec:\jvvpp.exe76⤵
-
\??\c:\rfllllf.exec:\rfllllf.exe77⤵
-
\??\c:\3xlfrrx.exec:\3xlfrrx.exe78⤵
-
\??\c:\nnbbhh.exec:\nnbbhh.exe79⤵
-
\??\c:\bhtnhb.exec:\bhtnhb.exe80⤵
-
\??\c:\vvjpd.exec:\vvjpd.exe81⤵
-
\??\c:\djpjj.exec:\djpjj.exe82⤵
-
\??\c:\5lfffll.exec:\5lfffll.exe83⤵
-
\??\c:\rrfrlfl.exec:\rrfrlfl.exe84⤵
-
\??\c:\ntnbtt.exec:\ntnbtt.exe85⤵
-
\??\c:\btnnbt.exec:\btnnbt.exe86⤵
-
\??\c:\jdpjj.exec:\jdpjj.exe87⤵
-
\??\c:\vjpdj.exec:\vjpdj.exe88⤵
-
\??\c:\rrlrrrl.exec:\rrlrrrl.exe89⤵
-
\??\c:\rfrxxxx.exec:\rfrxxxx.exe90⤵
-
\??\c:\nnhntt.exec:\nnhntt.exe91⤵
-
\??\c:\bnbbnh.exec:\bnbbnh.exe92⤵
-
\??\c:\vdddd.exec:\vdddd.exe93⤵
-
\??\c:\5dpdd.exec:\5dpdd.exe94⤵
-
\??\c:\fxlxxrf.exec:\fxlxxrf.exe95⤵
-
\??\c:\rrxxrxx.exec:\rrxxrxx.exe96⤵
-
\??\c:\flflrrl.exec:\flflrrl.exe97⤵
-
\??\c:\hhbnhh.exec:\hhbnhh.exe98⤵
-
\??\c:\5thttb.exec:\5thttb.exe99⤵
-
\??\c:\pdpvv.exec:\pdpvv.exe100⤵
-
\??\c:\jdvjp.exec:\jdvjp.exe101⤵
-
\??\c:\5jddj.exec:\5jddj.exe102⤵
-
\??\c:\5xrflrf.exec:\5xrflrf.exe103⤵
-
\??\c:\xlrffxx.exec:\xlrffxx.exe104⤵
-
\??\c:\hthtnn.exec:\hthtnn.exe105⤵
-
\??\c:\bbthbh.exec:\bbthbh.exe106⤵
-
\??\c:\pjvjp.exec:\pjvjp.exe107⤵
-
\??\c:\pdpdj.exec:\pdpdj.exe108⤵
-
\??\c:\vjpvv.exec:\vjpvv.exe109⤵
-
\??\c:\xlrlrrx.exec:\xlrlrrx.exe110⤵
-
\??\c:\xxxlfrf.exec:\xxxlfrf.exe111⤵
-
\??\c:\bnnhnn.exec:\bnnhnn.exe112⤵
-
\??\c:\9httbt.exec:\9httbt.exe113⤵
-
\??\c:\htbbbt.exec:\htbbbt.exe114⤵
-
\??\c:\pdvvp.exec:\pdvvp.exe115⤵
-
\??\c:\dpvdv.exec:\dpvdv.exe116⤵
-
\??\c:\rlfrxfr.exec:\rlfrxfr.exe117⤵
-
\??\c:\rrxlrlr.exec:\rrxlrlr.exe118⤵
-
\??\c:\nhttbn.exec:\nhttbn.exe119⤵
-
\??\c:\nbttbb.exec:\nbttbb.exe120⤵
-
\??\c:\vdddj.exec:\vdddj.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-