Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
04/05/2024, 02:31
General
-
Target
c0f579a583852a8cff9878a122cfb6eb0eadca56f6f7c530311543d427f812a3.exe
-
Size
78KB
-
MD5
2ad142098a4c969d4317b60c1932c948
-
SHA1
be01a69f4cb90e3e0e9d40f4e0a2696767f1621e
-
SHA256
c0f579a583852a8cff9878a122cfb6eb0eadca56f6f7c530311543d427f812a3
-
SHA512
7252fcaa04fd5004e7779412b9ab62fd45d12196c6c1eba3a4e4ad935292895e2a51d19d704440e7a65d57cd1bbd5f1863a5fb6c7e856748bb1879e648151739
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIYgC/KSLJEd2arzle:ymb3NkkiQ3mdBjFI3eFC/rzA
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 27 IoCs
-
UPX dump on OEP (original entry point) 30 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c0f579a583852a8cff9878a122cfb6eb0eadca56f6f7c530311543d427f812a3.exe"C:\Users\Admin\AppData\Local\Temp\c0f579a583852a8cff9878a122cfb6eb0eadca56f6f7c530311543d427f812a3.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvvd.exec:\vvvvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrxrlrr.exec:\rrxrlrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bttttt.exec:\bttttt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1hhbbt.exec:\1hhbbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvvjd.exec:\pvvjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvdvj.exec:\dvdvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5ththb.exec:\5ththb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djjjd.exec:\djjjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvdv.exec:\dvvdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbhbtt.exec:\tbhbtt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthbbb.exec:\bthbbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvpp.exec:\ddvpp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrlxlr.exec:\lfrlxlr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3nnnhh.exec:\3nnnhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjjvv.exec:\vjjvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvjdj.exec:\jvjdj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxxxxx.exec:\rlxxxxx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbhbtt.exec:\bbhbtt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpvv.exec:\dvpvv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddppj.exec:\ddppj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhhbhb.exec:\nhhbhb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhtnhb.exec:\nhtnhb.exe23⤵
- Executes dropped EXE
-
\??\c:\vpjpj.exec:\vpjpj.exe24⤵
- Executes dropped EXE
-
\??\c:\lfllffx.exec:\lfllffx.exe25⤵
- Executes dropped EXE
-
\??\c:\nnnntb.exec:\nnnntb.exe26⤵
- Executes dropped EXE
-
\??\c:\dpvvp.exec:\dpvvp.exe27⤵
- Executes dropped EXE
-
\??\c:\dpvpj.exec:\dpvpj.exe28⤵
- Executes dropped EXE
-
\??\c:\lrxxllf.exec:\lrxxllf.exe29⤵
- Executes dropped EXE
-
\??\c:\5hbtbb.exec:\5hbtbb.exe30⤵
- Executes dropped EXE
-
\??\c:\hhbtnh.exec:\hhbtnh.exe31⤵
- Executes dropped EXE
-
\??\c:\vpddv.exec:\vpddv.exe32⤵
- Executes dropped EXE
-
\??\c:\lrxrffx.exec:\lrxrffx.exe33⤵
- Executes dropped EXE
-
\??\c:\hbbbbb.exec:\hbbbbb.exe34⤵
- Executes dropped EXE
-
\??\c:\vpjdv.exec:\vpjdv.exe35⤵
- Executes dropped EXE
-
\??\c:\jpvvj.exec:\jpvvj.exe36⤵
- Executes dropped EXE
-
\??\c:\frflrfr.exec:\frflrfr.exe37⤵
- Executes dropped EXE
-
\??\c:\rrxxxfx.exec:\rrxxxfx.exe38⤵
- Executes dropped EXE
-
\??\c:\hhbhhb.exec:\hhbhhb.exe39⤵
- Executes dropped EXE
-
\??\c:\nntnhh.exec:\nntnhh.exe40⤵
- Executes dropped EXE
-
\??\c:\pjppj.exec:\pjppj.exe41⤵
- Executes dropped EXE
-
\??\c:\jppjd.exec:\jppjd.exe42⤵
- Executes dropped EXE
-
\??\c:\rfrrlrr.exec:\rfrrlrr.exe43⤵
- Executes dropped EXE
-
\??\c:\lflllll.exec:\lflllll.exe44⤵
- Executes dropped EXE
-
\??\c:\thhnnh.exec:\thhnnh.exe45⤵
- Executes dropped EXE
-
\??\c:\vpdvj.exec:\vpdvj.exe46⤵
- Executes dropped EXE
-
\??\c:\ddddv.exec:\ddddv.exe47⤵
- Executes dropped EXE
-
\??\c:\lxrlffl.exec:\lxrlffl.exe48⤵
- Executes dropped EXE
-
\??\c:\frfxfff.exec:\frfxfff.exe49⤵
- Executes dropped EXE
-
\??\c:\tnbnth.exec:\tnbnth.exe50⤵
- Executes dropped EXE
-
\??\c:\hhnnht.exec:\hhnnht.exe51⤵
- Executes dropped EXE
-
\??\c:\xxffffl.exec:\xxffffl.exe52⤵
- Executes dropped EXE
-
\??\c:\xlffffl.exec:\xlffffl.exe53⤵
- Executes dropped EXE
-
\??\c:\3rrxxxx.exec:\3rrxxxx.exe54⤵
- Executes dropped EXE
-
\??\c:\hhbbtt.exec:\hhbbtt.exe55⤵
- Executes dropped EXE
-
\??\c:\djpjj.exec:\djpjj.exe56⤵
- Executes dropped EXE
-
\??\c:\frxrrfl.exec:\frxrrfl.exe57⤵
- Executes dropped EXE
-
\??\c:\7fxfffx.exec:\7fxfffx.exe58⤵
- Executes dropped EXE
-
\??\c:\ntbbtb.exec:\ntbbtb.exe59⤵
- Executes dropped EXE
-
\??\c:\9pjjd.exec:\9pjjd.exe60⤵
- Executes dropped EXE
-
\??\c:\pppvv.exec:\pppvv.exe61⤵
- Executes dropped EXE
-
\??\c:\xxxxrxx.exec:\xxxxrxx.exe62⤵
- Executes dropped EXE
-
\??\c:\rrrrllf.exec:\rrrrllf.exe63⤵
- Executes dropped EXE
-
\??\c:\1thtnn.exec:\1thtnn.exe64⤵
- Executes dropped EXE
-
\??\c:\pjddp.exec:\pjddp.exe65⤵
- Executes dropped EXE
-
\??\c:\ddvpd.exec:\ddvpd.exe66⤵
-
\??\c:\5dvpp.exec:\5dvpp.exe67⤵
-
\??\c:\3fxxxff.exec:\3fxxxff.exe68⤵
-
\??\c:\ffxxlrx.exec:\ffxxlrx.exe69⤵
-
\??\c:\hhtbtb.exec:\hhtbtb.exe70⤵
-
\??\c:\tnntnt.exec:\tnntnt.exe71⤵
-
\??\c:\djdjj.exec:\djdjj.exe72⤵
-
\??\c:\vjdvp.exec:\vjdvp.exe73⤵
-
\??\c:\rffrllr.exec:\rffrllr.exe74⤵
-
\??\c:\rrrrrxx.exec:\rrrrrxx.exe75⤵
-
\??\c:\nbhhhh.exec:\nbhhhh.exe76⤵
-
\??\c:\5bbbth.exec:\5bbbth.exe77⤵
-
\??\c:\jjpvp.exec:\jjpvp.exe78⤵
-
\??\c:\vvvpp.exec:\vvvpp.exe79⤵
-
\??\c:\9vvpp.exec:\9vvpp.exe80⤵
-
\??\c:\lllfxxx.exec:\lllfxxx.exe81⤵
-
\??\c:\rrrxxxx.exec:\rrrxxxx.exe82⤵
-
\??\c:\3bhbbt.exec:\3bhbbt.exe83⤵
-
\??\c:\tbbthn.exec:\tbbthn.exe84⤵
-
\??\c:\pppdv.exec:\pppdv.exe85⤵
-
\??\c:\ppvvp.exec:\ppvvp.exe86⤵
-
\??\c:\lffxrrl.exec:\lffxrrl.exe87⤵
-
\??\c:\bnhbtt.exec:\bnhbtt.exe88⤵
-
\??\c:\pjvpp.exec:\pjvpp.exe89⤵
-
\??\c:\lfrxxxx.exec:\lfrxxxx.exe90⤵
-
\??\c:\rfxffxr.exec:\rfxffxr.exe91⤵
-
\??\c:\bbhhbn.exec:\bbhhbn.exe92⤵
-
\??\c:\pppjd.exec:\pppjd.exe93⤵
-
\??\c:\jdjdv.exec:\jdjdv.exe94⤵
-
\??\c:\9lrrrlr.exec:\9lrrrlr.exe95⤵
-
\??\c:\llrxxxf.exec:\llrxxxf.exe96⤵
-
\??\c:\hhhnnn.exec:\hhhnnn.exe97⤵
-
\??\c:\jdpjp.exec:\jdpjp.exe98⤵
-
\??\c:\9lfxxxl.exec:\9lfxxxl.exe99⤵
-
\??\c:\nbtnbt.exec:\nbtnbt.exe100⤵
-
\??\c:\tnbtnb.exec:\tnbtnb.exe101⤵
-
\??\c:\ppvdv.exec:\ppvdv.exe102⤵
-
\??\c:\pvppp.exec:\pvppp.exe103⤵
-
\??\c:\9xxxxff.exec:\9xxxxff.exe104⤵
-
\??\c:\xllllll.exec:\xllllll.exe105⤵
-
\??\c:\hnbttt.exec:\hnbttt.exe106⤵
-
\??\c:\nbtnhh.exec:\nbtnhh.exe107⤵
-
\??\c:\pjpjj.exec:\pjpjj.exe108⤵
-
\??\c:\lxlrlrr.exec:\lxlrlrr.exe109⤵
-
\??\c:\ffffxff.exec:\ffffxff.exe110⤵
-
\??\c:\5hnnnn.exec:\5hnnnn.exe111⤵
-
\??\c:\1bbthh.exec:\1bbthh.exe112⤵
-
\??\c:\bbnbtb.exec:\bbnbtb.exe113⤵
-
\??\c:\jjjdd.exec:\jjjdd.exe114⤵
-
\??\c:\vddvv.exec:\vddvv.exe115⤵
-
\??\c:\xxfrfxl.exec:\xxfrfxl.exe116⤵
-
\??\c:\thnttb.exec:\thnttb.exe117⤵
-
\??\c:\ttnnnt.exec:\ttnnnt.exe118⤵
-
\??\c:\nnhhth.exec:\nnhhth.exe119⤵
-
\??\c:\dvvvv.exec:\dvvvv.exe120⤵
-
\??\c:\djdvv.exec:\djdvv.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-