Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
04/05/2024, 04:54
General
-
Target
f2a9a1db595671358969501f439fc25dfaa55bd2cc57a2569b384c25d07b1c45.exe
-
Size
293KB
-
MD5
b4da601ae5933cefbe458687df7059fb
-
SHA1
2534dda0ffac0124129d7ba7bd2b4cfa7c67a960
-
SHA256
f2a9a1db595671358969501f439fc25dfaa55bd2cc57a2569b384c25d07b1c45
-
SHA512
d832e667a7fedefe8987ab92b0aa19f6022fd348e5017499f6163e33d0bef0fcbd2237e8291ec8354047996c31af034ecc5d514f6f633f0479042ca32fec1de1
-
SSDEEP
6144:ccm4FmowdHoSQkuObHq9ltAszBd+za/p1slTjZXvEQo9dftO1:K4wFHoSQkuUHk1zBR/pMT9XvEhdfk
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 42 IoCs
-
UPX dump on OEP (original entry point) 64 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2a9a1db595671358969501f439fc25dfaa55bd2cc57a2569b384c25d07b1c45.exe"C:\Users\Admin\AppData\Local\Temp\f2a9a1db595671358969501f439fc25dfaa55bd2cc57a2569b384c25d07b1c45.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrxxxx.exec:\rfrxxxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlrrrrl.exec:\xlrrrrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7bbbtn.exec:\7bbbtn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5djjj.exec:\5djjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxxrrlf.exec:\rxxrrlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvddd.exec:\jvddd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxlfxxr.exec:\lxlfxxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhbht.exec:\tnhbht.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdppp.exec:\pdppp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdpjp.exec:\pdpjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrrrrr.exec:\fxrrrrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhttbb.exec:\nhttbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1ddpj.exec:\1ddpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxfllxx.exec:\lxfllxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3hnhhh.exec:\3hnhhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpvvv.exec:\vpvvv.exe17⤵
- Executes dropped EXE
-
\??\c:\vddvp.exec:\vddvp.exe18⤵
- Executes dropped EXE
-
\??\c:\hbhhhb.exec:\hbhhhb.exe19⤵
- Executes dropped EXE
-
\??\c:\tnbbbh.exec:\tnbbbh.exe20⤵
- Executes dropped EXE
-
\??\c:\rlrffff.exec:\rlrffff.exe21⤵
- Executes dropped EXE
-
\??\c:\htbbnh.exec:\htbbnh.exe22⤵
- Executes dropped EXE
-
\??\c:\5vddd.exec:\5vddd.exe23⤵
- Executes dropped EXE
-
\??\c:\1lfllrl.exec:\1lfllrl.exe24⤵
- Executes dropped EXE
-
\??\c:\9tbttt.exec:\9tbttt.exe25⤵
- Executes dropped EXE
-
\??\c:\bnbbhb.exec:\bnbbhb.exe26⤵
- Executes dropped EXE
-
\??\c:\dvjpv.exec:\dvjpv.exe27⤵
- Executes dropped EXE
-
\??\c:\1xrxfxf.exec:\1xrxfxf.exe28⤵
- Executes dropped EXE
-
\??\c:\5htnnn.exec:\5htnnn.exe29⤵
- Executes dropped EXE
-
\??\c:\ppvdv.exec:\ppvdv.exe30⤵
- Executes dropped EXE
-
\??\c:\frfxffl.exec:\frfxffl.exe31⤵
- Executes dropped EXE
-
\??\c:\7tnnnh.exec:\7tnnnh.exe32⤵
- Executes dropped EXE
-
\??\c:\jjppp.exec:\jjppp.exe33⤵
- Executes dropped EXE
-
\??\c:\5rflffx.exec:\5rflffx.exe34⤵
- Executes dropped EXE
-
\??\c:\bthttb.exec:\bthttb.exe35⤵
- Executes dropped EXE
-
\??\c:\1tbbtb.exec:\1tbbtb.exe36⤵
- Executes dropped EXE
-
\??\c:\vjvdp.exec:\vjvdp.exe37⤵
- Executes dropped EXE
-
\??\c:\lxxflff.exec:\lxxflff.exe38⤵
- Executes dropped EXE
-
\??\c:\fxrlxxf.exec:\fxrlxxf.exe39⤵
- Executes dropped EXE
-
\??\c:\thhttn.exec:\thhttn.exe40⤵
- Executes dropped EXE
-
\??\c:\5jvvd.exec:\5jvvd.exe41⤵
- Executes dropped EXE
-
\??\c:\1pjvj.exec:\1pjvj.exe42⤵
- Executes dropped EXE
-
\??\c:\lfrxffl.exec:\lfrxffl.exe43⤵
- Executes dropped EXE
-
\??\c:\nhhntt.exec:\nhhntt.exe44⤵
- Executes dropped EXE
-
\??\c:\thnhnt.exec:\thnhnt.exe45⤵
- Executes dropped EXE
-
\??\c:\jdjjp.exec:\jdjjp.exe46⤵
- Executes dropped EXE
-
\??\c:\9vjvv.exec:\9vjvv.exe47⤵
- Executes dropped EXE
-
\??\c:\fxrfrrr.exec:\fxrfrrr.exe48⤵
- Executes dropped EXE
-
\??\c:\hnbbhh.exec:\hnbbhh.exe49⤵
- Executes dropped EXE
-
\??\c:\btbntb.exec:\btbntb.exe50⤵
- Executes dropped EXE
-
\??\c:\jvddj.exec:\jvddj.exe51⤵
- Executes dropped EXE
-
\??\c:\rxrfxlf.exec:\rxrfxlf.exe52⤵
- Executes dropped EXE
-
\??\c:\5xlxxxx.exec:\5xlxxxx.exe53⤵
- Executes dropped EXE
-
\??\c:\7nbthh.exec:\7nbthh.exe54⤵
- Executes dropped EXE
-
\??\c:\vjvvp.exec:\vjvvp.exe55⤵
- Executes dropped EXE
-
\??\c:\djpdd.exec:\djpdd.exe56⤵
- Executes dropped EXE
-
\??\c:\lrrllff.exec:\lrrllff.exe57⤵
- Executes dropped EXE
-
\??\c:\httnnb.exec:\httnnb.exe58⤵
- Executes dropped EXE
-
\??\c:\thtbtt.exec:\thtbtt.exe59⤵
- Executes dropped EXE
-
\??\c:\pjjvd.exec:\pjjvd.exe60⤵
- Executes dropped EXE
-
\??\c:\fxfllrl.exec:\fxfllrl.exe61⤵
- Executes dropped EXE
-
\??\c:\7frlfxx.exec:\7frlfxx.exe62⤵
- Executes dropped EXE
-
\??\c:\tbhhnn.exec:\tbhhnn.exe63⤵
- Executes dropped EXE
-
\??\c:\ntbnhh.exec:\ntbnhh.exe64⤵
- Executes dropped EXE
-
\??\c:\vjpjp.exec:\vjpjp.exe65⤵
- Executes dropped EXE
-
\??\c:\5fllfxx.exec:\5fllfxx.exe66⤵
-
\??\c:\xlrrxll.exec:\xlrrxll.exe67⤵
-
\??\c:\3bnbbt.exec:\3bnbbt.exe68⤵
-
\??\c:\1nbnhb.exec:\1nbnhb.exe69⤵
-
\??\c:\jvddd.exec:\jvddd.exe70⤵
-
\??\c:\lfrxfxf.exec:\lfrxfxf.exe71⤵
-
\??\c:\7xxllxx.exec:\7xxllxx.exe72⤵
-
\??\c:\9bbnnh.exec:\9bbnnh.exe73⤵
-
\??\c:\5thbbb.exec:\5thbbb.exe74⤵
-
\??\c:\dppdv.exec:\dppdv.exe75⤵
-
\??\c:\9dvdj.exec:\9dvdj.exe76⤵
-
\??\c:\1frlflx.exec:\1frlflx.exe77⤵
-
\??\c:\rxxxxrr.exec:\rxxxxrr.exe78⤵
-
\??\c:\1bhtbt.exec:\1bhtbt.exe79⤵
-
\??\c:\tbnbbt.exec:\tbnbbt.exe80⤵
-
\??\c:\pdvjj.exec:\pdvjj.exe81⤵
-
\??\c:\llffffr.exec:\llffffr.exe82⤵
-
\??\c:\frrrfxx.exec:\frrrfxx.exe83⤵
-
\??\c:\7htnnh.exec:\7htnnh.exe84⤵
-
\??\c:\vppvv.exec:\vppvv.exe85⤵
-
\??\c:\3jppd.exec:\3jppd.exe86⤵
-
\??\c:\frfffxf.exec:\frfffxf.exe87⤵
-
\??\c:\bhbbbn.exec:\bhbbbn.exe88⤵
-
\??\c:\tbbhnt.exec:\tbbhnt.exe89⤵
-
\??\c:\vpdjp.exec:\vpdjp.exe90⤵
-
\??\c:\9llrrrx.exec:\9llrrrx.exe91⤵
-
\??\c:\fxlxflf.exec:\fxlxflf.exe92⤵
-
\??\c:\thnntt.exec:\thnntt.exe93⤵
-
\??\c:\vjpjp.exec:\vjpjp.exe94⤵
-
\??\c:\dvpvj.exec:\dvpvj.exe95⤵
-
\??\c:\xrlfffl.exec:\xrlfffl.exe96⤵
-
\??\c:\rllxfff.exec:\rllxfff.exe97⤵
-
\??\c:\thnbhb.exec:\thnbhb.exe98⤵
-
\??\c:\jdpvj.exec:\jdpvj.exe99⤵
-
\??\c:\1djpp.exec:\1djpp.exe100⤵
-
\??\c:\lfxrffr.exec:\lfxrffr.exe101⤵
-
\??\c:\xlrxllx.exec:\xlrxllx.exe102⤵
-
\??\c:\nbhhnh.exec:\nbhhnh.exe103⤵
-
\??\c:\pjpvv.exec:\pjpvv.exe104⤵
-
\??\c:\jjdpv.exec:\jjdpv.exe105⤵
-
\??\c:\xlxxrrx.exec:\xlxxrrx.exe106⤵
-
\??\c:\nbbttn.exec:\nbbttn.exe107⤵
-
\??\c:\9vjjv.exec:\9vjjv.exe108⤵
-
\??\c:\7vjvj.exec:\7vjvj.exe109⤵
-
\??\c:\frxrlfl.exec:\frxrlfl.exe110⤵
-
\??\c:\rlxlflx.exec:\rlxlflx.exe111⤵
-
\??\c:\hbnnhh.exec:\hbnnhh.exe112⤵
-
\??\c:\nbnthh.exec:\nbnthh.exe113⤵
-
\??\c:\ppdvp.exec:\ppdvp.exe114⤵
-
\??\c:\lxllrrx.exec:\lxllrrx.exe115⤵
-
\??\c:\rfrllxx.exec:\rfrllxx.exe116⤵
-
\??\c:\bbnbnn.exec:\bbnbnn.exe117⤵
-
\??\c:\hhttnn.exec:\hhttnn.exe118⤵
-
\??\c:\vvdpv.exec:\vvdpv.exe119⤵
-
\??\c:\xrrfrll.exec:\xrrfrll.exe120⤵
-
\??\c:\rlrrffl.exec:\rlrrffl.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-