Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
07/05/2024, 18:51
General
-
Target
128a503197ca8cdb4d4af4de699f7697f9e07e35d2b99e8ee6bc7925a2d6699f.exe
-
Size
460KB
-
MD5
2629d94f0ac8939276d3fd40394f977b
-
SHA1
159989e4d6b03840de88a00e7e05b00fedb1b268
-
SHA256
128a503197ca8cdb4d4af4de699f7697f9e07e35d2b99e8ee6bc7925a2d6699f
-
SHA512
b639d64eb4c24e7e9b10973734ebf370b7c0d5d5d6c96ffdb06bba74504d7b4ff60fd2fdda846ff595314b7be0d942d8678619ccca16d26f6d0c94b0b14984ab
-
SSDEEP
12288:n3C9ytvnVXl3C9nQIWJJGmFHQ3C9X3C9qAfIZ/o+gZ6:SgdnV42RfIJ7+
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 31 IoCs
-
UPX dump on OEP (original entry point) 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\128a503197ca8cdb4d4af4de699f7697f9e07e35d2b99e8ee6bc7925a2d6699f.exe"C:\Users\Admin\AppData\Local\Temp\128a503197ca8cdb4d4af4de699f7697f9e07e35d2b99e8ee6bc7925a2d6699f.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\tttbbt.exec:\tttbbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1djdv.exec:\1djdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpddv.exec:\vpddv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffxxrrr.exec:\ffxxrrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnttnn.exec:\tnttnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvvv.exec:\ddvvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxffffx.exec:\rxffffx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbbht.exec:\tnbbht.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbtnhh.exec:\hbtnhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvjj.exec:\vvvjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffllfff.exec:\ffllfff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrflllr.exec:\rrflllr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhbnt.exec:\tnhbnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdddd.exec:\jdddd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvvj.exec:\jjvvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9fxfxxr.exec:\9fxfxxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhtbtn.exec:\hhtbtn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpvvp.exec:\vpvvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlfxxll.exec:\rlfxxll.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thbhbb.exec:\thbhbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhnnh.exec:\hbhnnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjjd.exec:\dvjjd.exe23⤵
- Executes dropped EXE
-
\??\c:\xrrlllf.exec:\xrrlllf.exe24⤵
- Executes dropped EXE
-
\??\c:\7rrlflf.exec:\7rrlflf.exe25⤵
- Executes dropped EXE
-
\??\c:\tnhbhh.exec:\tnhbhh.exe26⤵
- Executes dropped EXE
-
\??\c:\hbnhhb.exec:\hbnhhb.exe27⤵
- Executes dropped EXE
-
\??\c:\dpjjj.exec:\dpjjj.exe28⤵
- Executes dropped EXE
-
\??\c:\llxfffr.exec:\llxfffr.exe29⤵
- Executes dropped EXE
-
\??\c:\5frllxr.exec:\5frllxr.exe30⤵
- Executes dropped EXE
-
\??\c:\tnbttt.exec:\tnbttt.exe31⤵
- Executes dropped EXE
-
\??\c:\jpvvv.exec:\jpvvv.exe32⤵
- Executes dropped EXE
-
\??\c:\jpppv.exec:\jpppv.exe33⤵
- Executes dropped EXE
-
\??\c:\xxffflr.exec:\xxffflr.exe34⤵
- Executes dropped EXE
-
\??\c:\hbhbtt.exec:\hbhbtt.exe35⤵
- Executes dropped EXE
-
\??\c:\bhnbtn.exec:\bhnbtn.exe36⤵
- Executes dropped EXE
-
\??\c:\dvjpp.exec:\dvjpp.exe37⤵
- Executes dropped EXE
-
\??\c:\1flfxxx.exec:\1flfxxx.exe38⤵
- Executes dropped EXE
-
\??\c:\rxllxxf.exec:\rxllxxf.exe39⤵
- Executes dropped EXE
-
\??\c:\5bnhnt.exec:\5bnhnt.exe40⤵
- Executes dropped EXE
-
\??\c:\pppjd.exec:\pppjd.exe41⤵
- Executes dropped EXE
-
\??\c:\vvvvj.exec:\vvvvj.exe42⤵
- Executes dropped EXE
-
\??\c:\9fxxrrl.exec:\9fxxrrl.exe43⤵
- Executes dropped EXE
-
\??\c:\9xxrrll.exec:\9xxrrll.exe44⤵
- Executes dropped EXE
-
\??\c:\9hhhbh.exec:\9hhhbh.exe45⤵
- Executes dropped EXE
-
\??\c:\dvjdv.exec:\dvjdv.exe46⤵
- Executes dropped EXE
-
\??\c:\ppvvp.exec:\ppvvp.exe47⤵
- Executes dropped EXE
-
\??\c:\lflfffx.exec:\lflfffx.exe48⤵
- Executes dropped EXE
-
\??\c:\nhbbtt.exec:\nhbbtt.exe49⤵
- Executes dropped EXE
-
\??\c:\nntntt.exec:\nntntt.exe50⤵
- Executes dropped EXE
-
\??\c:\dddjj.exec:\dddjj.exe51⤵
- Executes dropped EXE
-
\??\c:\jpvvv.exec:\jpvvv.exe52⤵
- Executes dropped EXE
-
\??\c:\xxfxxrx.exec:\xxfxxrx.exe53⤵
- Executes dropped EXE
-
\??\c:\tntnhh.exec:\tntnhh.exe54⤵
- Executes dropped EXE
-
\??\c:\5nbbht.exec:\5nbbht.exe55⤵
- Executes dropped EXE
-
\??\c:\pvpjp.exec:\pvpjp.exe56⤵
- Executes dropped EXE
-
\??\c:\7rrrxff.exec:\7rrrxff.exe57⤵
- Executes dropped EXE
-
\??\c:\bthnnn.exec:\bthnnn.exe58⤵
- Executes dropped EXE
-
\??\c:\7tbbtt.exec:\7tbbtt.exe59⤵
- Executes dropped EXE
-
\??\c:\jpdjd.exec:\jpdjd.exe60⤵
- Executes dropped EXE
-
\??\c:\xrrllll.exec:\xrrllll.exe61⤵
- Executes dropped EXE
-
\??\c:\1rrrlll.exec:\1rrrlll.exe62⤵
- Executes dropped EXE
-
\??\c:\hbnhhb.exec:\hbnhhb.exe63⤵
- Executes dropped EXE
-
\??\c:\dvpdv.exec:\dvpdv.exe64⤵
- Executes dropped EXE
-
\??\c:\9vjdp.exec:\9vjdp.exe65⤵
- Executes dropped EXE
-
\??\c:\fxfxrrr.exec:\fxfxrrr.exe66⤵
-
\??\c:\1ttnnn.exec:\1ttnnn.exe67⤵
-
\??\c:\nhnnnt.exec:\nhnnnt.exe68⤵
-
\??\c:\5dpjp.exec:\5dpjp.exe69⤵
-
\??\c:\7fllfff.exec:\7fllfff.exe70⤵
-
\??\c:\flrlffx.exec:\flrlffx.exe71⤵
-
\??\c:\thhhbt.exec:\thhhbt.exe72⤵
-
\??\c:\jvddv.exec:\jvddv.exe73⤵
-
\??\c:\vpjjv.exec:\vpjjv.exe74⤵
-
\??\c:\rlrrllf.exec:\rlrrllf.exe75⤵
-
\??\c:\hbnbtn.exec:\hbnbtn.exe76⤵
-
\??\c:\nnthhb.exec:\nnthhb.exe77⤵
-
\??\c:\jdpvj.exec:\jdpvj.exe78⤵
-
\??\c:\xflfxxx.exec:\xflfxxx.exe79⤵
-
\??\c:\frxxfff.exec:\frxxfff.exe80⤵
-
\??\c:\jjjdv.exec:\jjjdv.exe81⤵
-
\??\c:\1flllrl.exec:\1flllrl.exe82⤵
-
\??\c:\fxlllxx.exec:\fxlllxx.exe83⤵
-
\??\c:\5tbbtb.exec:\5tbbtb.exe84⤵
-
\??\c:\jdjdd.exec:\jdjdd.exe85⤵
-
\??\c:\5fllfll.exec:\5fllfll.exe86⤵
-
\??\c:\xflfxxx.exec:\xflfxxx.exe87⤵
-
\??\c:\9ntntt.exec:\9ntntt.exe88⤵
-
\??\c:\9vppv.exec:\9vppv.exe89⤵
-
\??\c:\rrfffll.exec:\rrfffll.exe90⤵
-
\??\c:\5hnnnt.exec:\5hnnnt.exe91⤵
-
\??\c:\hhhbbb.exec:\hhhbbb.exe92⤵
-
\??\c:\vjvpp.exec:\vjvpp.exe93⤵
-
\??\c:\fxxrfxl.exec:\fxxrfxl.exe94⤵
-
\??\c:\xrllllr.exec:\xrllllr.exe95⤵
-
\??\c:\httttb.exec:\httttb.exe96⤵
-
\??\c:\ddvdp.exec:\ddvdp.exe97⤵
-
\??\c:\rrxxfxx.exec:\rrxxfxx.exe98⤵
-
\??\c:\hbnnhn.exec:\hbnnhn.exe99⤵
-
\??\c:\nhttbh.exec:\nhttbh.exe100⤵
-
\??\c:\vpvvv.exec:\vpvvv.exe101⤵
-
\??\c:\fxrrxxl.exec:\fxrrxxl.exe102⤵
-
\??\c:\1ttnnn.exec:\1ttnnn.exe103⤵
-
\??\c:\nntnnn.exec:\nntnnn.exe104⤵
-
\??\c:\pdpjj.exec:\pdpjj.exe105⤵
-
\??\c:\tnnnhn.exec:\tnnnhn.exe106⤵
-
\??\c:\pvjjd.exec:\pvjjd.exe107⤵
-
\??\c:\lxlffff.exec:\lxlffff.exe108⤵
-
\??\c:\hhhtnh.exec:\hhhtnh.exe109⤵
-
\??\c:\ddvvd.exec:\ddvvd.exe110⤵
-
\??\c:\jddvv.exec:\jddvv.exe111⤵
-
\??\c:\ffllllr.exec:\ffllllr.exe112⤵
-
\??\c:\tnbbnn.exec:\tnbbnn.exe113⤵
-
\??\c:\5btttb.exec:\5btttb.exe114⤵
-
\??\c:\xxrrxfr.exec:\xxrrxfr.exe115⤵
-
\??\c:\7rrfflf.exec:\7rrfflf.exe116⤵
-
\??\c:\nhbtnn.exec:\nhbtnn.exe117⤵
-
\??\c:\pjpjd.exec:\pjpjd.exe118⤵
-
\??\c:\vpvvv.exec:\vpvvv.exe119⤵
-
\??\c:\9lffxfx.exec:\9lffxfx.exe120⤵
-
\??\c:\bbhhhh.exec:\bbhhhh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-