Analysis
-
max time kernel
150s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
08-05-2024 01:46
General
-
Target
af7f0b212e9db53792fb7aacbe64f2b99e44eb735e666b60fac16cec9e225cf9.exe
-
Size
87KB
-
MD5
f8bbd7b634a2ae5149184cd972f2ee97
-
SHA1
553890ea5944beb6a270d185d3747acc2b4a7742
-
SHA256
af7f0b212e9db53792fb7aacbe64f2b99e44eb735e666b60fac16cec9e225cf9
-
SHA512
e0118a67ae84a099649997f967fff17e146a0b0102d123d9362007660d539f91033887a2cf04e81a603410932efc763745a4a924a7d94c794c2647cfa2908326
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDoLU1grORPfr0k890C0:ymb3NkkiQ3mdBjFoLk8Pk890C0
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 27 IoCs
-
UPX dump on OEP (original entry point) 30 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\af7f0b212e9db53792fb7aacbe64f2b99e44eb735e666b60fac16cec9e225cf9.exe"C:\Users\Admin\AppData\Local\Temp\af7f0b212e9db53792fb7aacbe64f2b99e44eb735e666b60fac16cec9e225cf9.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\1bbtnn.exec:\1bbtnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3jpvp.exec:\3jpvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxlxfrr.exec:\rxlxfrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhtttn.exec:\nhtttn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjdp.exec:\dvjdp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xflflfx.exec:\xflflfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7jjjd.exec:\7jjjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlfxxxr.exec:\xlfxxxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnhbtt.exec:\bnhbtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjjd.exec:\ppjjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjdd.exec:\ddjdd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxlfllx.exec:\xxlfllx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhbtn.exec:\nbhbtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnnbth.exec:\bnnbth.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfllflf.exec:\lfllflf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7bbnht.exec:\7bbnht.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbttnb.exec:\hbttnb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvdvj.exec:\jvdvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjddp.exec:\jjddp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1bhhnh.exec:\1bhhnh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnhbb.exec:\ttnhbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djpjj.exec:\djpjj.exe23⤵
- Executes dropped EXE
-
\??\c:\pdvjd.exec:\pdvjd.exe24⤵
- Executes dropped EXE
-
\??\c:\ffrlxfx.exec:\ffrlxfx.exe25⤵
- Executes dropped EXE
-
\??\c:\tnhhbb.exec:\tnhhbb.exe26⤵
- Executes dropped EXE
-
\??\c:\jpdvj.exec:\jpdvj.exe27⤵
- Executes dropped EXE
-
\??\c:\9jpdp.exec:\9jpdp.exe28⤵
- Executes dropped EXE
-
\??\c:\rfxlffx.exec:\rfxlffx.exe29⤵
- Executes dropped EXE
-
\??\c:\9ffxrlf.exec:\9ffxrlf.exe30⤵
- Executes dropped EXE
-
\??\c:\tnbttt.exec:\tnbttt.exe31⤵
- Executes dropped EXE
-
\??\c:\dppvj.exec:\dppvj.exe32⤵
- Executes dropped EXE
-
\??\c:\rxfrfxf.exec:\rxfrfxf.exe33⤵
- Executes dropped EXE
-
\??\c:\ntbthh.exec:\ntbthh.exe34⤵
- Executes dropped EXE
-
\??\c:\vjjdv.exec:\vjjdv.exe35⤵
- Executes dropped EXE
-
\??\c:\xxrrrxf.exec:\xxrrrxf.exe36⤵
- Executes dropped EXE
-
\??\c:\rfllflr.exec:\rfllflr.exe37⤵
- Executes dropped EXE
-
\??\c:\btbbbb.exec:\btbbbb.exe38⤵
- Executes dropped EXE
-
\??\c:\hnhbnb.exec:\hnhbnb.exe39⤵
- Executes dropped EXE
-
\??\c:\dppjv.exec:\dppjv.exe40⤵
- Executes dropped EXE
-
\??\c:\jvdvv.exec:\jvdvv.exe41⤵
- Executes dropped EXE
-
\??\c:\lxxrllf.exec:\lxxrllf.exe42⤵
- Executes dropped EXE
-
\??\c:\fxrlflf.exec:\fxrlflf.exe43⤵
- Executes dropped EXE
-
\??\c:\htnhhb.exec:\htnhhb.exe44⤵
- Executes dropped EXE
-
\??\c:\3ttbtn.exec:\3ttbtn.exe45⤵
- Executes dropped EXE
-
\??\c:\9ppjd.exec:\9ppjd.exe46⤵
- Executes dropped EXE
-
\??\c:\djppp.exec:\djppp.exe47⤵
- Executes dropped EXE
-
\??\c:\lffxflr.exec:\lffxflr.exe48⤵
- Executes dropped EXE
-
\??\c:\frxrllx.exec:\frxrllx.exe49⤵
- Executes dropped EXE
-
\??\c:\7bttnn.exec:\7bttnn.exe50⤵
- Executes dropped EXE
-
\??\c:\hbthtn.exec:\hbthtn.exe51⤵
- Executes dropped EXE
-
\??\c:\jpdjj.exec:\jpdjj.exe52⤵
- Executes dropped EXE
-
\??\c:\pvdvj.exec:\pvdvj.exe53⤵
- Executes dropped EXE
-
\??\c:\9rrlffx.exec:\9rrlffx.exe54⤵
- Executes dropped EXE
-
\??\c:\rxrfrfx.exec:\rxrfrfx.exe55⤵
- Executes dropped EXE
-
\??\c:\hbtttt.exec:\hbtttt.exe56⤵
- Executes dropped EXE
-
\??\c:\tntntn.exec:\tntntn.exe57⤵
- Executes dropped EXE
-
\??\c:\dpdvp.exec:\dpdvp.exe58⤵
- Executes dropped EXE
-
\??\c:\jjddv.exec:\jjddv.exe59⤵
- Executes dropped EXE
-
\??\c:\xxxrxfx.exec:\xxxrxfx.exe60⤵
- Executes dropped EXE
-
\??\c:\bbhhtb.exec:\bbhhtb.exe61⤵
- Executes dropped EXE
-
\??\c:\nhtnbb.exec:\nhtnbb.exe62⤵
- Executes dropped EXE
-
\??\c:\vpppj.exec:\vpppj.exe63⤵
- Executes dropped EXE
-
\??\c:\pjjjd.exec:\pjjjd.exe64⤵
- Executes dropped EXE
-
\??\c:\1fxrflf.exec:\1fxrflf.exe65⤵
- Executes dropped EXE
-
\??\c:\9ttnhh.exec:\9ttnhh.exe66⤵
-
\??\c:\ntnhbt.exec:\ntnhbt.exe67⤵
-
\??\c:\vvvvv.exec:\vvvvv.exe68⤵
-
\??\c:\9rxlfxf.exec:\9rxlfxf.exe69⤵
-
\??\c:\3nnhbh.exec:\3nnhbh.exe70⤵
-
\??\c:\nhbttn.exec:\nhbttn.exe71⤵
-
\??\c:\jdddd.exec:\jdddd.exe72⤵
-
\??\c:\jdpjd.exec:\jdpjd.exe73⤵
-
\??\c:\xrrlllf.exec:\xrrlllf.exe74⤵
-
\??\c:\bbttnb.exec:\bbttnb.exe75⤵
-
\??\c:\bhthtt.exec:\bhthtt.exe76⤵
-
\??\c:\pjjjj.exec:\pjjjj.exe77⤵
-
\??\c:\pddvv.exec:\pddvv.exe78⤵
-
\??\c:\xrrlxxr.exec:\xrrlxxr.exe79⤵
-
\??\c:\rflfxff.exec:\rflfxff.exe80⤵
-
\??\c:\nntnnt.exec:\nntnnt.exe81⤵
-
\??\c:\pjdvj.exec:\pjdvj.exe82⤵
-
\??\c:\7vdvj.exec:\7vdvj.exe83⤵
-
\??\c:\fxfrllf.exec:\fxfrllf.exe84⤵
-
\??\c:\lfxrllx.exec:\lfxrllx.exe85⤵
-
\??\c:\btttnn.exec:\btttnn.exe86⤵
-
\??\c:\bbhbnt.exec:\bbhbnt.exe87⤵
-
\??\c:\pdpdv.exec:\pdpdv.exe88⤵
-
\??\c:\dvvpj.exec:\dvvpj.exe89⤵
-
\??\c:\fxlfxxr.exec:\fxlfxxr.exe90⤵
-
\??\c:\frrrrrr.exec:\frrrrrr.exe91⤵
-
\??\c:\ttttbb.exec:\ttttbb.exe92⤵
-
\??\c:\9nnnbb.exec:\9nnnbb.exe93⤵
-
\??\c:\jvjdp.exec:\jvjdp.exe94⤵
-
\??\c:\rlxrllf.exec:\rlxrllf.exe95⤵
-
\??\c:\xfllxxx.exec:\xfllxxx.exe96⤵
-
\??\c:\nbnnhb.exec:\nbnnhb.exe97⤵
-
\??\c:\ddvvd.exec:\ddvvd.exe98⤵
-
\??\c:\5ddvp.exec:\5ddvp.exe99⤵
-
\??\c:\lfrlfff.exec:\lfrlfff.exe100⤵
-
\??\c:\3tnhbb.exec:\3tnhbb.exe101⤵
-
\??\c:\htnhtt.exec:\htnhtt.exe102⤵
-
\??\c:\dppjd.exec:\dppjd.exe103⤵
-
\??\c:\ddpjd.exec:\ddpjd.exe104⤵
-
\??\c:\jdddv.exec:\jdddv.exe105⤵
-
\??\c:\rfffrrl.exec:\rfffrrl.exe106⤵
-
\??\c:\tbbbtt.exec:\tbbbtt.exe107⤵
-
\??\c:\tnnhbh.exec:\tnnhbh.exe108⤵
-
\??\c:\nhbhtt.exec:\nhbhtt.exe109⤵
-
\??\c:\jvdpd.exec:\jvdpd.exe110⤵
-
\??\c:\vdjvp.exec:\vdjvp.exe111⤵
-
\??\c:\rlfxrlf.exec:\rlfxrlf.exe112⤵
-
\??\c:\rxxxlxr.exec:\rxxxlxr.exe113⤵
-
\??\c:\nnnnhh.exec:\nnnnhh.exe114⤵
-
\??\c:\btbtnn.exec:\btbtnn.exe115⤵
-
\??\c:\5tnhtn.exec:\5tnhtn.exe116⤵
-
\??\c:\3vvdv.exec:\3vvdv.exe117⤵
-
\??\c:\jjvpj.exec:\jjvpj.exe118⤵
-
\??\c:\xflfxrr.exec:\xflfxrr.exe119⤵
-
\??\c:\7fffrrl.exec:\7fffrrl.exe120⤵
-
\??\c:\tnnhbb.exec:\tnnhbb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-