Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
09/05/2024, 01:57
General
-
Target
41e6e4899d212578ef8ac005908330c0.exe
-
Size
68KB
-
MD5
41e6e4899d212578ef8ac005908330c0
-
SHA1
0f00659260342edc5775d9ca7a901f284dcc8a38
-
SHA256
92de4763d29a69f2860c169e4eb8b1d35e9ecdba000f6e3a7f03e3b14bd6bea2
-
SHA512
e9291975f6fbeb3949cc5e72cb6f0f7d29f3263849c2a2421f17909b99611946d14ca222b833aadb7b18d1f36d0aac8490fb72dfd20ca332a415cc79d5d70957
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIvuzk358nLA89JgVj:ymb3NkkiQ3mdBjFIvl358nLA89m5
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\41e6e4899d212578ef8ac005908330c0.exe"C:\Users\Admin\AppData\Local\Temp\41e6e4899d212578ef8ac005908330c0.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\nhhbhh.exec:\nhhbhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djddv.exec:\djddv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7ddvd.exec:\7ddvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rffxrlf.exec:\rffxrlf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1ttttt.exec:\1ttttt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jddvv.exec:\jddvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llllfff.exec:\llllfff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxffrrl.exec:\lxffrrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnhnbt.exec:\hnhnbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppvjv.exec:\ppvjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rllfxrl.exec:\rllfxrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bttnbt.exec:\bttnbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1dpjd.exec:\1dpjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lllfxrl.exec:\lllfxrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrxllll.exec:\rrxllll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbtnht.exec:\hbtnht.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9jdvv.exec:\9jdvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rllllll.exec:\rllllll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9lfrlxx.exec:\9lfrlxx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhhbbb.exec:\nhhbbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xflfllf.exec:\xflfllf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxfxrrl.exec:\rxfxrrl.exe23⤵
- Executes dropped EXE
-
\??\c:\hbhhbn.exec:\hbhhbn.exe24⤵
- Executes dropped EXE
-
\??\c:\pdddd.exec:\pdddd.exe25⤵
- Executes dropped EXE
-
\??\c:\rlrrlrf.exec:\rlrrlrf.exe26⤵
- Executes dropped EXE
-
\??\c:\btbbnn.exec:\btbbnn.exe27⤵
- Executes dropped EXE
-
\??\c:\dpvvj.exec:\dpvvj.exe28⤵
- Executes dropped EXE
-
\??\c:\lxfxxff.exec:\lxfxxff.exe29⤵
- Executes dropped EXE
-
\??\c:\nhbbbb.exec:\nhbbbb.exe30⤵
- Executes dropped EXE
-
\??\c:\bnhhhh.exec:\bnhhhh.exe31⤵
- Executes dropped EXE
-
\??\c:\djppp.exec:\djppp.exe32⤵
- Executes dropped EXE
-
\??\c:\htbtnn.exec:\htbtnn.exe33⤵
- Executes dropped EXE
-
\??\c:\pjdpd.exec:\pjdpd.exe34⤵
- Executes dropped EXE
-
\??\c:\lflflrx.exec:\lflflrx.exe35⤵
- Executes dropped EXE
-
\??\c:\nhttbn.exec:\nhttbn.exe36⤵
- Executes dropped EXE
-
\??\c:\dvvpj.exec:\dvvpj.exe37⤵
- Executes dropped EXE
-
\??\c:\bbnbth.exec:\bbnbth.exe38⤵
- Executes dropped EXE
-
\??\c:\vvdvd.exec:\vvdvd.exe39⤵
- Executes dropped EXE
-
\??\c:\llllfxr.exec:\llllfxr.exe40⤵
- Executes dropped EXE
-
\??\c:\llxrlrr.exec:\llxrlrr.exe41⤵
- Executes dropped EXE
-
\??\c:\ttbbtn.exec:\ttbbtn.exe42⤵
- Executes dropped EXE
-
\??\c:\5ppjv.exec:\5ppjv.exe43⤵
- Executes dropped EXE
-
\??\c:\frfrfll.exec:\frfrfll.exe44⤵
- Executes dropped EXE
-
\??\c:\rrrrrxx.exec:\rrrrrxx.exe45⤵
- Executes dropped EXE
-
\??\c:\7hhbtt.exec:\7hhbtt.exe46⤵
- Executes dropped EXE
-
\??\c:\pvjjd.exec:\pvjjd.exe47⤵
- Executes dropped EXE
-
\??\c:\jjddp.exec:\jjddp.exe48⤵
- Executes dropped EXE
-
\??\c:\xflllll.exec:\xflllll.exe49⤵
- Executes dropped EXE
-
\??\c:\hbnntt.exec:\hbnntt.exe50⤵
- Executes dropped EXE
-
\??\c:\bttnbt.exec:\bttnbt.exe51⤵
- Executes dropped EXE
-
\??\c:\7dvpd.exec:\7dvpd.exe52⤵
- Executes dropped EXE
-
\??\c:\xrlrrxx.exec:\xrlrrxx.exe53⤵
- Executes dropped EXE
-
\??\c:\xrllfxx.exec:\xrllfxx.exe54⤵
- Executes dropped EXE
-
\??\c:\hnbtnh.exec:\hnbtnh.exe55⤵
- Executes dropped EXE
-
\??\c:\nnntnh.exec:\nnntnh.exe56⤵
- Executes dropped EXE
-
\??\c:\vpvpd.exec:\vpvpd.exe57⤵
- Executes dropped EXE
-
\??\c:\htbtnn.exec:\htbtnn.exe58⤵
- Executes dropped EXE
-
\??\c:\dvjjp.exec:\dvjjp.exe59⤵
- Executes dropped EXE
-
\??\c:\1rrlfrl.exec:\1rrlfrl.exe60⤵
- Executes dropped EXE
-
\??\c:\3nbbnh.exec:\3nbbnh.exe61⤵
- Executes dropped EXE
-
\??\c:\pjjdd.exec:\pjjdd.exe62⤵
- Executes dropped EXE
-
\??\c:\xllfffx.exec:\xllfffx.exe63⤵
- Executes dropped EXE
-
\??\c:\fffffll.exec:\fffffll.exe64⤵
- Executes dropped EXE
-
\??\c:\hbbntt.exec:\hbbntt.exe65⤵
- Executes dropped EXE
-
\??\c:\djdvp.exec:\djdvp.exe66⤵
-
\??\c:\ddjvj.exec:\ddjvj.exe67⤵
-
\??\c:\frrlfxx.exec:\frrlfxx.exe68⤵
-
\??\c:\bthbtn.exec:\bthbtn.exe69⤵
-
\??\c:\hbnhhh.exec:\hbnhhh.exe70⤵
-
\??\c:\jdjvv.exec:\jdjvv.exe71⤵
-
\??\c:\5vddd.exec:\5vddd.exe72⤵
-
\??\c:\rrrllll.exec:\rrrllll.exe73⤵
-
\??\c:\9httbn.exec:\9httbn.exe74⤵
-
\??\c:\pjdpv.exec:\pjdpv.exe75⤵
-
\??\c:\pvvpd.exec:\pvvpd.exe76⤵
-
\??\c:\lrrllfx.exec:\lrrllfx.exe77⤵
-
\??\c:\nnnnnn.exec:\nnnnnn.exe78⤵
-
\??\c:\hhnhtb.exec:\hhnhtb.exe79⤵
-
\??\c:\pvjjp.exec:\pvjjp.exe80⤵
-
\??\c:\frxrrxr.exec:\frxrrxr.exe81⤵
-
\??\c:\rlflflf.exec:\rlflflf.exe82⤵
-
\??\c:\tbbbhh.exec:\tbbbhh.exe83⤵
-
\??\c:\7pvvv.exec:\7pvvv.exe84⤵
-
\??\c:\9pjjp.exec:\9pjjp.exe85⤵
-
\??\c:\xrfxlll.exec:\xrfxlll.exe86⤵
-
\??\c:\hntbtn.exec:\hntbtn.exe87⤵
-
\??\c:\vvjdj.exec:\vvjdj.exe88⤵
-
\??\c:\1ddvj.exec:\1ddvj.exe89⤵
-
\??\c:\1fffrxl.exec:\1fffrxl.exe90⤵
-
\??\c:\rlrxfxl.exec:\rlrxfxl.exe91⤵
-
\??\c:\1tbbhh.exec:\1tbbhh.exe92⤵
-
\??\c:\5jjvj.exec:\5jjvj.exe93⤵
-
\??\c:\ppdjd.exec:\ppdjd.exe94⤵
-
\??\c:\rlrrrrr.exec:\rlrrrrr.exe95⤵
-
\??\c:\tbbnhb.exec:\tbbnhb.exe96⤵
-
\??\c:\nhtnnh.exec:\nhtnnh.exe97⤵
-
\??\c:\jpjdp.exec:\jpjdp.exe98⤵
-
\??\c:\5xrlllx.exec:\5xrlllx.exe99⤵
-
\??\c:\1rrfxxr.exec:\1rrfxxr.exe100⤵
-
\??\c:\hnhntn.exec:\hnhntn.exe101⤵
-
\??\c:\bttnnh.exec:\bttnnh.exe102⤵
-
\??\c:\vvjdj.exec:\vvjdj.exe103⤵
-
\??\c:\1rlrlfr.exec:\1rlrlfr.exe104⤵
-
\??\c:\xrfxfff.exec:\xrfxfff.exe105⤵
-
\??\c:\tnbbnn.exec:\tnbbnn.exe106⤵
-
\??\c:\xlfxllx.exec:\xlfxllx.exe107⤵
-
\??\c:\9hhtnh.exec:\9hhtnh.exe108⤵
-
\??\c:\dppjj.exec:\dppjj.exe109⤵
-
\??\c:\vjjdv.exec:\vjjdv.exe110⤵
-
\??\c:\1lllllf.exec:\1lllllf.exe111⤵
-
\??\c:\nbttnn.exec:\nbttnn.exe112⤵
-
\??\c:\9pvpp.exec:\9pvpp.exe113⤵
-
\??\c:\vvvdd.exec:\vvvdd.exe114⤵
-
\??\c:\rlxxlfl.exec:\rlxxlfl.exe115⤵
-
\??\c:\5ttntn.exec:\5ttntn.exe116⤵
-
\??\c:\9bhhhh.exec:\9bhhhh.exe117⤵
-
\??\c:\jdjvp.exec:\jdjvp.exe118⤵
-
\??\c:\7pvvj.exec:\7pvvj.exe119⤵
-
\??\c:\xrfxxxf.exec:\xrfxxxf.exe120⤵
-
\??\c:\thnhbb.exec:\thnhbb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-