Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
09/05/2024, 20:33
General
-
Target
3b760197ec5fb86a9f43c557be5d786c2a6401dd4e8c50bed084035fcfcfd75d.exe
-
Size
54KB
-
MD5
f9bda3730b0829dcb64aaca0117a9221
-
SHA1
9523779d1a6889bc28eff8ac645830cbb33fa98f
-
SHA256
3b760197ec5fb86a9f43c557be5d786c2a6401dd4e8c50bed084035fcfcfd75d
-
SHA512
0a71791523969d2fdbba13c64318c676f7a305d87182b83ed80170a413030893bbc2ed2b38e54ab2ba9d362caa66abe6cdbf36c07724d065d72d1c9fa2673c93
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIFV6:ymb3NkkiQ3mdBjFIFV6
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 23 IoCs
-
UPX dump on OEP (original entry point) 31 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b760197ec5fb86a9f43c557be5d786c2a6401dd4e8c50bed084035fcfcfd75d.exe"C:\Users\Admin\AppData\Local\Temp\3b760197ec5fb86a9f43c557be5d786c2a6401dd4e8c50bed084035fcfcfd75d.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\1jdjp.exec:\1jdjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\64006.exec:\64006.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5xlflrf.exec:\5xlflrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\e20666.exec:\e20666.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7xlrfll.exec:\7xlrfll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\k26268.exec:\k26268.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlfxffl.exec:\xlfxffl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\046628.exec:\046628.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thhbht.exec:\thhbht.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdpvv.exec:\jdpvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnnth.exec:\tnnnth.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbbhn.exec:\nhbbhn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xffrxxr.exec:\xffrxxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdjpd.exec:\pdjpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\a6288.exec:\a6288.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3rflxxr.exec:\3rflxxr.exe17⤵
- Executes dropped EXE
-
\??\c:\480060.exec:\480060.exe18⤵
- Executes dropped EXE
-
\??\c:\u602446.exec:\u602446.exe19⤵
- Executes dropped EXE
-
\??\c:\htbthh.exec:\htbthh.exe20⤵
- Executes dropped EXE
-
\??\c:\lrffxrx.exec:\lrffxrx.exe21⤵
- Executes dropped EXE
-
\??\c:\pdppd.exec:\pdppd.exe22⤵
- Executes dropped EXE
-
\??\c:\22868.exec:\22868.exe23⤵
- Executes dropped EXE
-
\??\c:\2228464.exec:\2228464.exe24⤵
- Executes dropped EXE
-
\??\c:\26062.exec:\26062.exe25⤵
- Executes dropped EXE
-
\??\c:\httttn.exec:\httttn.exe26⤵
- Executes dropped EXE
-
\??\c:\bntbhn.exec:\bntbhn.exe27⤵
- Executes dropped EXE
-
\??\c:\666888.exec:\666888.exe28⤵
- Executes dropped EXE
-
\??\c:\e08242.exec:\e08242.exe29⤵
- Executes dropped EXE
-
\??\c:\bnbbbt.exec:\bnbbbt.exe30⤵
- Executes dropped EXE
-
\??\c:\42666.exec:\42666.exe31⤵
- Executes dropped EXE
-
\??\c:\9vjjv.exec:\9vjjv.exe32⤵
- Executes dropped EXE
-
\??\c:\9nhhbh.exec:\9nhhbh.exe33⤵
- Executes dropped EXE
-
\??\c:\08446.exec:\08446.exe34⤵
- Executes dropped EXE
-
\??\c:\080066.exec:\080066.exe35⤵
- Executes dropped EXE
-
\??\c:\226040.exec:\226040.exe36⤵
- Executes dropped EXE
-
\??\c:\w84804.exec:\w84804.exe37⤵
- Executes dropped EXE
-
\??\c:\48400.exec:\48400.exe38⤵
- Executes dropped EXE
-
\??\c:\tnbhbn.exec:\tnbhbn.exe39⤵
- Executes dropped EXE
-
\??\c:\428804.exec:\428804.exe40⤵
- Executes dropped EXE
-
\??\c:\m2422.exec:\m2422.exe41⤵
- Executes dropped EXE
-
\??\c:\pjdpv.exec:\pjdpv.exe42⤵
- Executes dropped EXE
-
\??\c:\s4288.exec:\s4288.exe43⤵
- Executes dropped EXE
-
\??\c:\2040000.exec:\2040000.exe44⤵
- Executes dropped EXE
-
\??\c:\jpjdj.exec:\jpjdj.exe45⤵
- Executes dropped EXE
-
\??\c:\3vppv.exec:\3vppv.exe46⤵
- Executes dropped EXE
-
\??\c:\jvppp.exec:\jvppp.exe47⤵
- Executes dropped EXE
-
\??\c:\2644046.exec:\2644046.exe48⤵
- Executes dropped EXE
-
\??\c:\8240880.exec:\8240880.exe49⤵
- Executes dropped EXE
-
\??\c:\jvdjp.exec:\jvdjp.exe50⤵
- Executes dropped EXE
-
\??\c:\nnbbth.exec:\nnbbth.exe51⤵
- Executes dropped EXE
-
\??\c:\o248822.exec:\o248822.exe52⤵
- Executes dropped EXE
-
\??\c:\nbntbh.exec:\nbntbh.exe53⤵
- Executes dropped EXE
-
\??\c:\266644.exec:\266644.exe54⤵
- Executes dropped EXE
-
\??\c:\86066.exec:\86066.exe55⤵
- Executes dropped EXE
-
\??\c:\424466.exec:\424466.exe56⤵
- Executes dropped EXE
-
\??\c:\fxfrlff.exec:\fxfrlff.exe57⤵
- Executes dropped EXE
-
\??\c:\dvppp.exec:\dvppp.exe58⤵
- Executes dropped EXE
-
\??\c:\48000.exec:\48000.exe59⤵
- Executes dropped EXE
-
\??\c:\fxflxxf.exec:\fxflxxf.exe60⤵
- Executes dropped EXE
-
\??\c:\9lxxrfr.exec:\9lxxrfr.exe61⤵
- Executes dropped EXE
-
\??\c:\606640.exec:\606640.exe62⤵
- Executes dropped EXE
-
\??\c:\2266666.exec:\2266666.exe63⤵
- Executes dropped EXE
-
\??\c:\420026.exec:\420026.exe64⤵
- Executes dropped EXE
-
\??\c:\g2880.exec:\g2880.exe65⤵
- Executes dropped EXE
-
\??\c:\ppjpd.exec:\ppjpd.exe66⤵
-
\??\c:\20222.exec:\20222.exe67⤵
-
\??\c:\20844.exec:\20844.exe68⤵
-
\??\c:\vpvvd.exec:\vpvvd.exe69⤵
-
\??\c:\266222.exec:\266222.exe70⤵
-
\??\c:\084040.exec:\084040.exe71⤵
-
\??\c:\5vjdj.exec:\5vjdj.exe72⤵
-
\??\c:\86402.exec:\86402.exe73⤵
-
\??\c:\xlrlflr.exec:\xlrlflr.exe74⤵
-
\??\c:\0820600.exec:\0820600.exe75⤵
-
\??\c:\a8028.exec:\a8028.exe76⤵
-
\??\c:\848082.exec:\848082.exe77⤵
-
\??\c:\1thbbb.exec:\1thbbb.exe78⤵
-
\??\c:\xxfxxff.exec:\xxfxxff.exe79⤵
-
\??\c:\60868.exec:\60868.exe80⤵
-
\??\c:\208800.exec:\208800.exe81⤵
-
\??\c:\68482.exec:\68482.exe82⤵
-
\??\c:\428222.exec:\428222.exe83⤵
-
\??\c:\8622222.exec:\8622222.exe84⤵
-
\??\c:\7lffxxl.exec:\7lffxxl.exe85⤵
-
\??\c:\7bhbth.exec:\7bhbth.exe86⤵
-
\??\c:\e62888.exec:\e62888.exe87⤵
-
\??\c:\jvvvv.exec:\jvvvv.exe88⤵
-
\??\c:\tnbthn.exec:\tnbthn.exe89⤵
-
\??\c:\0800628.exec:\0800628.exe90⤵
-
\??\c:\7rfllrx.exec:\7rfllrx.exe91⤵
-
\??\c:\i206424.exec:\i206424.exe92⤵
-
\??\c:\4804622.exec:\4804622.exe93⤵
-
\??\c:\460642.exec:\460642.exe94⤵
-
\??\c:\vjpvv.exec:\vjpvv.exe95⤵
-
\??\c:\c044446.exec:\c044446.exe96⤵
-
\??\c:\8624066.exec:\8624066.exe97⤵
-
\??\c:\htbbbn.exec:\htbbbn.exe98⤵
-
\??\c:\vpjdd.exec:\vpjdd.exe99⤵
-
\??\c:\fffllrf.exec:\fffllrf.exe100⤵
-
\??\c:\3pvdd.exec:\3pvdd.exe101⤵
-
\??\c:\pddvd.exec:\pddvd.exe102⤵
-
\??\c:\5rlffrx.exec:\5rlffrx.exe103⤵
-
\??\c:\3bbbnh.exec:\3bbbnh.exe104⤵
-
\??\c:\pdjpp.exec:\pdjpp.exe105⤵
-
\??\c:\2406228.exec:\2406228.exe106⤵
-
\??\c:\s2444.exec:\s2444.exe107⤵
-
\??\c:\btnthn.exec:\btnthn.exe108⤵
-
\??\c:\jvddj.exec:\jvddj.exe109⤵
-
\??\c:\hbhbnh.exec:\hbhbnh.exe110⤵
-
\??\c:\nbtttt.exec:\nbtttt.exe111⤵
-
\??\c:\vjjdj.exec:\vjjdj.exe112⤵
-
\??\c:\0200622.exec:\0200622.exe113⤵
-
\??\c:\3vjpv.exec:\3vjpv.exe114⤵
-
\??\c:\246026.exec:\246026.exe115⤵
-
\??\c:\82846.exec:\82846.exe116⤵
-
\??\c:\08662.exec:\08662.exe117⤵
-
\??\c:\08402.exec:\08402.exe118⤵
-
\??\c:\rfllxrx.exec:\rfllxrx.exe119⤵
-
\??\c:\m4062.exec:\m4062.exe120⤵
-
\??\c:\i426602.exec:\i426602.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-