Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
10-05-2024 22:43
General
-
Target
71a5a933d27b9821901d7b20f81dba0c5a46fcaf53ecc3805a0e540844fe37a1.exe
-
Size
440KB
-
MD5
20f7442933011e9196531ee6e0729ab1
-
SHA1
58861e1585b884fd62242ab14a518a00c53944a0
-
SHA256
71a5a933d27b9821901d7b20f81dba0c5a46fcaf53ecc3805a0e540844fe37a1
-
SHA512
0bac84617f81e41fe1e401051bf780972bc79d73397845b443adcf48453414fc211847fe6f5e2bbf24db65f66d3697ecd00acc699017c957879ffa04b0f757df
-
SSDEEP
12288:w4wFHoS9KxbNnidEhjEJd1kNpeUgI95yRoZHVaoJMOxFXnRV4PiGO0hUmH5:kKxbNndhjEJd1kNpeUgI95yRoZHgoJMv
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 34 IoCs
-
UPX dump on OEP (original entry point) 64 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\71a5a933d27b9821901d7b20f81dba0c5a46fcaf53ecc3805a0e540844fe37a1.exe"C:\Users\Admin\AppData\Local\Temp\71a5a933d27b9821901d7b20f81dba0c5a46fcaf53ecc3805a0e540844fe37a1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rrxlfll.exec:\rrxlfll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5rflrxx.exec:\5rflrxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7jjjv.exec:\7jjjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxlflrf.exec:\xxlflrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llfxlrr.exec:\llfxlrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfxrrrl.exec:\xfxrrrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbthth.exec:\nbthth.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fffxffr.exec:\fffxffr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddpvd.exec:\ddpvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxfxrxl.exec:\lxfxrxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5lffxlf.exec:\5lffxlf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9nhnbh.exec:\9nhnbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1tbntt.exec:\1tbntt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpjdd.exec:\vpjdd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnbhn.exec:\hbnbhn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7vpvp.exec:\7vpvp.exe17⤵
- Executes dropped EXE
-
\??\c:\7vpdv.exec:\7vpdv.exe18⤵
- Executes dropped EXE
-
\??\c:\lxxlfrl.exec:\lxxlfrl.exe19⤵
- Executes dropped EXE
-
\??\c:\5pddj.exec:\5pddj.exe20⤵
- Executes dropped EXE
-
\??\c:\lfxrlrl.exec:\lfxrlrl.exe21⤵
- Executes dropped EXE
-
\??\c:\flfflxf.exec:\flfflxf.exe22⤵
- Executes dropped EXE
-
\??\c:\nnhbth.exec:\nnhbth.exe23⤵
- Executes dropped EXE
-
\??\c:\3hbntb.exec:\3hbntb.exe24⤵
- Executes dropped EXE
-
\??\c:\pppdv.exec:\pppdv.exe25⤵
- Executes dropped EXE
-
\??\c:\ppdpv.exec:\ppdpv.exe26⤵
- Executes dropped EXE
-
\??\c:\dpjpj.exec:\dpjpj.exe27⤵
- Executes dropped EXE
-
\??\c:\3dvvj.exec:\3dvvj.exe28⤵
- Executes dropped EXE
-
\??\c:\vppdv.exec:\vppdv.exe29⤵
- Executes dropped EXE
-
\??\c:\vvppj.exec:\vvppj.exe30⤵
- Executes dropped EXE
-
\??\c:\hnhbtb.exec:\hnhbtb.exe31⤵
- Executes dropped EXE
-
\??\c:\vdvdp.exec:\vdvdp.exe32⤵
- Executes dropped EXE
-
\??\c:\lxrrlfl.exec:\lxrrlfl.exe33⤵
- Executes dropped EXE
-
\??\c:\vjjvv.exec:\vjjvv.exe34⤵
- Executes dropped EXE
-
\??\c:\9lrflff.exec:\9lrflff.exe35⤵
- Executes dropped EXE
-
\??\c:\hhbhnn.exec:\hhbhnn.exe36⤵
- Executes dropped EXE
-
\??\c:\vvvdv.exec:\vvvdv.exe37⤵
- Executes dropped EXE
-
\??\c:\rlxflrx.exec:\rlxflrx.exe38⤵
- Executes dropped EXE
-
\??\c:\bbnnht.exec:\bbnnht.exe39⤵
- Executes dropped EXE
-
\??\c:\jvdjd.exec:\jvdjd.exe40⤵
- Executes dropped EXE
-
\??\c:\fxxlrxl.exec:\fxxlrxl.exe41⤵
- Executes dropped EXE
-
\??\c:\thbhbh.exec:\thbhbh.exe42⤵
- Executes dropped EXE
-
\??\c:\vvvjd.exec:\vvvjd.exe43⤵
- Executes dropped EXE
-
\??\c:\rfxfxrf.exec:\rfxfxrf.exe44⤵
- Executes dropped EXE
-
\??\c:\thbbnt.exec:\thbbnt.exe45⤵
- Executes dropped EXE
-
\??\c:\vvjdd.exec:\vvjdd.exe46⤵
- Executes dropped EXE
-
\??\c:\lllrlrl.exec:\lllrlrl.exe47⤵
- Executes dropped EXE
-
\??\c:\bbhhhb.exec:\bbhhhb.exe48⤵
- Executes dropped EXE
-
\??\c:\lrrlrfl.exec:\lrrlrfl.exe49⤵
- Executes dropped EXE
-
\??\c:\llxxffx.exec:\llxxffx.exe50⤵
- Executes dropped EXE
-
\??\c:\pvdvp.exec:\pvdvp.exe51⤵
- Executes dropped EXE
-
\??\c:\vvpvv.exec:\vvpvv.exe52⤵
- Executes dropped EXE
-
\??\c:\fxxflrx.exec:\fxxflrx.exe53⤵
- Executes dropped EXE
-
\??\c:\3bhthn.exec:\3bhthn.exe54⤵
- Executes dropped EXE
-
\??\c:\3dvdd.exec:\3dvdd.exe55⤵
- Executes dropped EXE
-
\??\c:\7ffxlxl.exec:\7ffxlxl.exe56⤵
- Executes dropped EXE
-
\??\c:\thbhhb.exec:\thbhhb.exe57⤵
- Executes dropped EXE
-
\??\c:\ddjdd.exec:\ddjdd.exe58⤵
- Executes dropped EXE
-
\??\c:\9flrflr.exec:\9flrflr.exe59⤵
- Executes dropped EXE
-
\??\c:\bhhbnb.exec:\bhhbnb.exe60⤵
- Executes dropped EXE
-
\??\c:\1jjpd.exec:\1jjpd.exe61⤵
- Executes dropped EXE
-
\??\c:\rllxrrr.exec:\rllxrrr.exe62⤵
- Executes dropped EXE
-
\??\c:\bhhttt.exec:\bhhttt.exe63⤵
- Executes dropped EXE
-
\??\c:\dvpjv.exec:\dvpjv.exe64⤵
- Executes dropped EXE
-
\??\c:\jvvjd.exec:\jvvjd.exe65⤵
- Executes dropped EXE
-
\??\c:\5lflrxf.exec:\5lflrxf.exe66⤵
-
\??\c:\bhbhbh.exec:\bhbhbh.exe67⤵
-
\??\c:\dpvvj.exec:\dpvvj.exe68⤵
-
\??\c:\rlfrflf.exec:\rlfrflf.exe69⤵
-
\??\c:\7nhnnt.exec:\7nhnnt.exe70⤵
-
\??\c:\9jdpp.exec:\9jdpp.exe71⤵
-
\??\c:\xlrrrll.exec:\xlrrrll.exe72⤵
-
\??\c:\fxlrllx.exec:\fxlrllx.exe73⤵
-
\??\c:\7bnhnt.exec:\7bnhnt.exe74⤵
-
\??\c:\ppjdp.exec:\ppjdp.exe75⤵
-
\??\c:\frxrrlr.exec:\frxrrlr.exe76⤵
-
\??\c:\rlflrfl.exec:\rlflrfl.exe77⤵
-
\??\c:\1nnhbh.exec:\1nnhbh.exe78⤵
-
\??\c:\pjvdj.exec:\pjvdj.exe79⤵
-
\??\c:\lrrlffx.exec:\lrrlffx.exe80⤵
-
\??\c:\tbbtnb.exec:\tbbtnb.exe81⤵
-
\??\c:\vvjvv.exec:\vvjvv.exe82⤵
-
\??\c:\xrrxrrl.exec:\xrrxrrl.exe83⤵
-
\??\c:\bhhbtn.exec:\bhhbtn.exe84⤵
-
\??\c:\1nhnbh.exec:\1nhnbh.exe85⤵
-
\??\c:\fxllflx.exec:\fxllflx.exe86⤵
-
\??\c:\nttbnt.exec:\nttbnt.exe87⤵
-
\??\c:\7jpjv.exec:\7jpjv.exe88⤵
-
\??\c:\xxlrllx.exec:\xxlrllx.exe89⤵
-
\??\c:\5dvpv.exec:\5dvpv.exe90⤵
-
\??\c:\7fxfrxl.exec:\7fxfrxl.exe91⤵
-
\??\c:\1thhtt.exec:\1thhtt.exe92⤵
-
\??\c:\ddvjv.exec:\ddvjv.exe93⤵
-
\??\c:\9llrlrf.exec:\9llrlrf.exe94⤵
-
\??\c:\7thttb.exec:\7thttb.exe95⤵
-
\??\c:\jpjdv.exec:\jpjdv.exe96⤵
-
\??\c:\rfllfrr.exec:\rfllfrr.exe97⤵
-
\??\c:\rlfxlrx.exec:\rlfxlrx.exe98⤵
-
\??\c:\hhhbtb.exec:\hhhbtb.exe99⤵
-
\??\c:\jpjpv.exec:\jpjpv.exe100⤵
-
\??\c:\frlxfxf.exec:\frlxfxf.exe101⤵
-
\??\c:\bhnhth.exec:\bhnhth.exe102⤵
-
\??\c:\jjpdv.exec:\jjpdv.exe103⤵
-
\??\c:\rfxllfx.exec:\rfxllfx.exe104⤵
-
\??\c:\bnnthb.exec:\bnnthb.exe105⤵
-
\??\c:\dvppj.exec:\dvppj.exe106⤵
-
\??\c:\vddjp.exec:\vddjp.exe107⤵
-
\??\c:\xrllxff.exec:\xrllxff.exe108⤵
-
\??\c:\ddpvd.exec:\ddpvd.exe109⤵
-
\??\c:\5flxlxr.exec:\5flxlxr.exe110⤵
-
\??\c:\tbtbnh.exec:\tbtbnh.exe111⤵
-
\??\c:\vppjp.exec:\vppjp.exe112⤵
-
\??\c:\flxrxlx.exec:\flxrxlx.exe113⤵
-
\??\c:\tbhtth.exec:\tbhtth.exe114⤵
-
\??\c:\dpvvv.exec:\dpvvv.exe115⤵
-
\??\c:\ddpjp.exec:\ddpjp.exe116⤵
-
\??\c:\lfflfrr.exec:\lfflfrr.exe117⤵
-
\??\c:\nbtthh.exec:\nbtthh.exe118⤵
-
\??\c:\dpddp.exec:\dpddp.exe119⤵
-
\??\c:\xffrflf.exec:\xffrflf.exe120⤵
-
\??\c:\llfrrfr.exec:\llfrrfr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-