Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
10/05/2024, 20:21
General
-
Target
387cdc0ccefbef793473111da1bd4491487b514bb22db71b9697921429ece325.exe
-
Size
225KB
-
MD5
143e24583d8c89d93ee9099b1d6087f5
-
SHA1
54bf3e3a47d3363016d83558decaa567fd3c6be7
-
SHA256
387cdc0ccefbef793473111da1bd4491487b514bb22db71b9697921429ece325
-
SHA512
601b942a246980999361daf2f53a785c1d7bc4b3579f877ae7b9f80dfba720b61a0f54a8ebfdf79cc6b54254bded22f4f592f5583fe38d53a673faed6fc54cdc
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLjBeG6:n3C9BRo7MlrWKo+lxKA
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
UPX dump on OEP (original entry point) 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\387cdc0ccefbef793473111da1bd4491487b514bb22db71b9697921429ece325.exe"C:\Users\Admin\AppData\Local\Temp\387cdc0ccefbef793473111da1bd4491487b514bb22db71b9697921429ece325.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\7tbbhh.exec:\7tbbhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjdpj.exec:\jjdpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddppp.exec:\ddppp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxllllr.exec:\xxllllr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhtnnn.exec:\hhtnnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxxfllf.exec:\xxxfllf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhnnn.exec:\tnhnnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxxxff.exec:\fxxxxff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7frrlrl.exec:\7frrlrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbbbb.exec:\tnbbbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjdd.exec:\jdjdd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrxrrfl.exec:\rrxrrfl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbntnt.exec:\nbntnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvjjv.exec:\jvjjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frffrrl.exec:\frffrrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnthbh.exec:\hnthbh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pppdv.exec:\pppdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rllffxx.exec:\rllffxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbtnn.exec:\hhbtnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjpp.exec:\pjjpp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1rlfxrl.exec:\1rlfxrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnbbtb.exec:\hnbbtb.exe23⤵
- Executes dropped EXE
-
\??\c:\nnnhbh.exec:\nnnhbh.exe24⤵
- Executes dropped EXE
-
\??\c:\3pdvv.exec:\3pdvv.exe25⤵
- Executes dropped EXE
-
\??\c:\7frlrxf.exec:\7frlrxf.exe26⤵
- Executes dropped EXE
-
\??\c:\pddvp.exec:\pddvp.exe27⤵
- Executes dropped EXE
-
\??\c:\djjpj.exec:\djjpj.exe28⤵
- Executes dropped EXE
-
\??\c:\thnntn.exec:\thnntn.exe29⤵
- Executes dropped EXE
-
\??\c:\jdvdp.exec:\jdvdp.exe30⤵
- Executes dropped EXE
-
\??\c:\3lrfxrf.exec:\3lrfxrf.exe31⤵
- Executes dropped EXE
-
\??\c:\thnbth.exec:\thnbth.exe32⤵
- Executes dropped EXE
-
\??\c:\7jjjj.exec:\7jjjj.exe33⤵
- Executes dropped EXE
-
\??\c:\1vvvp.exec:\1vvvp.exe34⤵
-
\??\c:\rfxffxx.exec:\rfxffxx.exe35⤵
- Executes dropped EXE
-
\??\c:\tnhhnn.exec:\tnhhnn.exe36⤵
- Executes dropped EXE
-
\??\c:\pjpvd.exec:\pjpvd.exe37⤵
- Executes dropped EXE
-
\??\c:\pddvp.exec:\pddvp.exe38⤵
- Executes dropped EXE
-
\??\c:\9xfxxxr.exec:\9xfxxxr.exe39⤵
- Executes dropped EXE
-
\??\c:\httnnn.exec:\httnnn.exe40⤵
- Executes dropped EXE
-
\??\c:\ntnnhh.exec:\ntnnhh.exe41⤵
- Executes dropped EXE
-
\??\c:\ddvvp.exec:\ddvvp.exe42⤵
- Executes dropped EXE
-
\??\c:\lrlffxf.exec:\lrlffxf.exe43⤵
- Executes dropped EXE
-
\??\c:\ttnhbh.exec:\ttnhbh.exe44⤵
- Executes dropped EXE
-
\??\c:\1pdvj.exec:\1pdvj.exe45⤵
- Executes dropped EXE
-
\??\c:\pdjpd.exec:\pdjpd.exe46⤵
- Executes dropped EXE
-
\??\c:\flxfxlf.exec:\flxfxlf.exe47⤵
- Executes dropped EXE
-
\??\c:\xxffrff.exec:\xxffrff.exe48⤵
- Executes dropped EXE
-
\??\c:\hthbtt.exec:\hthbtt.exe49⤵
- Executes dropped EXE
-
\??\c:\ddddv.exec:\ddddv.exe50⤵
- Executes dropped EXE
-
\??\c:\rlxxllr.exec:\rlxxllr.exe51⤵
- Executes dropped EXE
-
\??\c:\5bnnhn.exec:\5bnnhn.exe52⤵
- Executes dropped EXE
-
\??\c:\7ttttb.exec:\7ttttb.exe53⤵
- Executes dropped EXE
-
\??\c:\ppdpd.exec:\ppdpd.exe54⤵
- Executes dropped EXE
-
\??\c:\1llfflf.exec:\1llfflf.exe55⤵
- Executes dropped EXE
-
\??\c:\5rllffx.exec:\5rllffx.exe56⤵
- Executes dropped EXE
-
\??\c:\bnhhtt.exec:\bnhhtt.exe57⤵
- Executes dropped EXE
-
\??\c:\5ddvj.exec:\5ddvj.exe58⤵
- Executes dropped EXE
-
\??\c:\xflrxrx.exec:\xflrxrx.exe59⤵
- Executes dropped EXE
-
\??\c:\bthtbb.exec:\bthtbb.exe60⤵
- Executes dropped EXE
-
\??\c:\bbhtnt.exec:\bbhtnt.exe61⤵
- Executes dropped EXE
-
\??\c:\jdjvd.exec:\jdjvd.exe62⤵
- Executes dropped EXE
-
\??\c:\llrxxff.exec:\llrxxff.exe63⤵
- Executes dropped EXE
-
\??\c:\llllfff.exec:\llllfff.exe64⤵
- Executes dropped EXE
-
\??\c:\9hnhbb.exec:\9hnhbb.exe65⤵
- Executes dropped EXE
-
\??\c:\ddpjd.exec:\ddpjd.exe66⤵
- Executes dropped EXE
-
\??\c:\vvjdj.exec:\vvjdj.exe67⤵
-
\??\c:\xrxxrlf.exec:\xrxxrlf.exe68⤵
-
\??\c:\hthhhb.exec:\hthhhb.exe69⤵
-
\??\c:\tnttbt.exec:\tnttbt.exe70⤵
-
\??\c:\pdvpp.exec:\pdvpp.exe71⤵
-
\??\c:\ddppd.exec:\ddppd.exe72⤵
-
\??\c:\7lrllxx.exec:\7lrllxx.exe73⤵
-
\??\c:\hbbntt.exec:\hbbntt.exe74⤵
-
\??\c:\pjddv.exec:\pjddv.exe75⤵
-
\??\c:\5ppjj.exec:\5ppjj.exe76⤵
-
\??\c:\5llxrrl.exec:\5llxrrl.exe77⤵
-
\??\c:\xxxffrl.exec:\xxxffrl.exe78⤵
-
\??\c:\ntbnhb.exec:\ntbnhb.exe79⤵
-
\??\c:\jjvvv.exec:\jjvvv.exe80⤵
-
\??\c:\djppj.exec:\djppj.exe81⤵
-
\??\c:\xfxlxrl.exec:\xfxlxrl.exe82⤵
-
\??\c:\hnbtnb.exec:\hnbtnb.exe83⤵
-
\??\c:\bbtnhh.exec:\bbtnhh.exe84⤵
-
\??\c:\dddvv.exec:\dddvv.exe85⤵
-
\??\c:\fxxxxxl.exec:\fxxxxxl.exe86⤵
-
\??\c:\fxxrrrl.exec:\fxxrrrl.exe87⤵
-
\??\c:\httnhh.exec:\httnhh.exe88⤵
-
\??\c:\3vjdv.exec:\3vjdv.exe89⤵
-
\??\c:\ffffrff.exec:\ffffrff.exe90⤵
-
\??\c:\llfxlfx.exec:\llfxlfx.exe91⤵
-
\??\c:\htnnnh.exec:\htnnnh.exe92⤵
-
\??\c:\vjddp.exec:\vjddp.exe93⤵
-
\??\c:\rllfrrl.exec:\rllfrrl.exe94⤵
-
\??\c:\xxlrfff.exec:\xxlrfff.exe95⤵
-
\??\c:\tnnnbb.exec:\tnnnbb.exe96⤵
-
\??\c:\ntbbnn.exec:\ntbbnn.exe97⤵
-
\??\c:\pdvpp.exec:\pdvpp.exe98⤵
-
\??\c:\rrxfrxr.exec:\rrxfrxr.exe99⤵
-
\??\c:\nhtbnn.exec:\nhtbnn.exe100⤵
-
\??\c:\nbbnnn.exec:\nbbnnn.exe101⤵
-
\??\c:\jjpdv.exec:\jjpdv.exe102⤵
-
\??\c:\7lfxrfl.exec:\7lfxrfl.exe103⤵
-
\??\c:\nbthhh.exec:\nbthhh.exe104⤵
-
\??\c:\bnthhh.exec:\bnthhh.exe105⤵
-
\??\c:\vvddd.exec:\vvddd.exe106⤵
-
\??\c:\3lrllfr.exec:\3lrllfr.exe107⤵
-
\??\c:\frrfxfx.exec:\frrfxfx.exe108⤵
-
\??\c:\tbbtnh.exec:\tbbtnh.exe109⤵
-
\??\c:\tnnhbb.exec:\tnnhbb.exe110⤵
-
\??\c:\1dvvj.exec:\1dvvj.exe111⤵
-
\??\c:\pvdvv.exec:\pvdvv.exe112⤵
-
\??\c:\rlfxlll.exec:\rlfxlll.exe113⤵
-
\??\c:\tthbtt.exec:\tthbtt.exe114⤵
-
\??\c:\hnntth.exec:\hnntth.exe115⤵
-
\??\c:\ddppd.exec:\ddppd.exe116⤵
-
\??\c:\7rrrllf.exec:\7rrrllf.exe117⤵
-
\??\c:\hnbnnb.exec:\hnbnnb.exe118⤵
-
\??\c:\3jjdv.exec:\3jjdv.exe119⤵
-
\??\c:\vvdjp.exec:\vvdjp.exe120⤵
-
\??\c:\xlffllr.exec:\xlffllr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-