Analysis
-
max time kernel
150s -
max time network
107s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
11-05-2024 05:53
General
-
Target
f1a77ba407e831d4eddb3854afcd86dea9e65723dac132f4e47bfc5a515b7baf.exe
-
Size
67KB
-
MD5
6cf632e36500a938f95688f72c819adf
-
SHA1
be33ef4afb4c3c383fd9e5e0cd2b0926d168800f
-
SHA256
f1a77ba407e831d4eddb3854afcd86dea9e65723dac132f4e47bfc5a515b7baf
-
SHA512
4706a62ef52b8ccc0e378f97ddc5cdb8cefb66f9029568e74059cba8e464ff84698e564dce42bf166df34e1901c8e99d0b4cbd6f5c6cb3e0f842f664c8e0c59b
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIJ/RWPqBjfjBL:ymb3NkkiQ3mdBjFIqsj9L
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 26 IoCs
-
UPX dump on OEP (original entry point) 33 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 33 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f1a77ba407e831d4eddb3854afcd86dea9e65723dac132f4e47bfc5a515b7baf.exe"C:\Users\Admin\AppData\Local\Temp\f1a77ba407e831d4eddb3854afcd86dea9e65723dac132f4e47bfc5a515b7baf.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxrllf.exec:\fxxrllf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7tbbtt.exec:\7tbbtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7nttbh.exec:\7nttbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjdd.exec:\ppjdd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3rrlffx.exec:\3rrlffx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9hhtnt.exec:\9hhtnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbbnn.exec:\btbbnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjddd.exec:\pjddd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffrrxxr.exec:\ffrrxxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlfffrr.exec:\rlfffrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3hhhhn.exec:\3hhhhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjjd.exec:\jdjjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djvpj.exec:\djvpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3llfrrr.exec:\3llfrrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9ttbtt.exec:\9ttbtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpvvd.exec:\dpvvd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djvpp.exec:\djvpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7fxxrrl.exec:\7fxxrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhhbtt.exec:\nhhbtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnhbb.exec:\btnhbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpdjd.exec:\vpdjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxxlrrr.exec:\xxxlrrr.exe23⤵
- Executes dropped EXE
-
\??\c:\tthtnb.exec:\tthtnb.exe24⤵
- Executes dropped EXE
-
\??\c:\bntnnn.exec:\bntnnn.exe25⤵
- Executes dropped EXE
-
\??\c:\pjvvv.exec:\pjvvv.exe26⤵
- Executes dropped EXE
-
\??\c:\rrlxlxr.exec:\rrlxlxr.exe27⤵
- Executes dropped EXE
-
\??\c:\xxxxflr.exec:\xxxxflr.exe28⤵
- Executes dropped EXE
-
\??\c:\9hhthh.exec:\9hhthh.exe29⤵
- Executes dropped EXE
-
\??\c:\1dvjv.exec:\1dvjv.exe30⤵
- Executes dropped EXE
-
\??\c:\rfrrfff.exec:\rfrrfff.exe31⤵
- Executes dropped EXE
-
\??\c:\7xxrfxr.exec:\7xxrfxr.exe32⤵
- Executes dropped EXE
-
\??\c:\htnnhh.exec:\htnnhh.exe33⤵
- Executes dropped EXE
-
\??\c:\tnnbnh.exec:\tnnbnh.exe34⤵
- Executes dropped EXE
-
\??\c:\vjjdv.exec:\vjjdv.exe35⤵
- Executes dropped EXE
-
\??\c:\xllfrlf.exec:\xllfrlf.exe36⤵
- Executes dropped EXE
-
\??\c:\rxxrxrx.exec:\rxxrxrx.exe37⤵
- Executes dropped EXE
-
\??\c:\htnbnh.exec:\htnbnh.exe38⤵
- Executes dropped EXE
-
\??\c:\btnbnt.exec:\btnbnt.exe39⤵
-
\??\c:\dddpd.exec:\dddpd.exe40⤵
- Executes dropped EXE
-
\??\c:\jdjvv.exec:\jdjvv.exe41⤵
- Executes dropped EXE
-
\??\c:\3lrlrlx.exec:\3lrlrlx.exe42⤵
- Executes dropped EXE
-
\??\c:\xrlxrrl.exec:\xrlxrrl.exe43⤵
- Executes dropped EXE
-
\??\c:\nbnbnh.exec:\nbnbnh.exe44⤵
- Executes dropped EXE
-
\??\c:\vjjdd.exec:\vjjdd.exe45⤵
- Executes dropped EXE
-
\??\c:\pdpjj.exec:\pdpjj.exe46⤵
- Executes dropped EXE
-
\??\c:\frlfrrf.exec:\frlfrrf.exe47⤵
- Executes dropped EXE
-
\??\c:\1rxrlff.exec:\1rxrlff.exe48⤵
- Executes dropped EXE
-
\??\c:\hnnnbb.exec:\hnnnbb.exe49⤵
- Executes dropped EXE
-
\??\c:\nntnnh.exec:\nntnnh.exe50⤵
- Executes dropped EXE
-
\??\c:\rllfrfx.exec:\rllfrfx.exe51⤵
- Executes dropped EXE
-
\??\c:\xffxllf.exec:\xffxllf.exe52⤵
- Executes dropped EXE
-
\??\c:\nbbttt.exec:\nbbttt.exe53⤵
- Executes dropped EXE
-
\??\c:\vjjdv.exec:\vjjdv.exe54⤵
- Executes dropped EXE
-
\??\c:\7vppj.exec:\7vppj.exe55⤵
- Executes dropped EXE
-
\??\c:\frfxrxx.exec:\frfxrxx.exe56⤵
- Executes dropped EXE
-
\??\c:\xfrfxrl.exec:\xfrfxrl.exe57⤵
- Executes dropped EXE
-
\??\c:\1btnbb.exec:\1btnbb.exe58⤵
- Executes dropped EXE
-
\??\c:\bttnhh.exec:\bttnhh.exe59⤵
- Executes dropped EXE
-
\??\c:\jvvdd.exec:\jvvdd.exe60⤵
- Executes dropped EXE
-
\??\c:\1xfxxxf.exec:\1xfxxxf.exe61⤵
- Executes dropped EXE
-
\??\c:\llfrlxx.exec:\llfrlxx.exe62⤵
- Executes dropped EXE
-
\??\c:\hnnhhb.exec:\hnnhhb.exe63⤵
- Executes dropped EXE
-
\??\c:\vjvvp.exec:\vjvvp.exe64⤵
- Executes dropped EXE
-
\??\c:\jvppv.exec:\jvppv.exe65⤵
- Executes dropped EXE
-
\??\c:\fxllfff.exec:\fxllfff.exe66⤵
- Executes dropped EXE
-
\??\c:\nhbbbb.exec:\nhbbbb.exe67⤵
-
\??\c:\bhntbn.exec:\bhntbn.exe68⤵
-
\??\c:\vddvp.exec:\vddvp.exe69⤵
-
\??\c:\pvjvp.exec:\pvjvp.exe70⤵
-
\??\c:\1xxrfff.exec:\1xxrfff.exe71⤵
-
\??\c:\flxxrrr.exec:\flxxrrr.exe72⤵
-
\??\c:\nhtttt.exec:\nhtttt.exe73⤵
-
\??\c:\5bbthn.exec:\5bbthn.exe74⤵
-
\??\c:\9vppj.exec:\9vppj.exe75⤵
-
\??\c:\pdddp.exec:\pdddp.exe76⤵
-
\??\c:\fxrxrrl.exec:\fxrxrrl.exe77⤵
-
\??\c:\7rlllff.exec:\7rlllff.exe78⤵
-
\??\c:\hbhbbb.exec:\hbhbbb.exe79⤵
-
\??\c:\hntnnh.exec:\hntnnh.exe80⤵
-
\??\c:\vppvd.exec:\vppvd.exe81⤵
-
\??\c:\dvvpj.exec:\dvvpj.exe82⤵
-
\??\c:\xxfxxrr.exec:\xxfxxrr.exe83⤵
-
\??\c:\xlffxxx.exec:\xlffxxx.exe84⤵
-
\??\c:\nbhhhh.exec:\nbhhhh.exe85⤵
-
\??\c:\hbbbtt.exec:\hbbbtt.exe86⤵
-
\??\c:\nnhbtt.exec:\nnhbtt.exe87⤵
-
\??\c:\ddjjp.exec:\ddjjp.exe88⤵
-
\??\c:\dvpvp.exec:\dvpvp.exe89⤵
-
\??\c:\xlrlrrr.exec:\xlrlrrr.exe90⤵
-
\??\c:\1bbtnh.exec:\1bbtnh.exe91⤵
-
\??\c:\vpjpj.exec:\vpjpj.exe92⤵
-
\??\c:\djpjj.exec:\djpjj.exe93⤵
-
\??\c:\xrxxxxx.exec:\xrxxxxx.exe94⤵
-
\??\c:\fxxrlll.exec:\fxxrlll.exe95⤵
-
\??\c:\bthbhh.exec:\bthbhh.exe96⤵
-
\??\c:\thtnbb.exec:\thtnbb.exe97⤵
-
\??\c:\5dvjd.exec:\5dvjd.exe98⤵
-
\??\c:\vppjj.exec:\vppjj.exe99⤵
-
\??\c:\fffxrrl.exec:\fffxrrl.exe100⤵
-
\??\c:\9lfrfxr.exec:\9lfrfxr.exe101⤵
-
\??\c:\nnnnnn.exec:\nnnnnn.exe102⤵
-
\??\c:\jvddv.exec:\jvddv.exe103⤵
-
\??\c:\1vvpj.exec:\1vvpj.exe104⤵
-
\??\c:\xllxrlf.exec:\xllxrlf.exe105⤵
-
\??\c:\xxxrllf.exec:\xxxrllf.exe106⤵
-
\??\c:\nhttnb.exec:\nhttnb.exe107⤵
-
\??\c:\nbtnbt.exec:\nbtnbt.exe108⤵
-
\??\c:\jjvpv.exec:\jjvpv.exe109⤵
-
\??\c:\rfllrrr.exec:\rfllrrr.exe110⤵
-
\??\c:\rfrllxx.exec:\rfrllxx.exe111⤵
-
\??\c:\nbhbth.exec:\nbhbth.exe112⤵
-
\??\c:\tnthnn.exec:\tnthnn.exe113⤵
-
\??\c:\ddpdd.exec:\ddpdd.exe114⤵
-
\??\c:\1lrlllf.exec:\1lrlllf.exe115⤵
-
\??\c:\7rxxxxx.exec:\7rxxxxx.exe116⤵
-
\??\c:\tthhtt.exec:\tthhtt.exe117⤵
-
\??\c:\dvdvp.exec:\dvdvp.exe118⤵
-
\??\c:\9pvpp.exec:\9pvpp.exe119⤵
-
\??\c:\rlflxlf.exec:\rlflxlf.exe120⤵
-
\??\c:\thbbhh.exec:\thbbhh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-