Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
11/05/2024, 19:15
General
-
Target
1bf73a11bdc6e268066415c16dd34acb5ea828f54c8bf1f5ee33a82dd387efe2.exe
-
Size
493KB
-
MD5
aad50f7cc69adafb11e611169038d9bd
-
SHA1
4c38464cd5b8fa4ebcdd60693040b8d56ff0ab24
-
SHA256
1bf73a11bdc6e268066415c16dd34acb5ea828f54c8bf1f5ee33a82dd387efe2
-
SHA512
79e41db71d040835c6c9e83b02702fc1a4083dbb993b6a700a02ded4460ed767f9d450fd73a6af7ad95b2fd90e7968e1ee1903532220980b261d59dd0660fb01
-
SSDEEP
6144:n3C9BRo7MlrWKo+lS0Le4xRSAoq78yoyfx93svqTbWL5wEpOQ9DRRr:n3C9yMo+S0L9xRnoq7H9QYcmeN9Dj
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
UPX dump on OEP (original entry point) 29 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1bf73a11bdc6e268066415c16dd34acb5ea828f54c8bf1f5ee33a82dd387efe2.exe"C:\Users\Admin\AppData\Local\Temp\1bf73a11bdc6e268066415c16dd34acb5ea828f54c8bf1f5ee33a82dd387efe2.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rlflxfr.exec:\rlflxfr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thbnnb.exec:\thbnnb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxrlflr.exec:\rxrlflr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvvj.exec:\dvvvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1dppv.exec:\1dppv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffxlxxl.exec:\ffxlxxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3fflxfr.exec:\3fflxfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9tbtbb.exec:\9tbtbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpvjv.exec:\vpvjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tttbtn.exec:\tttbtn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjddp.exec:\vjddp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrlxllf.exec:\rrlxllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7lrxrlf.exec:\7lrxrlf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhhnbt.exec:\bhhnbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9fxxlrf.exec:\9fxxlrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3hbbnb.exec:\3hbbnb.exe17⤵
- Executes dropped EXE
-
\??\c:\lxffxrr.exec:\lxffxrr.exe18⤵
- Executes dropped EXE
-
\??\c:\djdvp.exec:\djdvp.exe19⤵
- Executes dropped EXE
-
\??\c:\rllrflf.exec:\rllrflf.exe20⤵
- Executes dropped EXE
-
\??\c:\ttbbnh.exec:\ttbbnh.exe21⤵
- Executes dropped EXE
-
\??\c:\xflxrff.exec:\xflxrff.exe22⤵
- Executes dropped EXE
-
\??\c:\lfxxxff.exec:\lfxxxff.exe23⤵
- Executes dropped EXE
-
\??\c:\ppdjj.exec:\ppdjj.exe24⤵
- Executes dropped EXE
-
\??\c:\1dvdp.exec:\1dvdp.exe25⤵
- Executes dropped EXE
-
\??\c:\hbttbh.exec:\hbttbh.exe26⤵
- Executes dropped EXE
-
\??\c:\vpdpd.exec:\vpdpd.exe27⤵
- Executes dropped EXE
-
\??\c:\5hhnbh.exec:\5hhnbh.exe28⤵
- Executes dropped EXE
-
\??\c:\xlflffr.exec:\xlflffr.exe29⤵
- Executes dropped EXE
-
\??\c:\hhbntn.exec:\hhbntn.exe30⤵
- Executes dropped EXE
-
\??\c:\lffxflx.exec:\lffxflx.exe31⤵
- Executes dropped EXE
-
\??\c:\vvpvp.exec:\vvpvp.exe32⤵
- Executes dropped EXE
-
\??\c:\llflxfl.exec:\llflxfl.exe33⤵
- Executes dropped EXE
-
\??\c:\djvpd.exec:\djvpd.exe34⤵
- Executes dropped EXE
-
\??\c:\xxxlxrr.exec:\xxxlxrr.exe35⤵
- Executes dropped EXE
-
\??\c:\btnnth.exec:\btnnth.exe36⤵
- Executes dropped EXE
-
\??\c:\ddpvp.exec:\ddpvp.exe37⤵
- Executes dropped EXE
-
\??\c:\rrlfrrl.exec:\rrlfrrl.exe38⤵
- Executes dropped EXE
-
\??\c:\nhhhth.exec:\nhhhth.exe39⤵
- Executes dropped EXE
-
\??\c:\tnbtnt.exec:\tnbtnt.exe40⤵
- Executes dropped EXE
-
\??\c:\pjddd.exec:\pjddd.exe41⤵
- Executes dropped EXE
-
\??\c:\rllflrl.exec:\rllflrl.exe42⤵
- Executes dropped EXE
-
\??\c:\hhhnbn.exec:\hhhnbn.exe43⤵
- Executes dropped EXE
-
\??\c:\dvpvj.exec:\dvpvj.exe44⤵
- Executes dropped EXE
-
\??\c:\3jpvd.exec:\3jpvd.exe45⤵
- Executes dropped EXE
-
\??\c:\lfxfxxl.exec:\lfxfxxl.exe46⤵
- Executes dropped EXE
-
\??\c:\tnbbnb.exec:\tnbbnb.exe47⤵
- Executes dropped EXE
-
\??\c:\jdvdj.exec:\jdvdj.exe48⤵
- Executes dropped EXE
-
\??\c:\xrrfrxl.exec:\xrrfrxl.exe49⤵
- Executes dropped EXE
-
\??\c:\bbthtt.exec:\bbthtt.exe50⤵
- Executes dropped EXE
-
\??\c:\vvpdp.exec:\vvpdp.exe51⤵
- Executes dropped EXE
-
\??\c:\ddvjp.exec:\ddvjp.exe52⤵
- Executes dropped EXE
-
\??\c:\rxrxrfr.exec:\rxrxrfr.exe53⤵
- Executes dropped EXE
-
\??\c:\tnnnbb.exec:\tnnnbb.exe54⤵
- Executes dropped EXE
-
\??\c:\pppdv.exec:\pppdv.exe55⤵
- Executes dropped EXE
-
\??\c:\rfxlrxf.exec:\rfxlrxf.exe56⤵
- Executes dropped EXE
-
\??\c:\ffxfllx.exec:\ffxfllx.exe57⤵
- Executes dropped EXE
-
\??\c:\1thhbb.exec:\1thhbb.exe58⤵
- Executes dropped EXE
-
\??\c:\jjjpj.exec:\jjjpj.exe59⤵
- Executes dropped EXE
-
\??\c:\xxrflrl.exec:\xxrflrl.exe60⤵
- Executes dropped EXE
-
\??\c:\btnthh.exec:\btnthh.exe61⤵
- Executes dropped EXE
-
\??\c:\jpdpv.exec:\jpdpv.exe62⤵
- Executes dropped EXE
-
\??\c:\5lfflrr.exec:\5lfflrr.exe63⤵
- Executes dropped EXE
-
\??\c:\xxxfxlf.exec:\xxxfxlf.exe64⤵
- Executes dropped EXE
-
\??\c:\bhbhbb.exec:\bhbhbb.exe65⤵
- Executes dropped EXE
-
\??\c:\jpjdj.exec:\jpjdj.exe66⤵
-
\??\c:\rxrxlrx.exec:\rxrxlrx.exe67⤵
-
\??\c:\xxxrrlf.exec:\xxxrrlf.exe68⤵
-
\??\c:\nbttbh.exec:\nbttbh.exe69⤵
-
\??\c:\ddpdv.exec:\ddpdv.exe70⤵
-
\??\c:\vvpdp.exec:\vvpdp.exe71⤵
-
\??\c:\5lxxfrx.exec:\5lxxfrx.exe72⤵
-
\??\c:\tbnthn.exec:\tbnthn.exe73⤵
-
\??\c:\jdvdj.exec:\jdvdj.exe74⤵
-
\??\c:\pjppd.exec:\pjppd.exe75⤵
-
\??\c:\3rfxflx.exec:\3rfxflx.exe76⤵
-
\??\c:\thbnhh.exec:\thbnhh.exe77⤵
-
\??\c:\djdjv.exec:\djdjv.exe78⤵
-
\??\c:\lfxfxxr.exec:\lfxfxxr.exe79⤵
-
\??\c:\xrlrrfl.exec:\xrlrrfl.exe80⤵
-
\??\c:\hhhtnb.exec:\hhhtnb.exe81⤵
-
\??\c:\pjjpd.exec:\pjjpd.exe82⤵
-
\??\c:\fxfrrrr.exec:\fxfrrrr.exe83⤵
-
\??\c:\3nnbnb.exec:\3nnbnb.exe84⤵
-
\??\c:\pjvdj.exec:\pjvdj.exe85⤵
-
\??\c:\pddjv.exec:\pddjv.exe86⤵
-
\??\c:\lxllxxl.exec:\lxllxxl.exe87⤵
-
\??\c:\tnntht.exec:\tnntht.exe88⤵
-
\??\c:\1vpvj.exec:\1vpvj.exe89⤵
-
\??\c:\pjdjv.exec:\pjdjv.exe90⤵
-
\??\c:\rrrxfxl.exec:\rrrxfxl.exe91⤵
-
\??\c:\hnntnn.exec:\hnntnn.exe92⤵
-
\??\c:\1bbnbn.exec:\1bbnbn.exe93⤵
-
\??\c:\vvpvp.exec:\vvpvp.exe94⤵
-
\??\c:\9lfxrrl.exec:\9lfxrrl.exe95⤵
-
\??\c:\5lffrfr.exec:\5lffrfr.exe96⤵
-
\??\c:\hbnntn.exec:\hbnntn.exe97⤵
-
\??\c:\5pvvj.exec:\5pvvj.exe98⤵
-
\??\c:\1lfflrx.exec:\1lfflrx.exe99⤵
-
\??\c:\bbttnb.exec:\bbttnb.exe100⤵
-
\??\c:\dvpvj.exec:\dvpvj.exe101⤵
-
\??\c:\ffffrxf.exec:\ffffrxf.exe102⤵
-
\??\c:\fllfxfr.exec:\fllfxfr.exe103⤵
-
\??\c:\ttnbtt.exec:\ttnbtt.exe104⤵
-
\??\c:\vdvvd.exec:\vdvvd.exe105⤵
-
\??\c:\3lxlrfx.exec:\3lxlrfx.exe106⤵
-
\??\c:\pvjvv.exec:\pvjvv.exe107⤵
-
\??\c:\pvvdv.exec:\pvvdv.exe108⤵
-
\??\c:\7lrxxfr.exec:\7lrxxfr.exe109⤵
-
\??\c:\nbnhhb.exec:\nbnhhb.exe110⤵
-
\??\c:\7jjvp.exec:\7jjvp.exe111⤵
-
\??\c:\7vpvj.exec:\7vpvj.exe112⤵
-
\??\c:\xflfrfr.exec:\xflfrfr.exe113⤵
-
\??\c:\3tbthn.exec:\3tbthn.exe114⤵
-
\??\c:\dddjj.exec:\dddjj.exe115⤵
-
\??\c:\3lrxrxr.exec:\3lrxrxr.exe116⤵
-
\??\c:\frxrlff.exec:\frxrlff.exe117⤵
-
\??\c:\nttnnn.exec:\nttnnn.exe118⤵
-
\??\c:\jdppj.exec:\jdppj.exe119⤵
-
\??\c:\lxrxllr.exec:\lxrxllr.exe120⤵
-
\??\c:\btnhtn.exec:\btnhtn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-