Analysis
-
max time kernel
150s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
11-05-2024 19:15
General
-
Target
1bf73a11bdc6e268066415c16dd34acb5ea828f54c8bf1f5ee33a82dd387efe2.exe
-
Size
493KB
-
MD5
aad50f7cc69adafb11e611169038d9bd
-
SHA1
4c38464cd5b8fa4ebcdd60693040b8d56ff0ab24
-
SHA256
1bf73a11bdc6e268066415c16dd34acb5ea828f54c8bf1f5ee33a82dd387efe2
-
SHA512
79e41db71d040835c6c9e83b02702fc1a4083dbb993b6a700a02ded4460ed767f9d450fd73a6af7ad95b2fd90e7968e1ee1903532220980b261d59dd0660fb01
-
SSDEEP
6144:n3C9BRo7MlrWKo+lS0Le4xRSAoq78yoyfx93svqTbWL5wEpOQ9DRRr:n3C9yMo+S0L9xRnoq7H9QYcmeN9Dj
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 28 IoCs
-
UPX dump on OEP (original entry point) 30 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1bf73a11bdc6e268066415c16dd34acb5ea828f54c8bf1f5ee33a82dd387efe2.exe"C:\Users\Admin\AppData\Local\Temp\1bf73a11bdc6e268066415c16dd34acb5ea828f54c8bf1f5ee33a82dd387efe2.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\1btttb.exec:\1btttb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhnnnt.exec:\nhnnnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvdvv.exec:\vvdvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxxxff.exec:\xrxxxff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpddd.exec:\dpddd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpjvp.exec:\dpjvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhnttt.exec:\hhnttt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llfffff.exec:\llfffff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnnnhn.exec:\nnnnhn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1rxxxff.exec:\1rxxxff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffrrrxr.exec:\ffrrrxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdddd.exec:\jdddd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5lrrflf.exec:\5lrrflf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhnnnt.exec:\hhnnnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvjdd.exec:\jvjdd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrrrlff.exec:\rrrrlff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjjj.exec:\jjjjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frrrlff.exec:\frrrlff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppvpv.exec:\ppvpv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3rrrflx.exec:\3rrrflx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flxflrx.exec:\flxflrx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1htbbh.exec:\1htbbh.exe23⤵
- Executes dropped EXE
-
\??\c:\vvddv.exec:\vvddv.exe24⤵
- Executes dropped EXE
-
\??\c:\fxfxxxr.exec:\fxfxxxr.exe25⤵
- Executes dropped EXE
-
\??\c:\ddjjp.exec:\ddjjp.exe26⤵
- Executes dropped EXE
-
\??\c:\lrxxxff.exec:\lrxxxff.exe27⤵
- Executes dropped EXE
-
\??\c:\pppvp.exec:\pppvp.exe28⤵
- Executes dropped EXE
-
\??\c:\tnhbbh.exec:\tnhbbh.exe29⤵
- Executes dropped EXE
-
\??\c:\7fxxrrl.exec:\7fxxrrl.exe30⤵
- Executes dropped EXE
-
\??\c:\1lrlllx.exec:\1lrlllx.exe31⤵
- Executes dropped EXE
-
\??\c:\nbnntt.exec:\nbnntt.exe32⤵
- Executes dropped EXE
-
\??\c:\xlfxllf.exec:\xlfxllf.exe33⤵
- Executes dropped EXE
-
\??\c:\9ddvp.exec:\9ddvp.exe34⤵
- Executes dropped EXE
-
\??\c:\rxlfxlf.exec:\rxlfxlf.exe35⤵
- Executes dropped EXE
-
\??\c:\bnbtnn.exec:\bnbtnn.exe36⤵
- Executes dropped EXE
-
\??\c:\vjddv.exec:\vjddv.exe37⤵
- Executes dropped EXE
-
\??\c:\xxlffff.exec:\xxlffff.exe38⤵
- Executes dropped EXE
-
\??\c:\ntbtnn.exec:\ntbtnn.exe39⤵
- Executes dropped EXE
-
\??\c:\dvddd.exec:\dvddd.exe40⤵
- Executes dropped EXE
-
\??\c:\rfxfrrr.exec:\rfxfrrr.exe41⤵
- Executes dropped EXE
-
\??\c:\fxxxfrf.exec:\fxxxfrf.exe42⤵
- Executes dropped EXE
-
\??\c:\1djjp.exec:\1djjp.exe43⤵
- Executes dropped EXE
-
\??\c:\rflfxrf.exec:\rflfxrf.exe44⤵
- Executes dropped EXE
-
\??\c:\5tbnnb.exec:\5tbnnb.exe45⤵
- Executes dropped EXE
-
\??\c:\ppjdj.exec:\ppjdj.exe46⤵
- Executes dropped EXE
-
\??\c:\frfxflf.exec:\frfxflf.exe47⤵
- Executes dropped EXE
-
\??\c:\9thbnh.exec:\9thbnh.exe48⤵
- Executes dropped EXE
-
\??\c:\djpvv.exec:\djpvv.exe49⤵
- Executes dropped EXE
-
\??\c:\frfxxfx.exec:\frfxxfx.exe50⤵
- Executes dropped EXE
-
\??\c:\btbnbt.exec:\btbnbt.exe51⤵
- Executes dropped EXE
-
\??\c:\3vvdj.exec:\3vvdj.exe52⤵
- Executes dropped EXE
-
\??\c:\xxxrlll.exec:\xxxrlll.exe53⤵
- Executes dropped EXE
-
\??\c:\fffffff.exec:\fffffff.exe54⤵
- Executes dropped EXE
-
\??\c:\bbbbbh.exec:\bbbbbh.exe55⤵
- Executes dropped EXE
-
\??\c:\lflllrr.exec:\lflllrr.exe56⤵
- Executes dropped EXE
-
\??\c:\vpddd.exec:\vpddd.exe57⤵
- Executes dropped EXE
-
\??\c:\lxlfffl.exec:\lxlfffl.exe58⤵
- Executes dropped EXE
-
\??\c:\httnhb.exec:\httnhb.exe59⤵
- Executes dropped EXE
-
\??\c:\dvpdv.exec:\dvpdv.exe60⤵
- Executes dropped EXE
-
\??\c:\9xxxxff.exec:\9xxxxff.exe61⤵
- Executes dropped EXE
-
\??\c:\llffflr.exec:\llffflr.exe62⤵
- Executes dropped EXE
-
\??\c:\bthbbb.exec:\bthbbb.exe63⤵
- Executes dropped EXE
-
\??\c:\pjppp.exec:\pjppp.exe64⤵
- Executes dropped EXE
-
\??\c:\5llllrr.exec:\5llllrr.exe65⤵
- Executes dropped EXE
-
\??\c:\nbhnnt.exec:\nbhnnt.exe66⤵
-
\??\c:\9hhhhh.exec:\9hhhhh.exe67⤵
-
\??\c:\pjpvv.exec:\pjpvv.exe68⤵
-
\??\c:\xrxxrxf.exec:\xrxxrxf.exe69⤵
-
\??\c:\nnnnbb.exec:\nnnnbb.exe70⤵
-
\??\c:\5hnnnt.exec:\5hnnnt.exe71⤵
-
\??\c:\3vdpd.exec:\3vdpd.exe72⤵
-
\??\c:\rrfllfr.exec:\rrfllfr.exe73⤵
-
\??\c:\bhthbt.exec:\bhthbt.exe74⤵
-
\??\c:\nttttt.exec:\nttttt.exe75⤵
-
\??\c:\5pvdd.exec:\5pvdd.exe76⤵
-
\??\c:\fxlrxff.exec:\fxlrxff.exe77⤵
-
\??\c:\hhbttt.exec:\hhbttt.exe78⤵
-
\??\c:\5bhhht.exec:\5bhhht.exe79⤵
-
\??\c:\vpjdd.exec:\vpjdd.exe80⤵
-
\??\c:\xrxffrr.exec:\xrxffrr.exe81⤵
-
\??\c:\rrxffll.exec:\rrxffll.exe82⤵
-
\??\c:\nbhhhn.exec:\nbhhhn.exe83⤵
-
\??\c:\jdjjv.exec:\jdjjv.exe84⤵
-
\??\c:\rrfxxxx.exec:\rrfxxxx.exe85⤵
-
\??\c:\nhhbbh.exec:\nhhbbh.exe86⤵
-
\??\c:\hhnhbb.exec:\hhnhbb.exe87⤵
-
\??\c:\jjdjv.exec:\jjdjv.exe88⤵
-
\??\c:\rlfflfx.exec:\rlfflfx.exe89⤵
-
\??\c:\hhnbbn.exec:\hhnbbn.exe90⤵
-
\??\c:\ddddj.exec:\ddddj.exe91⤵
-
\??\c:\vppvv.exec:\vppvv.exe92⤵
-
\??\c:\xrxrrrr.exec:\xrxrrrr.exe93⤵
-
\??\c:\7hnttt.exec:\7hnttt.exe94⤵
-
\??\c:\vpdvd.exec:\vpdvd.exe95⤵
-
\??\c:\ppvvj.exec:\ppvvj.exe96⤵
-
\??\c:\1rfxxff.exec:\1rfxxff.exe97⤵
-
\??\c:\bnnnhn.exec:\bnnnhn.exe98⤵
-
\??\c:\vjvjv.exec:\vjvjv.exe99⤵
-
\??\c:\jdjdd.exec:\jdjdd.exe100⤵
-
\??\c:\lrfffll.exec:\lrfffll.exe101⤵
-
\??\c:\tbhhbh.exec:\tbhhbh.exe102⤵
-
\??\c:\jdjdj.exec:\jdjdj.exe103⤵
-
\??\c:\1rffrxx.exec:\1rffrxx.exe104⤵
-
\??\c:\lrxfffl.exec:\lrxfffl.exe105⤵
-
\??\c:\bhhhbb.exec:\bhhhbb.exe106⤵
-
\??\c:\vddpj.exec:\vddpj.exe107⤵
-
\??\c:\xfrxlrf.exec:\xfrxlrf.exe108⤵
-
\??\c:\hhhbbb.exec:\hhhbbb.exe109⤵
-
\??\c:\dvdjd.exec:\dvdjd.exe110⤵
-
\??\c:\rxlllfx.exec:\rxlllfx.exe111⤵
-
\??\c:\bbbnbt.exec:\bbbnbt.exe112⤵
-
\??\c:\pppvv.exec:\pppvv.exe113⤵
-
\??\c:\xrxxxff.exec:\xrxxxff.exe114⤵
-
\??\c:\rrlllrl.exec:\rrlllrl.exe115⤵
-
\??\c:\hbhbbh.exec:\hbhbbh.exe116⤵
-
\??\c:\7djvv.exec:\7djvv.exe117⤵
-
\??\c:\fflllrl.exec:\fflllrl.exe118⤵
-
\??\c:\ttbbbh.exec:\ttbbbh.exe119⤵
-
\??\c:\nntbbb.exec:\nntbbb.exe120⤵
-
\??\c:\1dvvp.exec:\1dvvp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-