Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
12/05/2024, 03:47
General
-
Target
cfdc493b3ce740c729f168125c03650afb75ddfe4bc4c3164e8964a14f260ba3.exe
-
Size
233KB
-
MD5
10da159a1d4ef2242664e3510bd8952c
-
SHA1
5eeb2e33d27476affe5684e2d19566aaad2b958a
-
SHA256
cfdc493b3ce740c729f168125c03650afb75ddfe4bc4c3164e8964a14f260ba3
-
SHA512
d0509982f103b6abb85a183f6f3261a9ee7116aa0cfd8a12c6aa621e18c901d6ff0fcc23cc2b455c73f35eddd23aee47af41e26deda2eb5e0012a2cb51f0c1b8
-
SSDEEP
6144:kcm4FmowdHoSSGpJw4PqhraHcpOmFTHDGYhEf5X2a90:y4wFHoSSGpJwGeeFmFTNAp2A0
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 36 IoCs
-
UPX dump on OEP (original entry point) 64 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cfdc493b3ce740c729f168125c03650afb75ddfe4bc4c3164e8964a14f260ba3.exe"C:\Users\Admin\AppData\Local\Temp\cfdc493b3ce740c729f168125c03650afb75ddfe4bc4c3164e8964a14f260ba3.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\nhntbb.exec:\nhntbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9bhntt.exec:\9bhntt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\46842.exec:\46842.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\480404.exec:\480404.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\240004.exec:\240004.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nthbtb.exec:\nthbtb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\48244.exec:\48244.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\084466.exec:\084466.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\640600.exec:\640600.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2628444.exec:\2628444.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnttt.exec:\hbnttt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7xfxfxf.exec:\7xfxfxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1xfflfl.exec:\1xfflfl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhhht.exec:\tnhhht.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvdp.exec:\pjvdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbhhh.exec:\htbhhh.exe17⤵
- Executes dropped EXE
-
\??\c:\4680222.exec:\4680222.exe18⤵
- Executes dropped EXE
-
\??\c:\hbnttb.exec:\hbnttb.exe19⤵
- Executes dropped EXE
-
\??\c:\xlfxxfl.exec:\xlfxxfl.exe20⤵
- Executes dropped EXE
-
\??\c:\3frrxrx.exec:\3frrxrx.exe21⤵
- Executes dropped EXE
-
\??\c:\86288.exec:\86288.exe22⤵
- Executes dropped EXE
-
\??\c:\86222.exec:\86222.exe23⤵
- Executes dropped EXE
-
\??\c:\k20444.exec:\k20444.exe24⤵
- Executes dropped EXE
-
\??\c:\5lfxfll.exec:\5lfxfll.exe25⤵
- Executes dropped EXE
-
\??\c:\42284.exec:\42284.exe26⤵
- Executes dropped EXE
-
\??\c:\1rlxlrl.exec:\1rlxlrl.exe27⤵
- Executes dropped EXE
-
\??\c:\llxlrxl.exec:\llxlrxl.exe28⤵
- Executes dropped EXE
-
\??\c:\1jjpv.exec:\1jjpv.exe29⤵
- Executes dropped EXE
-
\??\c:\806000.exec:\806000.exe30⤵
- Executes dropped EXE
-
\??\c:\88406.exec:\88406.exe31⤵
- Executes dropped EXE
-
\??\c:\bbhbnn.exec:\bbhbnn.exe32⤵
- Executes dropped EXE
-
\??\c:\4824624.exec:\4824624.exe33⤵
- Executes dropped EXE
-
\??\c:\nhnnhh.exec:\nhnnhh.exe34⤵
- Executes dropped EXE
-
\??\c:\u866800.exec:\u866800.exe35⤵
- Executes dropped EXE
-
\??\c:\pjvpj.exec:\pjvpj.exe36⤵
- Executes dropped EXE
-
\??\c:\9djdj.exec:\9djdj.exe37⤵
- Executes dropped EXE
-
\??\c:\ttnnbb.exec:\ttnnbb.exe38⤵
- Executes dropped EXE
-
\??\c:\g0406.exec:\g0406.exe39⤵
- Executes dropped EXE
-
\??\c:\djvjj.exec:\djvjj.exe40⤵
- Executes dropped EXE
-
\??\c:\3jdjd.exec:\3jdjd.exe41⤵
- Executes dropped EXE
-
\??\c:\1dvvd.exec:\1dvvd.exe42⤵
- Executes dropped EXE
-
\??\c:\llxlfxl.exec:\llxlfxl.exe43⤵
- Executes dropped EXE
-
\??\c:\rrlrlff.exec:\rrlrlff.exe44⤵
- Executes dropped EXE
-
\??\c:\u468406.exec:\u468406.exe45⤵
- Executes dropped EXE
-
\??\c:\64224.exec:\64224.exe46⤵
- Executes dropped EXE
-
\??\c:\xlxxffl.exec:\xlxxffl.exe47⤵
- Executes dropped EXE
-
\??\c:\jdppv.exec:\jdppv.exe48⤵
- Executes dropped EXE
-
\??\c:\5fxlxxf.exec:\5fxlxxf.exe49⤵
- Executes dropped EXE
-
\??\c:\pjpvj.exec:\pjpvj.exe50⤵
- Executes dropped EXE
-
\??\c:\7jdpv.exec:\7jdpv.exe51⤵
- Executes dropped EXE
-
\??\c:\240268.exec:\240268.exe52⤵
- Executes dropped EXE
-
\??\c:\6466880.exec:\6466880.exe53⤵
- Executes dropped EXE
-
\??\c:\044022.exec:\044022.exe54⤵
- Executes dropped EXE
-
\??\c:\26280.exec:\26280.exe55⤵
- Executes dropped EXE
-
\??\c:\206084.exec:\206084.exe56⤵
- Executes dropped EXE
-
\??\c:\pjdvj.exec:\pjdvj.exe57⤵
- Executes dropped EXE
-
\??\c:\rflffff.exec:\rflffff.exe58⤵
- Executes dropped EXE
-
\??\c:\8206406.exec:\8206406.exe59⤵
- Executes dropped EXE
-
\??\c:\e68244.exec:\e68244.exe60⤵
- Executes dropped EXE
-
\??\c:\m8062.exec:\m8062.exe61⤵
- Executes dropped EXE
-
\??\c:\44860.exec:\44860.exe62⤵
- Executes dropped EXE
-
\??\c:\jdppd.exec:\jdppd.exe63⤵
- Executes dropped EXE
-
\??\c:\httntn.exec:\httntn.exe64⤵
- Executes dropped EXE
-
\??\c:\a6262.exec:\a6262.exe65⤵
- Executes dropped EXE
-
\??\c:\3flrxrx.exec:\3flrxrx.exe66⤵
-
\??\c:\llxfrll.exec:\llxfrll.exe67⤵
-
\??\c:\frfxlrl.exec:\frfxlrl.exe68⤵
-
\??\c:\608868.exec:\608868.exe69⤵
-
\??\c:\bbnhtt.exec:\bbnhtt.exe70⤵
-
\??\c:\pdjpp.exec:\pdjpp.exe71⤵
-
\??\c:\200404.exec:\200404.exe72⤵
-
\??\c:\m4668.exec:\m4668.exe73⤵
-
\??\c:\w64422.exec:\w64422.exe74⤵
-
\??\c:\hbhhbh.exec:\hbhhbh.exe75⤵
-
\??\c:\8688484.exec:\8688484.exe76⤵
-
\??\c:\642240.exec:\642240.exe77⤵
-
\??\c:\600622.exec:\600622.exe78⤵
-
\??\c:\nbnhtn.exec:\nbnhtn.exe79⤵
-
\??\c:\fxffxxf.exec:\fxffxxf.exe80⤵
-
\??\c:\k64422.exec:\k64422.exe81⤵
-
\??\c:\xrllflr.exec:\xrllflr.exe82⤵
-
\??\c:\1xrfllr.exec:\1xrfllr.exe83⤵
-
\??\c:\864022.exec:\864022.exe84⤵
-
\??\c:\2028040.exec:\2028040.exe85⤵
-
\??\c:\xlxxrfr.exec:\xlxxrfr.exe86⤵
-
\??\c:\btbbhn.exec:\btbbhn.exe87⤵
-
\??\c:\bbtbbb.exec:\bbtbbb.exe88⤵
-
\??\c:\0406240.exec:\0406240.exe89⤵
-
\??\c:\nhbntb.exec:\nhbntb.exe90⤵
-
\??\c:\4202468.exec:\4202468.exe91⤵
-
\??\c:\ffrffxf.exec:\ffrffxf.exe92⤵
-
\??\c:\nhnnbt.exec:\nhnnbt.exe93⤵
-
\??\c:\062628.exec:\062628.exe94⤵
-
\??\c:\ttnttb.exec:\ttnttb.exe95⤵
-
\??\c:\vvjpv.exec:\vvjpv.exe96⤵
-
\??\c:\pjdvv.exec:\pjdvv.exe97⤵
-
\??\c:\w86684.exec:\w86684.exe98⤵
-
\??\c:\dvvpd.exec:\dvvpd.exe99⤵
-
\??\c:\5vppj.exec:\5vppj.exe100⤵
-
\??\c:\7jddv.exec:\7jddv.exe101⤵
-
\??\c:\a6484.exec:\a6484.exe102⤵
-
\??\c:\9btbbb.exec:\9btbbb.exe103⤵
-
\??\c:\7ttnnn.exec:\7ttnnn.exe104⤵
-
\??\c:\djvjd.exec:\djvjd.exe105⤵
-
\??\c:\002244.exec:\002244.exe106⤵
-
\??\c:\ntnnhh.exec:\ntnnhh.exe107⤵
-
\??\c:\a0842.exec:\a0842.exe108⤵
-
\??\c:\lxffrrf.exec:\lxffrrf.exe109⤵
-
\??\c:\042082.exec:\042082.exe110⤵
-
\??\c:\86802.exec:\86802.exe111⤵
-
\??\c:\8688440.exec:\8688440.exe112⤵
-
\??\c:\26062.exec:\26062.exe113⤵
-
\??\c:\042240.exec:\042240.exe114⤵
-
\??\c:\2688884.exec:\2688884.exe115⤵
-
\??\c:\6424284.exec:\6424284.exe116⤵
-
\??\c:\jdpvj.exec:\jdpvj.exe117⤵
-
\??\c:\0428442.exec:\0428442.exe118⤵
-
\??\c:\vpjjp.exec:\vpjjp.exe119⤵
-
\??\c:\bbnnbh.exec:\bbnnbh.exe120⤵
-
\??\c:\rrffrrf.exec:\rrffrrf.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-