Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
15/05/2024, 21:30
General
-
Target
46870a3887dd1002b340881349ea90a6e9e0f8dd0d458556ca77b0e9a1d305ee.exe
-
Size
588KB
-
MD5
31d3337e04a0dc7526ad49127dbd1697
-
SHA1
162640a15b209628d839d46f8583278c10d18eef
-
SHA256
46870a3887dd1002b340881349ea90a6e9e0f8dd0d458556ca77b0e9a1d305ee
-
SHA512
f1f292d1b5bd517739c690e592351e1c5dd01a515c327f2add50550c9338d938fb95bdc5f832954e4bb77f2f5e23da1f173f0b3f321b39eab34a101e64188c74
-
SSDEEP
6144:n3C9BRIj+ebjcSbcY+CaQdaFOY4iGFYtRdzzoyYxJAyfgaj:n3C9Lebz+xt4vFeFmgaj
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 23 IoCs
-
UPX dump on OEP (original entry point) 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\46870a3887dd1002b340881349ea90a6e9e0f8dd0d458556ca77b0e9a1d305ee.exe"C:\Users\Admin\AppData\Local\Temp\46870a3887dd1002b340881349ea90a6e9e0f8dd0d458556ca77b0e9a1d305ee.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\242282.exec:\242282.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbtbhb.exec:\bbtbhb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhnnbb.exec:\hhnnbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0068088.exec:\0068088.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\64006.exec:\64006.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfllrfl.exec:\lfllrfl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\82006.exec:\82006.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthntt.exec:\bthntt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\080060.exec:\080060.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\808084.exec:\808084.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrrxxl.exec:\fxrrxxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tntbhh.exec:\tntbhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\428404.exec:\428404.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flrrlfx.exec:\flrrlfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0422884.exec:\0422884.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\60220.exec:\60220.exe17⤵
- Executes dropped EXE
-
\??\c:\ppddj.exec:\ppddj.exe18⤵
- Executes dropped EXE
-
\??\c:\ppddp.exec:\ppddp.exe19⤵
- Executes dropped EXE
-
\??\c:\4240284.exec:\4240284.exe20⤵
- Executes dropped EXE
-
\??\c:\206200.exec:\206200.exe21⤵
- Executes dropped EXE
-
\??\c:\46462.exec:\46462.exe22⤵
- Executes dropped EXE
-
\??\c:\4864208.exec:\4864208.exe23⤵
- Executes dropped EXE
-
\??\c:\1ppjj.exec:\1ppjj.exe24⤵
- Executes dropped EXE
-
\??\c:\0468404.exec:\0468404.exe25⤵
- Executes dropped EXE
-
\??\c:\dvjdj.exec:\dvjdj.exe26⤵
- Executes dropped EXE
-
\??\c:\hhnthh.exec:\hhnthh.exe27⤵
- Executes dropped EXE
-
\??\c:\886424.exec:\886424.exe28⤵
- Executes dropped EXE
-
\??\c:\208400.exec:\208400.exe29⤵
- Executes dropped EXE
-
\??\c:\5hnbhh.exec:\5hnbhh.exe30⤵
- Executes dropped EXE
-
\??\c:\8648484.exec:\8648484.exe31⤵
- Executes dropped EXE
-
\??\c:\vdjjv.exec:\vdjjv.exe32⤵
- Executes dropped EXE
-
\??\c:\ddvdj.exec:\ddvdj.exe33⤵
- Executes dropped EXE
-
\??\c:\6644662.exec:\6644662.exe34⤵
- Executes dropped EXE
-
\??\c:\bbhbhh.exec:\bbhbhh.exe35⤵
- Executes dropped EXE
-
\??\c:\ffxrxxx.exec:\ffxrxxx.exe36⤵
- Executes dropped EXE
-
\??\c:\64886.exec:\64886.exe37⤵
- Executes dropped EXE
-
\??\c:\64026.exec:\64026.exe38⤵
- Executes dropped EXE
-
\??\c:\dvjjv.exec:\dvjjv.exe39⤵
- Executes dropped EXE
-
\??\c:\nbnhnt.exec:\nbnhnt.exe40⤵
- Executes dropped EXE
-
\??\c:\08046.exec:\08046.exe41⤵
- Executes dropped EXE
-
\??\c:\82402.exec:\82402.exe42⤵
- Executes dropped EXE
-
\??\c:\9frrxxl.exec:\9frrxxl.exe43⤵
- Executes dropped EXE
-
\??\c:\rfrrxxf.exec:\rfrrxxf.exe44⤵
- Executes dropped EXE
-
\??\c:\u262402.exec:\u262402.exe45⤵
- Executes dropped EXE
-
\??\c:\086284.exec:\086284.exe46⤵
- Executes dropped EXE
-
\??\c:\i084006.exec:\i084006.exe47⤵
- Executes dropped EXE
-
\??\c:\ntnttt.exec:\ntnttt.exe48⤵
- Executes dropped EXE
-
\??\c:\pppvj.exec:\pppvj.exe49⤵
- Executes dropped EXE
-
\??\c:\20684.exec:\20684.exe50⤵
- Executes dropped EXE
-
\??\c:\pdpdd.exec:\pdpdd.exe51⤵
- Executes dropped EXE
-
\??\c:\046688.exec:\046688.exe52⤵
- Executes dropped EXE
-
\??\c:\jpvjd.exec:\jpvjd.exe53⤵
- Executes dropped EXE
-
\??\c:\llrxffr.exec:\llrxffr.exe54⤵
- Executes dropped EXE
-
\??\c:\frlrxll.exec:\frlrxll.exe55⤵
- Executes dropped EXE
-
\??\c:\rfxfrlr.exec:\rfxfrlr.exe56⤵
- Executes dropped EXE
-
\??\c:\64628.exec:\64628.exe57⤵
- Executes dropped EXE
-
\??\c:\466828.exec:\466828.exe58⤵
- Executes dropped EXE
-
\??\c:\3rlxxxf.exec:\3rlxxxf.exe59⤵
- Executes dropped EXE
-
\??\c:\8246844.exec:\8246844.exe60⤵
- Executes dropped EXE
-
\??\c:\ffllrrx.exec:\ffllrrx.exe61⤵
- Executes dropped EXE
-
\??\c:\ffrflll.exec:\ffrflll.exe62⤵
- Executes dropped EXE
-
\??\c:\04280.exec:\04280.exe63⤵
- Executes dropped EXE
-
\??\c:\ffflffr.exec:\ffflffr.exe64⤵
- Executes dropped EXE
-
\??\c:\404640.exec:\404640.exe65⤵
- Executes dropped EXE
-
\??\c:\448482.exec:\448482.exe66⤵
-
\??\c:\pjdvv.exec:\pjdvv.exe67⤵
-
\??\c:\nnhnbb.exec:\nnhnbb.exe68⤵
-
\??\c:\thtnnn.exec:\thtnnn.exe69⤵
-
\??\c:\hbnnhb.exec:\hbnnhb.exe70⤵
-
\??\c:\202284.exec:\202284.exe71⤵
-
\??\c:\s6406.exec:\s6406.exe72⤵
-
\??\c:\dpvvj.exec:\dpvvj.exe73⤵
-
\??\c:\2022884.exec:\2022884.exe74⤵
-
\??\c:\26880.exec:\26880.exe75⤵
-
\??\c:\pddjv.exec:\pddjv.exe76⤵
-
\??\c:\86406.exec:\86406.exe77⤵
-
\??\c:\628242.exec:\628242.exe78⤵
-
\??\c:\tnbntt.exec:\tnbntt.exe79⤵
-
\??\c:\ffrflxf.exec:\ffrflxf.exe80⤵
-
\??\c:\m8840.exec:\m8840.exe81⤵
-
\??\c:\3nbnbn.exec:\3nbnbn.exe82⤵
-
\??\c:\m0846.exec:\m0846.exe83⤵
-
\??\c:\lfflxfl.exec:\lfflxfl.exe84⤵
-
\??\c:\dvjjv.exec:\dvjjv.exe85⤵
-
\??\c:\7xlrxfr.exec:\7xlrxfr.exe86⤵
-
\??\c:\806246.exec:\806246.exe87⤵
-
\??\c:\3pdjp.exec:\3pdjp.exe88⤵
-
\??\c:\48006.exec:\48006.exe89⤵
-
\??\c:\5hbhnh.exec:\5hbhnh.exe90⤵
-
\??\c:\6642604.exec:\6642604.exe91⤵
-
\??\c:\62428.exec:\62428.exe92⤵
-
\??\c:\206862.exec:\206862.exe93⤵
-
\??\c:\xrrllxx.exec:\xrrllxx.exe94⤵
-
\??\c:\66062.exec:\66062.exe95⤵
-
\??\c:\6428006.exec:\6428006.exe96⤵
-
\??\c:\fxrxffl.exec:\fxrxffl.exe97⤵
-
\??\c:\204684.exec:\204684.exe98⤵
-
\??\c:\86228.exec:\86228.exe99⤵
-
\??\c:\02624.exec:\02624.exe100⤵
-
\??\c:\82684.exec:\82684.exe101⤵
-
\??\c:\86842.exec:\86842.exe102⤵
-
\??\c:\pvpdd.exec:\pvpdd.exe103⤵
-
\??\c:\xrfrxfl.exec:\xrfrxfl.exe104⤵
-
\??\c:\hnhtnh.exec:\hnhtnh.exe105⤵
-
\??\c:\60680.exec:\60680.exe106⤵
-
\??\c:\6266202.exec:\6266202.exe107⤵
-
\??\c:\482424.exec:\482424.exe108⤵
-
\??\c:\vdpdj.exec:\vdpdj.exe109⤵
-
\??\c:\08684.exec:\08684.exe110⤵
-
\??\c:\086248.exec:\086248.exe111⤵
-
\??\c:\646828.exec:\646828.exe112⤵
-
\??\c:\088428.exec:\088428.exe113⤵
-
\??\c:\8266424.exec:\8266424.exe114⤵
-
\??\c:\bnbbnn.exec:\bnbbnn.exe115⤵
-
\??\c:\o002408.exec:\o002408.exe116⤵
-
\??\c:\g8002.exec:\g8002.exe117⤵
-
\??\c:\646240.exec:\646240.exe118⤵
-
\??\c:\jdpdj.exec:\jdpdj.exe119⤵
-
\??\c:\u028024.exec:\u028024.exe120⤵
-
\??\c:\820662.exec:\820662.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-