Analysis
-
max time kernel
123s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
16-05-2024 02:45
General
-
Target
bbfbde3e0242c6da4dd0a6cf28fb9cd6f27f3bfb0f6fd911dc5857518f635009.exe
-
Size
200KB
-
MD5
be02f15548abb60acdf00e452073f11b
-
SHA1
80e42d7ee48bfa5a58f4e69bc5a0236e7bd6cff0
-
SHA256
bbfbde3e0242c6da4dd0a6cf28fb9cd6f27f3bfb0f6fd911dc5857518f635009
-
SHA512
e66c963d2ff8335ca3b74ececfa9338c540d364c48f62040d86caf7a7b3691a4a420e7149718b9c62c8e3354b7ff5fb7ed093e29959ccecb007d824a824645ee
-
SSDEEP
3072:ymb3NkkiQ3mdBjFIi/0RU6QeYQsm71vPmc51+GqekBJCvr6zJBUVv1T6:n3C9BRIG0asYFm71m8+GdkB9Cv1W
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
UPX dump on OEP (original entry point) 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bbfbde3e0242c6da4dd0a6cf28fb9cd6f27f3bfb0f6fd911dc5857518f635009.exe"C:\Users\Admin\AppData\Local\Temp\bbfbde3e0242c6da4dd0a6cf28fb9cd6f27f3bfb0f6fd911dc5857518f635009.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\810i6.exec:\810i6.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6fcr739.exec:\6fcr739.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\916c2.exec:\916c2.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\wfh616.exec:\wfh616.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2aj6k7.exec:\2aj6k7.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\iou3u.exec:\iou3u.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\q5m12.exec:\q5m12.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\35nop.exec:\35nop.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\iqvaic.exec:\iqvaic.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0p2wt.exec:\0p2wt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pthxl.exec:\pthxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\645h2.exec:\645h2.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\wood8.exec:\wood8.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\20va9j6.exec:\20va9j6.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5og38q.exec:\5og38q.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\u28x1a.exec:\u28x1a.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5p60gp3.exec:\5p60gp3.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3pxaapm.exec:\3pxaapm.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9lriahu.exec:\9lriahu.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\wuu833v.exec:\wuu833v.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxp183s.exec:\lxp183s.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\n1kb61.exec:\n1kb61.exe23⤵
- Executes dropped EXE
-
\??\c:\h08jk.exec:\h08jk.exe24⤵
- Executes dropped EXE
-
\??\c:\uo95vs.exec:\uo95vs.exe25⤵
- Executes dropped EXE
-
\??\c:\4bnuu48.exec:\4bnuu48.exe26⤵
- Executes dropped EXE
-
\??\c:\o8e09n.exec:\o8e09n.exe27⤵
- Executes dropped EXE
-
\??\c:\d3g9nf.exec:\d3g9nf.exe28⤵
- Executes dropped EXE
-
\??\c:\djh3w25.exec:\djh3w25.exe29⤵
- Executes dropped EXE
-
\??\c:\40ag09w.exec:\40ag09w.exe30⤵
- Executes dropped EXE
-
\??\c:\sweog.exec:\sweog.exe31⤵
- Executes dropped EXE
-
\??\c:\u6op9.exec:\u6op9.exe32⤵
- Executes dropped EXE
-
\??\c:\w3ciig.exec:\w3ciig.exe33⤵
- Executes dropped EXE
-
\??\c:\ho54a.exec:\ho54a.exe34⤵
- Executes dropped EXE
-
\??\c:\39695.exec:\39695.exe35⤵
- Executes dropped EXE
-
\??\c:\6fm31to.exec:\6fm31to.exe36⤵
- Executes dropped EXE
-
\??\c:\d5w5it8.exec:\d5w5it8.exe37⤵
- Executes dropped EXE
-
\??\c:\665l18.exec:\665l18.exe38⤵
- Executes dropped EXE
-
\??\c:\69cdde3.exec:\69cdde3.exe39⤵
- Executes dropped EXE
-
\??\c:\x5exm.exec:\x5exm.exe40⤵
- Executes dropped EXE
-
\??\c:\ogplc1.exec:\ogplc1.exe41⤵
- Executes dropped EXE
-
\??\c:\q31qn.exec:\q31qn.exe42⤵
- Executes dropped EXE
-
\??\c:\mjn51.exec:\mjn51.exe43⤵
- Executes dropped EXE
-
\??\c:\gc99x.exec:\gc99x.exe44⤵
- Executes dropped EXE
-
\??\c:\5q9116.exec:\5q9116.exe45⤵
- Executes dropped EXE
-
\??\c:\5iv55ss.exec:\5iv55ss.exe46⤵
- Executes dropped EXE
-
\??\c:\01pqv5t.exec:\01pqv5t.exe47⤵
- Executes dropped EXE
-
\??\c:\8mj32s.exec:\8mj32s.exe48⤵
- Executes dropped EXE
-
\??\c:\81x5329.exec:\81x5329.exe49⤵
- Executes dropped EXE
-
\??\c:\43u2td.exec:\43u2td.exe50⤵
- Executes dropped EXE
-
\??\c:\xhlxdtp.exec:\xhlxdtp.exe51⤵
- Executes dropped EXE
-
\??\c:\62h96.exec:\62h96.exe52⤵
- Executes dropped EXE
-
\??\c:\9860s58.exec:\9860s58.exe53⤵
- Executes dropped EXE
-
\??\c:\deb7rgj.exec:\deb7rgj.exe54⤵
- Executes dropped EXE
-
\??\c:\i21j741.exec:\i21j741.exe55⤵
- Executes dropped EXE
-
\??\c:\p7sgg.exec:\p7sgg.exe56⤵
- Executes dropped EXE
-
\??\c:\6j6e188.exec:\6j6e188.exe57⤵
- Executes dropped EXE
-
\??\c:\x926cd.exec:\x926cd.exe58⤵
- Executes dropped EXE
-
\??\c:\5gjq8g.exec:\5gjq8g.exe59⤵
- Executes dropped EXE
-
\??\c:\x39i98.exec:\x39i98.exe60⤵
- Executes dropped EXE
-
\??\c:\wf35oiv.exec:\wf35oiv.exe61⤵
- Executes dropped EXE
-
\??\c:\eu1940.exec:\eu1940.exe62⤵
- Executes dropped EXE
-
\??\c:\k7071ls.exec:\k7071ls.exe63⤵
- Executes dropped EXE
-
\??\c:\s5w3t.exec:\s5w3t.exe64⤵
- Executes dropped EXE
-
\??\c:\3171r.exec:\3171r.exe65⤵
- Executes dropped EXE
-
\??\c:\3ga0us.exec:\3ga0us.exe66⤵
-
\??\c:\dm31l.exec:\dm31l.exe67⤵
-
\??\c:\7a8bbtl.exec:\7a8bbtl.exe68⤵
-
\??\c:\6u3m2.exec:\6u3m2.exe69⤵
-
\??\c:\u9c9v7h.exec:\u9c9v7h.exe70⤵
-
\??\c:\d6057.exec:\d6057.exe71⤵
-
\??\c:\tqo37d.exec:\tqo37d.exe72⤵
-
\??\c:\exid3.exec:\exid3.exe73⤵
-
\??\c:\1187t.exec:\1187t.exe74⤵
-
\??\c:\x14b0.exec:\x14b0.exe75⤵
-
\??\c:\3qx3a.exec:\3qx3a.exe76⤵
-
\??\c:\kq66dd0.exec:\kq66dd0.exe77⤵
-
\??\c:\l6f53aj.exec:\l6f53aj.exe78⤵
-
\??\c:\92gvq5.exec:\92gvq5.exe79⤵
-
\??\c:\1lic1t1.exec:\1lic1t1.exe80⤵
-
\??\c:\5ggek.exec:\5ggek.exe81⤵
-
\??\c:\9n6mvkm.exec:\9n6mvkm.exe82⤵
-
\??\c:\63q70io.exec:\63q70io.exe83⤵
-
\??\c:\83i7ss.exec:\83i7ss.exe84⤵
-
\??\c:\p9k3s1.exec:\p9k3s1.exe85⤵
-
\??\c:\t15ld.exec:\t15ld.exe86⤵
-
\??\c:\9j7i7g.exec:\9j7i7g.exe87⤵
-
\??\c:\h4x8117.exec:\h4x8117.exe88⤵
-
\??\c:\m4g7dd.exec:\m4g7dd.exe89⤵
-
\??\c:\7149b.exec:\7149b.exe90⤵
-
\??\c:\oq8sp.exec:\oq8sp.exe91⤵
-
\??\c:\2383b.exec:\2383b.exe92⤵
-
\??\c:\p86ep10.exec:\p86ep10.exe93⤵
-
\??\c:\61t5s6.exec:\61t5s6.exe94⤵
-
\??\c:\j12lx.exec:\j12lx.exe95⤵
-
\??\c:\drthj.exec:\drthj.exe96⤵
-
\??\c:\ii8020.exec:\ii8020.exe97⤵
-
\??\c:\wx5d178.exec:\wx5d178.exe98⤵
-
\??\c:\i32h15.exec:\i32h15.exe99⤵
-
\??\c:\quo9h.exec:\quo9h.exe100⤵
-
\??\c:\d25x3.exec:\d25x3.exe101⤵
-
\??\c:\2s41k0.exec:\2s41k0.exe102⤵
-
\??\c:\u15t7.exec:\u15t7.exe103⤵
-
\??\c:\nqn6q.exec:\nqn6q.exe104⤵
-
\??\c:\1pj0858.exec:\1pj0858.exe105⤵
-
\??\c:\478wcv6.exec:\478wcv6.exe106⤵
-
\??\c:\w4579g7.exec:\w4579g7.exe107⤵
-
\??\c:\i81u76e.exec:\i81u76e.exe108⤵
-
\??\c:\t7d1t9.exec:\t7d1t9.exe109⤵
-
\??\c:\f5kcic3.exec:\f5kcic3.exe110⤵
-
\??\c:\1ar3r7p.exec:\1ar3r7p.exe111⤵
-
\??\c:\lr84h.exec:\lr84h.exe112⤵
-
\??\c:\hrabu.exec:\hrabu.exe113⤵
-
\??\c:\e7l28x.exec:\e7l28x.exe114⤵
-
\??\c:\82a6loc.exec:\82a6loc.exe115⤵
-
\??\c:\2n6um.exec:\2n6um.exe116⤵
-
\??\c:\am147.exec:\am147.exe117⤵
-
\??\c:\5m2tcae.exec:\5m2tcae.exe118⤵
-
\??\c:\8c1fg.exec:\8c1fg.exe119⤵
-
\??\c:\65uf7dh.exec:\65uf7dh.exe120⤵
-
\??\c:\4eot64.exec:\4eot64.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-