Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
18-05-2024 23:22
General
-
Target
84189dca5daa68469f884dfd9c2ba9dbb98034d1d5c737c08b3f2d60cfe3592c.exe
-
Size
92KB
-
MD5
235acf7d09b335ada30bd8f01546afd6
-
SHA1
7f738d95a707701d3dd4119ff174b71d43b3b76a
-
SHA256
84189dca5daa68469f884dfd9c2ba9dbb98034d1d5c737c08b3f2d60cfe3592c
-
SHA512
e86183acbda350e5ef229f473e96d90bc164a3a1a568fd10a22e805b784423633da670938465e74f0abd9482af235ea5ea31fa8d6fcef8481dac221e8b676880
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDo73XH/YP1HFrJximAAxS1rj/214:ymb3NkkiQ3mdBjFo73PYP1lri3K8Gi
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 23 IoCs
-
UPX dump on OEP (original entry point) 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\84189dca5daa68469f884dfd9c2ba9dbb98034d1d5c737c08b3f2d60cfe3592c.exe"C:\Users\Admin\AppData\Local\Temp\84189dca5daa68469f884dfd9c2ba9dbb98034d1d5c737c08b3f2d60cfe3592c.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrxxxx.exec:\rfrxxxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3nhhhh.exec:\3nhhhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pppvv.exec:\pppvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3jjjv.exec:\3jjjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvdvp.exec:\pvdvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlrrlff.exec:\xlrrlff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppvpv.exec:\ppvpv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfxlxfl.exec:\xfxlxfl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhtntb.exec:\hhtntb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5rlrlxr.exec:\5rlrlxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9xffllf.exec:\9xffllf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhntnn.exec:\bhntnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djppj.exec:\djppj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btttnn.exec:\btttnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thnbtt.exec:\thnbtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdjjj.exec:\pdjjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rflllll.exec:\rflllll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbbtb.exec:\tnbbtb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpppp.exec:\vpppp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrfxfff.exec:\lrfxfff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhtntt.exec:\nhtntt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbttb.exec:\tnbttb.exe23⤵
- Executes dropped EXE
-
\??\c:\lrxrffr.exec:\lrxrffr.exe24⤵
- Executes dropped EXE
-
\??\c:\ffrxlrl.exec:\ffrxlrl.exe25⤵
- Executes dropped EXE
-
\??\c:\bnnbnt.exec:\bnnbnt.exe26⤵
- Executes dropped EXE
-
\??\c:\pjvpj.exec:\pjvpj.exe27⤵
- Executes dropped EXE
-
\??\c:\rlrrlll.exec:\rlrrlll.exe28⤵
- Executes dropped EXE
-
\??\c:\tbhhnt.exec:\tbhhnt.exe29⤵
- Executes dropped EXE
-
\??\c:\5vjdp.exec:\5vjdp.exe30⤵
- Executes dropped EXE
-
\??\c:\rrxxxxx.exec:\rrxxxxx.exe31⤵
- Executes dropped EXE
-
\??\c:\ffrlflf.exec:\ffrlflf.exe32⤵
- Executes dropped EXE
-
\??\c:\pjjpp.exec:\pjjpp.exe33⤵
- Executes dropped EXE
-
\??\c:\jjppj.exec:\jjppj.exe34⤵
- Executes dropped EXE
-
\??\c:\rlfffff.exec:\rlfffff.exe35⤵
- Executes dropped EXE
-
\??\c:\nhhhbn.exec:\nhhhbn.exe36⤵
- Executes dropped EXE
-
\??\c:\nhtnbb.exec:\nhtnbb.exe37⤵
- Executes dropped EXE
-
\??\c:\jjdvv.exec:\jjdvv.exe38⤵
- Executes dropped EXE
-
\??\c:\ppvpj.exec:\ppvpj.exe39⤵
- Executes dropped EXE
-
\??\c:\rxffxxx.exec:\rxffxxx.exe40⤵
- Executes dropped EXE
-
\??\c:\ffrrxxx.exec:\ffrrxxx.exe41⤵
- Executes dropped EXE
-
\??\c:\hbbbtt.exec:\hbbbtt.exe42⤵
- Executes dropped EXE
-
\??\c:\ppdjj.exec:\ppdjj.exe43⤵
- Executes dropped EXE
-
\??\c:\7vvdp.exec:\7vvdp.exe44⤵
- Executes dropped EXE
-
\??\c:\frxxxff.exec:\frxxxff.exe45⤵
- Executes dropped EXE
-
\??\c:\hhbbbt.exec:\hhbbbt.exe46⤵
- Executes dropped EXE
-
\??\c:\dpdvp.exec:\dpdvp.exe47⤵
- Executes dropped EXE
-
\??\c:\dvddd.exec:\dvddd.exe48⤵
- Executes dropped EXE
-
\??\c:\rrffxxx.exec:\rrffxxx.exe49⤵
- Executes dropped EXE
-
\??\c:\tbtnnh.exec:\tbtnnh.exe50⤵
- Executes dropped EXE
-
\??\c:\bthbbb.exec:\bthbbb.exe51⤵
- Executes dropped EXE
-
\??\c:\vpvvv.exec:\vpvvv.exe52⤵
- Executes dropped EXE
-
\??\c:\rrxxrrx.exec:\rrxxrrx.exe53⤵
- Executes dropped EXE
-
\??\c:\hhbbbh.exec:\hhbbbh.exe54⤵
- Executes dropped EXE
-
\??\c:\djvjv.exec:\djvjv.exe55⤵
- Executes dropped EXE
-
\??\c:\jpppv.exec:\jpppv.exe56⤵
- Executes dropped EXE
-
\??\c:\7frrrxf.exec:\7frrrxf.exe57⤵
- Executes dropped EXE
-
\??\c:\3bhhhn.exec:\3bhhhn.exe58⤵
- Executes dropped EXE
-
\??\c:\3jvjp.exec:\3jvjp.exe59⤵
- Executes dropped EXE
-
\??\c:\fflfxxx.exec:\fflfxxx.exe60⤵
- Executes dropped EXE
-
\??\c:\hhbbbb.exec:\hhbbbb.exe61⤵
- Executes dropped EXE
-
\??\c:\vpppj.exec:\vpppj.exe62⤵
- Executes dropped EXE
-
\??\c:\jpjjd.exec:\jpjjd.exe63⤵
- Executes dropped EXE
-
\??\c:\xflxllf.exec:\xflxllf.exe64⤵
- Executes dropped EXE
-
\??\c:\httbbh.exec:\httbbh.exe65⤵
- Executes dropped EXE
-
\??\c:\ppvvv.exec:\ppvvv.exe66⤵
-
\??\c:\rxfxrlx.exec:\rxfxrlx.exe67⤵
-
\??\c:\httbht.exec:\httbht.exe68⤵
-
\??\c:\3tthhh.exec:\3tthhh.exe69⤵
-
\??\c:\9pvpd.exec:\9pvpd.exe70⤵
-
\??\c:\ppppj.exec:\ppppj.exe71⤵
-
\??\c:\rxrlfff.exec:\rxrlfff.exe72⤵
-
\??\c:\nhhnhh.exec:\nhhnhh.exe73⤵
-
\??\c:\thhbbt.exec:\thhbbt.exe74⤵
-
\??\c:\7dpjp.exec:\7dpjp.exe75⤵
-
\??\c:\jjvvv.exec:\jjvvv.exe76⤵
-
\??\c:\rlfrrff.exec:\rlfrrff.exe77⤵
-
\??\c:\nhntbh.exec:\nhntbh.exe78⤵
-
\??\c:\dvvvp.exec:\dvvvp.exe79⤵
-
\??\c:\9pvvp.exec:\9pvvp.exe80⤵
-
\??\c:\frfllfr.exec:\frfllfr.exe81⤵
-
\??\c:\flffxxx.exec:\flffxxx.exe82⤵
-
\??\c:\nttnbb.exec:\nttnbb.exe83⤵
-
\??\c:\tnnbbb.exec:\tnnbbb.exe84⤵
-
\??\c:\dvppp.exec:\dvppp.exe85⤵
-
\??\c:\flrrrxf.exec:\flrrrxf.exe86⤵
-
\??\c:\9pjdv.exec:\9pjdv.exe87⤵
-
\??\c:\vvjpj.exec:\vvjpj.exe88⤵
-
\??\c:\xlfrrfr.exec:\xlfrrfr.exe89⤵
-
\??\c:\btnbtn.exec:\btnbtn.exe90⤵
-
\??\c:\ppdjv.exec:\ppdjv.exe91⤵
-
\??\c:\7nnhtb.exec:\7nnhtb.exe92⤵
-
\??\c:\5ttnnh.exec:\5ttnnh.exe93⤵
-
\??\c:\hnnnhh.exec:\hnnnhh.exe94⤵
-
\??\c:\jjjdp.exec:\jjjdp.exe95⤵
-
\??\c:\rlrrxfx.exec:\rlrrxfx.exe96⤵
-
\??\c:\htbntt.exec:\htbntt.exe97⤵
-
\??\c:\bhnbbt.exec:\bhnbbt.exe98⤵
-
\??\c:\dpdjv.exec:\dpdjv.exe99⤵
-
\??\c:\9flrlrl.exec:\9flrlrl.exe100⤵
-
\??\c:\lrxxrrr.exec:\lrxxrrr.exe101⤵
-
\??\c:\5hnhbb.exec:\5hnhbb.exe102⤵
-
\??\c:\pdvvv.exec:\pdvvv.exe103⤵
-
\??\c:\3lffflr.exec:\3lffflr.exe104⤵
-
\??\c:\lflrrxl.exec:\lflrrxl.exe105⤵
-
\??\c:\hhnnnb.exec:\hhnnnb.exe106⤵
-
\??\c:\dpvvv.exec:\dpvvv.exe107⤵
-
\??\c:\frxrrrr.exec:\frxrrrr.exe108⤵
-
\??\c:\lffffff.exec:\lffffff.exe109⤵
-
\??\c:\tbbhbn.exec:\tbbhbn.exe110⤵
-
\??\c:\ppddp.exec:\ppddp.exe111⤵
-
\??\c:\rrlxllr.exec:\rrlxllr.exe112⤵
-
\??\c:\ffxrrrr.exec:\ffxrrrr.exe113⤵
-
\??\c:\nntbbb.exec:\nntbbb.exe114⤵
-
\??\c:\3jdjp.exec:\3jdjp.exe115⤵
-
\??\c:\fxflrfl.exec:\fxflrfl.exe116⤵
-
\??\c:\bttttt.exec:\bttttt.exe117⤵
-
\??\c:\jpddd.exec:\jpddd.exe118⤵
-
\??\c:\vdpjp.exec:\vdpjp.exe119⤵
-
\??\c:\ffffrll.exec:\ffffrll.exe120⤵
-
\??\c:\nnnttn.exec:\nnnttn.exe121⤵
-
\??\c:\vvjdj.exec:\vvjdj.exe122⤵
-
\??\c:\1jdpp.exec:\1jdpp.exe123⤵
-
\??\c:\frxlfll.exec:\frxlfll.exe124⤵
-
\??\c:\9xrfllf.exec:\9xrfllf.exe125⤵
-
\??\c:\hbnnnh.exec:\hbnnnh.exe126⤵
-
\??\c:\9djjj.exec:\9djjj.exe127⤵
-
\??\c:\lffxrrx.exec:\lffxrrx.exe128⤵
-
\??\c:\1nntbb.exec:\1nntbb.exe129⤵
-
\??\c:\3bbhhn.exec:\3bbhhn.exe130⤵
-
\??\c:\pvddd.exec:\pvddd.exe131⤵
-
\??\c:\flrxllf.exec:\flrxllf.exe132⤵
-
\??\c:\hbtttt.exec:\hbtttt.exe133⤵
-
\??\c:\tnntnn.exec:\tnntnn.exe134⤵
-
\??\c:\vvjjd.exec:\vvjjd.exe135⤵
-
\??\c:\rxlxxlx.exec:\rxlxxlx.exe136⤵
-
\??\c:\1hnnnh.exec:\1hnnnh.exe137⤵
-
\??\c:\tnnhnh.exec:\tnnhnh.exe138⤵
-
\??\c:\jvppd.exec:\jvppd.exe139⤵
-
\??\c:\rflffrf.exec:\rflffrf.exe140⤵
-
\??\c:\tthhhb.exec:\tthhhb.exe141⤵
-
\??\c:\hntnhh.exec:\hntnhh.exe142⤵
-
\??\c:\djvpj.exec:\djvpj.exe143⤵
-
\??\c:\xrrlllf.exec:\xrrlllf.exe144⤵
-
\??\c:\3hntnt.exec:\3hntnt.exe145⤵
-
\??\c:\jppvp.exec:\jppvp.exe146⤵
-
\??\c:\fffrlfl.exec:\fffrlfl.exe147⤵
-
\??\c:\frxrlrl.exec:\frxrlrl.exe148⤵
-
\??\c:\nhnnnb.exec:\nhnnnb.exe149⤵
-
\??\c:\7dvpp.exec:\7dvpp.exe150⤵
-
\??\c:\fxlfxxr.exec:\fxlfxxr.exe151⤵
-
\??\c:\fxxrllf.exec:\fxxrllf.exe152⤵
-
\??\c:\1nbhhh.exec:\1nbhhh.exe153⤵
-
\??\c:\pjvdd.exec:\pjvdd.exe154⤵
-
\??\c:\fxxxllf.exec:\fxxxllf.exe155⤵
-
\??\c:\bthhnt.exec:\bthhnt.exe156⤵
-
\??\c:\nbtnbt.exec:\nbtnbt.exe157⤵
-
\??\c:\djpjj.exec:\djpjj.exe158⤵
-
\??\c:\7ffxrxr.exec:\7ffxrxr.exe159⤵
-
\??\c:\xxxlrxx.exec:\xxxlrxx.exe160⤵
-
\??\c:\tnnttb.exec:\tnnttb.exe161⤵
-
\??\c:\vdjjj.exec:\vdjjj.exe162⤵
-
\??\c:\5vppj.exec:\5vppj.exe163⤵
-
\??\c:\7rfxrrl.exec:\7rfxrrl.exe164⤵
-
\??\c:\hhnhnt.exec:\hhnhnt.exe165⤵
-
\??\c:\hbtnnn.exec:\hbtnnn.exe166⤵
-
\??\c:\djpvp.exec:\djpvp.exe167⤵
-
\??\c:\3rlllrf.exec:\3rlllrf.exe168⤵
-
\??\c:\fxxrrrr.exec:\fxxrrrr.exe169⤵
-
\??\c:\nhhhht.exec:\nhhhht.exe170⤵
-
\??\c:\vvdjj.exec:\vvdjj.exe171⤵
-
\??\c:\rlrffff.exec:\rlrffff.exe172⤵
-
\??\c:\thhbtn.exec:\thhbtn.exe173⤵
-
\??\c:\vjpvv.exec:\vjpvv.exe174⤵
-
\??\c:\lrfxxlr.exec:\lrfxxlr.exe175⤵
-
\??\c:\hbbbtb.exec:\hbbbtb.exe176⤵
-
\??\c:\bhhtnn.exec:\bhhtnn.exe177⤵
-
\??\c:\jjddd.exec:\jjddd.exe178⤵
-
\??\c:\frrlxxx.exec:\frrlxxx.exe179⤵
-
\??\c:\tnhhbb.exec:\tnhhbb.exe180⤵
-
\??\c:\hbbnbt.exec:\hbbnbt.exe181⤵
-
\??\c:\vpdvv.exec:\vpdvv.exe182⤵
-
\??\c:\3rrrlrl.exec:\3rrrlrl.exe183⤵
-
\??\c:\ffxxflx.exec:\ffxxflx.exe184⤵
-
\??\c:\bhhhbb.exec:\bhhhbb.exe185⤵
-
\??\c:\dvvpj.exec:\dvvpj.exe186⤵
-
\??\c:\pppdv.exec:\pppdv.exe187⤵
-
\??\c:\5rfxffr.exec:\5rfxffr.exe188⤵
-
\??\c:\bntnnt.exec:\bntnnt.exe189⤵
-
\??\c:\dpvpj.exec:\dpvpj.exe190⤵
-
\??\c:\vpddd.exec:\vpddd.exe191⤵
-
\??\c:\llxfrlx.exec:\llxfrlx.exe192⤵
-
\??\c:\bbtnhb.exec:\bbtnhb.exe193⤵
-
\??\c:\bbbbtb.exec:\bbbbtb.exe194⤵
-
\??\c:\vvdvp.exec:\vvdvp.exe195⤵
-
\??\c:\jjpjj.exec:\jjpjj.exe196⤵
-
\??\c:\fxffrxx.exec:\fxffrxx.exe197⤵
-
\??\c:\9lfxlxx.exec:\9lfxlxx.exe198⤵
-
\??\c:\3nbtbb.exec:\3nbtbb.exe199⤵
-
\??\c:\hhnhbb.exec:\hhnhbb.exe200⤵
-
\??\c:\vvvvj.exec:\vvvvj.exe201⤵
-
\??\c:\pdppp.exec:\pdppp.exe202⤵
-
\??\c:\lllfxxl.exec:\lllfxxl.exe203⤵
-
\??\c:\lrlxlxx.exec:\lrlxlxx.exe204⤵
-
\??\c:\tnbtbn.exec:\tnbtbn.exe205⤵
-
\??\c:\jdjdd.exec:\jdjdd.exe206⤵
-
\??\c:\vpvvj.exec:\vpvvj.exe207⤵
-
\??\c:\lfxrlll.exec:\lfxrlll.exe208⤵
-
\??\c:\3fxrrxl.exec:\3fxrrxl.exe209⤵
-
\??\c:\7fxffll.exec:\7fxffll.exe210⤵
-
\??\c:\bbbttb.exec:\bbbttb.exe211⤵
-
\??\c:\bntthn.exec:\bntthn.exe212⤵
-
\??\c:\jdpjd.exec:\jdpjd.exe213⤵
-
\??\c:\jvddv.exec:\jvddv.exe214⤵
-
\??\c:\1ffflrr.exec:\1ffflrr.exe215⤵
-
\??\c:\nbbnhh.exec:\nbbnhh.exe216⤵
-
\??\c:\3ntnhh.exec:\3ntnhh.exe217⤵
-
\??\c:\jdjjp.exec:\jdjjp.exe218⤵
-
\??\c:\vpvvp.exec:\vpvvp.exe219⤵
-
\??\c:\lfllxfx.exec:\lfllxfx.exe220⤵
-
\??\c:\rlxxxll.exec:\rlxxxll.exe221⤵
-
\??\c:\5thttt.exec:\5thttt.exe222⤵
-
\??\c:\3thbhn.exec:\3thbhn.exe223⤵
-
\??\c:\1ddjj.exec:\1ddjj.exe224⤵
-
\??\c:\vpvpp.exec:\vpvpp.exe225⤵
-
\??\c:\rxrlfrf.exec:\rxrlfrf.exe226⤵
-
\??\c:\xfrrxxx.exec:\xfrrxxx.exe227⤵
-
\??\c:\1ddvd.exec:\1ddvd.exe228⤵
-
\??\c:\1ppjv.exec:\1ppjv.exe229⤵
-
\??\c:\lxflrxr.exec:\lxflrxr.exe230⤵
-
\??\c:\thbbtb.exec:\thbbtb.exe231⤵
-
\??\c:\vpvvp.exec:\vpvvp.exe232⤵
-
\??\c:\7vdvp.exec:\7vdvp.exe233⤵
-
\??\c:\lrfllll.exec:\lrfllll.exe234⤵
-
\??\c:\fxxlrll.exec:\fxxlrll.exe235⤵
-
\??\c:\httthn.exec:\httthn.exe236⤵
-
\??\c:\hhbtnn.exec:\hhbtnn.exe237⤵
-
\??\c:\djpdp.exec:\djpdp.exe238⤵
-
\??\c:\frffllr.exec:\frffllr.exe239⤵
-
\??\c:\nhtbbn.exec:\nhtbbn.exe240⤵
-
\??\c:\jdppd.exec:\jdppd.exe241⤵