Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
18-05-2024 23:32
General
-
Target
8869f7825c89fc10a389ffb8b87de50492dfe2f5cd7d3ea176bc57f6d7d3dfc4.exe
-
Size
466KB
-
MD5
5e3715dbffa81f7666239e21898e67a5
-
SHA1
e72662e0b82d0dcab63607ca055a1fe2cbc4fc60
-
SHA256
8869f7825c89fc10a389ffb8b87de50492dfe2f5cd7d3ea176bc57f6d7d3dfc4
-
SHA512
72162b3be7a05160e07749d31e52837dc119556507069ab36f35c10ee04d2437a8c66aaca53335e2e6def39ebc53ed7b833088e753a5443908b734c7755f0ea1
-
SSDEEP
6144:n3C9BRo7MlrWKo+lS0Le4xRSAoq78yoyfx93sEqkeGLedW0A8hhq:n3C9yMo+S0L9xRnoq7H9xqYLed35h4
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
UPX dump on OEP (original entry point) 27 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2516146226\zmstage.exeC:\Users\Admin\AppData\Local\Temp\2516146226\zmstage.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\8869f7825c89fc10a389ffb8b87de50492dfe2f5cd7d3ea176bc57f6d7d3dfc4.exe"C:\Users\Admin\AppData\Local\Temp\8869f7825c89fc10a389ffb8b87de50492dfe2f5cd7d3ea176bc57f6d7d3dfc4.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrxlrf.exec:\lfrxlrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrrfxff.exec:\lrrfxff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnbbb.exec:\btnbbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjvd.exec:\pjjvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjddv.exec:\jjddv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlfflxf.exec:\rlfflxf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1ttbth.exec:\1ttbth.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thntbb.exec:\thntbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvjd.exec:\ddvjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9rlxlrf.exec:\9rlxlrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxxflx.exec:\rlxxflx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9hbttb.exec:\9hbttb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1vddj.exec:\1vddj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrlrrxx.exec:\rrlrrxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbttbb.exec:\bbttbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnnbth.exec:\hnnbth.exe17⤵
- Executes dropped EXE
-
\??\c:\jjddd.exec:\jjddd.exe18⤵
- Executes dropped EXE
-
\??\c:\llxfrrf.exec:\llxfrrf.exe19⤵
- Executes dropped EXE
-
\??\c:\3nhnnn.exec:\3nhnnn.exe20⤵
- Executes dropped EXE
-
\??\c:\dvvjd.exec:\dvvjd.exe21⤵
- Executes dropped EXE
-
\??\c:\ffxrxlr.exec:\ffxrxlr.exe22⤵
- Executes dropped EXE
-
\??\c:\xrllxfl.exec:\xrllxfl.exe23⤵
- Executes dropped EXE
-
\??\c:\tthnhb.exec:\tthnhb.exe24⤵
- Executes dropped EXE
-
\??\c:\9vvvv.exec:\9vvvv.exe25⤵
- Executes dropped EXE
-
\??\c:\lfxfrrr.exec:\lfxfrrr.exe26⤵
- Executes dropped EXE
-
\??\c:\hbntbb.exec:\hbntbb.exe27⤵
- Executes dropped EXE
-
\??\c:\jjdpd.exec:\jjdpd.exe28⤵
- Executes dropped EXE
-
\??\c:\ffflfll.exec:\ffflfll.exe29⤵
- Executes dropped EXE
-
\??\c:\ththhn.exec:\ththhn.exe30⤵
- Executes dropped EXE
-
\??\c:\dvvpv.exec:\dvvpv.exe31⤵
- Executes dropped EXE
-
\??\c:\rrfrrfr.exec:\rrfrrfr.exe32⤵
- Executes dropped EXE
-
\??\c:\nbtbnt.exec:\nbtbnt.exe33⤵
- Executes dropped EXE
-
\??\c:\vdvdj.exec:\vdvdj.exe34⤵
- Executes dropped EXE
-
\??\c:\llfflrx.exec:\llfflrx.exe35⤵
- Executes dropped EXE
-
\??\c:\bnbtbb.exec:\bnbtbb.exe36⤵
- Executes dropped EXE
-
\??\c:\vpdpd.exec:\vpdpd.exe37⤵
- Executes dropped EXE
-
\??\c:\dvpvj.exec:\dvpvj.exe38⤵
- Executes dropped EXE
-
\??\c:\rrllffx.exec:\rrllffx.exe39⤵
- Executes dropped EXE
-
\??\c:\1bnnht.exec:\1bnnht.exe40⤵
- Executes dropped EXE
-
\??\c:\ppjpj.exec:\ppjpj.exe41⤵
- Executes dropped EXE
-
\??\c:\3vvjv.exec:\3vvjv.exe42⤵
- Executes dropped EXE
-
\??\c:\ffrfllr.exec:\ffrfllr.exe43⤵
- Executes dropped EXE
-
\??\c:\3nbhtb.exec:\3nbhtb.exe44⤵
- Executes dropped EXE
-
\??\c:\vjvvj.exec:\vjvvj.exe45⤵
- Executes dropped EXE
-
\??\c:\dvpvd.exec:\dvpvd.exe46⤵
- Executes dropped EXE
-
\??\c:\ffxlxrx.exec:\ffxlxrx.exe47⤵
- Executes dropped EXE
-
\??\c:\bbtnbh.exec:\bbtnbh.exe48⤵
- Executes dropped EXE
-
\??\c:\ppjpp.exec:\ppjpp.exe49⤵
- Executes dropped EXE
-
\??\c:\frrflll.exec:\frrflll.exe50⤵
- Executes dropped EXE
-
\??\c:\hbtbbn.exec:\hbtbbn.exe51⤵
- Executes dropped EXE
-
\??\c:\bttnhn.exec:\bttnhn.exe52⤵
- Executes dropped EXE
-
\??\c:\jddjp.exec:\jddjp.exe53⤵
- Executes dropped EXE
-
\??\c:\5rxlrfr.exec:\5rxlrfr.exe54⤵
- Executes dropped EXE
-
\??\c:\ttnbtt.exec:\ttnbtt.exe55⤵
- Executes dropped EXE
-
\??\c:\vpjpd.exec:\vpjpd.exe56⤵
- Executes dropped EXE
-
\??\c:\9pdpv.exec:\9pdpv.exe57⤵
- Executes dropped EXE
-
\??\c:\xfllflf.exec:\xfllflf.exe58⤵
- Executes dropped EXE
-
\??\c:\xxxrfrx.exec:\xxxrfrx.exe59⤵
- Executes dropped EXE
-
\??\c:\5bhntt.exec:\5bhntt.exe60⤵
- Executes dropped EXE
-
\??\c:\jjjdd.exec:\jjjdd.exe61⤵
- Executes dropped EXE
-
\??\c:\flxxxxr.exec:\flxxxxr.exe62⤵
- Executes dropped EXE
-
\??\c:\ffxrxff.exec:\ffxrxff.exe63⤵
- Executes dropped EXE
-
\??\c:\ttnbtb.exec:\ttnbtb.exe64⤵
- Executes dropped EXE
-
\??\c:\ppjjv.exec:\ppjjv.exe65⤵
- Executes dropped EXE
-
\??\c:\5jjjj.exec:\5jjjj.exe66⤵
-
\??\c:\xrllxfx.exec:\xrllxfx.exe67⤵
-
\??\c:\hhttbh.exec:\hhttbh.exe68⤵
-
\??\c:\ddvdj.exec:\ddvdj.exe69⤵
-
\??\c:\5dddp.exec:\5dddp.exe70⤵
-
\??\c:\9rlrflx.exec:\9rlrflx.exe71⤵
-
\??\c:\bnntth.exec:\bnntth.exe72⤵
-
\??\c:\3btbhh.exec:\3btbhh.exe73⤵
-
\??\c:\pjvdp.exec:\pjvdp.exe74⤵
-
\??\c:\fxlrrxl.exec:\fxlrrxl.exe75⤵
-
\??\c:\fxrflrf.exec:\fxrflrf.exe76⤵
-
\??\c:\bbbhtt.exec:\bbbhtt.exe77⤵
-
\??\c:\htnthn.exec:\htnthn.exe78⤵
-
\??\c:\jjjpd.exec:\jjjpd.exe79⤵
-
\??\c:\rffxfll.exec:\rffxfll.exe80⤵
-
\??\c:\fflxflx.exec:\fflxflx.exe81⤵
-
\??\c:\nnhtnt.exec:\nnhtnt.exe82⤵
-
\??\c:\3htbtb.exec:\3htbtb.exe83⤵
-
\??\c:\jpjpd.exec:\jpjpd.exe84⤵
-
\??\c:\lfxfrfx.exec:\lfxfrfx.exe85⤵
-
\??\c:\nnnthn.exec:\nnnthn.exe86⤵
-
\??\c:\1thnht.exec:\1thnht.exe87⤵
-
\??\c:\pjdjp.exec:\pjdjp.exe88⤵
-
\??\c:\jjvdp.exec:\jjvdp.exe89⤵
-
\??\c:\xflxrfr.exec:\xflxrfr.exe90⤵
-
\??\c:\hbhbbt.exec:\hbhbbt.exe91⤵
-
\??\c:\7bttnt.exec:\7bttnt.exe92⤵
-
\??\c:\jddpv.exec:\jddpv.exe93⤵
-
\??\c:\flflxlx.exec:\flflxlx.exe94⤵
-
\??\c:\fxfrxfx.exec:\fxfrxfx.exe95⤵
-
\??\c:\5tnnbn.exec:\5tnnbn.exe96⤵
-
\??\c:\nnhnhh.exec:\nnhnhh.exe97⤵
-
\??\c:\ppppj.exec:\ppppj.exe98⤵
-
\??\c:\lrrlllx.exec:\lrrlllx.exe99⤵
-
\??\c:\1lffllx.exec:\1lffllx.exe100⤵
-
\??\c:\ntnnbh.exec:\ntnnbh.exe101⤵
-
\??\c:\bhnhbn.exec:\bhnhbn.exe102⤵
-
\??\c:\pdpdv.exec:\pdpdv.exe103⤵
-
\??\c:\5vpvj.exec:\5vpvj.exe104⤵
-
\??\c:\ffffrlr.exec:\ffffrlr.exe105⤵
-
\??\c:\ffflxfr.exec:\ffflxfr.exe106⤵
-
\??\c:\3tbhbh.exec:\3tbhbh.exe107⤵
-
\??\c:\dvjvp.exec:\dvjvp.exe108⤵
-
\??\c:\9pdjp.exec:\9pdjp.exe109⤵
-
\??\c:\rllfrxf.exec:\rllfrxf.exe110⤵
-
\??\c:\ttnbtb.exec:\ttnbtb.exe111⤵
-
\??\c:\hhbnht.exec:\hhbnht.exe112⤵
-
\??\c:\pjdpp.exec:\pjdpp.exe113⤵
-
\??\c:\vjdjp.exec:\vjdjp.exe114⤵
-
\??\c:\frlfxxf.exec:\frlfxxf.exe115⤵
-
\??\c:\nbtthh.exec:\nbtthh.exe116⤵
-
\??\c:\btnhtt.exec:\btnhtt.exe117⤵
-
\??\c:\jddjd.exec:\jddjd.exe118⤵
-
\??\c:\pjjpd.exec:\pjjpd.exe119⤵
-
\??\c:\flxflrf.exec:\flxflrf.exe120⤵
-
\??\c:\hnthtt.exec:\hnthtt.exe121⤵
-
\??\c:\tbttnb.exec:\tbttnb.exe122⤵
-
\??\c:\5pdvj.exec:\5pdvj.exe123⤵
-
\??\c:\xffxffx.exec:\xffxffx.exe124⤵
-
\??\c:\lfxlrxl.exec:\lfxlrxl.exe125⤵
-
\??\c:\1bnnnn.exec:\1bnnnn.exe126⤵
-
\??\c:\nhbhbt.exec:\nhbhbt.exe127⤵
-
\??\c:\5pdpj.exec:\5pdpj.exe128⤵
-
\??\c:\frlrrrf.exec:\frlrrrf.exe129⤵
-
\??\c:\rflfxxf.exec:\rflfxxf.exe130⤵
-
\??\c:\nbbhtn.exec:\nbbhtn.exe131⤵
-
\??\c:\nbhttb.exec:\nbhttb.exe132⤵
-
\??\c:\9vddd.exec:\9vddd.exe133⤵
-
\??\c:\7xxrxxx.exec:\7xxrxxx.exe134⤵
-
\??\c:\3lffxxx.exec:\3lffxxx.exe135⤵
-
\??\c:\nbhnht.exec:\nbhnht.exe136⤵
-
\??\c:\tbthnt.exec:\tbthnt.exe137⤵
-
\??\c:\dvjdj.exec:\dvjdj.exe138⤵
-
\??\c:\ffxxflx.exec:\ffxxflx.exe139⤵
-
\??\c:\9flfrll.exec:\9flfrll.exe140⤵
-
\??\c:\tntbbb.exec:\tntbbb.exe141⤵
-
\??\c:\5hbbhh.exec:\5hbbhh.exe142⤵
-
\??\c:\ddvvd.exec:\ddvvd.exe143⤵
-
\??\c:\3djpp.exec:\3djpp.exe144⤵
-
\??\c:\xrrrxxf.exec:\xrrrxxf.exe145⤵
-
\??\c:\5thbbb.exec:\5thbbb.exe146⤵
-
\??\c:\1btbhn.exec:\1btbhn.exe147⤵
-
\??\c:\jdpvp.exec:\jdpvp.exe148⤵
-
\??\c:\1vdjd.exec:\1vdjd.exe149⤵
-
\??\c:\9ffxfxf.exec:\9ffxfxf.exe150⤵
-
\??\c:\bnbthh.exec:\bnbthh.exe151⤵
-
\??\c:\nhtbhh.exec:\nhtbhh.exe152⤵
-
\??\c:\vjpvv.exec:\vjpvv.exe153⤵
-
\??\c:\frfxxxf.exec:\frfxxxf.exe154⤵
-
\??\c:\flxxxxx.exec:\flxxxxx.exe155⤵
-
\??\c:\bthnnt.exec:\bthnnt.exe156⤵
-
\??\c:\bbntbt.exec:\bbntbt.exe157⤵
-
\??\c:\jpddj.exec:\jpddj.exe158⤵
-
\??\c:\dpdpv.exec:\dpdpv.exe159⤵
-
\??\c:\ffllllx.exec:\ffllllx.exe160⤵
-
\??\c:\9btbhh.exec:\9btbhh.exe161⤵
-
\??\c:\5pvpd.exec:\5pvpd.exe162⤵
-
\??\c:\7lxrrrl.exec:\7lxrrrl.exe163⤵
-
\??\c:\7htttt.exec:\7htttt.exe164⤵
-
\??\c:\bntttt.exec:\bntttt.exe165⤵
-
\??\c:\dvpvp.exec:\dvpvp.exe166⤵
-
\??\c:\vpddp.exec:\vpddp.exe167⤵
-
\??\c:\fxllrff.exec:\fxllrff.exe168⤵
-
\??\c:\1rflrrl.exec:\1rflrrl.exe169⤵
-
\??\c:\btnnnn.exec:\btnnnn.exe170⤵
-
\??\c:\pjvpv.exec:\pjvpv.exe171⤵
-
\??\c:\jvjpd.exec:\jvjpd.exe172⤵
-
\??\c:\7vjjj.exec:\7vjjj.exe173⤵
-
\??\c:\rfrxllx.exec:\rfrxllx.exe174⤵
-
\??\c:\thntnh.exec:\thntnh.exe175⤵
-
\??\c:\htnntb.exec:\htnntb.exe176⤵
-
\??\c:\vvjpv.exec:\vvjpv.exe177⤵
-
\??\c:\vvjpp.exec:\vvjpp.exe178⤵
-
\??\c:\rlxrfxf.exec:\rlxrfxf.exe179⤵
-
\??\c:\9xlxlll.exec:\9xlxlll.exe180⤵
-
\??\c:\hbntbn.exec:\hbntbn.exe181⤵
-
\??\c:\btnntn.exec:\btnntn.exe182⤵
-
\??\c:\9pjpp.exec:\9pjpp.exe183⤵
-
\??\c:\xxlrxrf.exec:\xxlrxrf.exe184⤵
-
\??\c:\rfxlfrf.exec:\rfxlfrf.exe185⤵
-
\??\c:\nhttbh.exec:\nhttbh.exe186⤵
-
\??\c:\tnbhnn.exec:\tnbhnn.exe187⤵
-
\??\c:\ddjvj.exec:\ddjvj.exe188⤵
-
\??\c:\dpjjp.exec:\dpjjp.exe189⤵
-
\??\c:\xrlffff.exec:\xrlffff.exe190⤵
-
\??\c:\nhbbhh.exec:\nhbbhh.exe191⤵
-
\??\c:\1nthnt.exec:\1nthnt.exe192⤵
-
\??\c:\dvjjp.exec:\dvjjp.exe193⤵
-
\??\c:\jvjjj.exec:\jvjjj.exe194⤵
-
\??\c:\xrllxxl.exec:\xrllxxl.exe195⤵
-
\??\c:\lxlxffr.exec:\lxlxffr.exe196⤵
-
\??\c:\7ntbnh.exec:\7ntbnh.exe197⤵
-
\??\c:\bhtthb.exec:\bhtthb.exe198⤵
-
\??\c:\dpvpv.exec:\dpvpv.exe199⤵
-
\??\c:\dvppv.exec:\dvppv.exe200⤵
-
\??\c:\xxrffll.exec:\xxrffll.exe201⤵
-
\??\c:\nnhhtb.exec:\nnhhtb.exe202⤵
-
\??\c:\tbhhnh.exec:\tbhhnh.exe203⤵
-
\??\c:\jdpvv.exec:\jdpvv.exe204⤵
-
\??\c:\xlxrrrx.exec:\xlxrrrx.exe205⤵
-
\??\c:\3lxrrlr.exec:\3lxrrlr.exe206⤵
-
\??\c:\ttnnbt.exec:\ttnnbt.exe207⤵
-
\??\c:\5hnhbh.exec:\5hnhbh.exe208⤵
-
\??\c:\dpddj.exec:\dpddj.exe209⤵
-
\??\c:\vjppj.exec:\vjppj.exe210⤵
-
\??\c:\lffxffl.exec:\lffxffl.exe211⤵
-
\??\c:\btnthn.exec:\btnthn.exe212⤵
-
\??\c:\bbnbbn.exec:\bbnbbn.exe213⤵
-
\??\c:\pjvvv.exec:\pjvvv.exe214⤵
-
\??\c:\vdppv.exec:\vdppv.exe215⤵
-
\??\c:\llrlxll.exec:\llrlxll.exe216⤵
-
\??\c:\1lxrrrx.exec:\1lxrrrx.exe217⤵
-
\??\c:\hthnnt.exec:\hthnnt.exe218⤵
-
\??\c:\pddpv.exec:\pddpv.exe219⤵
-
\??\c:\djdjp.exec:\djdjp.exe220⤵
-
\??\c:\1xfffxx.exec:\1xfffxx.exe221⤵
-
\??\c:\rlxfllx.exec:\rlxfllx.exe222⤵
-
\??\c:\hthntt.exec:\hthntt.exe223⤵
-
\??\c:\tnttbb.exec:\tnttbb.exe224⤵
-
\??\c:\dpddp.exec:\dpddp.exe225⤵
-
\??\c:\pjvpd.exec:\pjvpd.exe226⤵
-
\??\c:\rflllrx.exec:\rflllrx.exe227⤵
-
\??\c:\lfrrxxx.exec:\lfrrxxx.exe228⤵
-
\??\c:\hnttbb.exec:\hnttbb.exe229⤵
-
\??\c:\1pdpp.exec:\1pdpp.exe230⤵
-
\??\c:\9djpj.exec:\9djpj.exe231⤵
-
\??\c:\fxfflfx.exec:\fxfflfx.exe232⤵
-
\??\c:\rlxxrrx.exec:\rlxxrrx.exe233⤵
-
\??\c:\tnbhtt.exec:\tnbhtt.exe234⤵
-
\??\c:\vdvvd.exec:\vdvvd.exe235⤵
-
\??\c:\5pdjj.exec:\5pdjj.exe236⤵
-
\??\c:\xlrrllr.exec:\xlrrllr.exe237⤵
-
\??\c:\9flxxrl.exec:\9flxxrl.exe238⤵
-
\??\c:\7thhhb.exec:\7thhhb.exe239⤵
-
\??\c:\7ntnnn.exec:\7ntnnn.exe240⤵
-
\??\c:\pddvp.exec:\pddvp.exe241⤵