Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
19/05/2024, 22:18
General
-
Target
613d37b6990686d1e736de5831d4f1eddc02d4da14a96d61a6299e6121db7838.exe
-
Size
61KB
-
MD5
a97534461296a2b3717f35799cda42db
-
SHA1
75768978304ea13db6f7fc56c5894c46f93a2d45
-
SHA256
613d37b6990686d1e736de5831d4f1eddc02d4da14a96d61a6299e6121db7838
-
SHA512
9e3deef09562d0b3ea8f4208777f5b9eaddbe5777add714aab82c7cfac2c9c540bd59e819554a652edabaeaae6c384e55b131af092fcbd42f478b13b8c39d87a
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDII9ZvHKEz:ymb3NkkiQ3mdBjFII9ZvHKEz
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 21 IoCs
-
UPX dump on OEP (original entry point) 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\613d37b6990686d1e736de5831d4f1eddc02d4da14a96d61a6299e6121db7838.exe"C:\Users\Admin\AppData\Local\Temp\613d37b6990686d1e736de5831d4f1eddc02d4da14a96d61a6299e6121db7838.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\txrfbt.exec:\txrfbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rpdtdxx.exec:\rpdtdxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vxxjhrv.exec:\vxxjhrv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnbfnjv.exec:\hnbfnjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bxhlrll.exec:\bxhlrll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfndfh.exec:\rfndfh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ftldjp.exec:\ftldjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nrdffj.exec:\nrdffj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nlthxh.exec:\nlthxh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfdld.exec:\rfdld.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjfxt.exec:\vjfxt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dfdhtj.exec:\dfdhtj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dldvjv.exec:\dldvjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pxtjl.exec:\pxtjl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tpvxln.exec:\tpvxln.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lbpfx.exec:\lbpfx.exe17⤵
- Executes dropped EXE
-
\??\c:\rtrlf.exec:\rtrlf.exe18⤵
- Executes dropped EXE
-
\??\c:\fvnblf.exec:\fvnblf.exe19⤵
- Executes dropped EXE
-
\??\c:\blxpp.exec:\blxpp.exe20⤵
- Executes dropped EXE
-
\??\c:\dlfxtrl.exec:\dlfxtrl.exe21⤵
- Executes dropped EXE
-
\??\c:\rjlldnx.exec:\rjlldnx.exe22⤵
- Executes dropped EXE
-
\??\c:\ptjddlr.exec:\ptjddlr.exe23⤵
- Executes dropped EXE
-
\??\c:\llrpfhv.exec:\llrpfhv.exe24⤵
- Executes dropped EXE
-
\??\c:\npvnt.exec:\npvnt.exe25⤵
- Executes dropped EXE
-
\??\c:\nlbxb.exec:\nlbxb.exe26⤵
- Executes dropped EXE
-
\??\c:\pttjl.exec:\pttjl.exe27⤵
- Executes dropped EXE
-
\??\c:\hnnxrtr.exec:\hnnxrtr.exe28⤵
- Executes dropped EXE
-
\??\c:\hjfhrt.exec:\hjfhrt.exe29⤵
- Executes dropped EXE
-
\??\c:\xtfpf.exec:\xtfpf.exe30⤵
- Executes dropped EXE
-
\??\c:\pvpjdh.exec:\pvpjdh.exe31⤵
- Executes dropped EXE
-
\??\c:\vdhhxl.exec:\vdhhxl.exe32⤵
- Executes dropped EXE
-
\??\c:\pnfdfl.exec:\pnfdfl.exe33⤵
- Executes dropped EXE
-
\??\c:\nfpln.exec:\nfpln.exe34⤵
- Executes dropped EXE
-
\??\c:\vjpjxlx.exec:\vjpjxlx.exe35⤵
- Executes dropped EXE
-
\??\c:\hdhjf.exec:\hdhjf.exe36⤵
- Executes dropped EXE
-
\??\c:\ppdll.exec:\ppdll.exe37⤵
- Executes dropped EXE
-
\??\c:\bxrhnv.exec:\bxrhnv.exe38⤵
- Executes dropped EXE
-
\??\c:\trlbrj.exec:\trlbrj.exe39⤵
- Executes dropped EXE
-
\??\c:\vxpld.exec:\vxpld.exe40⤵
- Executes dropped EXE
-
\??\c:\vbhfdp.exec:\vbhfdp.exe41⤵
- Executes dropped EXE
-
\??\c:\rlrph.exec:\rlrph.exe42⤵
- Executes dropped EXE
-
\??\c:\tpnlphh.exec:\tpnlphh.exe43⤵
- Executes dropped EXE
-
\??\c:\fddxb.exec:\fddxb.exe44⤵
- Executes dropped EXE
-
\??\c:\nxlppt.exec:\nxlppt.exe45⤵
- Executes dropped EXE
-
\??\c:\xphpxv.exec:\xphpxv.exe46⤵
- Executes dropped EXE
-
\??\c:\jfdnrl.exec:\jfdnrl.exe47⤵
- Executes dropped EXE
-
\??\c:\ntpbpp.exec:\ntpbpp.exe48⤵
- Executes dropped EXE
-
\??\c:\npllvr.exec:\npllvr.exe49⤵
- Executes dropped EXE
-
\??\c:\jnbbh.exec:\jnbbh.exe50⤵
- Executes dropped EXE
-
\??\c:\xtvnvvf.exec:\xtvnvvf.exe51⤵
- Executes dropped EXE
-
\??\c:\jvtddp.exec:\jvtddp.exe52⤵
- Executes dropped EXE
-
\??\c:\tbpldjl.exec:\tbpldjl.exe53⤵
- Executes dropped EXE
-
\??\c:\jlnvlp.exec:\jlnvlp.exe54⤵
- Executes dropped EXE
-
\??\c:\njhnnjx.exec:\njhnnjx.exe55⤵
- Executes dropped EXE
-
\??\c:\xhnrbv.exec:\xhnrbv.exe56⤵
- Executes dropped EXE
-
\??\c:\vpthxph.exec:\vpthxph.exe57⤵
- Executes dropped EXE
-
\??\c:\dvvtxvt.exec:\dvvtxvt.exe58⤵
- Executes dropped EXE
-
\??\c:\dpxbl.exec:\dpxbl.exe59⤵
- Executes dropped EXE
-
\??\c:\jjtddl.exec:\jjtddl.exe60⤵
- Executes dropped EXE
-
\??\c:\xdbjn.exec:\xdbjn.exe61⤵
- Executes dropped EXE
-
\??\c:\hfflnjj.exec:\hfflnjj.exe62⤵
- Executes dropped EXE
-
\??\c:\brdjj.exec:\brdjj.exe63⤵
- Executes dropped EXE
-
\??\c:\xdhrnhd.exec:\xdhrnhd.exe64⤵
- Executes dropped EXE
-
\??\c:\nptbfj.exec:\nptbfj.exe65⤵
- Executes dropped EXE
-
\??\c:\ttnhl.exec:\ttnhl.exe66⤵
-
\??\c:\vhlhhff.exec:\vhlhhff.exe67⤵
-
\??\c:\nrvdn.exec:\nrvdn.exe68⤵
-
\??\c:\fdvtrlj.exec:\fdvtrlj.exe69⤵
-
\??\c:\hpnpp.exec:\hpnpp.exe70⤵
-
\??\c:\rxnnf.exec:\rxnnf.exe71⤵
-
\??\c:\ttjxlbj.exec:\ttjxlbj.exe72⤵
-
\??\c:\vvnhjx.exec:\vvnhjx.exe73⤵
-
\??\c:\vhrxfh.exec:\vhrxfh.exe74⤵
-
\??\c:\rrppv.exec:\rrppv.exe75⤵
-
\??\c:\pfpvd.exec:\pfpvd.exe76⤵
-
\??\c:\vxfnrb.exec:\vxfnrb.exe77⤵
-
\??\c:\dpbppv.exec:\dpbppv.exe78⤵
-
\??\c:\vdppll.exec:\vdppll.exe79⤵
-
\??\c:\jllbfjn.exec:\jllbfjn.exe80⤵
-
\??\c:\fpvfpxh.exec:\fpvfpxh.exe81⤵
-
\??\c:\jpxtj.exec:\jpxtj.exe82⤵
-
\??\c:\jbrfrdb.exec:\jbrfrdb.exe83⤵
-
\??\c:\hjdbd.exec:\hjdbd.exe84⤵
-
\??\c:\djtrrvx.exec:\djtrrvx.exe85⤵
-
\??\c:\bthln.exec:\bthln.exe86⤵
-
\??\c:\hxlvx.exec:\hxlvx.exe87⤵
-
\??\c:\htpjnpf.exec:\htpjnpf.exe88⤵
-
\??\c:\rrfvdv.exec:\rrfvdv.exe89⤵
-
\??\c:\bnxlvp.exec:\bnxlvp.exe90⤵
-
\??\c:\bvdplh.exec:\bvdplh.exe91⤵
-
\??\c:\npxfxpb.exec:\npxfxpb.exe92⤵
-
\??\c:\dprhlf.exec:\dprhlf.exe93⤵
-
\??\c:\txprdp.exec:\txprdp.exe94⤵
-
\??\c:\bttjnv.exec:\bttjnv.exe95⤵
-
\??\c:\hvftvft.exec:\hvftvft.exe96⤵
-
\??\c:\drpbrfv.exec:\drpbrfv.exe97⤵
-
\??\c:\jphbvnl.exec:\jphbvnl.exe98⤵
-
\??\c:\jxbnjjh.exec:\jxbnjjh.exe99⤵
-
\??\c:\xrnhlrl.exec:\xrnhlrl.exe100⤵
-
\??\c:\xbnntd.exec:\xbnntd.exe101⤵
-
\??\c:\vxxrpf.exec:\vxxrpf.exe102⤵
-
\??\c:\vfbth.exec:\vfbth.exe103⤵
-
\??\c:\djnrjj.exec:\djnrjj.exe104⤵
-
\??\c:\jhddbt.exec:\jhddbt.exe105⤵
-
\??\c:\jnhjnr.exec:\jnhjnr.exe106⤵
-
\??\c:\nbfbl.exec:\nbfbl.exe107⤵
-
\??\c:\fpxhl.exec:\fpxhl.exe108⤵
-
\??\c:\hdbbvr.exec:\hdbbvr.exe109⤵
-
\??\c:\jhrxhd.exec:\jhrxhd.exe110⤵
-
\??\c:\fhpfbvl.exec:\fhpfbvl.exe111⤵
-
\??\c:\bbxvj.exec:\bbxvj.exe112⤵
-
\??\c:\bhftvlb.exec:\bhftvlb.exe113⤵
-
\??\c:\hfbfvbr.exec:\hfbfvbr.exe114⤵
-
\??\c:\hxvpbrx.exec:\hxvpbrx.exe115⤵
-
\??\c:\bdnrp.exec:\bdnrp.exe116⤵
-
\??\c:\dxjdpt.exec:\dxjdpt.exe117⤵
-
\??\c:\drlxphh.exec:\drlxphh.exe118⤵
-
\??\c:\pntxdxf.exec:\pntxdxf.exe119⤵
-
\??\c:\ljptdb.exec:\ljptdb.exe120⤵
-
\??\c:\xxddh.exec:\xxddh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-