Analysis
-
max time kernel
150s -
max time network
132s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
19-05-2024 10:45
General
-
Target
7e819bbfcd868a05aa4ba90b1c1ed904739c7360865eb27c1414e80ea808b501.exe
-
Size
169KB
-
MD5
d002865618db61a4b2c7216615c0ed80
-
SHA1
aa6442723c8aac153b9dcdf6b9d0315ab1e703f6
-
SHA256
7e819bbfcd868a05aa4ba90b1c1ed904739c7360865eb27c1414e80ea808b501
-
SHA512
20b224a316fd1af22280c02de25ddb2656a7e511fc679669a53b1452dc6b636493d05516964469fdaa90b9c127d66be34c4c8c5f4030100d429cd8c87592ac8c
-
SSDEEP
1536:HvQBeOGtrYS3srx93UBWfwC6Ggnouy8CUYj7FK4O8A1o4XEc3YtxD8/Ai2L:HhOmTsF93UYfwC6GIoutX8Ki3c3YT8VU
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 33 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\7e819bbfcd868a05aa4ba90b1c1ed904739c7360865eb27c1414e80ea808b501.exe"C:\Users\Admin\AppData\Local\Temp\7e819bbfcd868a05aa4ba90b1c1ed904739c7360865eb27c1414e80ea808b501.exe"2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7e819bbfcd868a05aa4ba90b1c1ed904739c7360865eb27c1414e80ea808b501.exe"C:\Users\Admin\AppData\Local\Temp\7e819bbfcd868a05aa4ba90b1c1ed904739c7360865eb27c1414e80ea808b501.exe"3⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\hbttbh.exec:\hbttbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pppjj.exec:\pppjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxrxxlx.exec:\xxrxxlx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhhhn.exec:\hbhhhn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5jdpv.exec:\5jdpv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxfrrf.exec:\lfxfrrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbhbtb.exec:\tbhbtb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bttbnt.exec:\bttbnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jddjv.exec:\jddjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhnttb.exec:\nhnttb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7hbbnt.exec:\7hbbnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvdjv.exec:\dvdjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7fflrrl.exec:\7fflrrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnbhbn.exec:\bnbhbn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjjd.exec:\jdjjd.exe18⤵
- Executes dropped EXE
-
\??\c:\3rffllr.exec:\3rffllr.exe19⤵
- Executes dropped EXE
-
\??\c:\7nbnbb.exec:\7nbnbb.exe20⤵
- Executes dropped EXE
-
\??\c:\vvpvd.exec:\vvpvd.exe21⤵
- Executes dropped EXE
-
\??\c:\7fxlllf.exec:\7fxlllf.exe22⤵
- Executes dropped EXE
-
\??\c:\1nbtbh.exec:\1nbtbh.exe23⤵
- Executes dropped EXE
-
\??\c:\jvppd.exec:\jvppd.exe24⤵
- Executes dropped EXE
-
\??\c:\vdpvd.exec:\vdpvd.exe25⤵
- Executes dropped EXE
-
\??\c:\lffrflx.exec:\lffrflx.exe26⤵
- Executes dropped EXE
-
\??\c:\3bbthh.exec:\3bbthh.exe27⤵
- Executes dropped EXE
-
\??\c:\dvdjp.exec:\dvdjp.exe28⤵
- Executes dropped EXE
-
\??\c:\llxlfrx.exec:\llxlfrx.exe29⤵
- Executes dropped EXE
-
\??\c:\bhtbhb.exec:\bhtbhb.exe30⤵
- Executes dropped EXE
-
\??\c:\ddjjd.exec:\ddjjd.exe31⤵
- Executes dropped EXE
-
\??\c:\jdvjj.exec:\jdvjj.exe32⤵
- Executes dropped EXE
-
\??\c:\fxrxflr.exec:\fxrxflr.exe33⤵
- Executes dropped EXE
-
\??\c:\hbthtb.exec:\hbthtb.exe34⤵
- Executes dropped EXE
-
\??\c:\vdjpv.exec:\vdjpv.exe35⤵
- Executes dropped EXE
-
\??\c:\lxlrxrf.exec:\lxlrxrf.exe36⤵
- Executes dropped EXE
-
\??\c:\1tbnnt.exec:\1tbnnt.exe37⤵
- Executes dropped EXE
-
\??\c:\tnbhbh.exec:\tnbhbh.exe38⤵
- Executes dropped EXE
-
\??\c:\dvvvd.exec:\dvvvd.exe39⤵
- Executes dropped EXE
-
\??\c:\xlllrxf.exec:\xlllrxf.exe40⤵
- Executes dropped EXE
-
\??\c:\nhtbbh.exec:\nhtbbh.exe41⤵
- Executes dropped EXE
-
\??\c:\thhbbb.exec:\thhbbb.exe42⤵
- Executes dropped EXE
-
\??\c:\7pdjv.exec:\7pdjv.exe43⤵
- Executes dropped EXE
-
\??\c:\3lflxlf.exec:\3lflxlf.exe44⤵
- Executes dropped EXE
-
\??\c:\lfrrflr.exec:\lfrrflr.exe45⤵
- Executes dropped EXE
-
\??\c:\bhnntn.exec:\bhnntn.exe46⤵
- Executes dropped EXE
-
\??\c:\pjdjv.exec:\pjdjv.exe47⤵
- Executes dropped EXE
-
\??\c:\flxxxxx.exec:\flxxxxx.exe48⤵
- Executes dropped EXE
-
\??\c:\rrflrll.exec:\rrflrll.exe49⤵
- Executes dropped EXE
-
\??\c:\5hntbn.exec:\5hntbn.exe50⤵
- Executes dropped EXE
-
\??\c:\dvjpj.exec:\dvjpj.exe51⤵
- Executes dropped EXE
-
\??\c:\7jvpv.exec:\7jvpv.exe52⤵
- Executes dropped EXE
-
\??\c:\1lfxxxl.exec:\1lfxxxl.exe53⤵
- Executes dropped EXE
-
\??\c:\lxxllll.exec:\lxxllll.exe54⤵
- Executes dropped EXE
-
\??\c:\1hbbbb.exec:\1hbbbb.exe55⤵
- Executes dropped EXE
-
\??\c:\3dvjj.exec:\3dvjj.exe56⤵
- Executes dropped EXE
-
\??\c:\jpjdp.exec:\jpjdp.exe57⤵
- Executes dropped EXE
-
\??\c:\lxfxrxf.exec:\lxfxrxf.exe58⤵
- Executes dropped EXE
-
\??\c:\tttntt.exec:\tttntt.exe59⤵
- Executes dropped EXE
-
\??\c:\7nhhtt.exec:\7nhhtt.exe60⤵
- Executes dropped EXE
-
\??\c:\jppjd.exec:\jppjd.exe61⤵
- Executes dropped EXE
-
\??\c:\rlflffl.exec:\rlflffl.exe62⤵
- Executes dropped EXE
-
\??\c:\bbntbn.exec:\bbntbn.exe63⤵
- Executes dropped EXE
-
\??\c:\nhnntt.exec:\nhnntt.exe64⤵
- Executes dropped EXE
-
\??\c:\vpjjp.exec:\vpjjp.exe65⤵
- Executes dropped EXE
-
\??\c:\1pddp.exec:\1pddp.exe66⤵
- Executes dropped EXE
-
\??\c:\rlffrff.exec:\rlffrff.exe67⤵
- Executes dropped EXE
-
\??\c:\fxllrrf.exec:\fxllrrf.exe68⤵
-
\??\c:\nbntbb.exec:\nbntbb.exe69⤵
-
\??\c:\vjjjd.exec:\vjjjd.exe70⤵
-
\??\c:\3vvpp.exec:\3vvpp.exe71⤵
-
\??\c:\xrxflrl.exec:\xrxflrl.exe72⤵
-
\??\c:\1nntbb.exec:\1nntbb.exe73⤵
-
\??\c:\bnhnbh.exec:\bnhnbh.exe74⤵
-
\??\c:\pvdvv.exec:\pvdvv.exe75⤵
-
\??\c:\frffrrx.exec:\frffrrx.exe76⤵
-
\??\c:\btbhnn.exec:\btbhnn.exe77⤵
-
\??\c:\thbbhh.exec:\thbbhh.exe78⤵
-
\??\c:\9dvjp.exec:\9dvjp.exe79⤵
-
\??\c:\frrlxrx.exec:\frrlxrx.exe80⤵
-
\??\c:\nhthhn.exec:\nhthhn.exe81⤵
-
\??\c:\tnhtnh.exec:\tnhtnh.exe82⤵
-
\??\c:\vvvdd.exec:\vvvdd.exe83⤵
-
\??\c:\jvvdj.exec:\jvvdj.exe84⤵
-
\??\c:\fxflrll.exec:\fxflrll.exe85⤵
-
\??\c:\xrffxxf.exec:\xrffxxf.exe86⤵
-
\??\c:\thntbh.exec:\thntbh.exe87⤵
-
\??\c:\1vppd.exec:\1vppd.exe88⤵
-
\??\c:\vdjjv.exec:\vdjjv.exe89⤵
-
\??\c:\fxlrflx.exec:\fxlrflx.exe90⤵
-
\??\c:\1htbbh.exec:\1htbbh.exe91⤵
-
\??\c:\nhnhbb.exec:\nhnhbb.exe92⤵
-
\??\c:\ddpvd.exec:\ddpvd.exe93⤵
-
\??\c:\lrllllr.exec:\lrllllr.exe94⤵
-
\??\c:\lxllflr.exec:\lxllflr.exe95⤵
-
\??\c:\hthnnb.exec:\hthnnb.exe96⤵
-
\??\c:\ddppd.exec:\ddppd.exe97⤵
-
\??\c:\jjdjv.exec:\jjdjv.exe98⤵
-
\??\c:\lfrfxfx.exec:\lfrfxfx.exe99⤵
-
\??\c:\rfrrfll.exec:\rfrrfll.exe100⤵
-
\??\c:\hbhnbh.exec:\hbhnbh.exe101⤵
-
\??\c:\dvddv.exec:\dvddv.exe102⤵
-
\??\c:\pjvvp.exec:\pjvvp.exe103⤵
-
\??\c:\3frrflr.exec:\3frrflr.exe104⤵
-
\??\c:\5nhnbh.exec:\5nhnbh.exe105⤵
-
\??\c:\tthntb.exec:\tthntb.exe106⤵
-
\??\c:\jdvdj.exec:\jdvdj.exe107⤵
-
\??\c:\dvvjd.exec:\dvvjd.exe108⤵
-
\??\c:\1flxffr.exec:\1flxffr.exe109⤵
-
\??\c:\lfxflrf.exec:\lfxflrf.exe110⤵
-
\??\c:\bttbnb.exec:\bttbnb.exe111⤵
-
\??\c:\7nhhnt.exec:\7nhhnt.exe112⤵
-
\??\c:\vvvpp.exec:\vvvpp.exe113⤵
-
\??\c:\lflrlrx.exec:\lflrlrx.exe114⤵
-
\??\c:\xrxllrl.exec:\xrxllrl.exe115⤵
-
\??\c:\thnbth.exec:\thnbth.exe116⤵
-
\??\c:\dvvvp.exec:\dvvvp.exe117⤵
-
\??\c:\rlfllrf.exec:\rlfllrf.exe118⤵
-
\??\c:\1flrfxf.exec:\1flrfxf.exe119⤵
-
\??\c:\3tbhnt.exec:\3tbhnt.exe120⤵
-
\??\c:\jpdpj.exec:\jpdpj.exe121⤵
-
\??\c:\jdvdp.exec:\jdvdp.exe122⤵
-
\??\c:\5fxfrxf.exec:\5fxfrxf.exe123⤵
-
\??\c:\hhbtnn.exec:\hhbtnn.exe124⤵
-
\??\c:\hhtbhn.exec:\hhtbhn.exe125⤵
-
\??\c:\jdpvd.exec:\jdpvd.exe126⤵
-
\??\c:\7vdjv.exec:\7vdjv.exe127⤵
-
\??\c:\xxrrflx.exec:\xxrrflx.exe128⤵
-
\??\c:\nhtbtb.exec:\nhtbtb.exe129⤵
-
\??\c:\1thnth.exec:\1thnth.exe130⤵
-
\??\c:\dvpdv.exec:\dvpdv.exe131⤵
-
\??\c:\jvjpd.exec:\jvjpd.exe132⤵
-
\??\c:\xfllffr.exec:\xfllffr.exe133⤵
-
\??\c:\5nhthn.exec:\5nhthn.exe134⤵
-
\??\c:\ntbbnt.exec:\ntbbnt.exe135⤵
-
\??\c:\5vpvd.exec:\5vpvd.exe136⤵
-
\??\c:\9vjpd.exec:\9vjpd.exe137⤵
-
\??\c:\frfflrx.exec:\frfflrx.exe138⤵
-
\??\c:\xrxrllx.exec:\xrxrllx.exe139⤵
-
\??\c:\tnbtnb.exec:\tnbtnb.exe140⤵
-
\??\c:\nhhbbn.exec:\nhhbbn.exe141⤵
-
\??\c:\3dvvv.exec:\3dvvv.exe142⤵
-
\??\c:\vjjpp.exec:\vjjpp.exe143⤵
-
\??\c:\frrxflr.exec:\frrxflr.exe144⤵
-
\??\c:\3frxflx.exec:\3frxflx.exe145⤵
-
\??\c:\hbnttt.exec:\hbnttt.exe146⤵
-
\??\c:\hthhhh.exec:\hthhhh.exe147⤵
-
\??\c:\dpjjp.exec:\dpjjp.exe148⤵
-
\??\c:\rlxxlfl.exec:\rlxxlfl.exe149⤵
-
\??\c:\1rlflfr.exec:\1rlflfr.exe150⤵
-
\??\c:\hbnnth.exec:\hbnnth.exe151⤵
-
\??\c:\1tnbhn.exec:\1tnbhn.exe152⤵
-
\??\c:\jdjjv.exec:\jdjjv.exe153⤵
-
\??\c:\xrlxlfr.exec:\xrlxlfr.exe154⤵
-
\??\c:\9xxxfxf.exec:\9xxxfxf.exe155⤵
-
\??\c:\htntbb.exec:\htntbb.exe156⤵
-
\??\c:\tnttnb.exec:\tnttnb.exe157⤵
-
\??\c:\vvvdv.exec:\vvvdv.exe158⤵
-
\??\c:\jvddp.exec:\jvddp.exe159⤵
-
\??\c:\lfxxrrf.exec:\lfxxrrf.exe160⤵
-
\??\c:\tnbbhh.exec:\tnbbhh.exe161⤵
-
\??\c:\tnbbhn.exec:\tnbbhn.exe162⤵
-
\??\c:\vjvvd.exec:\vjvvd.exe163⤵
-
\??\c:\rllxfrf.exec:\rllxfrf.exe164⤵
-
\??\c:\ffrlfrx.exec:\ffrlfrx.exe165⤵
-
\??\c:\tnhnbb.exec:\tnhnbb.exe166⤵
-
\??\c:\nhnntb.exec:\nhnntb.exe167⤵
-
\??\c:\pjdjv.exec:\pjdjv.exe168⤵
-
\??\c:\jdjpd.exec:\jdjpd.exe169⤵
-
\??\c:\rlflxxr.exec:\rlflxxr.exe170⤵
-
\??\c:\nbhnht.exec:\nbhnht.exe171⤵
-
\??\c:\tthhbh.exec:\tthhbh.exe172⤵
-
\??\c:\jdpvd.exec:\jdpvd.exe173⤵
-
\??\c:\5dvjv.exec:\5dvjv.exe174⤵
-
\??\c:\lfrllrx.exec:\lfrllrx.exe175⤵
-
\??\c:\nntthn.exec:\nntthn.exe176⤵
-
\??\c:\httbbb.exec:\httbbb.exe177⤵
-
\??\c:\jdpvj.exec:\jdpvj.exe178⤵
-
\??\c:\vjppj.exec:\vjppj.exe179⤵
-
\??\c:\7lxfrxl.exec:\7lxfrxl.exe180⤵
-
\??\c:\fxfxrxf.exec:\fxfxrxf.exe181⤵
-
\??\c:\5bbbnt.exec:\5bbbnt.exe182⤵
-
\??\c:\pjvpj.exec:\pjvpj.exe183⤵
-
\??\c:\3vjvv.exec:\3vjvv.exe184⤵
-
\??\c:\xlxxllf.exec:\xlxxllf.exe185⤵
-
\??\c:\xxfrlrf.exec:\xxfrlrf.exe186⤵
-
\??\c:\thttnn.exec:\thttnn.exe187⤵
-
\??\c:\1tnbnb.exec:\1tnbnb.exe188⤵
-
\??\c:\dvjvj.exec:\dvjvj.exe189⤵
-
\??\c:\3jjvj.exec:\3jjvj.exe190⤵
-
\??\c:\1fxlxfx.exec:\1fxlxfx.exe191⤵
-
\??\c:\btnhtt.exec:\btnhtt.exe192⤵
-
\??\c:\hbbnnn.exec:\hbbnnn.exe193⤵
-
\??\c:\3pjvd.exec:\3pjvd.exe194⤵
-
\??\c:\pddjp.exec:\pddjp.exe195⤵
-
\??\c:\xlrxffx.exec:\xlrxffx.exe196⤵
-
\??\c:\nhbhht.exec:\nhbhht.exe197⤵
-
\??\c:\9httbb.exec:\9httbb.exe198⤵
-
\??\c:\dvdjv.exec:\dvdjv.exe199⤵
-
\??\c:\1vdjv.exec:\1vdjv.exe200⤵
-
\??\c:\9xxfrxr.exec:\9xxfrxr.exe201⤵
-
\??\c:\rxxfrrr.exec:\rxxfrrr.exe202⤵
-
\??\c:\hhnntn.exec:\hhnntn.exe203⤵
-
\??\c:\dpdpj.exec:\dpdpj.exe204⤵
-
\??\c:\jjpvv.exec:\jjpvv.exe205⤵
-
\??\c:\7frrfxf.exec:\7frrfxf.exe206⤵
-
\??\c:\5xrrlrl.exec:\5xrrlrl.exe207⤵
-
\??\c:\nbhhbh.exec:\nbhhbh.exe208⤵
-
\??\c:\tbhnhh.exec:\tbhnhh.exe209⤵
-
\??\c:\jdpvd.exec:\jdpvd.exe210⤵
-
\??\c:\pjddv.exec:\pjddv.exe211⤵
-
\??\c:\xrlxlrf.exec:\xrlxlrf.exe212⤵
-
\??\c:\nhnnbb.exec:\nhnnbb.exe213⤵
-
\??\c:\hbtnhh.exec:\hbtnhh.exe214⤵
-
\??\c:\dvdpv.exec:\dvdpv.exe215⤵
-
\??\c:\5jdjv.exec:\5jdjv.exe216⤵
-
\??\c:\xxrffrf.exec:\xxrffrf.exe217⤵
-
\??\c:\9xxlxfr.exec:\9xxlxfr.exe218⤵
-
\??\c:\5hhhtb.exec:\5hhhtb.exe219⤵
-
\??\c:\tnhtbb.exec:\tnhtbb.exe220⤵
-
\??\c:\vpjvj.exec:\vpjvj.exe221⤵
-
\??\c:\3xxfxlr.exec:\3xxfxlr.exe222⤵
-
\??\c:\lffxxfl.exec:\lffxxfl.exe223⤵
-
\??\c:\rfrfrrx.exec:\rfrfrrx.exe224⤵
-
\??\c:\bnbhbb.exec:\bnbhbb.exe225⤵
-
\??\c:\3tntbb.exec:\3tntbb.exe226⤵
-
\??\c:\dvjvj.exec:\dvjvj.exe227⤵
-
\??\c:\dvvdj.exec:\dvvdj.exe228⤵
-
\??\c:\9llrffr.exec:\9llrffr.exe229⤵
-
\??\c:\llxfxfl.exec:\llxfxfl.exe230⤵
-
\??\c:\ttnnhh.exec:\ttnnhh.exe231⤵
-
\??\c:\1bhnnt.exec:\1bhnnt.exe232⤵
-
\??\c:\dvdpj.exec:\dvdpj.exe233⤵
-
\??\c:\fxffflr.exec:\fxffflr.exe234⤵
-
\??\c:\rffflrf.exec:\rffflrf.exe235⤵
-
\??\c:\nhtthn.exec:\nhtthn.exe236⤵
-
\??\c:\thnhhb.exec:\thnhhb.exe237⤵
-
\??\c:\ddjvj.exec:\ddjvj.exe238⤵
-
\??\c:\xflfrrl.exec:\xflfrrl.exe239⤵
-
\??\c:\rlxxffl.exec:\rlxxffl.exe240⤵
-
\??\c:\1thbnn.exec:\1thbnn.exe241⤵