Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
20/05/2024, 21:30
General
-
Target
3ee111342e2fb553aaf13f4951e55100957189c12fd74528ba0d68426b9021dd.exe
-
Size
54KB
-
MD5
9b0f28af14e89f1fdfd7002c175f185c
-
SHA1
713dfbfc00953464f34337976e79c899a591092f
-
SHA256
3ee111342e2fb553aaf13f4951e55100957189c12fd74528ba0d68426b9021dd
-
SHA512
8295cae3911d7a702814421fd7ec12c089028ab212a5068a9ec4f0f842776559349d9e2ce6a1f738c4081829baf016d1650e3c18a9f98e6d044a81805445c117
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIFPl:ymb3NkkiQ3mdBjFIFPl
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
UPX dump on OEP (original entry point) 31 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ee111342e2fb553aaf13f4951e55100957189c12fd74528ba0d68426b9021dd.exe"C:\Users\Admin\AppData\Local\Temp\3ee111342e2fb553aaf13f4951e55100957189c12fd74528ba0d68426b9021dd.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\tdxntdh.exec:\tdxntdh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fnjptp.exec:\fnjptp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfllnt.exec:\rfllnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bvhftx.exec:\bvhftx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pftbfl.exec:\pftbfl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pplhbxr.exec:\pplhbxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bdfbvhn.exec:\bdfbvhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lvdxbl.exec:\lvdxbl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fhhlh.exec:\fhhlh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tppvnpx.exec:\tppvnpx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vlnnfn.exec:\vlnnfn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xnxhdp.exec:\xnxhdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dbpjnrn.exec:\dbpjnrn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jhtbjp.exec:\jhtbjp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lftxfpb.exec:\lftxfpb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xhndr.exec:\xhndr.exe17⤵
- Executes dropped EXE
-
\??\c:\ftrtpb.exec:\ftrtpb.exe18⤵
- Executes dropped EXE
-
\??\c:\nxbtrd.exec:\nxbtrd.exe19⤵
- Executes dropped EXE
-
\??\c:\xlbpfpl.exec:\xlbpfpl.exe20⤵
- Executes dropped EXE
-
\??\c:\dfrtbnd.exec:\dfrtbnd.exe21⤵
- Executes dropped EXE
-
\??\c:\htfnpn.exec:\htfnpn.exe22⤵
- Executes dropped EXE
-
\??\c:\nbtntx.exec:\nbtntx.exe23⤵
- Executes dropped EXE
-
\??\c:\drptxn.exec:\drptxn.exe24⤵
- Executes dropped EXE
-
\??\c:\lxtfp.exec:\lxtfp.exe25⤵
- Executes dropped EXE
-
\??\c:\bphvl.exec:\bphvl.exe26⤵
- Executes dropped EXE
-
\??\c:\jrhnvt.exec:\jrhnvt.exe27⤵
- Executes dropped EXE
-
\??\c:\xdrhfh.exec:\xdrhfh.exe28⤵
- Executes dropped EXE
-
\??\c:\jbnbdvv.exec:\jbnbdvv.exe29⤵
- Executes dropped EXE
-
\??\c:\xpjbrl.exec:\xpjbrl.exe30⤵
- Executes dropped EXE
-
\??\c:\vntbvn.exec:\vntbvn.exe31⤵
- Executes dropped EXE
-
\??\c:\nptpxtt.exec:\nptpxtt.exe32⤵
- Executes dropped EXE
-
\??\c:\jdlplt.exec:\jdlplt.exe33⤵
- Executes dropped EXE
-
\??\c:\bvbdr.exec:\bvbdr.exe34⤵
- Executes dropped EXE
-
\??\c:\vrvrh.exec:\vrvrh.exe35⤵
- Executes dropped EXE
-
\??\c:\fbhjd.exec:\fbhjd.exe36⤵
- Executes dropped EXE
-
\??\c:\txxdvl.exec:\txxdvl.exe37⤵
- Executes dropped EXE
-
\??\c:\ntvtx.exec:\ntvtx.exe38⤵
- Executes dropped EXE
-
\??\c:\fhplrp.exec:\fhplrp.exe39⤵
- Executes dropped EXE
-
\??\c:\fljfp.exec:\fljfp.exe40⤵
- Executes dropped EXE
-
\??\c:\dbrtnrf.exec:\dbrtnrf.exe41⤵
- Executes dropped EXE
-
\??\c:\drdxxvb.exec:\drdxxvb.exe42⤵
- Executes dropped EXE
-
\??\c:\ltdxpfr.exec:\ltdxpfr.exe43⤵
- Executes dropped EXE
-
\??\c:\brldv.exec:\brldv.exe44⤵
- Executes dropped EXE
-
\??\c:\vbhdhhj.exec:\vbhdhhj.exe45⤵
- Executes dropped EXE
-
\??\c:\hjxbbb.exec:\hjxbbb.exe46⤵
- Executes dropped EXE
-
\??\c:\llrnfpj.exec:\llrnfpj.exe47⤵
- Executes dropped EXE
-
\??\c:\rxrvnl.exec:\rxrvnl.exe48⤵
- Executes dropped EXE
-
\??\c:\xxrdjlt.exec:\xxrdjlt.exe49⤵
- Executes dropped EXE
-
\??\c:\tvdhdv.exec:\tvdhdv.exe50⤵
- Executes dropped EXE
-
\??\c:\rhjhvlp.exec:\rhjhvlp.exe51⤵
- Executes dropped EXE
-
\??\c:\jpljv.exec:\jpljv.exe52⤵
- Executes dropped EXE
-
\??\c:\pphjtf.exec:\pphjtf.exe53⤵
- Executes dropped EXE
-
\??\c:\pbxddhl.exec:\pbxddhl.exe54⤵
- Executes dropped EXE
-
\??\c:\bflvtxl.exec:\bflvtxl.exe55⤵
- Executes dropped EXE
-
\??\c:\jbrfjf.exec:\jbrfjf.exe56⤵
- Executes dropped EXE
-
\??\c:\rlflrhp.exec:\rlflrhp.exe57⤵
- Executes dropped EXE
-
\??\c:\vbjtnln.exec:\vbjtnln.exe58⤵
- Executes dropped EXE
-
\??\c:\bxpxxxh.exec:\bxpxxxh.exe59⤵
- Executes dropped EXE
-
\??\c:\hxlvj.exec:\hxlvj.exe60⤵
- Executes dropped EXE
-
\??\c:\tphjr.exec:\tphjr.exe61⤵
- Executes dropped EXE
-
\??\c:\pfbbfj.exec:\pfbbfj.exe62⤵
- Executes dropped EXE
-
\??\c:\vjtdrvb.exec:\vjtdrvb.exe63⤵
- Executes dropped EXE
-
\??\c:\fxblxj.exec:\fxblxj.exe64⤵
- Executes dropped EXE
-
\??\c:\dptfvv.exec:\dptfvv.exe65⤵
- Executes dropped EXE
-
\??\c:\vxvtthj.exec:\vxvtthj.exe66⤵
-
\??\c:\tjndfl.exec:\tjndfl.exe67⤵
-
\??\c:\vprhfr.exec:\vprhfr.exe68⤵
-
\??\c:\lrvlxr.exec:\lrvlxr.exe69⤵
-
\??\c:\xljvvhd.exec:\xljvvhd.exe70⤵
-
\??\c:\lrhtfh.exec:\lrhtfh.exe71⤵
-
\??\c:\rjpjpvp.exec:\rjpjpvp.exe72⤵
-
\??\c:\bxxbj.exec:\bxxbj.exe73⤵
-
\??\c:\pvlfr.exec:\pvlfr.exe74⤵
-
\??\c:\txpfjd.exec:\txpfjd.exe75⤵
-
\??\c:\rftvpvd.exec:\rftvpvd.exe76⤵
-
\??\c:\fdxfljf.exec:\fdxfljf.exe77⤵
-
\??\c:\rvhpdh.exec:\rvhpdh.exe78⤵
-
\??\c:\xnhfhnx.exec:\xnhfhnx.exe79⤵
-
\??\c:\bxbdbj.exec:\bxbdbj.exe80⤵
-
\??\c:\pdrhh.exec:\pdrhh.exe81⤵
-
\??\c:\vpfrdnx.exec:\vpfrdnx.exe82⤵
-
\??\c:\prplj.exec:\prplj.exe83⤵
-
\??\c:\vvljvpj.exec:\vvljvpj.exe84⤵
-
\??\c:\dbbhpf.exec:\dbbhpf.exe85⤵
-
\??\c:\jbddbxf.exec:\jbddbxf.exe86⤵
-
\??\c:\pdpflp.exec:\pdpflp.exe87⤵
-
\??\c:\pdhhndj.exec:\pdhhndj.exe88⤵
-
\??\c:\xhbtr.exec:\xhbtr.exe89⤵
-
\??\c:\nrpvf.exec:\nrpvf.exe90⤵
-
\??\c:\dlplb.exec:\dlplb.exe91⤵
-
\??\c:\jtfvrh.exec:\jtfvrh.exe92⤵
-
\??\c:\dxjhrfp.exec:\dxjhrfp.exe93⤵
-
\??\c:\tdlxd.exec:\tdlxd.exe94⤵
-
\??\c:\bpxpff.exec:\bpxpff.exe95⤵
-
\??\c:\jjltlh.exec:\jjltlh.exe96⤵
-
\??\c:\vvbtnv.exec:\vvbtnv.exe97⤵
-
\??\c:\rrtllj.exec:\rrtllj.exe98⤵
-
\??\c:\nrnvv.exec:\nrnvv.exe99⤵
-
\??\c:\vvpxnhr.exec:\vvpxnhr.exe100⤵
-
\??\c:\fffpxvf.exec:\fffpxvf.exe101⤵
-
\??\c:\nxtfxpl.exec:\nxtfxpl.exe102⤵
-
\??\c:\vlprxnh.exec:\vlprxnh.exe103⤵
-
\??\c:\bntlv.exec:\bntlv.exe104⤵
-
\??\c:\dhtjvtp.exec:\dhtjvtp.exe105⤵
-
\??\c:\thhrld.exec:\thhrld.exe106⤵
-
\??\c:\djpbv.exec:\djpbv.exe107⤵
-
\??\c:\fdjvlj.exec:\fdjvlj.exe108⤵
-
\??\c:\nbttptf.exec:\nbttptf.exe109⤵
-
\??\c:\htpfpb.exec:\htpfpb.exe110⤵
-
\??\c:\ftrplfl.exec:\ftrplfl.exe111⤵
-
\??\c:\xdlbnrp.exec:\xdlbnrp.exe112⤵
-
\??\c:\nfjvdd.exec:\nfjvdd.exe113⤵
-
\??\c:\llprdr.exec:\llprdr.exe114⤵
-
\??\c:\dlrdf.exec:\dlrdf.exe115⤵
-
\??\c:\ptplxlv.exec:\ptplxlv.exe116⤵
-
\??\c:\jfplt.exec:\jfplt.exe117⤵
-
\??\c:\fxftr.exec:\fxftr.exe118⤵
-
\??\c:\lvftr.exec:\lvftr.exe119⤵
-
\??\c:\xhldtt.exec:\xhldtt.exe120⤵
-
\??\c:\lthhd.exec:\lthhd.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-