Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
20/05/2024, 03:34
General
-
Target
dbf04b99da3490327b583b18dc7f295cf027b6876cd2c2305b00a484e8359a82.exe
-
Size
345KB
-
MD5
190831908333df1dbde6f87601ea90b6
-
SHA1
7ce05d6cc63a19b512521e1515417ff3e7c4d214
-
SHA256
dbf04b99da3490327b583b18dc7f295cf027b6876cd2c2305b00a484e8359a82
-
SHA512
8d1887df78b9c083d13403fee900ae0f118f5067fc7902bd92c2a860917d0d261724a4e34b81cb225296cc80db6b6cd17d5fa3d51130c862c802ac78fcb04e0a
-
SSDEEP
6144:n3C9BRo/AIX2MUXownfWQkyCpxwJz9e0pQowLh3EhToK9cT085mnFhXjmnwJQyIl:n3C9uDnUXoSWlnwJv90aKToFqwfIBL
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
UPX dump on OEP (original entry point) 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dbf04b99da3490327b583b18dc7f295cf027b6876cd2c2305b00a484e8359a82.exe"C:\Users\Admin\AppData\Local\Temp\dbf04b99da3490327b583b18dc7f295cf027b6876cd2c2305b00a484e8359a82.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\pdppd.exec:\pdppd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxrllff.exec:\rxrllff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9hnbht.exec:\9hnbht.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5pddv.exec:\5pddv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9rlxrrl.exec:\9rlxrrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frrxrlf.exec:\frrxrlf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvdpd.exec:\vvdpd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlfffxx.exec:\xlfffxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjjjj.exec:\vjjjj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxrrxx.exec:\xrxrrxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3jjvp.exec:\3jjvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbtbb.exec:\tnbtbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxrrrr.exec:\lfxrrrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bntnnn.exec:\bntnnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rflfffx.exec:\rflfffx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1tntth.exec:\1tntth.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrlxllx.exec:\xrlxllx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvdpd.exec:\vvdpd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1xllrxr.exec:\1xllrxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxlflll.exec:\fxlflll.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvpv.exec:\jdvpv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxxfrl.exec:\xlxxfrl.exe23⤵
- Executes dropped EXE
-
\??\c:\hhnhnt.exec:\hhnhnt.exe24⤵
- Executes dropped EXE
-
\??\c:\jpvvv.exec:\jpvvv.exe25⤵
- Executes dropped EXE
-
\??\c:\lfrfrrx.exec:\lfrfrrx.exe26⤵
- Executes dropped EXE
-
\??\c:\httnhn.exec:\httnhn.exe27⤵
- Executes dropped EXE
-
\??\c:\rrlfxxf.exec:\rrlfxxf.exe28⤵
- Executes dropped EXE
-
\??\c:\llllfff.exec:\llllfff.exe29⤵
- Executes dropped EXE
-
\??\c:\fxxxrrr.exec:\fxxxrrr.exe30⤵
- Executes dropped EXE
-
\??\c:\vjjdv.exec:\vjjdv.exe31⤵
- Executes dropped EXE
-
\??\c:\djjpp.exec:\djjpp.exe32⤵
- Executes dropped EXE
-
\??\c:\xrxrlxr.exec:\xrxrlxr.exe33⤵
- Executes dropped EXE
-
\??\c:\bthbtb.exec:\bthbtb.exe34⤵
- Executes dropped EXE
-
\??\c:\1vdpj.exec:\1vdpj.exe35⤵
- Executes dropped EXE
-
\??\c:\xffxrff.exec:\xffxrff.exe36⤵
- Executes dropped EXE
-
\??\c:\fxxrlll.exec:\fxxrlll.exe37⤵
- Executes dropped EXE
-
\??\c:\btthnb.exec:\btthnb.exe38⤵
- Executes dropped EXE
-
\??\c:\pdjdv.exec:\pdjdv.exe39⤵
- Executes dropped EXE
-
\??\c:\frflfxr.exec:\frflfxr.exe40⤵
- Executes dropped EXE
-
\??\c:\lfrlffx.exec:\lfrlffx.exe41⤵
- Executes dropped EXE
-
\??\c:\bhhhbt.exec:\bhhhbt.exe42⤵
- Executes dropped EXE
-
\??\c:\jvvdv.exec:\jvvdv.exe43⤵
- Executes dropped EXE
-
\??\c:\9fffxxr.exec:\9fffxxr.exe44⤵
- Executes dropped EXE
-
\??\c:\tbnnht.exec:\tbnnht.exe45⤵
- Executes dropped EXE
-
\??\c:\vpvvv.exec:\vpvvv.exe46⤵
- Executes dropped EXE
-
\??\c:\pjvpd.exec:\pjvpd.exe47⤵
- Executes dropped EXE
-
\??\c:\5lfxlrf.exec:\5lfxlrf.exe48⤵
- Executes dropped EXE
-
\??\c:\5bbbtt.exec:\5bbbtt.exe49⤵
- Executes dropped EXE
-
\??\c:\btnbnh.exec:\btnbnh.exe50⤵
- Executes dropped EXE
-
\??\c:\3pvpp.exec:\3pvpp.exe51⤵
- Executes dropped EXE
-
\??\c:\lrfrffx.exec:\lrfrffx.exe52⤵
- Executes dropped EXE
-
\??\c:\rfxrlfx.exec:\rfxrlfx.exe53⤵
- Executes dropped EXE
-
\??\c:\bnnhhh.exec:\bnnhhh.exe54⤵
- Executes dropped EXE
-
\??\c:\vjvjj.exec:\vjvjj.exe55⤵
- Executes dropped EXE
-
\??\c:\jvdpj.exec:\jvdpj.exe56⤵
- Executes dropped EXE
-
\??\c:\xrlrlrr.exec:\xrlrlrr.exe57⤵
- Executes dropped EXE
-
\??\c:\7ntnhh.exec:\7ntnhh.exe58⤵
- Executes dropped EXE
-
\??\c:\jppjd.exec:\jppjd.exe59⤵
- Executes dropped EXE
-
\??\c:\7lrlfll.exec:\7lrlfll.exe60⤵
- Executes dropped EXE
-
\??\c:\lfllrxx.exec:\lfllrxx.exe61⤵
- Executes dropped EXE
-
\??\c:\bhnnnt.exec:\bhnnnt.exe62⤵
- Executes dropped EXE
-
\??\c:\jdjdv.exec:\jdjdv.exe63⤵
- Executes dropped EXE
-
\??\c:\rlrlffx.exec:\rlrlffx.exe64⤵
- Executes dropped EXE
-
\??\c:\htbbtt.exec:\htbbtt.exe65⤵
- Executes dropped EXE
-
\??\c:\jdddv.exec:\jdddv.exe66⤵
-
\??\c:\jdjjd.exec:\jdjjd.exe67⤵
-
\??\c:\fffxxxr.exec:\fffxxxr.exe68⤵
-
\??\c:\nbnnnn.exec:\nbnnnn.exe69⤵
-
\??\c:\vpdvp.exec:\vpdvp.exe70⤵
-
\??\c:\vvvvd.exec:\vvvvd.exe71⤵
-
\??\c:\fxlfxrf.exec:\fxlfxrf.exe72⤵
-
\??\c:\nbhhbn.exec:\nbhhbn.exe73⤵
-
\??\c:\9dvpp.exec:\9dvpp.exe74⤵
-
\??\c:\fllfrrf.exec:\fllfrrf.exe75⤵
-
\??\c:\llrlffx.exec:\llrlffx.exe76⤵
-
\??\c:\hbtnhb.exec:\hbtnhb.exe77⤵
-
\??\c:\pvvpp.exec:\pvvpp.exe78⤵
-
\??\c:\xffxrll.exec:\xffxrll.exe79⤵
-
\??\c:\ttnhnn.exec:\ttnhnn.exe80⤵
-
\??\c:\ddvpd.exec:\ddvpd.exe81⤵
-
\??\c:\rlllffx.exec:\rlllffx.exe82⤵
-
\??\c:\ntbttt.exec:\ntbttt.exe83⤵
-
\??\c:\7ppdv.exec:\7ppdv.exe84⤵
-
\??\c:\vvddd.exec:\vvddd.exe85⤵
-
\??\c:\1xrllrr.exec:\1xrllrr.exe86⤵
-
\??\c:\nnttnh.exec:\nnttnh.exe87⤵
-
\??\c:\3bbthh.exec:\3bbthh.exe88⤵
-
\??\c:\vvvpp.exec:\vvvpp.exe89⤵
-
\??\c:\xxfxrll.exec:\xxfxrll.exe90⤵
-
\??\c:\7xxfrfl.exec:\7xxfrfl.exe91⤵
-
\??\c:\5ttnhn.exec:\5ttnhn.exe92⤵
-
\??\c:\5jdjp.exec:\5jdjp.exe93⤵
-
\??\c:\3llfxxr.exec:\3llfxxr.exe94⤵
-
\??\c:\xflfrlr.exec:\xflfrlr.exe95⤵
-
\??\c:\9nnbbb.exec:\9nnbbb.exe96⤵
-
\??\c:\jpvvv.exec:\jpvvv.exe97⤵
-
\??\c:\vppdv.exec:\vppdv.exe98⤵
-
\??\c:\lrfxfrl.exec:\lrfxfrl.exe99⤵
-
\??\c:\7bthnb.exec:\7bthnb.exe100⤵
-
\??\c:\3tbtnh.exec:\3tbtnh.exe101⤵
-
\??\c:\fxflxxr.exec:\fxflxxr.exe102⤵
-
\??\c:\xfffffx.exec:\xfffffx.exe103⤵
-
\??\c:\bnbbtt.exec:\bnbbtt.exe104⤵
-
\??\c:\vvpjv.exec:\vvpjv.exe105⤵
-
\??\c:\5jdpp.exec:\5jdpp.exe106⤵
-
\??\c:\lrxrffr.exec:\lrxrffr.exe107⤵
-
\??\c:\thnhbb.exec:\thnhbb.exe108⤵
-
\??\c:\nhhbtt.exec:\nhhbtt.exe109⤵
-
\??\c:\vdpdj.exec:\vdpdj.exe110⤵
-
\??\c:\jvpdv.exec:\jvpdv.exe111⤵
-
\??\c:\xlrlrxf.exec:\xlrlrxf.exe112⤵
-
\??\c:\hntnhb.exec:\hntnhb.exe113⤵
-
\??\c:\7ntnnn.exec:\7ntnnn.exe114⤵
-
\??\c:\jvvpj.exec:\jvvpj.exe115⤵
-
\??\c:\rflfxfx.exec:\rflfxfx.exe116⤵
-
\??\c:\xlxrrll.exec:\xlxrrll.exe117⤵
-
\??\c:\hbbthh.exec:\hbbthh.exe118⤵
-
\??\c:\dvjjp.exec:\dvjjp.exe119⤵
-
\??\c:\7jppv.exec:\7jppv.exe120⤵
-
\??\c:\5llfxxr.exec:\5llfxxr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-