Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
20/05/2024, 03:52
General
-
Target
e3c2408226b42557641f58b5b13798dd41aace3a4d9e9b64cd3554da0931fb38.exe
-
Size
63KB
-
MD5
ae610220bf3e55e861668d718ea60f7f
-
SHA1
aa3a18aaa60a5f1ed6d4505dc76fe51f74fe478b
-
SHA256
e3c2408226b42557641f58b5b13798dd41aace3a4d9e9b64cd3554da0931fb38
-
SHA512
ff92e7e2f45c98fd357fda166d5ed3ff1bb5d2174b9d547e715607c7b20239f1c7381d26e01cbe9c6ede82c64da65f4d28365d837bef13cbf4dbef7a5bcf5bc7
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIFdJULh127:ymb3NkkiQ3mdBjFIFdJmA
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 26 IoCs
-
UPX dump on OEP (original entry point) 28 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e3c2408226b42557641f58b5b13798dd41aace3a4d9e9b64cd3554da0931fb38.exe"C:\Users\Admin\AppData\Local\Temp\e3c2408226b42557641f58b5b13798dd41aace3a4d9e9b64cd3554da0931fb38.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\lfffrrx.exec:\lfffrrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnbnn.exec:\btnbnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3vvvp.exec:\3vvvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffflxxr.exec:\ffflxxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnnhh.exec:\ttnnhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvddv.exec:\dvddv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrlrxx.exec:\rlrlrxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvdvp.exec:\vvdvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llfxlxr.exec:\llfxlxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhhttb.exec:\nhhttb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffxrflr.exec:\ffxrflr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nntnnt.exec:\nntnnt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpvvv.exec:\jpvvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrfrflf.exec:\rrfrflf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvjd.exec:\ddvjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frrrxlx.exec:\frrrxlx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5hhttn.exec:\5hhttn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrxlrxr.exec:\lrxlrxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrfxxxf.exec:\rrfxxxf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntthbn.exec:\ntthbn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjpjv.exec:\pjpjv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxrxxl.exec:\lxxrxxl.exe23⤵
- Executes dropped EXE
-
\??\c:\thhtnh.exec:\thhtnh.exe24⤵
- Executes dropped EXE
-
\??\c:\djjjj.exec:\djjjj.exe25⤵
- Executes dropped EXE
-
\??\c:\1tbhtn.exec:\1tbhtn.exe26⤵
- Executes dropped EXE
-
\??\c:\9jvpd.exec:\9jvpd.exe27⤵
- Executes dropped EXE
-
\??\c:\llxxxrr.exec:\llxxxrr.exe28⤵
- Executes dropped EXE
-
\??\c:\tnttnn.exec:\tnttnn.exe29⤵
- Executes dropped EXE
-
\??\c:\jdpjj.exec:\jdpjj.exe30⤵
- Executes dropped EXE
-
\??\c:\rllxrlx.exec:\rllxrlx.exe31⤵
- Executes dropped EXE
-
\??\c:\jpvdj.exec:\jpvdj.exe32⤵
- Executes dropped EXE
-
\??\c:\xrxrlrr.exec:\xrxrlrr.exe33⤵
- Executes dropped EXE
-
\??\c:\5btbhn.exec:\5btbhn.exe34⤵
- Executes dropped EXE
-
\??\c:\nnhbbb.exec:\nnhbbb.exe35⤵
- Executes dropped EXE
-
\??\c:\vvvpv.exec:\vvvpv.exe36⤵
- Executes dropped EXE
-
\??\c:\xrffxfr.exec:\xrffxfr.exe37⤵
- Executes dropped EXE
-
\??\c:\rrrxlfr.exec:\rrrxlfr.exe38⤵
- Executes dropped EXE
-
\??\c:\nnnhhb.exec:\nnnhhb.exe39⤵
- Executes dropped EXE
-
\??\c:\7jpdj.exec:\7jpdj.exe40⤵
- Executes dropped EXE
-
\??\c:\tnthtb.exec:\tnthtb.exe41⤵
- Executes dropped EXE
-
\??\c:\pdppp.exec:\pdppp.exe42⤵
- Executes dropped EXE
-
\??\c:\jjjjd.exec:\jjjjd.exe43⤵
- Executes dropped EXE
-
\??\c:\xrxxrlf.exec:\xrxxrlf.exe44⤵
- Executes dropped EXE
-
\??\c:\nnhttt.exec:\nnhttt.exe45⤵
- Executes dropped EXE
-
\??\c:\jpvvj.exec:\jpvvj.exe46⤵
- Executes dropped EXE
-
\??\c:\9rfrfxl.exec:\9rfrfxl.exe47⤵
- Executes dropped EXE
-
\??\c:\xlfrfxl.exec:\xlfrfxl.exe48⤵
- Executes dropped EXE
-
\??\c:\btthnt.exec:\btthnt.exe49⤵
- Executes dropped EXE
-
\??\c:\pdjjj.exec:\pdjjj.exe50⤵
- Executes dropped EXE
-
\??\c:\rxfxxll.exec:\rxfxxll.exe51⤵
- Executes dropped EXE
-
\??\c:\btnnnh.exec:\btnnnh.exe52⤵
- Executes dropped EXE
-
\??\c:\ttbttt.exec:\ttbttt.exe53⤵
- Executes dropped EXE
-
\??\c:\pvvpp.exec:\pvvpp.exe54⤵
- Executes dropped EXE
-
\??\c:\rrlfxrl.exec:\rrlfxrl.exe55⤵
- Executes dropped EXE
-
\??\c:\bhtbbh.exec:\bhtbbh.exe56⤵
- Executes dropped EXE
-
\??\c:\nhnhhh.exec:\nhnhhh.exe57⤵
- Executes dropped EXE
-
\??\c:\jjpjd.exec:\jjpjd.exe58⤵
- Executes dropped EXE
-
\??\c:\xxffxrl.exec:\xxffxrl.exe59⤵
- Executes dropped EXE
-
\??\c:\7nnhhh.exec:\7nnhhh.exe60⤵
- Executes dropped EXE
-
\??\c:\ppvpv.exec:\ppvpv.exe61⤵
- Executes dropped EXE
-
\??\c:\7vdjd.exec:\7vdjd.exe62⤵
- Executes dropped EXE
-
\??\c:\fxlllrr.exec:\fxlllrr.exe63⤵
- Executes dropped EXE
-
\??\c:\ttthhb.exec:\ttthhb.exe64⤵
- Executes dropped EXE
-
\??\c:\nbbthh.exec:\nbbthh.exe65⤵
- Executes dropped EXE
-
\??\c:\lrrrffx.exec:\lrrrffx.exe66⤵
-
\??\c:\rlfxflx.exec:\rlfxflx.exe67⤵
-
\??\c:\hhtbnh.exec:\hhtbnh.exe68⤵
-
\??\c:\9pjdj.exec:\9pjdj.exe69⤵
-
\??\c:\fxfrflf.exec:\fxfrflf.exe70⤵
-
\??\c:\thhhth.exec:\thhhth.exe71⤵
-
\??\c:\jppvj.exec:\jppvj.exe72⤵
-
\??\c:\rfrxffl.exec:\rfrxffl.exe73⤵
-
\??\c:\xfrrflr.exec:\xfrrflr.exe74⤵
-
\??\c:\hnbttt.exec:\hnbttt.exe75⤵
-
\??\c:\jddpp.exec:\jddpp.exe76⤵
-
\??\c:\lxrxffx.exec:\lxrxffx.exe77⤵
-
\??\c:\fxxlxlr.exec:\fxxlxlr.exe78⤵
-
\??\c:\thnhtn.exec:\thnhtn.exe79⤵
-
\??\c:\jvpdv.exec:\jvpdv.exe80⤵
-
\??\c:\rxxrrll.exec:\rxxrrll.exe81⤵
-
\??\c:\rfflxlx.exec:\rfflxlx.exe82⤵
-
\??\c:\hnntbh.exec:\hnntbh.exe83⤵
-
\??\c:\vdppp.exec:\vdppp.exe84⤵
-
\??\c:\lflrxlx.exec:\lflrxlx.exe85⤵
-
\??\c:\hbnhnh.exec:\hbnhnh.exe86⤵
-
\??\c:\thnhtt.exec:\thnhtt.exe87⤵
-
\??\c:\jjdvj.exec:\jjdvj.exe88⤵
-
\??\c:\tththb.exec:\tththb.exe89⤵
-
\??\c:\jvvjd.exec:\jvvjd.exe90⤵
-
\??\c:\rfrxflf.exec:\rfrxflf.exe91⤵
-
\??\c:\dpddj.exec:\dpddj.exe92⤵
-
\??\c:\xrfxrxx.exec:\xrfxrxx.exe93⤵
-
\??\c:\bnttbt.exec:\bnttbt.exe94⤵
-
\??\c:\pjjjj.exec:\pjjjj.exe95⤵
-
\??\c:\fflfxrl.exec:\fflfxrl.exe96⤵
-
\??\c:\bhthbt.exec:\bhthbt.exe97⤵
-
\??\c:\ttnnht.exec:\ttnnht.exe98⤵
-
\??\c:\jvjvv.exec:\jvjvv.exe99⤵
-
\??\c:\1frllll.exec:\1frllll.exe100⤵
-
\??\c:\flrxxxf.exec:\flrxxxf.exe101⤵
-
\??\c:\thtntb.exec:\thtntb.exe102⤵
-
\??\c:\vvjdd.exec:\vvjdd.exe103⤵
-
\??\c:\ddjjj.exec:\ddjjj.exe104⤵
-
\??\c:\xrxllll.exec:\xrxllll.exe105⤵
-
\??\c:\bnthth.exec:\bnthth.exe106⤵
-
\??\c:\bhnbnn.exec:\bhnbnn.exe107⤵
-
\??\c:\djdvp.exec:\djdvp.exe108⤵
-
\??\c:\lxxlxxl.exec:\lxxlxxl.exe109⤵
-
\??\c:\xrlllff.exec:\xrlllff.exe110⤵
-
\??\c:\nhnnnh.exec:\nhnnnh.exe111⤵
-
\??\c:\dddvp.exec:\dddvp.exe112⤵
-
\??\c:\llrllll.exec:\llrllll.exe113⤵
-
\??\c:\jjjjj.exec:\jjjjj.exe114⤵
-
\??\c:\jpjvp.exec:\jpjvp.exe115⤵
-
\??\c:\lffxxxx.exec:\lffxxxx.exe116⤵
-
\??\c:\bnhnhn.exec:\bnhnhn.exe117⤵
-
\??\c:\pjvvv.exec:\pjvvv.exe118⤵
-
\??\c:\vjvdv.exec:\vjvdv.exe119⤵
-
\??\c:\bbhhhh.exec:\bbhhhh.exe120⤵
-
\??\c:\pvvvp.exec:\pvvvp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-