Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
20-05-2024 04:45
General
-
Target
f9a07b5820823118d27c2673715c773a861bf9826354da6e4e77fa80cb78dc33.exe
-
Size
367KB
-
MD5
c0775051313ca9feeade793c7ca32f6a
-
SHA1
a3c00259faca2e487d1d8630738e757661d86d5b
-
SHA256
f9a07b5820823118d27c2673715c773a861bf9826354da6e4e77fa80cb78dc33
-
SHA512
0f2ebb1317a87489102332a20ec4da4c688df57e32c7638dc961c14fec626cad95b2f5235f310a4d48f64750287c704f4e46e8089f98243b8d4132ffe1bf81e7
-
SSDEEP
6144:kcm4FmowdHoSphraHcpOFltH4tiAlSpgFZAzwdjcIlSpgFZZr3GSM/xG:y4wFHoS3eFplAlSpgFZAKjcIlSpgFZZD
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 50 IoCs
-
UPX dump on OEP (original entry point) 64 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9a07b5820823118d27c2673715c773a861bf9826354da6e4e77fa80cb78dc33.exe"C:\Users\Admin\AppData\Local\Temp\f9a07b5820823118d27c2673715c773a861bf9826354da6e4e77fa80cb78dc33.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\jjdpp.exec:\jjdpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxrrxlf.exec:\rxrrxlf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fflrxrx.exec:\fflrxrx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxfxrxx.exec:\lxfxrxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxrxxx.exec:\fxxrxxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnnhtt.exec:\hnnhtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2204468.exec:\2204468.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnbbtb.exec:\bnbbtb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\20046.exec:\20046.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\44442.exec:\44442.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thtnnb.exec:\thtnnb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0806668.exec:\0806668.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flxfrrx.exec:\flxfrrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6846460.exec:\6846460.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\04284.exec:\04284.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\882800.exec:\882800.exe17⤵
- Executes dropped EXE
-
\??\c:\hhttbb.exec:\hhttbb.exe18⤵
- Executes dropped EXE
-
\??\c:\40882.exec:\40882.exe19⤵
- Executes dropped EXE
-
\??\c:\260668.exec:\260668.exe20⤵
- Executes dropped EXE
-
\??\c:\02806.exec:\02806.exe21⤵
- Executes dropped EXE
-
\??\c:\ppdjv.exec:\ppdjv.exe22⤵
- Executes dropped EXE
-
\??\c:\4488080.exec:\4488080.exe23⤵
- Executes dropped EXE
-
\??\c:\k40886.exec:\k40886.exe24⤵
- Executes dropped EXE
-
\??\c:\u482804.exec:\u482804.exe25⤵
- Executes dropped EXE
-
\??\c:\tthbnt.exec:\tthbnt.exe26⤵
- Executes dropped EXE
-
\??\c:\1hnbnb.exec:\1hnbnb.exe27⤵
- Executes dropped EXE
-
\??\c:\022240.exec:\022240.exe28⤵
- Executes dropped EXE
-
\??\c:\462288.exec:\462288.exe29⤵
- Executes dropped EXE
-
\??\c:\7rlxrxl.exec:\7rlxrxl.exe30⤵
- Executes dropped EXE
-
\??\c:\82846.exec:\82846.exe31⤵
- Executes dropped EXE
-
\??\c:\fxrrxll.exec:\fxrrxll.exe32⤵
- Executes dropped EXE
-
\??\c:\s6420.exec:\s6420.exe33⤵
- Executes dropped EXE
-
\??\c:\vddpv.exec:\vddpv.exe34⤵
- Executes dropped EXE
-
\??\c:\640002.exec:\640002.exe35⤵
- Executes dropped EXE
-
\??\c:\886666.exec:\886666.exe36⤵
- Executes dropped EXE
-
\??\c:\0480668.exec:\0480668.exe37⤵
- Executes dropped EXE
-
\??\c:\tthbnn.exec:\tthbnn.exe38⤵
- Executes dropped EXE
-
\??\c:\440862.exec:\440862.exe39⤵
- Executes dropped EXE
-
\??\c:\tnnnbb.exec:\tnnnbb.exe40⤵
- Executes dropped EXE
-
\??\c:\vjvvv.exec:\vjvvv.exe41⤵
- Executes dropped EXE
-
\??\c:\602248.exec:\602248.exe42⤵
- Executes dropped EXE
-
\??\c:\c642062.exec:\c642062.exe43⤵
- Executes dropped EXE
-
\??\c:\0422064.exec:\0422064.exe44⤵
- Executes dropped EXE
-
\??\c:\nbnhnh.exec:\nbnhnh.exe45⤵
- Executes dropped EXE
-
\??\c:\xrflxxl.exec:\xrflxxl.exe46⤵
- Executes dropped EXE
-
\??\c:\88680.exec:\88680.exe47⤵
- Executes dropped EXE
-
\??\c:\880684.exec:\880684.exe48⤵
- Executes dropped EXE
-
\??\c:\ffrlllx.exec:\ffrlllx.exe49⤵
- Executes dropped EXE
-
\??\c:\84844.exec:\84844.exe50⤵
- Executes dropped EXE
-
\??\c:\7thttb.exec:\7thttb.exe51⤵
- Executes dropped EXE
-
\??\c:\a8868.exec:\a8868.exe52⤵
- Executes dropped EXE
-
\??\c:\a6406.exec:\a6406.exe53⤵
- Executes dropped EXE
-
\??\c:\4824428.exec:\4824428.exe54⤵
- Executes dropped EXE
-
\??\c:\662604.exec:\662604.exe55⤵
- Executes dropped EXE
-
\??\c:\8644400.exec:\8644400.exe56⤵
- Executes dropped EXE
-
\??\c:\3lfflrf.exec:\3lfflrf.exe57⤵
- Executes dropped EXE
-
\??\c:\dvjjv.exec:\dvjjv.exe58⤵
- Executes dropped EXE
-
\??\c:\7tnhnn.exec:\7tnhnn.exe59⤵
- Executes dropped EXE
-
\??\c:\0484224.exec:\0484224.exe60⤵
- Executes dropped EXE
-
\??\c:\dvpdp.exec:\dvpdp.exe61⤵
- Executes dropped EXE
-
\??\c:\0206482.exec:\0206482.exe62⤵
- Executes dropped EXE
-
\??\c:\9dvvj.exec:\9dvvj.exe63⤵
- Executes dropped EXE
-
\??\c:\vdjdd.exec:\vdjdd.exe64⤵
- Executes dropped EXE
-
\??\c:\244664.exec:\244664.exe65⤵
- Executes dropped EXE
-
\??\c:\g6408.exec:\g6408.exe66⤵
-
\??\c:\1ttbnn.exec:\1ttbnn.exe67⤵
-
\??\c:\xxlxrxr.exec:\xxlxrxr.exe68⤵
-
\??\c:\dvvvj.exec:\dvvvj.exe69⤵
-
\??\c:\bhtthn.exec:\bhtthn.exe70⤵
-
\??\c:\86842.exec:\86842.exe71⤵
-
\??\c:\i606224.exec:\i606224.exe72⤵
-
\??\c:\llrrlxf.exec:\llrrlxf.exe73⤵
-
\??\c:\u240262.exec:\u240262.exe74⤵
-
\??\c:\6080066.exec:\6080066.exe75⤵
-
\??\c:\q22200.exec:\q22200.exe76⤵
-
\??\c:\vdvpj.exec:\vdvpj.exe77⤵
-
\??\c:\bbhbhn.exec:\bbhbhn.exe78⤵
-
\??\c:\pvvjd.exec:\pvvjd.exe79⤵
-
\??\c:\ddvvd.exec:\ddvvd.exe80⤵
-
\??\c:\pjjjp.exec:\pjjjp.exe81⤵
-
\??\c:\vpppj.exec:\vpppj.exe82⤵
-
\??\c:\i862824.exec:\i862824.exe83⤵
-
\??\c:\486646.exec:\486646.exe84⤵
-
\??\c:\rlxxflx.exec:\rlxxflx.exe85⤵
-
\??\c:\dvdpp.exec:\dvdpp.exe86⤵
-
\??\c:\hbnbht.exec:\hbnbht.exe87⤵
-
\??\c:\lfxfllx.exec:\lfxfllx.exe88⤵
-
\??\c:\4866262.exec:\4866262.exe89⤵
-
\??\c:\1bnthh.exec:\1bnthh.exe90⤵
-
\??\c:\2688806.exec:\2688806.exe91⤵
-
\??\c:\82208.exec:\82208.exe92⤵
-
\??\c:\w08088.exec:\w08088.exe93⤵
-
\??\c:\3btnnn.exec:\3btnnn.exe94⤵
-
\??\c:\tnnbnt.exec:\tnnbnt.exe95⤵
-
\??\c:\0446404.exec:\0446404.exe96⤵
-
\??\c:\llflfrx.exec:\llflfrx.exe97⤵
-
\??\c:\4200602.exec:\4200602.exe98⤵
-
\??\c:\26824.exec:\26824.exe99⤵
-
\??\c:\640688.exec:\640688.exe100⤵
-
\??\c:\o088002.exec:\o088002.exe101⤵
-
\??\c:\q66868.exec:\q66868.exe102⤵
-
\??\c:\62026.exec:\62026.exe103⤵
-
\??\c:\i888024.exec:\i888024.exe104⤵
-
\??\c:\8802088.exec:\8802088.exe105⤵
-
\??\c:\tbhbhn.exec:\tbhbhn.exe106⤵
-
\??\c:\jpjjd.exec:\jpjjd.exe107⤵
-
\??\c:\vpvjj.exec:\vpvjj.exe108⤵
-
\??\c:\rflxlxx.exec:\rflxlxx.exe109⤵
-
\??\c:\dpddp.exec:\dpddp.exe110⤵
-
\??\c:\606688.exec:\606688.exe111⤵
-
\??\c:\0044642.exec:\0044642.exe112⤵
-
\??\c:\88422.exec:\88422.exe113⤵
-
\??\c:\02286.exec:\02286.exe114⤵
-
\??\c:\ttntnt.exec:\ttntnt.exe115⤵
-
\??\c:\04240.exec:\04240.exe116⤵
-
\??\c:\u648480.exec:\u648480.exe117⤵
-
\??\c:\022060.exec:\022060.exe118⤵
-
\??\c:\8244668.exec:\8244668.exe119⤵
-
\??\c:\vvjpj.exec:\vvjpj.exe120⤵
-
\??\c:\28046.exec:\28046.exe121⤵
-
\??\c:\628080.exec:\628080.exe122⤵
-
\??\c:\pvdvp.exec:\pvdvp.exe123⤵
-
\??\c:\ddpjd.exec:\ddpjd.exe124⤵
-
\??\c:\vddjp.exec:\vddjp.exe125⤵
-
\??\c:\48064.exec:\48064.exe126⤵
-
\??\c:\882428.exec:\882428.exe127⤵
-
\??\c:\04284.exec:\04284.exe128⤵
-
\??\c:\pjdpv.exec:\pjdpv.exe129⤵
-
\??\c:\fxrrfrx.exec:\fxrrfrx.exe130⤵
-
\??\c:\86228.exec:\86228.exe131⤵
-
\??\c:\pjpjd.exec:\pjpjd.exe132⤵
-
\??\c:\48068.exec:\48068.exe133⤵
-
\??\c:\dvjpp.exec:\dvjpp.exe134⤵
-
\??\c:\pjdjv.exec:\pjdjv.exe135⤵
-
\??\c:\00200.exec:\00200.exe136⤵
-
\??\c:\820680.exec:\820680.exe137⤵
-
\??\c:\vjjjp.exec:\vjjjp.exe138⤵
-
\??\c:\a4862.exec:\a4862.exe139⤵
-
\??\c:\444484.exec:\444484.exe140⤵
-
\??\c:\nhthhb.exec:\nhthhb.exe141⤵
-
\??\c:\jjdjj.exec:\jjdjj.exe142⤵
-
\??\c:\2648440.exec:\2648440.exe143⤵
-
\??\c:\42802.exec:\42802.exe144⤵
-
\??\c:\pddvv.exec:\pddvv.exe145⤵
-
\??\c:\42606.exec:\42606.exe146⤵
-
\??\c:\4866824.exec:\4866824.exe147⤵
-
\??\c:\e86462.exec:\e86462.exe148⤵
-
\??\c:\btnhtt.exec:\btnhtt.exe149⤵
-
\??\c:\nhntht.exec:\nhntht.exe150⤵
-
\??\c:\lrlrxff.exec:\lrlrxff.exe151⤵
-
\??\c:\48686.exec:\48686.exe152⤵
-
\??\c:\bnhntb.exec:\bnhntb.exe153⤵
-
\??\c:\flflxfr.exec:\flflxfr.exe154⤵
-
\??\c:\frxflrf.exec:\frxflrf.exe155⤵
-
\??\c:\m8466.exec:\m8466.exe156⤵
-
\??\c:\86044.exec:\86044.exe157⤵
-
\??\c:\pdjdd.exec:\pdjdd.exe158⤵
-
\??\c:\04064.exec:\04064.exe159⤵
-
\??\c:\20668.exec:\20668.exe160⤵
-
\??\c:\80066.exec:\80066.exe161⤵
-
\??\c:\3xrffxr.exec:\3xrffxr.exe162⤵
-
\??\c:\tththn.exec:\tththn.exe163⤵
-
\??\c:\62682.exec:\62682.exe164⤵
-
\??\c:\600606.exec:\600606.exe165⤵
-
\??\c:\ntbnnt.exec:\ntbnnt.exe166⤵
-
\??\c:\ddvdp.exec:\ddvdp.exe167⤵
-
\??\c:\thbhtt.exec:\thbhtt.exe168⤵
-
\??\c:\6022044.exec:\6022044.exe169⤵
-
\??\c:\pppvj.exec:\pppvj.exe170⤵
-
\??\c:\606844.exec:\606844.exe171⤵
-
\??\c:\806822.exec:\806822.exe172⤵
-
\??\c:\pdjvp.exec:\pdjvp.exe173⤵
-
\??\c:\nhhnbn.exec:\nhhnbn.exe174⤵
-
\??\c:\fxrxflr.exec:\fxrxflr.exe175⤵
-
\??\c:\ppjjv.exec:\ppjjv.exe176⤵
-
\??\c:\480662.exec:\480662.exe177⤵
-
\??\c:\2282680.exec:\2282680.exe178⤵
-
\??\c:\6602662.exec:\6602662.exe179⤵
-
\??\c:\04628.exec:\04628.exe180⤵
-
\??\c:\602044.exec:\602044.exe181⤵
-
\??\c:\m0240.exec:\m0240.exe182⤵
-
\??\c:\jddvp.exec:\jddvp.exe183⤵
-
\??\c:\2086408.exec:\2086408.exe184⤵
-
\??\c:\44646.exec:\44646.exe185⤵
-
\??\c:\i000006.exec:\i000006.exe186⤵
-
\??\c:\646628.exec:\646628.exe187⤵
-
\??\c:\1nbbbt.exec:\1nbbbt.exe188⤵
-
\??\c:\u462462.exec:\u462462.exe189⤵
-
\??\c:\vvvjd.exec:\vvvjd.exe190⤵
-
\??\c:\xrxrxff.exec:\xrxrxff.exe191⤵
-
\??\c:\e26828.exec:\e26828.exe192⤵
-
\??\c:\s6406.exec:\s6406.exe193⤵
-
\??\c:\2602064.exec:\2602064.exe194⤵
-
\??\c:\86400.exec:\86400.exe195⤵
-
\??\c:\q86840.exec:\q86840.exe196⤵
-
\??\c:\004288.exec:\004288.exe197⤵
-
\??\c:\60228.exec:\60228.exe198⤵
-
\??\c:\vpjpd.exec:\vpjpd.exe199⤵
-
\??\c:\ppvdp.exec:\ppvdp.exe200⤵
-
\??\c:\2084262.exec:\2084262.exe201⤵
-
\??\c:\dpjvj.exec:\dpjvj.exe202⤵
-
\??\c:\664026.exec:\664026.exe203⤵
-
\??\c:\88862.exec:\88862.exe204⤵
-
\??\c:\8664068.exec:\8664068.exe205⤵
-
\??\c:\vvvjj.exec:\vvvjj.exe206⤵
-
\??\c:\i640420.exec:\i640420.exe207⤵
-
\??\c:\pjvjd.exec:\pjvjd.exe208⤵
-
\??\c:\djdpj.exec:\djdpj.exe209⤵
-
\??\c:\pjvjv.exec:\pjvjv.exe210⤵
-
\??\c:\a2204.exec:\a2204.exe211⤵
-
\??\c:\260266.exec:\260266.exe212⤵
-
\??\c:\nhhnbb.exec:\nhhnbb.exe213⤵
-
\??\c:\llrffll.exec:\llrffll.exe214⤵
-
\??\c:\4806846.exec:\4806846.exe215⤵
-
\??\c:\828406.exec:\828406.exe216⤵
-
\??\c:\o084062.exec:\o084062.exe217⤵
-
\??\c:\jpjjd.exec:\jpjjd.exe218⤵
-
\??\c:\88064.exec:\88064.exe219⤵
-
\??\c:\rrlfxrf.exec:\rrlfxrf.exe220⤵
-
\??\c:\rrxlxrl.exec:\rrxlxrl.exe221⤵
-
\??\c:\tnbhbb.exec:\tnbhbb.exe222⤵
-
\??\c:\44860.exec:\44860.exe223⤵
-
\??\c:\828406.exec:\828406.exe224⤵
-
\??\c:\rxrxflx.exec:\rxrxflx.exe225⤵
-
\??\c:\tnhntb.exec:\tnhntb.exe226⤵
-
\??\c:\000660.exec:\000660.exe227⤵
-
\??\c:\1dvdj.exec:\1dvdj.exe228⤵
-
\??\c:\vpdpv.exec:\vpdpv.exe229⤵
-
\??\c:\ttntht.exec:\ttntht.exe230⤵
-
\??\c:\4866882.exec:\4866882.exe231⤵
-
\??\c:\864688.exec:\864688.exe232⤵
-
\??\c:\6482280.exec:\6482280.exe233⤵
-
\??\c:\0480880.exec:\0480880.exe234⤵
-
\??\c:\g6002.exec:\g6002.exe235⤵
-
\??\c:\7xrxllx.exec:\7xrxllx.exe236⤵
-
\??\c:\vjppp.exec:\vjppp.exe237⤵
-
\??\c:\284280.exec:\284280.exe238⤵
-
\??\c:\688226.exec:\688226.exe239⤵
-
\??\c:\vpvdp.exec:\vpvdp.exe240⤵
-
\??\c:\0084620.exec:\0084620.exe241⤵