Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
22/05/2024, 23:25
General
-
Target
57244ab2c66659f38d556926ec71cd045dbcce4813d3408566ae255f8376beae.exe
-
Size
63KB
-
MD5
253e3214d0f06ef4374eba8811696c30
-
SHA1
4d01b7cd8ab1ede7a7b43a74b4e8c7ac4b37284b
-
SHA256
57244ab2c66659f38d556926ec71cd045dbcce4813d3408566ae255f8376beae
-
SHA512
b2f4c785ee2ca566f884662ac3e2e4b87b223e205d44fb206ef4f90c9ab5e300efef4b6dc1412f173353fe3247ca287945624c1b96bc04e96cb6efaef22d0dc3
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6Mu/ePS3A1:ymb3NkkiQ3mdBjFI46TQ1
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\57244ab2c66659f38d556926ec71cd045dbcce4813d3408566ae255f8376beae.exe"C:\Users\Admin\AppData\Local\Temp\57244ab2c66659f38d556926ec71cd045dbcce4813d3408566ae255f8376beae.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\468226.exec:\468226.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3rrrrll.exec:\3rrrrll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbbbth.exec:\bbbbth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6404882.exec:\6404882.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\i600004.exec:\i600004.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\628222.exec:\628222.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\244224.exec:\244224.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thnnhh.exec:\thnnhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvpjd.exec:\vvpjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjvv.exec:\dvjvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\062822.exec:\062822.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4622600.exec:\4622600.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjdvv.exec:\jjdvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\280088.exec:\280088.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4088226.exec:\4088226.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\82060.exec:\82060.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\60860.exec:\60860.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hthbbb.exec:\hthbbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\24606.exec:\24606.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbbbbh.exec:\hbbbbh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\60806.exec:\60806.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\20420.exec:\20420.exe23⤵
- Executes dropped EXE
-
\??\c:\42802.exec:\42802.exe24⤵
- Executes dropped EXE
-
\??\c:\06226.exec:\06226.exe25⤵
- Executes dropped EXE
-
\??\c:\608666.exec:\608666.exe26⤵
- Executes dropped EXE
-
\??\c:\hhbtbb.exec:\hhbtbb.exe27⤵
- Executes dropped EXE
-
\??\c:\2808826.exec:\2808826.exe28⤵
- Executes dropped EXE
-
\??\c:\4024444.exec:\4024444.exe29⤵
- Executes dropped EXE
-
\??\c:\jddvv.exec:\jddvv.exe30⤵
- Executes dropped EXE
-
\??\c:\446600.exec:\446600.exe31⤵
- Executes dropped EXE
-
\??\c:\pdddv.exec:\pdddv.exe32⤵
- Executes dropped EXE
-
\??\c:\hbtntt.exec:\hbtntt.exe33⤵
- Executes dropped EXE
-
\??\c:\nthbhb.exec:\nthbhb.exe34⤵
- Executes dropped EXE
-
\??\c:\flrrxrx.exec:\flrrxrx.exe35⤵
- Executes dropped EXE
-
\??\c:\lllflxx.exec:\lllflxx.exe36⤵
- Executes dropped EXE
-
\??\c:\jjpvp.exec:\jjpvp.exe37⤵
- Executes dropped EXE
-
\??\c:\4846486.exec:\4846486.exe38⤵
- Executes dropped EXE
-
\??\c:\686422.exec:\686422.exe39⤵
- Executes dropped EXE
-
\??\c:\jddjj.exec:\jddjj.exe40⤵
- Executes dropped EXE
-
\??\c:\024888.exec:\024888.exe41⤵
- Executes dropped EXE
-
\??\c:\tntbtt.exec:\tntbtt.exe42⤵
- Executes dropped EXE
-
\??\c:\26660.exec:\26660.exe43⤵
- Executes dropped EXE
-
\??\c:\dvjdj.exec:\dvjdj.exe44⤵
- Executes dropped EXE
-
\??\c:\llfxxrx.exec:\llfxxrx.exe45⤵
- Executes dropped EXE
-
\??\c:\2404060.exec:\2404060.exe46⤵
- Executes dropped EXE
-
\??\c:\o280284.exec:\o280284.exe47⤵
- Executes dropped EXE
-
\??\c:\xfxrxlf.exec:\xfxrxlf.exe48⤵
- Executes dropped EXE
-
\??\c:\20646.exec:\20646.exe49⤵
- Executes dropped EXE
-
\??\c:\xrfrrrr.exec:\xrfrrrr.exe50⤵
- Executes dropped EXE
-
\??\c:\tttnnn.exec:\tttnnn.exe51⤵
- Executes dropped EXE
-
\??\c:\28204.exec:\28204.exe52⤵
- Executes dropped EXE
-
\??\c:\060802.exec:\060802.exe53⤵
- Executes dropped EXE
-
\??\c:\vvdvv.exec:\vvdvv.exe54⤵
- Executes dropped EXE
-
\??\c:\4688006.exec:\4688006.exe55⤵
- Executes dropped EXE
-
\??\c:\468446.exec:\468446.exe56⤵
- Executes dropped EXE
-
\??\c:\228026.exec:\228026.exe57⤵
- Executes dropped EXE
-
\??\c:\pvvjv.exec:\pvvjv.exe58⤵
- Executes dropped EXE
-
\??\c:\86482.exec:\86482.exe59⤵
- Executes dropped EXE
-
\??\c:\jpjjd.exec:\jpjjd.exe60⤵
- Executes dropped EXE
-
\??\c:\xlfxfrf.exec:\xlfxfrf.exe61⤵
- Executes dropped EXE
-
\??\c:\4684280.exec:\4684280.exe62⤵
- Executes dropped EXE
-
\??\c:\80604.exec:\80604.exe63⤵
- Executes dropped EXE
-
\??\c:\llxrxxl.exec:\llxrxxl.exe64⤵
- Executes dropped EXE
-
\??\c:\6666884.exec:\6666884.exe65⤵
- Executes dropped EXE
-
\??\c:\5pjvd.exec:\5pjvd.exe66⤵
-
\??\c:\8466448.exec:\8466448.exe67⤵
-
\??\c:\htbbtt.exec:\htbbtt.exe68⤵
-
\??\c:\8240882.exec:\8240882.exe69⤵
-
\??\c:\2006220.exec:\2006220.exe70⤵
-
\??\c:\vpvpp.exec:\vpvpp.exe71⤵
-
\??\c:\280200.exec:\280200.exe72⤵
-
\??\c:\pppjv.exec:\pppjv.exe73⤵
-
\??\c:\8288666.exec:\8288666.exe74⤵
-
\??\c:\6040002.exec:\6040002.exe75⤵
-
\??\c:\xfffllr.exec:\xfffllr.exe76⤵
-
\??\c:\2086088.exec:\2086088.exe77⤵
-
\??\c:\bnbbnt.exec:\bnbbnt.exe78⤵
-
\??\c:\rrrrxlf.exec:\rrrrxlf.exe79⤵
-
\??\c:\tthhnn.exec:\tthhnn.exe80⤵
-
\??\c:\ntbhnn.exec:\ntbhnn.exe81⤵
-
\??\c:\804622.exec:\804622.exe82⤵
-
\??\c:\02282.exec:\02282.exe83⤵
-
\??\c:\62866.exec:\62866.exe84⤵
-
\??\c:\vpjjd.exec:\vpjjd.exe85⤵
-
\??\c:\00666.exec:\00666.exe86⤵
-
\??\c:\44000.exec:\44000.exe87⤵
-
\??\c:\ddddv.exec:\ddddv.exe88⤵
-
\??\c:\ttnnnt.exec:\ttnnnt.exe89⤵
-
\??\c:\nntttt.exec:\nntttt.exe90⤵
-
\??\c:\2268468.exec:\2268468.exe91⤵
-
\??\c:\884488.exec:\884488.exe92⤵
-
\??\c:\00060.exec:\00060.exe93⤵
-
\??\c:\6400044.exec:\6400044.exe94⤵
-
\??\c:\228688.exec:\228688.exe95⤵
-
\??\c:\000428.exec:\000428.exe96⤵
-
\??\c:\frfffrx.exec:\frfffrx.exe97⤵
-
\??\c:\9ddvv.exec:\9ddvv.exe98⤵
-
\??\c:\7hnnbb.exec:\7hnnbb.exe99⤵
-
\??\c:\40046.exec:\40046.exe100⤵
-
\??\c:\hnthbt.exec:\hnthbt.exe101⤵
-
\??\c:\002644.exec:\002644.exe102⤵
-
\??\c:\222024.exec:\222024.exe103⤵
-
\??\c:\662862.exec:\662862.exe104⤵
-
\??\c:\22006.exec:\22006.exe105⤵
-
\??\c:\7ppjd.exec:\7ppjd.exe106⤵
-
\??\c:\hbbnbn.exec:\hbbnbn.exe107⤵
-
\??\c:\662268.exec:\662268.exe108⤵
-
\??\c:\066686.exec:\066686.exe109⤵
-
\??\c:\tnthnn.exec:\tnthnn.exe110⤵
-
\??\c:\1nbbhh.exec:\1nbbhh.exe111⤵
-
\??\c:\48606.exec:\48606.exe112⤵
-
\??\c:\nbbbtn.exec:\nbbbtn.exe113⤵
-
\??\c:\680488.exec:\680488.exe114⤵
-
\??\c:\7htnhb.exec:\7htnhb.exe115⤵
-
\??\c:\66886.exec:\66886.exe116⤵
-
\??\c:\djjjv.exec:\djjjv.exe117⤵
-
\??\c:\nbbthh.exec:\nbbthh.exe118⤵
-
\??\c:\68440.exec:\68440.exe119⤵
-
\??\c:\llllfff.exec:\llllfff.exe120⤵
-
\??\c:\m2804.exec:\m2804.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-