Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
22-05-2024 01:34
General
-
Target
7b4efaf72c980ebcb34f03e02f3b1f871aeb0a8aeab06bd9fdb659aaa8a5ee8e.exe
-
Size
275KB
-
MD5
ab54a64b426e6a2116e6cf3f05ad2b9e
-
SHA1
6e45b1278c894a98cd972134b52302c004312f64
-
SHA256
7b4efaf72c980ebcb34f03e02f3b1f871aeb0a8aeab06bd9fdb659aaa8a5ee8e
-
SHA512
cb901ff29f64779cc1d7eb573a5b126407ec6a1f99f6fd415cdca438a5c9757ff2ae2aa919027c3aae634336ebb34308975720258a067b0aed7936cd6cf90c28
-
SSDEEP
3072:8hOm2sI93UufdC67cimD5t251UrRE9TTFfR:8cm7ImGddXmNt251UriZFfR
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 64 IoCs
-
UPX dump on OEP (original entry point) 64 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7b4efaf72c980ebcb34f03e02f3b1f871aeb0a8aeab06bd9fdb659aaa8a5ee8e.exe"C:\Users\Admin\AppData\Local\Temp\7b4efaf72c980ebcb34f03e02f3b1f871aeb0a8aeab06bd9fdb659aaa8a5ee8e.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnbbt.exec:\tnnbbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthbhh.exec:\bthbhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lllfflr.exec:\lllfflr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0664606.exec:\0664606.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\q62266.exec:\q62266.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\802840.exec:\802840.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\82226.exec:\82226.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrrxrlx.exec:\rrrxrlx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjvd.exec:\jdjvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrllrr.exec:\fxrllrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvddd.exec:\jvddd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1tbtnh.exec:\1tbtnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbhbhn.exec:\bbhbhn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\682462.exec:\682462.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7bhbtt.exec:\7bhbtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnbth.exec:\hbnbth.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\w02266.exec:\w02266.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\84660.exec:\84660.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8800068.exec:\8800068.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjpj.exec:\pjjpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxllllf.exec:\fxllllf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjpj.exec:\pjjpj.exe23⤵
- Executes dropped EXE
-
\??\c:\fflflll.exec:\fflflll.exe24⤵
- Executes dropped EXE
-
\??\c:\frxrrlx.exec:\frxrrlx.exe25⤵
- Executes dropped EXE
-
\??\c:\hhbbhb.exec:\hhbbhb.exe26⤵
- Executes dropped EXE
-
\??\c:\4648826.exec:\4648826.exe27⤵
- Executes dropped EXE
-
\??\c:\6206060.exec:\6206060.exe28⤵
- Executes dropped EXE
-
\??\c:\m6266.exec:\m6266.exe29⤵
- Executes dropped EXE
-
\??\c:\828200.exec:\828200.exe30⤵
- Executes dropped EXE
-
\??\c:\tbtthn.exec:\tbtthn.exe31⤵
- Executes dropped EXE
-
\??\c:\22826.exec:\22826.exe32⤵
- Executes dropped EXE
-
\??\c:\s0648.exec:\s0648.exe33⤵
- Executes dropped EXE
-
\??\c:\2664482.exec:\2664482.exe34⤵
- Executes dropped EXE
-
\??\c:\0882260.exec:\0882260.exe35⤵
- Executes dropped EXE
-
\??\c:\80666.exec:\80666.exe36⤵
- Executes dropped EXE
-
\??\c:\rxffxxr.exec:\rxffxxr.exe37⤵
- Executes dropped EXE
-
\??\c:\rfrffff.exec:\rfrffff.exe38⤵
- Executes dropped EXE
-
\??\c:\9ffrlrx.exec:\9ffrlrx.exe39⤵
- Executes dropped EXE
-
\??\c:\20688.exec:\20688.exe40⤵
- Executes dropped EXE
-
\??\c:\2086206.exec:\2086206.exe41⤵
- Executes dropped EXE
-
\??\c:\u064820.exec:\u064820.exe42⤵
- Executes dropped EXE
-
\??\c:\888244.exec:\888244.exe43⤵
- Executes dropped EXE
-
\??\c:\rffxrfl.exec:\rffxrfl.exe44⤵
- Executes dropped EXE
-
\??\c:\vvdvp.exec:\vvdvp.exe45⤵
- Executes dropped EXE
-
\??\c:\c448260.exec:\c448260.exe46⤵
- Executes dropped EXE
-
\??\c:\thbnbt.exec:\thbnbt.exe47⤵
- Executes dropped EXE
-
\??\c:\20082.exec:\20082.exe48⤵
- Executes dropped EXE
-
\??\c:\3btnbb.exec:\3btnbb.exe49⤵
- Executes dropped EXE
-
\??\c:\dvdvv.exec:\dvdvv.exe50⤵
- Executes dropped EXE
-
\??\c:\bnhtbt.exec:\bnhtbt.exe51⤵
- Executes dropped EXE
-
\??\c:\nhnhbh.exec:\nhnhbh.exe52⤵
- Executes dropped EXE
-
\??\c:\1bhbbt.exec:\1bhbbt.exe53⤵
- Executes dropped EXE
-
\??\c:\248824.exec:\248824.exe54⤵
- Executes dropped EXE
-
\??\c:\i060882.exec:\i060882.exe55⤵
- Executes dropped EXE
-
\??\c:\424428.exec:\424428.exe56⤵
- Executes dropped EXE
-
\??\c:\jjvpv.exec:\jjvpv.exe57⤵
- Executes dropped EXE
-
\??\c:\0448484.exec:\0448484.exe58⤵
- Executes dropped EXE
-
\??\c:\0848824.exec:\0848824.exe59⤵
- Executes dropped EXE
-
\??\c:\hbthtb.exec:\hbthtb.exe60⤵
- Executes dropped EXE
-
\??\c:\tntntt.exec:\tntntt.exe61⤵
- Executes dropped EXE
-
\??\c:\tbnbnn.exec:\tbnbnn.exe62⤵
- Executes dropped EXE
-
\??\c:\thbbtn.exec:\thbbtn.exe63⤵
- Executes dropped EXE
-
\??\c:\hhhbnh.exec:\hhhbnh.exe64⤵
- Executes dropped EXE
-
\??\c:\jpjdp.exec:\jpjdp.exe65⤵
- Executes dropped EXE
-
\??\c:\20266.exec:\20266.exe66⤵
-
\??\c:\nhbthb.exec:\nhbthb.exe67⤵
-
\??\c:\868222.exec:\868222.exe68⤵
-
\??\c:\tbbtnh.exec:\tbbtnh.exe69⤵
-
\??\c:\xfxlxrf.exec:\xfxlxrf.exe70⤵
-
\??\c:\bttnbb.exec:\bttnbb.exe71⤵
-
\??\c:\7tnhtn.exec:\7tnhtn.exe72⤵
-
\??\c:\vpjdd.exec:\vpjdd.exe73⤵
-
\??\c:\s2860.exec:\s2860.exe74⤵
-
\??\c:\062604.exec:\062604.exe75⤵
-
\??\c:\dvjdp.exec:\dvjdp.exe76⤵
-
\??\c:\s6088.exec:\s6088.exe77⤵
-
\??\c:\28048.exec:\28048.exe78⤵
-
\??\c:\c004260.exec:\c004260.exe79⤵
-
\??\c:\5ddvp.exec:\5ddvp.exe80⤵
-
\??\c:\60260.exec:\60260.exe81⤵
-
\??\c:\862428.exec:\862428.exe82⤵
-
\??\c:\bhhhbt.exec:\bhhhbt.exe83⤵
-
\??\c:\u220466.exec:\u220466.exe84⤵
-
\??\c:\ffxxxxr.exec:\ffxxxxr.exe85⤵
-
\??\c:\8244888.exec:\8244888.exe86⤵
-
\??\c:\5dvvv.exec:\5dvvv.exe87⤵
-
\??\c:\60604.exec:\60604.exe88⤵
-
\??\c:\tbnnbb.exec:\tbnnbb.exe89⤵
-
\??\c:\a0260.exec:\a0260.exe90⤵
-
\??\c:\602222.exec:\602222.exe91⤵
-
\??\c:\5flfrrr.exec:\5flfrrr.exe92⤵
-
\??\c:\2408886.exec:\2408886.exe93⤵
-
\??\c:\o888882.exec:\o888882.exe94⤵
-
\??\c:\hbhnnn.exec:\hbhnnn.exe95⤵
-
\??\c:\c028260.exec:\c028260.exe96⤵
-
\??\c:\0288222.exec:\0288222.exe97⤵
-
\??\c:\llrrxxr.exec:\llrrxxr.exe98⤵
-
\??\c:\5vddv.exec:\5vddv.exe99⤵
-
\??\c:\tntttb.exec:\tntttb.exe100⤵
-
\??\c:\lllrrrr.exec:\lllrrrr.exe101⤵
-
\??\c:\ntbttn.exec:\ntbttn.exe102⤵
-
\??\c:\nntttt.exec:\nntttt.exe103⤵
-
\??\c:\e88080.exec:\e88080.exe104⤵
-
\??\c:\84048.exec:\84048.exe105⤵
-
\??\c:\9tbbtb.exec:\9tbbtb.exe106⤵
-
\??\c:\tthbhb.exec:\tthbhb.exe107⤵
-
\??\c:\0842262.exec:\0842262.exe108⤵
-
\??\c:\0400004.exec:\0400004.exe109⤵
-
\??\c:\8282226.exec:\8282226.exe110⤵
-
\??\c:\3jpjj.exec:\3jpjj.exe111⤵
-
\??\c:\ffrlllr.exec:\ffrlllr.exe112⤵
-
\??\c:\7lrlfff.exec:\7lrlfff.exe113⤵
-
\??\c:\u200662.exec:\u200662.exe114⤵
-
\??\c:\ppjpj.exec:\ppjpj.exe115⤵
-
\??\c:\66600.exec:\66600.exe116⤵
-
\??\c:\k24444.exec:\k24444.exe117⤵
-
\??\c:\dddjv.exec:\dddjv.exe118⤵
-
\??\c:\8022288.exec:\8022288.exe119⤵
-
\??\c:\600222.exec:\600222.exe120⤵
-
\??\c:\xflfxxr.exec:\xflfxxr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-