Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
22-05-2024 07:15
General
-
Target
c6d139a695d9529c634b1dbe018d0d29b87751a566e2b7f68c9acbc0f86e5a80.exe
-
Size
440KB
-
MD5
8b53bc41a4643fe72619ddcb8f25ed9d
-
SHA1
efecc4025310aba83a59fe6ccc5494d400519429
-
SHA256
c6d139a695d9529c634b1dbe018d0d29b87751a566e2b7f68c9acbc0f86e5a80
-
SHA512
4d95ba4c7ba64aaef06104f8ce8b890f71b64af0c29d44585ad84a8596bea412491d77854564783c50ea58351b32010b110876aafab2781f1cf6d25bdb0616d7
-
SSDEEP
12288:w4wFHoS9KxbNnidEhjEJd1kNpeUgI95yRoZHVaoJMOxFXnRV4PiGO0hUmH91:kKxbNndhjEJd1kNpeUgI95yRoZHgoJMJ
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 64 IoCs
-
UPX dump on OEP (original entry point) 64 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6d139a695d9529c634b1dbe018d0d29b87751a566e2b7f68c9acbc0f86e5a80.exe"C:\Users\Admin\AppData\Local\Temp\c6d139a695d9529c634b1dbe018d0d29b87751a566e2b7f68c9acbc0f86e5a80.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\2626222.exec:\2626222.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\60882.exec:\60882.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttttnt.exec:\ttttnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\88464.exec:\88464.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fffxlfr.exec:\fffxlfr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\828602.exec:\828602.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrfxlxr.exec:\xrfxlxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\026660.exec:\026660.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvpp.exec:\vvvpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\222204.exec:\222204.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7bbnhb.exec:\7bbnhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1ddpj.exec:\1ddpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvpjv.exec:\jvpjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\w64866.exec:\w64866.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8802064.exec:\8802064.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\06222.exec:\06222.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffxrrrr.exec:\ffxrrrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0666004.exec:\0666004.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djppv.exec:\djppv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flfxlfx.exec:\flfxlfx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dddjd.exec:\dddjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6000482.exec:\6000482.exe23⤵
- Executes dropped EXE
-
\??\c:\tntnbt.exec:\tntnbt.exe24⤵
- Executes dropped EXE
-
\??\c:\2888626.exec:\2888626.exe25⤵
- Executes dropped EXE
-
\??\c:\086482.exec:\086482.exe26⤵
- Executes dropped EXE
-
\??\c:\bhtthb.exec:\bhtthb.exe27⤵
- Executes dropped EXE
-
\??\c:\5nhnht.exec:\5nhnht.exe28⤵
- Executes dropped EXE
-
\??\c:\8688406.exec:\8688406.exe29⤵
- Executes dropped EXE
-
\??\c:\2060820.exec:\2060820.exe30⤵
- Executes dropped EXE
-
\??\c:\ttttbt.exec:\ttttbt.exe31⤵
- Executes dropped EXE
-
\??\c:\40608.exec:\40608.exe32⤵
- Executes dropped EXE
-
\??\c:\hnnnbt.exec:\hnnnbt.exe33⤵
- Executes dropped EXE
-
\??\c:\488862.exec:\488862.exe34⤵
- Executes dropped EXE
-
\??\c:\dvdjv.exec:\dvdjv.exe35⤵
- Executes dropped EXE
-
\??\c:\5jdpp.exec:\5jdpp.exe36⤵
- Executes dropped EXE
-
\??\c:\7djvp.exec:\7djvp.exe37⤵
- Executes dropped EXE
-
\??\c:\86882.exec:\86882.exe38⤵
- Executes dropped EXE
-
\??\c:\00282.exec:\00282.exe39⤵
- Executes dropped EXE
-
\??\c:\3pjpd.exec:\3pjpd.exe40⤵
- Executes dropped EXE
-
\??\c:\8888268.exec:\8888268.exe41⤵
- Executes dropped EXE
-
\??\c:\2008688.exec:\2008688.exe42⤵
- Executes dropped EXE
-
\??\c:\hntntn.exec:\hntntn.exe43⤵
- Executes dropped EXE
-
\??\c:\pddpj.exec:\pddpj.exe44⤵
- Executes dropped EXE
-
\??\c:\4026266.exec:\4026266.exe45⤵
- Executes dropped EXE
-
\??\c:\pjjdv.exec:\pjjdv.exe46⤵
- Executes dropped EXE
-
\??\c:\440482.exec:\440482.exe47⤵
- Executes dropped EXE
-
\??\c:\40288.exec:\40288.exe48⤵
- Executes dropped EXE
-
\??\c:\vppjp.exec:\vppjp.exe49⤵
- Executes dropped EXE
-
\??\c:\0422606.exec:\0422606.exe50⤵
- Executes dropped EXE
-
\??\c:\rffxlfx.exec:\rffxlfx.exe51⤵
- Executes dropped EXE
-
\??\c:\rlfxrrl.exec:\rlfxrrl.exe52⤵
- Executes dropped EXE
-
\??\c:\668222.exec:\668222.exe53⤵
- Executes dropped EXE
-
\??\c:\224226.exec:\224226.exe54⤵
- Executes dropped EXE
-
\??\c:\282822.exec:\282822.exe55⤵
- Executes dropped EXE
-
\??\c:\pjvpj.exec:\pjvpj.exe56⤵
- Executes dropped EXE
-
\??\c:\9vdpj.exec:\9vdpj.exe57⤵
- Executes dropped EXE
-
\??\c:\nbhbtn.exec:\nbhbtn.exe58⤵
- Executes dropped EXE
-
\??\c:\822682.exec:\822682.exe59⤵
- Executes dropped EXE
-
\??\c:\bnhtth.exec:\bnhtth.exe60⤵
- Executes dropped EXE
-
\??\c:\468266.exec:\468266.exe61⤵
- Executes dropped EXE
-
\??\c:\vvpjp.exec:\vvpjp.exe62⤵
- Executes dropped EXE
-
\??\c:\484400.exec:\484400.exe63⤵
- Executes dropped EXE
-
\??\c:\i466004.exec:\i466004.exe64⤵
- Executes dropped EXE
-
\??\c:\62826.exec:\62826.exe65⤵
- Executes dropped EXE
-
\??\c:\28448.exec:\28448.exe66⤵
-
\??\c:\884480.exec:\884480.exe67⤵
-
\??\c:\hbbbtt.exec:\hbbbtt.exe68⤵
-
\??\c:\rrfxxxf.exec:\rrfxxxf.exe69⤵
-
\??\c:\xlxrxxf.exec:\xlxrxxf.exe70⤵
-
\??\c:\i404888.exec:\i404888.exe71⤵
-
\??\c:\fflfxxr.exec:\fflfxxr.exe72⤵
-
\??\c:\406044.exec:\406044.exe73⤵
-
\??\c:\6842660.exec:\6842660.exe74⤵
-
\??\c:\fflffff.exec:\fflffff.exe75⤵
-
\??\c:\884084.exec:\884084.exe76⤵
-
\??\c:\dvdvp.exec:\dvdvp.exe77⤵
-
\??\c:\62848.exec:\62848.exe78⤵
-
\??\c:\006008.exec:\006008.exe79⤵
-
\??\c:\pdjdd.exec:\pdjdd.exe80⤵
-
\??\c:\lflfffx.exec:\lflfffx.exe81⤵
-
\??\c:\1nttnn.exec:\1nttnn.exe82⤵
-
\??\c:\rfxlflf.exec:\rfxlflf.exe83⤵
-
\??\c:\a6826.exec:\a6826.exe84⤵
-
\??\c:\66226.exec:\66226.exe85⤵
-
\??\c:\tttbht.exec:\tttbht.exe86⤵
-
\??\c:\2004888.exec:\2004888.exe87⤵
-
\??\c:\660000.exec:\660000.exe88⤵
-
\??\c:\jjvdd.exec:\jjvdd.exe89⤵
-
\??\c:\bttnhh.exec:\bttnhh.exe90⤵
-
\??\c:\488822.exec:\488822.exe91⤵
-
\??\c:\864006.exec:\864006.exe92⤵
-
\??\c:\82822.exec:\82822.exe93⤵
-
\??\c:\tbbtnh.exec:\tbbtnh.exe94⤵
-
\??\c:\i026666.exec:\i026666.exe95⤵
-
\??\c:\82226.exec:\82226.exe96⤵
-
\??\c:\6662626.exec:\6662626.exe97⤵
-
\??\c:\u446026.exec:\u446026.exe98⤵
-
\??\c:\082268.exec:\082268.exe99⤵
-
\??\c:\8288222.exec:\8288222.exe100⤵
-
\??\c:\q64044.exec:\q64044.exe101⤵
-
\??\c:\284488.exec:\284488.exe102⤵
-
\??\c:\frllfxx.exec:\frllfxx.exe103⤵
-
\??\c:\tnnhbn.exec:\tnnhbn.exe104⤵
-
\??\c:\htbtnt.exec:\htbtnt.exe105⤵
-
\??\c:\btbthh.exec:\btbthh.exe106⤵
-
\??\c:\02400.exec:\02400.exe107⤵
-
\??\c:\82006.exec:\82006.exe108⤵
-
\??\c:\42848.exec:\42848.exe109⤵
-
\??\c:\2684686.exec:\2684686.exe110⤵
-
\??\c:\pdjdd.exec:\pdjdd.exe111⤵
-
\??\c:\5lxxflf.exec:\5lxxflf.exe112⤵
-
\??\c:\llxrrfl.exec:\llxrrfl.exe113⤵
-
\??\c:\04040.exec:\04040.exe114⤵
-
\??\c:\044246.exec:\044246.exe115⤵
-
\??\c:\htbhbh.exec:\htbhbh.exe116⤵
-
\??\c:\62448.exec:\62448.exe117⤵
-
\??\c:\204882.exec:\204882.exe118⤵
-
\??\c:\bhhbtn.exec:\bhhbtn.exe119⤵
-
\??\c:\840486.exec:\840486.exe120⤵
-
\??\c:\pjvjd.exec:\pjvjd.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-