Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 21:29
General
-
Target
528671e5449fdf7eabbf505d008038d674a55c77d05c6631f149a2a68f4801f2.exe
-
Size
55KB
-
MD5
240ae36362e7797920b7bfd386f2868a
-
SHA1
43a9fdaec5ff2cc5247ad64229843b4834e1e43f
-
SHA256
528671e5449fdf7eabbf505d008038d674a55c77d05c6631f149a2a68f4801f2
-
SHA512
b95c272fb669ed021a1646891f2042f57a1c9aff88f71aa2ec7497d399fd02efeeeaaa43b69469ebf5fb1436fde09689bb6c792f0e247eb5daa4c84f829f7453
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIfEVA:ymb3NkkiQ3mdBjFIv
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
UPX dump on OEP (original entry point) 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 22 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\528671e5449fdf7eabbf505d008038d674a55c77d05c6631f149a2a68f4801f2.exe"C:\Users\Admin\AppData\Local\Temp\528671e5449fdf7eabbf505d008038d674a55c77d05c6631f149a2a68f4801f2.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\dvdvp.exec:\dvdvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxrxrr.exec:\rlxrxrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthhhh.exec:\bthhhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddpjd.exec:\ddpjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1rfllrr.exec:\1rfllrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhhhhn.exec:\hhhhhn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvvvp.exec:\jvvvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfrxxxf.exec:\xfrxxxf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hntbbb.exec:\hntbbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbthhb.exec:\nbthhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpddv.exec:\dpddv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrfrlxl.exec:\xrfrlxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbnhhh.exec:\tbnhhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flrlfxr.exec:\flrlfxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9rrlxxx.exec:\9rrlxxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnbttt.exec:\hnbttt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdjpj.exec:\vdjpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrxllrr.exec:\lrxllrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhhthb.exec:\hhhthb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvdvp.exec:\jvdvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvpp.exec:\jjvpp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9llfxlx.exec:\9llfxlx.exe23⤵
- Executes dropped EXE
-
\??\c:\ttnnhh.exec:\ttnnhh.exe24⤵
- Executes dropped EXE
-
\??\c:\9jdpp.exec:\9jdpp.exe25⤵
- Executes dropped EXE
-
\??\c:\xrrrrrl.exec:\xrrrrrl.exe26⤵
- Executes dropped EXE
-
\??\c:\llffrfr.exec:\llffrfr.exe27⤵
- Executes dropped EXE
-
\??\c:\vvvdd.exec:\vvvdd.exe28⤵
- Executes dropped EXE
-
\??\c:\llfrfff.exec:\llfrfff.exe29⤵
- Executes dropped EXE
-
\??\c:\fxrrrxx.exec:\fxrrrxx.exe30⤵
- Executes dropped EXE
-
\??\c:\3tnnhh.exec:\3tnnhh.exe31⤵
- Executes dropped EXE
-
\??\c:\jvvvv.exec:\jvvvv.exe32⤵
- Executes dropped EXE
-
\??\c:\llrrxxl.exec:\llrrxxl.exe33⤵
- Executes dropped EXE
-
\??\c:\9nbhhh.exec:\9nbhhh.exe34⤵
- Executes dropped EXE
-
\??\c:\vvvjd.exec:\vvvjd.exe35⤵
- Executes dropped EXE
-
\??\c:\ffrrfxx.exec:\ffrrfxx.exe36⤵
- Executes dropped EXE
-
\??\c:\xfrrrxx.exec:\xfrrrxx.exe37⤵
- Executes dropped EXE
-
\??\c:\ntbhhn.exec:\ntbhhn.exe38⤵
- Executes dropped EXE
-
\??\c:\jvjjp.exec:\jvjjp.exe39⤵
- Executes dropped EXE
-
\??\c:\rxlfxxx.exec:\rxlfxxx.exe40⤵
- Executes dropped EXE
-
\??\c:\tbhhbh.exec:\tbhhbh.exe41⤵
- Executes dropped EXE
-
\??\c:\ntbbhn.exec:\ntbbhn.exe42⤵
- Executes dropped EXE
-
\??\c:\1djdd.exec:\1djdd.exe43⤵
- Executes dropped EXE
-
\??\c:\fxfxrxr.exec:\fxfxrxr.exe44⤵
- Executes dropped EXE
-
\??\c:\nhnbnb.exec:\nhnbnb.exe45⤵
- Executes dropped EXE
-
\??\c:\tbtnhn.exec:\tbtnhn.exe46⤵
- Executes dropped EXE
-
\??\c:\vvvvp.exec:\vvvvp.exe47⤵
- Executes dropped EXE
-
\??\c:\xfrrlrr.exec:\xfrrlrr.exe48⤵
- Executes dropped EXE
-
\??\c:\rrflfff.exec:\rrflfff.exe49⤵
- Executes dropped EXE
-
\??\c:\bbbbbn.exec:\bbbbbn.exe50⤵
- Executes dropped EXE
-
\??\c:\bbtbnb.exec:\bbtbnb.exe51⤵
- Executes dropped EXE
-
\??\c:\1jppv.exec:\1jppv.exe52⤵
- Executes dropped EXE
-
\??\c:\9vdvp.exec:\9vdvp.exe53⤵
- Executes dropped EXE
-
\??\c:\llfrllr.exec:\llfrllr.exe54⤵
- Executes dropped EXE
-
\??\c:\ttnntt.exec:\ttnntt.exe55⤵
- Executes dropped EXE
-
\??\c:\nhthnt.exec:\nhthnt.exe56⤵
- Executes dropped EXE
-
\??\c:\dvppv.exec:\dvppv.exe57⤵
- Executes dropped EXE
-
\??\c:\xlxrrfx.exec:\xlxrrfx.exe58⤵
- Executes dropped EXE
-
\??\c:\bthbbn.exec:\bthbbn.exe59⤵
- Executes dropped EXE
-
\??\c:\nbtnbb.exec:\nbtnbb.exe60⤵
- Executes dropped EXE
-
\??\c:\9pvpd.exec:\9pvpd.exe61⤵
- Executes dropped EXE
-
\??\c:\1ffxrll.exec:\1ffxrll.exe62⤵
- Executes dropped EXE
-
\??\c:\bnnhhn.exec:\bnnhhn.exe63⤵
- Executes dropped EXE
-
\??\c:\nthhhn.exec:\nthhhn.exe64⤵
- Executes dropped EXE
-
\??\c:\fxfxlxr.exec:\fxfxlxr.exe65⤵
- Executes dropped EXE
-
\??\c:\ntbhth.exec:\ntbhth.exe66⤵
-
\??\c:\5jjdd.exec:\5jjdd.exe67⤵
-
\??\c:\fxxxrxx.exec:\fxxxrxx.exe68⤵
-
\??\c:\nnhhhn.exec:\nnhhhn.exe69⤵
-
\??\c:\jvddv.exec:\jvddv.exe70⤵
-
\??\c:\5vpvj.exec:\5vpvj.exe71⤵
-
\??\c:\rrxxrrr.exec:\rrxxrrr.exe72⤵
-
\??\c:\nthttt.exec:\nthttt.exe73⤵
-
\??\c:\tnnnhh.exec:\tnnnhh.exe74⤵
-
\??\c:\pjppj.exec:\pjppj.exe75⤵
-
\??\c:\lrrxxrx.exec:\lrrxxrx.exe76⤵
-
\??\c:\bnhtbh.exec:\bnhtbh.exe77⤵
-
\??\c:\hnnnht.exec:\hnnnht.exe78⤵
-
\??\c:\vvjjp.exec:\vvjjp.exe79⤵
-
\??\c:\llffxxx.exec:\llffxxx.exe80⤵
-
\??\c:\9rfllfx.exec:\9rfllfx.exe81⤵
-
\??\c:\lffllrr.exec:\lffllrr.exe82⤵
-
\??\c:\3htttt.exec:\3htttt.exe83⤵
-
\??\c:\vjjjj.exec:\vjjjj.exe84⤵
-
\??\c:\lllxrlf.exec:\lllxrlf.exe85⤵
-
\??\c:\3fxrlll.exec:\3fxrlll.exe86⤵
-
\??\c:\thnntt.exec:\thnntt.exe87⤵
-
\??\c:\ttbbbb.exec:\ttbbbb.exe88⤵
-
\??\c:\vdddv.exec:\vdddv.exe89⤵
-
\??\c:\rllfffx.exec:\rllfffx.exe90⤵
-
\??\c:\xxllrrx.exec:\xxllrrx.exe91⤵
-
\??\c:\bthhnt.exec:\bthhnt.exe92⤵
-
\??\c:\7bhbtb.exec:\7bhbtb.exe93⤵
-
\??\c:\dvppp.exec:\dvppp.exe94⤵
-
\??\c:\7vvvp.exec:\7vvvp.exe95⤵
-
\??\c:\rlllfff.exec:\rlllfff.exe96⤵
-
\??\c:\rfxlfff.exec:\rfxlfff.exe97⤵
-
\??\c:\5tttnn.exec:\5tttnn.exe98⤵
-
\??\c:\nnhhnt.exec:\nnhhnt.exe99⤵
-
\??\c:\jpvdd.exec:\jpvdd.exe100⤵
-
\??\c:\pjvvv.exec:\pjvvv.exe101⤵
-
\??\c:\fflfllr.exec:\fflfllr.exe102⤵
-
\??\c:\frrrlll.exec:\frrrlll.exe103⤵
-
\??\c:\nbtnht.exec:\nbtnht.exe104⤵
-
\??\c:\dvdjd.exec:\dvdjd.exe105⤵
-
\??\c:\5dppj.exec:\5dppj.exe106⤵
-
\??\c:\lfxxfxx.exec:\lfxxfxx.exe107⤵
-
\??\c:\lrfllrl.exec:\lrfllrl.exe108⤵
-
\??\c:\bbtthn.exec:\bbtthn.exe109⤵
-
\??\c:\ddjpp.exec:\ddjpp.exe110⤵
-
\??\c:\vppdp.exec:\vppdp.exe111⤵
-
\??\c:\3rrlffx.exec:\3rrlffx.exe112⤵
-
\??\c:\vpvvv.exec:\vpvvv.exe113⤵
-
\??\c:\lrxfrff.exec:\lrxfrff.exe114⤵
-
\??\c:\7xffflf.exec:\7xffflf.exe115⤵
-
\??\c:\hhtntt.exec:\hhtntt.exe116⤵
-
\??\c:\jdjjj.exec:\jdjjj.exe117⤵
-
\??\c:\vjjjp.exec:\vjjjp.exe118⤵
-
\??\c:\flxlxrx.exec:\flxlxrx.exe119⤵
-
\??\c:\ntnhbt.exec:\ntnhbt.exe120⤵
-
\??\c:\jpjjj.exec:\jpjjj.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-