Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
23-05-2024 23:00
General
-
Target
7037e920982dad4bdc081538e5cf92c6cbfee2889e8d0e77de5b23522a0c79b9.exe
-
Size
83KB
-
MD5
7aff5e75a3477642fc6a928189343a72
-
SHA1
05ff9b5b7bbfb5194e09b5111f15d014ac91c58d
-
SHA256
7037e920982dad4bdc081538e5cf92c6cbfee2889e8d0e77de5b23522a0c79b9
-
SHA512
9fe3c8b7695026d6b49d01adeb7ddf285f7a46f7fbc7151ef2910bbb055acf02944927682fdfd270f95b48fc611a030af8e550d4852be49293fa11a8e0cf8159
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDo73yqKH/KjvHo+WdNV:ymb3NkkiQ3mdBjFo73yX+vI+qX
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
UPX dump on OEP (original entry point) 21 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 21 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7037e920982dad4bdc081538e5cf92c6cbfee2889e8d0e77de5b23522a0c79b9.exe"C:\Users\Admin\AppData\Local\Temp\7037e920982dad4bdc081538e5cf92c6cbfee2889e8d0e77de5b23522a0c79b9.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\pppdv.exec:\pppdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxllllr.exec:\fxllllr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnbntn.exec:\hnbntn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpdjv.exec:\jpdjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrxllxr.exec:\rrxllxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthhtt.exec:\bthhtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9hntbh.exec:\9hntbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5pddd.exec:\5pddd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxflrxf.exec:\fxflrxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrxlll.exec:\lfrxlll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9btttb.exec:\9btttb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdjvv.exec:\pdjvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5jvjp.exec:\5jvjp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfxrrrl.exec:\xfxrrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9rflrxl.exec:\9rflrxl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhntbt.exec:\nhntbt.exe17⤵
- Executes dropped EXE
-
\??\c:\7nhhnn.exec:\7nhhnn.exe18⤵
- Executes dropped EXE
-
\??\c:\9jvvd.exec:\9jvvd.exe19⤵
- Executes dropped EXE
-
\??\c:\7rxfllx.exec:\7rxfllx.exe20⤵
- Executes dropped EXE
-
\??\c:\9rflllr.exec:\9rflllr.exe21⤵
- Executes dropped EXE
-
\??\c:\7nnbhn.exec:\7nnbhn.exe22⤵
- Executes dropped EXE
-
\??\c:\nbhhhn.exec:\nbhhhn.exe23⤵
- Executes dropped EXE
-
\??\c:\3pppj.exec:\3pppj.exe24⤵
- Executes dropped EXE
-
\??\c:\vjjvv.exec:\vjjvv.exe25⤵
- Executes dropped EXE
-
\??\c:\xrffllr.exec:\xrffllr.exe26⤵
- Executes dropped EXE
-
\??\c:\7bbbhh.exec:\7bbbhh.exe27⤵
- Executes dropped EXE
-
\??\c:\3pvvd.exec:\3pvvd.exe28⤵
- Executes dropped EXE
-
\??\c:\pjpjj.exec:\pjpjj.exe29⤵
- Executes dropped EXE
-
\??\c:\rlrxflr.exec:\rlrxflr.exe30⤵
- Executes dropped EXE
-
\??\c:\rlxllrx.exec:\rlxllrx.exe31⤵
- Executes dropped EXE
-
\??\c:\tthntb.exec:\tthntb.exe32⤵
- Executes dropped EXE
-
\??\c:\pjvvd.exec:\pjvvd.exe33⤵
- Executes dropped EXE
-
\??\c:\3dvpp.exec:\3dvpp.exe34⤵
- Executes dropped EXE
-
\??\c:\xlffllr.exec:\xlffllr.exe35⤵
- Executes dropped EXE
-
\??\c:\rlxfffr.exec:\rlxfffr.exe36⤵
- Executes dropped EXE
-
\??\c:\nhhhnh.exec:\nhhhnh.exe37⤵
- Executes dropped EXE
-
\??\c:\hbhhnn.exec:\hbhhnn.exe38⤵
- Executes dropped EXE
-
\??\c:\ddpvd.exec:\ddpvd.exe39⤵
- Executes dropped EXE
-
\??\c:\xrxxlxf.exec:\xrxxlxf.exe40⤵
- Executes dropped EXE
-
\??\c:\3xrlllr.exec:\3xrlllr.exe41⤵
- Executes dropped EXE
-
\??\c:\bnntth.exec:\bnntth.exe42⤵
- Executes dropped EXE
-
\??\c:\tttbbn.exec:\tttbbn.exe43⤵
- Executes dropped EXE
-
\??\c:\1ddpd.exec:\1ddpd.exe44⤵
- Executes dropped EXE
-
\??\c:\ppdpj.exec:\ppdpj.exe45⤵
- Executes dropped EXE
-
\??\c:\xxxlxll.exec:\xxxlxll.exe46⤵
- Executes dropped EXE
-
\??\c:\llrrrlr.exec:\llrrrlr.exe47⤵
- Executes dropped EXE
-
\??\c:\thntbh.exec:\thntbh.exe48⤵
- Executes dropped EXE
-
\??\c:\bnttbb.exec:\bnttbb.exe49⤵
- Executes dropped EXE
-
\??\c:\dvdpd.exec:\dvdpd.exe50⤵
- Executes dropped EXE
-
\??\c:\3vpvp.exec:\3vpvp.exe51⤵
- Executes dropped EXE
-
\??\c:\1lfxrxx.exec:\1lfxrxx.exe52⤵
- Executes dropped EXE
-
\??\c:\fxlrrrr.exec:\fxlrrrr.exe53⤵
- Executes dropped EXE
-
\??\c:\nhbhhh.exec:\nhbhhh.exe54⤵
- Executes dropped EXE
-
\??\c:\vpvjv.exec:\vpvjv.exe55⤵
- Executes dropped EXE
-
\??\c:\vpvvp.exec:\vpvvp.exe56⤵
- Executes dropped EXE
-
\??\c:\3rrlllr.exec:\3rrlllr.exe57⤵
- Executes dropped EXE
-
\??\c:\lxlfrrx.exec:\lxlfrrx.exe58⤵
- Executes dropped EXE
-
\??\c:\nhbtbh.exec:\nhbtbh.exe59⤵
- Executes dropped EXE
-
\??\c:\bbhnth.exec:\bbhnth.exe60⤵
- Executes dropped EXE
-
\??\c:\vvdpv.exec:\vvdpv.exe61⤵
- Executes dropped EXE
-
\??\c:\rlxfrfr.exec:\rlxfrfr.exe62⤵
- Executes dropped EXE
-
\??\c:\5thnnn.exec:\5thnnn.exe63⤵
- Executes dropped EXE
-
\??\c:\nnntbb.exec:\nnntbb.exe64⤵
- Executes dropped EXE
-
\??\c:\7jdpj.exec:\7jdpj.exe65⤵
- Executes dropped EXE
-
\??\c:\dddvv.exec:\dddvv.exe66⤵
-
\??\c:\xxllllx.exec:\xxllllx.exe67⤵
-
\??\c:\1fflxxl.exec:\1fflxxl.exe68⤵
-
\??\c:\tnhnnb.exec:\tnhnnb.exe69⤵
-
\??\c:\nbnntn.exec:\nbnntn.exe70⤵
-
\??\c:\ddvjd.exec:\ddvjd.exe71⤵
-
\??\c:\rflllrx.exec:\rflllrx.exe72⤵
-
\??\c:\lrfrflx.exec:\lrfrflx.exe73⤵
-
\??\c:\hnnthn.exec:\hnnthn.exe74⤵
-
\??\c:\ttttnn.exec:\ttttnn.exe75⤵
-
\??\c:\9bhtbt.exec:\9bhtbt.exe76⤵
-
\??\c:\ddjvv.exec:\ddjvv.exe77⤵
-
\??\c:\pppjv.exec:\pppjv.exe78⤵
-
\??\c:\9flflrx.exec:\9flflrx.exe79⤵
-
\??\c:\xxrlllf.exec:\xxrlllf.exe80⤵
-
\??\c:\nthbtt.exec:\nthbtt.exe81⤵
-
\??\c:\5thnth.exec:\5thnth.exe82⤵
-
\??\c:\pjpjp.exec:\pjpjp.exe83⤵
-
\??\c:\jjvjv.exec:\jjvjv.exe84⤵
-
\??\c:\rlffrrx.exec:\rlffrrx.exe85⤵
-
\??\c:\nhbhhn.exec:\nhbhhn.exe86⤵
-
\??\c:\bnbbhb.exec:\bnbbhb.exe87⤵
-
\??\c:\ddppv.exec:\ddppv.exe88⤵
-
\??\c:\jdjjd.exec:\jdjjd.exe89⤵
-
\??\c:\xfxllxf.exec:\xfxllxf.exe90⤵
-
\??\c:\lxllxfx.exec:\lxllxfx.exe91⤵
-
\??\c:\nhbhtb.exec:\nhbhtb.exe92⤵
-
\??\c:\pdpdp.exec:\pdpdp.exe93⤵
-
\??\c:\9vjdp.exec:\9vjdp.exe94⤵
-
\??\c:\vvpvd.exec:\vvpvd.exe95⤵
-
\??\c:\lllrfrr.exec:\lllrfrr.exe96⤵
-
\??\c:\lfflxxl.exec:\lfflxxl.exe97⤵
-
\??\c:\nhnnbb.exec:\nhnnbb.exe98⤵
-
\??\c:\hbntbh.exec:\hbntbh.exe99⤵
-
\??\c:\vjpjj.exec:\vjpjj.exe100⤵
-
\??\c:\pdjjj.exec:\pdjjj.exe101⤵
-
\??\c:\xrxlrfl.exec:\xrxlrfl.exe102⤵
-
\??\c:\7lxxlxr.exec:\7lxxlxr.exe103⤵
-
\??\c:\btbhnn.exec:\btbhnn.exe104⤵
-
\??\c:\7nhhhb.exec:\7nhhhb.exe105⤵
-
\??\c:\vjppv.exec:\vjppv.exe106⤵
-
\??\c:\dvvvj.exec:\dvvvj.exe107⤵
-
\??\c:\fxllrrf.exec:\fxllrrf.exe108⤵
-
\??\c:\ntbbbt.exec:\ntbbbt.exe109⤵
-
\??\c:\bnbntt.exec:\bnbntt.exe110⤵
-
\??\c:\djvpd.exec:\djvpd.exe111⤵
-
\??\c:\dvddp.exec:\dvddp.exe112⤵
-
\??\c:\rlrlrll.exec:\rlrlrll.exe113⤵
-
\??\c:\rrlrrfl.exec:\rrlrrfl.exe114⤵
-
\??\c:\nhbbhh.exec:\nhbbhh.exe115⤵
-
\??\c:\thnnhn.exec:\thnnhn.exe116⤵
-
\??\c:\pdvvj.exec:\pdvvj.exe117⤵
-
\??\c:\jjvdj.exec:\jjvdj.exe118⤵
-
\??\c:\3rfrfrr.exec:\3rfrfrr.exe119⤵
-
\??\c:\lfrflfl.exec:\lfrflfl.exe120⤵
-
\??\c:\3nhbhn.exec:\3nhbhn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-