Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 20:15
General
-
Target
3596387e5aca4ea3bc72292c420b26790d06df160759555fb2361d29245fa2bb.exe
-
Size
394KB
-
MD5
c9891e97727fe1108e57ef10e65ae58c
-
SHA1
c73c15d9de6ff81e2a0115ef0eb9a651f9509d49
-
SHA256
3596387e5aca4ea3bc72292c420b26790d06df160759555fb2361d29245fa2bb
-
SHA512
e016af180d1e3f2d92758ad2a74fe741a769c290248bc7120f8c650391d5642ce3d38825a8a7baca484ead070771919bc444a395bdc084f5dc1967e06ffeaf3a
-
SSDEEP
6144:n3C9BRo7tvnJ9oH0IRgZvjkobjcSbcY+CaQdaFOY4iGFYtRdu/n:n3C9ytvngQjZbz+xt4vFBv
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 29 IoCs
-
UPX dump on OEP (original entry point) 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3596387e5aca4ea3bc72292c420b26790d06df160759555fb2361d29245fa2bb.exe"C:\Users\Admin\AppData\Local\Temp\3596387e5aca4ea3bc72292c420b26790d06df160759555fb2361d29245fa2bb.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\hbbthh.exec:\hbbthh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frllrlx.exec:\frllrlx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxrlfx.exec:\fxxrlfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5htnhh.exec:\5htnhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjpjd.exec:\vjpjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfffxxx.exec:\lfffxxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5bbnbn.exec:\5bbnbn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdjdv.exec:\pdjdv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djpjd.exec:\djpjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxxlfxr.exec:\xxxlfxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhtnt.exec:\tnhtnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btttnn.exec:\btttnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1jpjv.exec:\1jpjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9ffxflr.exec:\9ffxflr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnthbt.exec:\bnthbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5tbtbt.exec:\5tbtbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvjjd.exec:\jvjjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdjdp.exec:\pdjdp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7lrlrrx.exec:\7lrlrrx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7thhbh.exec:\7thhbh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhhbb.exec:\hbhhbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvpp.exec:\jjvpp.exe23⤵
- Executes dropped EXE
-
\??\c:\rrxrffl.exec:\rrxrffl.exe24⤵
- Executes dropped EXE
-
\??\c:\rfxlxlf.exec:\rfxlxlf.exe25⤵
- Executes dropped EXE
-
\??\c:\bntthh.exec:\bntthh.exe26⤵
- Executes dropped EXE
-
\??\c:\vjpjv.exec:\vjpjv.exe27⤵
- Executes dropped EXE
-
\??\c:\9pvjp.exec:\9pvjp.exe28⤵
- Executes dropped EXE
-
\??\c:\lfflrlf.exec:\lfflrlf.exe29⤵
- Executes dropped EXE
-
\??\c:\7llfxrf.exec:\7llfxrf.exe30⤵
- Executes dropped EXE
-
\??\c:\bhhbtt.exec:\bhhbtt.exe31⤵
- Executes dropped EXE
-
\??\c:\9pdvj.exec:\9pdvj.exe32⤵
- Executes dropped EXE
-
\??\c:\pjjdp.exec:\pjjdp.exe33⤵
- Executes dropped EXE
-
\??\c:\xlrflfr.exec:\xlrflfr.exe34⤵
- Executes dropped EXE
-
\??\c:\llffrxl.exec:\llffrxl.exe35⤵
- Executes dropped EXE
-
\??\c:\5hhbtt.exec:\5hhbtt.exe36⤵
- Executes dropped EXE
-
\??\c:\pjpjd.exec:\pjpjd.exe37⤵
- Executes dropped EXE
-
\??\c:\dppjd.exec:\dppjd.exe38⤵
- Executes dropped EXE
-
\??\c:\xlllllr.exec:\xlllllr.exe39⤵
- Executes dropped EXE
-
\??\c:\bhtttt.exec:\bhtttt.exe40⤵
- Executes dropped EXE
-
\??\c:\5tthbt.exec:\5tthbt.exe41⤵
- Executes dropped EXE
-
\??\c:\dpvjd.exec:\dpvjd.exe42⤵
- Executes dropped EXE
-
\??\c:\xxfxlff.exec:\xxfxlff.exe43⤵
- Executes dropped EXE
-
\??\c:\3fffxff.exec:\3fffxff.exe44⤵
- Executes dropped EXE
-
\??\c:\bnttnn.exec:\bnttnn.exe45⤵
- Executes dropped EXE
-
\??\c:\bhtnhb.exec:\bhtnhb.exe46⤵
- Executes dropped EXE
-
\??\c:\dvjvv.exec:\dvjvv.exe47⤵
- Executes dropped EXE
-
\??\c:\frrlfxx.exec:\frrlfxx.exe48⤵
- Executes dropped EXE
-
\??\c:\7rffxrl.exec:\7rffxrl.exe49⤵
- Executes dropped EXE
-
\??\c:\bnbntn.exec:\bnbntn.exe50⤵
- Executes dropped EXE
-
\??\c:\pdjvj.exec:\pdjvj.exe51⤵
- Executes dropped EXE
-
\??\c:\dvpdd.exec:\dvpdd.exe52⤵
- Executes dropped EXE
-
\??\c:\frrrfxl.exec:\frrrfxl.exe53⤵
- Executes dropped EXE
-
\??\c:\btbnnn.exec:\btbnnn.exe54⤵
- Executes dropped EXE
-
\??\c:\thbhtt.exec:\thbhtt.exe55⤵
- Executes dropped EXE
-
\??\c:\1vpdv.exec:\1vpdv.exe56⤵
- Executes dropped EXE
-
\??\c:\xlrfxrl.exec:\xlrfxrl.exe57⤵
- Executes dropped EXE
-
\??\c:\xllfrlf.exec:\xllfrlf.exe58⤵
- Executes dropped EXE
-
\??\c:\tttnhb.exec:\tttnhb.exe59⤵
- Executes dropped EXE
-
\??\c:\jdvpv.exec:\jdvpv.exe60⤵
- Executes dropped EXE
-
\??\c:\jpvjv.exec:\jpvjv.exe61⤵
- Executes dropped EXE
-
\??\c:\1xlfrrf.exec:\1xlfrrf.exe62⤵
- Executes dropped EXE
-
\??\c:\xrfflxf.exec:\xrfflxf.exe63⤵
- Executes dropped EXE
-
\??\c:\5tnhbt.exec:\5tnhbt.exe64⤵
- Executes dropped EXE
-
\??\c:\vjdvj.exec:\vjdvj.exe65⤵
- Executes dropped EXE
-
\??\c:\dddvp.exec:\dddvp.exe66⤵
-
\??\c:\fxxrffx.exec:\fxxrffx.exe67⤵
-
\??\c:\jvpjd.exec:\jvpjd.exe68⤵
-
\??\c:\rrfxrxr.exec:\rrfxrxr.exe69⤵
-
\??\c:\hbnhhh.exec:\hbnhhh.exe70⤵
-
\??\c:\jjdvj.exec:\jjdvj.exe71⤵
-
\??\c:\3pjvp.exec:\3pjvp.exe72⤵
-
\??\c:\rrxlfxl.exec:\rrxlfxl.exe73⤵
-
\??\c:\5tbtbb.exec:\5tbtbb.exe74⤵
-
\??\c:\5htnhb.exec:\5htnhb.exe75⤵
-
\??\c:\3pvpv.exec:\3pvpv.exe76⤵
-
\??\c:\lllfxxx.exec:\lllfxxx.exe77⤵
-
\??\c:\7nhbtt.exec:\7nhbtt.exe78⤵
-
\??\c:\vvvpp.exec:\vvvpp.exe79⤵
-
\??\c:\jdjvp.exec:\jdjvp.exe80⤵
-
\??\c:\hntthh.exec:\hntthh.exe81⤵
-
\??\c:\djjdp.exec:\djjdp.exe82⤵
-
\??\c:\lxlfxlx.exec:\lxlfxlx.exe83⤵
-
\??\c:\nntnhh.exec:\nntnhh.exe84⤵
-
\??\c:\bhhbtn.exec:\bhhbtn.exe85⤵
-
\??\c:\dvjvp.exec:\dvjvp.exe86⤵
-
\??\c:\rrxrrlf.exec:\rrxrrlf.exe87⤵
-
\??\c:\3bbttt.exec:\3bbttt.exe88⤵
-
\??\c:\jjdvp.exec:\jjdvp.exe89⤵
-
\??\c:\1ddvp.exec:\1ddvp.exe90⤵
-
\??\c:\fxlfxxr.exec:\fxlfxxr.exe91⤵
-
\??\c:\hbbttn.exec:\hbbttn.exe92⤵
-
\??\c:\vjjdv.exec:\vjjdv.exe93⤵
-
\??\c:\1rrlfxx.exec:\1rrlfxx.exe94⤵
-
\??\c:\llxxrll.exec:\llxxrll.exe95⤵
-
\??\c:\9hhbnn.exec:\9hhbnn.exe96⤵
-
\??\c:\pjvdd.exec:\pjvdd.exe97⤵
-
\??\c:\7ppjd.exec:\7ppjd.exe98⤵
-
\??\c:\fxxrrlf.exec:\fxxrrlf.exe99⤵
-
\??\c:\nbnhbh.exec:\nbnhbh.exe100⤵
-
\??\c:\hbbthb.exec:\hbbthb.exe101⤵
-
\??\c:\vjppj.exec:\vjppj.exe102⤵
-
\??\c:\lrffxxr.exec:\lrffxxr.exe103⤵
-
\??\c:\bttnhb.exec:\bttnhb.exe104⤵
-
\??\c:\dvvpd.exec:\dvvpd.exe105⤵
-
\??\c:\flrlfxf.exec:\flrlfxf.exe106⤵
-
\??\c:\7ntnhb.exec:\7ntnhb.exe107⤵
-
\??\c:\hhnhnn.exec:\hhnhnn.exe108⤵
-
\??\c:\jjdvv.exec:\jjdvv.exe109⤵
-
\??\c:\1rrxllf.exec:\1rrxllf.exe110⤵
-
\??\c:\3fxrfxx.exec:\3fxrfxx.exe111⤵
-
\??\c:\bhnhbb.exec:\bhnhbb.exe112⤵
-
\??\c:\9rfrxrl.exec:\9rfrxrl.exe113⤵
-
\??\c:\bhhnhh.exec:\bhhnhh.exe114⤵
-
\??\c:\pjvpd.exec:\pjvpd.exe115⤵
-
\??\c:\frxrrrl.exec:\frxrrrl.exe116⤵
-
\??\c:\nbtnht.exec:\nbtnht.exe117⤵
-
\??\c:\jvddv.exec:\jvddv.exe118⤵
-
\??\c:\lxrfxxr.exec:\lxrfxxr.exe119⤵
-
\??\c:\nnbhth.exec:\nnbhth.exe120⤵
-
\??\c:\9pvpj.exec:\9pvpj.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-