Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
24-05-2024 05:39
General
-
Target
fb80e352828809de7791de51ba2eb01d08e95a4f917482178d88d199c7e2c12d.exe
-
Size
277KB
-
MD5
45d305a22c0b0bcd6400096d779e5e08
-
SHA1
cf868088e7c5650fdb74e95bd89484f5b96098f8
-
SHA256
fb80e352828809de7791de51ba2eb01d08e95a4f917482178d88d199c7e2c12d
-
SHA512
e270fc1a1f847590514acb452a127578900ed56e496b406ab9dec8c18749455707483268ea786a6da47d552d53f7a7ff3da6c4c00016b2e7c30a81d75b77ea7b
-
SSDEEP
6144:n3C9BRIG0asYFm71m8+GdkB9yMu7VvemV3:n3C9uYA71kSMu/
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 25 IoCs
-
UPX dump on OEP (original entry point) 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb80e352828809de7791de51ba2eb01d08e95a4f917482178d88d199c7e2c12d.exe"C:\Users\Admin\AppData\Local\Temp\fb80e352828809de7791de51ba2eb01d08e95a4f917482178d88d199c7e2c12d.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxrlfl.exec:\rlxrlfl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhtnth.exec:\nhtnth.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjdv.exec:\jjjdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3xlflxr.exec:\3xlflxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrxlxll.exec:\lrxlxll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhbthb.exec:\bhbthb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpdpd.exec:\jpdpd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxlrfr.exec:\lfxlrfr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tthbbt.exec:\tthbbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdvj.exec:\pjdvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxxrll.exec:\rfxxrll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvdpj.exec:\pvdpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvpj.exec:\ddvpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnbnh.exec:\tnnbnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjvp.exec:\jdjvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flllfxl.exec:\flllfxl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnbht.exec:\tnnbht.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpvd.exec:\dvpvd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlfxrrl.exec:\rlfxrrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhtnnh.exec:\nhtnnh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpdvj.exec:\vpdvj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpdvv.exec:\vpdvv.exe23⤵
- Executes dropped EXE
-
\??\c:\lrfrrlf.exec:\lrfrrlf.exe24⤵
- Executes dropped EXE
-
\??\c:\7bnhth.exec:\7bnhth.exe25⤵
- Executes dropped EXE
-
\??\c:\djddd.exec:\djddd.exe26⤵
- Executes dropped EXE
-
\??\c:\dvpdp.exec:\dvpdp.exe27⤵
- Executes dropped EXE
-
\??\c:\rrffrrr.exec:\rrffrrr.exe28⤵
- Executes dropped EXE
-
\??\c:\7lxrrxr.exec:\7lxrrxr.exe29⤵
- Executes dropped EXE
-
\??\c:\htbttn.exec:\htbttn.exe30⤵
- Executes dropped EXE
-
\??\c:\xrxxxxf.exec:\xrxxxxf.exe31⤵
- Executes dropped EXE
-
\??\c:\3llfxrf.exec:\3llfxrf.exe32⤵
- Executes dropped EXE
-
\??\c:\hhhhbt.exec:\hhhhbt.exe33⤵
- Executes dropped EXE
-
\??\c:\xflxffr.exec:\xflxffr.exe34⤵
- Executes dropped EXE
-
\??\c:\tbhbbb.exec:\tbhbbb.exe35⤵
- Executes dropped EXE
-
\??\c:\5jvpd.exec:\5jvpd.exe36⤵
- Executes dropped EXE
-
\??\c:\jpdpj.exec:\jpdpj.exe37⤵
- Executes dropped EXE
-
\??\c:\xrrfrfr.exec:\xrrfrfr.exe38⤵
- Executes dropped EXE
-
\??\c:\nhbthb.exec:\nhbthb.exe39⤵
- Executes dropped EXE
-
\??\c:\tbhtth.exec:\tbhtth.exe40⤵
- Executes dropped EXE
-
\??\c:\pvdpj.exec:\pvdpj.exe41⤵
- Executes dropped EXE
-
\??\c:\xrlflfx.exec:\xrlflfx.exe42⤵
- Executes dropped EXE
-
\??\c:\xlrfxxf.exec:\xlrfxxf.exe43⤵
- Executes dropped EXE
-
\??\c:\nbhtnb.exec:\nbhtnb.exe44⤵
- Executes dropped EXE
-
\??\c:\bhhtth.exec:\bhhtth.exe45⤵
- Executes dropped EXE
-
\??\c:\dvvjd.exec:\dvvjd.exe46⤵
- Executes dropped EXE
-
\??\c:\lllxxxl.exec:\lllxxxl.exe47⤵
- Executes dropped EXE
-
\??\c:\fffrfff.exec:\fffrfff.exe48⤵
- Executes dropped EXE
-
\??\c:\hhnnbt.exec:\hhnnbt.exe49⤵
- Executes dropped EXE
-
\??\c:\bnthbb.exec:\bnthbb.exe50⤵
- Executes dropped EXE
-
\??\c:\pvjdd.exec:\pvjdd.exe51⤵
- Executes dropped EXE
-
\??\c:\7xrfrrf.exec:\7xrfrrf.exe52⤵
- Executes dropped EXE
-
\??\c:\fllfrxl.exec:\fllfrxl.exe53⤵
- Executes dropped EXE
-
\??\c:\hbhbtn.exec:\hbhbtn.exe54⤵
- Executes dropped EXE
-
\??\c:\nhhbbb.exec:\nhhbbb.exe55⤵
- Executes dropped EXE
-
\??\c:\dpdvj.exec:\dpdvj.exe56⤵
- Executes dropped EXE
-
\??\c:\xrxrfxf.exec:\xrxrfxf.exe57⤵
- Executes dropped EXE
-
\??\c:\3ffxxrl.exec:\3ffxxrl.exe58⤵
- Executes dropped EXE
-
\??\c:\9nnhbt.exec:\9nnhbt.exe59⤵
- Executes dropped EXE
-
\??\c:\nnthbt.exec:\nnthbt.exe60⤵
- Executes dropped EXE
-
\??\c:\vdpdp.exec:\vdpdp.exe61⤵
- Executes dropped EXE
-
\??\c:\pjppj.exec:\pjppj.exe62⤵
- Executes dropped EXE
-
\??\c:\xxfflfx.exec:\xxfflfx.exe63⤵
- Executes dropped EXE
-
\??\c:\3xxlfxr.exec:\3xxlfxr.exe64⤵
- Executes dropped EXE
-
\??\c:\bhbthn.exec:\bhbthn.exe65⤵
- Executes dropped EXE
-
\??\c:\jdjvp.exec:\jdjvp.exe66⤵
-
\??\c:\vpvpd.exec:\vpvpd.exe67⤵
-
\??\c:\rlxrrlr.exec:\rlxrrlr.exe68⤵
-
\??\c:\thbbtn.exec:\thbbtn.exe69⤵
-
\??\c:\pjdpj.exec:\pjdpj.exe70⤵
-
\??\c:\xrrrlll.exec:\xrrrlll.exe71⤵
-
\??\c:\rflxrlf.exec:\rflxrlf.exe72⤵
-
\??\c:\1thbnh.exec:\1thbnh.exe73⤵
-
\??\c:\pppvp.exec:\pppvp.exe74⤵
-
\??\c:\rlrlllr.exec:\rlrlllr.exe75⤵
-
\??\c:\htnhbt.exec:\htnhbt.exe76⤵
-
\??\c:\tttntn.exec:\tttntn.exe77⤵
-
\??\c:\dvjdv.exec:\dvjdv.exe78⤵
-
\??\c:\7llfxfx.exec:\7llfxfx.exe79⤵
-
\??\c:\frlxfxf.exec:\frlxfxf.exe80⤵
-
\??\c:\nbbtnn.exec:\nbbtnn.exe81⤵
-
\??\c:\dppdv.exec:\dppdv.exe82⤵
-
\??\c:\pjdpj.exec:\pjdpj.exe83⤵
-
\??\c:\rrxrfrr.exec:\rrxrfrr.exe84⤵
-
\??\c:\bnnhtn.exec:\bnnhtn.exe85⤵
-
\??\c:\ttbbnn.exec:\ttbbnn.exe86⤵
-
\??\c:\vvpjv.exec:\vvpjv.exe87⤵
-
\??\c:\jdvjv.exec:\jdvjv.exe88⤵
-
\??\c:\xllrlfx.exec:\xllrlfx.exe89⤵
-
\??\c:\bnhtht.exec:\bnhtht.exe90⤵
-
\??\c:\htthtb.exec:\htthtb.exe91⤵
-
\??\c:\dppjv.exec:\dppjv.exe92⤵
-
\??\c:\5jdpd.exec:\5jdpd.exe93⤵
-
\??\c:\frxrrlr.exec:\frxrrlr.exe94⤵
-
\??\c:\frrlfxl.exec:\frrlfxl.exe95⤵
-
\??\c:\7nnhbb.exec:\7nnhbb.exe96⤵
-
\??\c:\9tbnnh.exec:\9tbnnh.exe97⤵
-
\??\c:\vdppj.exec:\vdppj.exe98⤵
-
\??\c:\9vjdv.exec:\9vjdv.exe99⤵
-
\??\c:\7rrfrlf.exec:\7rrfrlf.exe100⤵
-
\??\c:\bbtbnh.exec:\bbtbnh.exe101⤵
-
\??\c:\htnbtn.exec:\htnbtn.exe102⤵
-
\??\c:\ddjvj.exec:\ddjvj.exe103⤵
-
\??\c:\1dvjv.exec:\1dvjv.exe104⤵
-
\??\c:\3xxrfxl.exec:\3xxrfxl.exe105⤵
-
\??\c:\5xxrlfr.exec:\5xxrlfr.exe106⤵
-
\??\c:\bbbthb.exec:\bbbthb.exe107⤵
-
\??\c:\httnhb.exec:\httnhb.exe108⤵
-
\??\c:\ddjdj.exec:\ddjdj.exe109⤵
-
\??\c:\vdjdd.exec:\vdjdd.exe110⤵
-
\??\c:\5frlxfr.exec:\5frlxfr.exe111⤵
-
\??\c:\btthbt.exec:\btthbt.exe112⤵
-
\??\c:\rflxxxl.exec:\rflxxxl.exe113⤵
-
\??\c:\fxrlfxr.exec:\fxrlfxr.exe114⤵
-
\??\c:\3hnhtt.exec:\3hnhtt.exe115⤵
-
\??\c:\dvppj.exec:\dvppj.exe116⤵
-
\??\c:\pddpj.exec:\pddpj.exe117⤵
-
\??\c:\lxxfrfx.exec:\lxxfrfx.exe118⤵
-
\??\c:\rxrfxlx.exec:\rxrfxlx.exe119⤵
-
\??\c:\htnbtn.exec:\htnbtn.exe120⤵
-
\??\c:\7tbnnh.exec:\7tbnnh.exe121⤵
-
\??\c:\9jpdp.exec:\9jpdp.exe122⤵
-
\??\c:\dppdv.exec:\dppdv.exe123⤵
-
\??\c:\llrrlll.exec:\llrrlll.exe124⤵
-
\??\c:\fffxxxr.exec:\fffxxxr.exe125⤵
-
\??\c:\hntnbb.exec:\hntnbb.exe126⤵
-
\??\c:\7nthnh.exec:\7nthnh.exe127⤵
-
\??\c:\1jpjd.exec:\1jpjd.exe128⤵
-
\??\c:\djdvp.exec:\djdvp.exe129⤵
-
\??\c:\xlfrlrf.exec:\xlfrlrf.exe130⤵
-
\??\c:\hnhbnh.exec:\hnhbnh.exe131⤵
-
\??\c:\hnhtnh.exec:\hnhtnh.exe132⤵
-
\??\c:\1jpjv.exec:\1jpjv.exe133⤵
-
\??\c:\jdvjv.exec:\jdvjv.exe134⤵
-
\??\c:\1frrfrf.exec:\1frrfrf.exe135⤵
-
\??\c:\9ffrxrx.exec:\9ffrxrx.exe136⤵
-
\??\c:\ntnhbt.exec:\ntnhbt.exe137⤵
-
\??\c:\nntnbt.exec:\nntnbt.exe138⤵
-
\??\c:\pvvpj.exec:\pvvpj.exe139⤵
-
\??\c:\xlfrlfr.exec:\xlfrlfr.exe140⤵
-
\??\c:\rrrflff.exec:\rrrflff.exe141⤵
-
\??\c:\5nhtnh.exec:\5nhtnh.exe142⤵
-
\??\c:\btbtbt.exec:\btbtbt.exe143⤵
-
\??\c:\9pjvp.exec:\9pjvp.exe144⤵
-
\??\c:\fxrfrrl.exec:\fxrfrrl.exe145⤵
-
\??\c:\xrrlxrf.exec:\xrrlxrf.exe146⤵
-
\??\c:\5nthhb.exec:\5nthhb.exe147⤵
-
\??\c:\bnnbhb.exec:\bnnbhb.exe148⤵
-
\??\c:\dvvpj.exec:\dvvpj.exe149⤵
-
\??\c:\7frllfx.exec:\7frllfx.exe150⤵
-
\??\c:\7fxrfxr.exec:\7fxrfxr.exe151⤵
-
\??\c:\3hbthb.exec:\3hbthb.exe152⤵
-
\??\c:\btnbnh.exec:\btnbnh.exe153⤵
-
\??\c:\3djvp.exec:\3djvp.exe154⤵
-
\??\c:\vppjd.exec:\vppjd.exe155⤵
-
\??\c:\5flxxrr.exec:\5flxxrr.exe156⤵
-
\??\c:\fxxrxxf.exec:\fxxrxxf.exe157⤵
-
\??\c:\thbnhh.exec:\thbnhh.exe158⤵
-
\??\c:\dpdpp.exec:\dpdpp.exe159⤵
-
\??\c:\5vpdv.exec:\5vpdv.exe160⤵
-
\??\c:\ffrxflr.exec:\ffrxflr.exe161⤵
-
\??\c:\7bbnbt.exec:\7bbnbt.exe162⤵
-
\??\c:\1nhbnh.exec:\1nhbnh.exe163⤵
-
\??\c:\dvpdd.exec:\dvpdd.exe164⤵
-
\??\c:\djppj.exec:\djppj.exe165⤵
-
\??\c:\xxfxllf.exec:\xxfxllf.exe166⤵
-
\??\c:\5xxllfx.exec:\5xxllfx.exe167⤵
-
\??\c:\bbtntt.exec:\bbtntt.exe168⤵
-
\??\c:\dvdvp.exec:\dvdvp.exe169⤵
-
\??\c:\pjddp.exec:\pjddp.exe170⤵
-
\??\c:\ffrrxrf.exec:\ffrrxrf.exe171⤵
-
\??\c:\rrxrlfx.exec:\rrxrlfx.exe172⤵
-
\??\c:\tthbth.exec:\tthbth.exe173⤵
-
\??\c:\vdvpj.exec:\vdvpj.exe174⤵
-
\??\c:\rxfrlxl.exec:\rxfrlxl.exe175⤵
-
\??\c:\xrrrlfr.exec:\xrrrlfr.exe176⤵
-
\??\c:\dppvp.exec:\dppvp.exe177⤵
-
\??\c:\jdvvv.exec:\jdvvv.exe178⤵
-
\??\c:\fffrlxr.exec:\fffrlxr.exe179⤵
-
\??\c:\1tnbtt.exec:\1tnbtt.exe180⤵
-
\??\c:\btnhtt.exec:\btnhtt.exe181⤵
-
\??\c:\3jdpj.exec:\3jdpj.exe182⤵
-
\??\c:\dppjd.exec:\dppjd.exe183⤵
-
\??\c:\9hthbn.exec:\9hthbn.exe184⤵
-
\??\c:\hnbttn.exec:\hnbttn.exe185⤵
-
\??\c:\9djdp.exec:\9djdp.exe186⤵
-
\??\c:\7xxrlfl.exec:\7xxrlfl.exe187⤵
-
\??\c:\tbbtnn.exec:\tbbtnn.exe188⤵
-
\??\c:\bbbnbb.exec:\bbbnbb.exe189⤵
-
\??\c:\vjvpp.exec:\vjvpp.exe190⤵
-
\??\c:\dddjv.exec:\dddjv.exe191⤵
-
\??\c:\xrffllx.exec:\xrffllx.exe192⤵
-
\??\c:\nhbbhb.exec:\nhbbhb.exe193⤵
-
\??\c:\djpjp.exec:\djpjp.exe194⤵
-
\??\c:\5pppj.exec:\5pppj.exe195⤵
-
\??\c:\lxxlxxl.exec:\lxxlxxl.exe196⤵
-
\??\c:\rlxrlrl.exec:\rlxrlrl.exe197⤵
-
\??\c:\nnttbn.exec:\nnttbn.exe198⤵
-
\??\c:\9bhtnn.exec:\9bhtnn.exe199⤵
-
\??\c:\jddvp.exec:\jddvp.exe200⤵
-
\??\c:\jvdpj.exec:\jvdpj.exe201⤵
-
\??\c:\lflxffl.exec:\lflxffl.exe202⤵
-
\??\c:\rxfxllx.exec:\rxfxllx.exe203⤵
-
\??\c:\hbbnhn.exec:\hbbnhn.exe204⤵
-
\??\c:\vdvpd.exec:\vdvpd.exe205⤵
-
\??\c:\jjjpd.exec:\jjjpd.exe206⤵
-
\??\c:\xfxrlll.exec:\xfxrlll.exe207⤵
-
\??\c:\nbbbtt.exec:\nbbbtt.exe208⤵
-
\??\c:\5jjdv.exec:\5jjdv.exe209⤵
-
\??\c:\jvvjv.exec:\jvvjv.exe210⤵
-
\??\c:\lfrlfxr.exec:\lfrlfxr.exe211⤵
-
\??\c:\9rxrlxr.exec:\9rxrlxr.exe212⤵
-
\??\c:\nhnnbt.exec:\nhnnbt.exe213⤵
-
\??\c:\3jdvp.exec:\3jdvp.exe214⤵
-
\??\c:\7jdvj.exec:\7jdvj.exe215⤵
-
\??\c:\5lrfxrf.exec:\5lrfxrf.exe216⤵
-
\??\c:\frrfxrl.exec:\frrfxrl.exe217⤵
-
\??\c:\tnntnt.exec:\tnntnt.exe218⤵
-
\??\c:\jvdpp.exec:\jvdpp.exe219⤵
-
\??\c:\jdjdv.exec:\jdjdv.exe220⤵
-
\??\c:\xxrfxlf.exec:\xxrfxlf.exe221⤵
-
\??\c:\9nhtnh.exec:\9nhtnh.exe222⤵
-
\??\c:\hbbttn.exec:\hbbttn.exe223⤵
-
\??\c:\vjjdp.exec:\vjjdp.exe224⤵
-
\??\c:\djpdv.exec:\djpdv.exe225⤵
-
\??\c:\lrrlrxl.exec:\lrrlrxl.exe226⤵
-
\??\c:\nhbtnb.exec:\nhbtnb.exe227⤵
-
\??\c:\3tnhtt.exec:\3tnhtt.exe228⤵
-
\??\c:\jppdp.exec:\jppdp.exe229⤵
-
\??\c:\fxrlffx.exec:\fxrlffx.exe230⤵
-
\??\c:\xflfrlf.exec:\xflfrlf.exe231⤵
-
\??\c:\bhhhtn.exec:\bhhhtn.exe232⤵
-
\??\c:\bnhbnh.exec:\bnhbnh.exe233⤵
-
\??\c:\vdvjv.exec:\vdvjv.exe234⤵
-
\??\c:\5xrxlfx.exec:\5xrxlfx.exe235⤵
-
\??\c:\rlrlfrl.exec:\rlrlfrl.exe236⤵
-
\??\c:\nbthnh.exec:\nbthnh.exe237⤵
-
\??\c:\5jpdd.exec:\5jpdd.exe238⤵
-
\??\c:\jdvpd.exec:\jdvpd.exe239⤵
-
\??\c:\rffrlfx.exec:\rffrlfx.exe240⤵