Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
26/05/2024, 22:59
General
-
Target
70a61c711351d78281993666f6520903ba1fca51bce98cdf849e58088a2dc36f.exe
-
Size
401KB
-
MD5
35d76ad4c29ed71577654ff32a3d0e73
-
SHA1
6129c83ea9d08672553791dc92dabd03732f6014
-
SHA256
70a61c711351d78281993666f6520903ba1fca51bce98cdf849e58088a2dc36f
-
SHA512
883294ffb9fa7058e4f099662af2061886ae7c7044ce084aae93d98a9f0e862dfd53af3cff3874673601139552728e23d9b900efe36f5a637dcf9a8d7e048935
-
SSDEEP
3072:ymb3NkkiQ3mdBjFIi/0RU6QeYQsm71vPmX5kr+uIBpkJITEEuR9XTVyXmGN:n3C9BRIG0asYFm71mJkr+uIBe1T8V
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 18 IoCs
-
UPX dump on OEP (original entry point) 18 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 18 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\70a61c711351d78281993666f6520903ba1fca51bce98cdf849e58088a2dc36f.exe"C:\Users\Admin\AppData\Local\Temp\70a61c711351d78281993666f6520903ba1fca51bce98cdf849e58088a2dc36f.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\8200840.exec:\8200840.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxfffxf.exec:\xxfffxf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntnnbh.exec:\ntnnbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\260266.exec:\260266.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frlxrxl.exec:\frlxrxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7nbhtt.exec:\7nbhtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\82028.exec:\82028.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2226482.exec:\2226482.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\602844.exec:\602844.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3btbbt.exec:\3btbbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\w24062.exec:\w24062.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0468068.exec:\0468068.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\268088.exec:\268088.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0406402.exec:\0406402.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\w42244.exec:\w42244.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrrxxr.exec:\lfrrxxr.exe17⤵
- Executes dropped EXE
-
\??\c:\nnhhth.exec:\nnhhth.exe18⤵
- Executes dropped EXE
-
\??\c:\ffrrrrf.exec:\ffrrrrf.exe19⤵
- Executes dropped EXE
-
\??\c:\4828068.exec:\4828068.exe20⤵
- Executes dropped EXE
-
\??\c:\tnhhbh.exec:\tnhhbh.exe21⤵
- Executes dropped EXE
-
\??\c:\hhbhnt.exec:\hhbhnt.exe22⤵
- Executes dropped EXE
-
\??\c:\7nttbb.exec:\7nttbb.exe23⤵
- Executes dropped EXE
-
\??\c:\g2668.exec:\g2668.exe24⤵
- Executes dropped EXE
-
\??\c:\5jdjv.exec:\5jdjv.exe25⤵
- Executes dropped EXE
-
\??\c:\lrllrfr.exec:\lrllrfr.exe26⤵
- Executes dropped EXE
-
\??\c:\w26206.exec:\w26206.exe27⤵
- Executes dropped EXE
-
\??\c:\hbbbnn.exec:\hbbbnn.exe28⤵
- Executes dropped EXE
-
\??\c:\846468.exec:\846468.exe29⤵
- Executes dropped EXE
-
\??\c:\848688.exec:\848688.exe30⤵
- Executes dropped EXE
-
\??\c:\1xrxflr.exec:\1xrxflr.exe31⤵
- Executes dropped EXE
-
\??\c:\8866462.exec:\8866462.exe32⤵
- Executes dropped EXE
-
\??\c:\4288002.exec:\4288002.exe33⤵
- Executes dropped EXE
-
\??\c:\064268.exec:\064268.exe34⤵
- Executes dropped EXE
-
\??\c:\1lfxrxl.exec:\1lfxrxl.exe35⤵
- Executes dropped EXE
-
\??\c:\222808.exec:\222808.exe36⤵
- Executes dropped EXE
-
\??\c:\pjpjj.exec:\pjpjj.exe37⤵
- Executes dropped EXE
-
\??\c:\5dppd.exec:\5dppd.exe38⤵
- Executes dropped EXE
-
\??\c:\48684.exec:\48684.exe39⤵
- Executes dropped EXE
-
\??\c:\22602.exec:\22602.exe40⤵
- Executes dropped EXE
-
\??\c:\dpppj.exec:\dpppj.exe41⤵
- Executes dropped EXE
-
\??\c:\42884.exec:\42884.exe42⤵
- Executes dropped EXE
-
\??\c:\frlxrrx.exec:\frlxrrx.exe43⤵
- Executes dropped EXE
-
\??\c:\fffxlrf.exec:\fffxlrf.exe44⤵
- Executes dropped EXE
-
\??\c:\26684.exec:\26684.exe45⤵
- Executes dropped EXE
-
\??\c:\00428.exec:\00428.exe46⤵
- Executes dropped EXE
-
\??\c:\6444064.exec:\6444064.exe47⤵
- Executes dropped EXE
-
\??\c:\6422068.exec:\6422068.exe48⤵
- Executes dropped EXE
-
\??\c:\htbtnb.exec:\htbtnb.exe49⤵
- Executes dropped EXE
-
\??\c:\1tntbh.exec:\1tntbh.exe50⤵
- Executes dropped EXE
-
\??\c:\nhthhb.exec:\nhthhb.exe51⤵
- Executes dropped EXE
-
\??\c:\bhnbhh.exec:\bhnbhh.exe52⤵
- Executes dropped EXE
-
\??\c:\flrlrll.exec:\flrlrll.exe53⤵
- Executes dropped EXE
-
\??\c:\0806848.exec:\0806848.exe54⤵
- Executes dropped EXE
-
\??\c:\440488.exec:\440488.exe55⤵
- Executes dropped EXE
-
\??\c:\88086.exec:\88086.exe56⤵
- Executes dropped EXE
-
\??\c:\lrfxfrf.exec:\lrfxfrf.exe57⤵
- Executes dropped EXE
-
\??\c:\llrxrfr.exec:\llrxrfr.exe58⤵
- Executes dropped EXE
-
\??\c:\s4864.exec:\s4864.exe59⤵
- Executes dropped EXE
-
\??\c:\608640.exec:\608640.exe60⤵
- Executes dropped EXE
-
\??\c:\nhbthh.exec:\nhbthh.exe61⤵
- Executes dropped EXE
-
\??\c:\6422440.exec:\6422440.exe62⤵
- Executes dropped EXE
-
\??\c:\480288.exec:\480288.exe63⤵
- Executes dropped EXE
-
\??\c:\202282.exec:\202282.exe64⤵
- Executes dropped EXE
-
\??\c:\jjpdd.exec:\jjpdd.exe65⤵
- Executes dropped EXE
-
\??\c:\3rffrlx.exec:\3rffrlx.exe66⤵
-
\??\c:\tnbhbb.exec:\tnbhbb.exe67⤵
-
\??\c:\hbtthh.exec:\hbtthh.exe68⤵
-
\??\c:\flxllrf.exec:\flxllrf.exe69⤵
-
\??\c:\800020.exec:\800020.exe70⤵
-
\??\c:\64288.exec:\64288.exe71⤵
-
\??\c:\646684.exec:\646684.exe72⤵
-
\??\c:\lxlrrrx.exec:\lxlrrrx.exe73⤵
-
\??\c:\m8220.exec:\m8220.exe74⤵
-
\??\c:\9lflrxf.exec:\9lflrxf.exe75⤵
-
\??\c:\3lfrrxl.exec:\3lfrrxl.exe76⤵
-
\??\c:\w40644.exec:\w40644.exe77⤵
-
\??\c:\xrfxflx.exec:\xrfxflx.exe78⤵
-
\??\c:\9jdpd.exec:\9jdpd.exe79⤵
-
\??\c:\9ntnbt.exec:\9ntnbt.exe80⤵
-
\??\c:\xxfllrr.exec:\xxfllrr.exe81⤵
-
\??\c:\frrrxrr.exec:\frrrxrr.exe82⤵
-
\??\c:\1hbntt.exec:\1hbntt.exe83⤵
-
\??\c:\082806.exec:\082806.exe84⤵
-
\??\c:\6006662.exec:\6006662.exe85⤵
-
\??\c:\dvddp.exec:\dvddp.exe86⤵
-
\??\c:\vpvjv.exec:\vpvjv.exe87⤵
-
\??\c:\pdpdj.exec:\pdpdj.exe88⤵
-
\??\c:\5rllxrx.exec:\5rllxrx.exe89⤵
-
\??\c:\vpjjv.exec:\vpjjv.exe90⤵
-
\??\c:\3dvvd.exec:\3dvvd.exe91⤵
-
\??\c:\pjddj.exec:\pjddj.exe92⤵
-
\??\c:\20064.exec:\20064.exe93⤵
-
\??\c:\llfflxl.exec:\llfflxl.exe94⤵
-
\??\c:\1ffxxfx.exec:\1ffxxfx.exe95⤵
-
\??\c:\48246.exec:\48246.exe96⤵
-
\??\c:\rxfxfxx.exec:\rxfxfxx.exe97⤵
-
\??\c:\886244.exec:\886244.exe98⤵
-
\??\c:\jpjvp.exec:\jpjvp.exe99⤵
-
\??\c:\dvjjp.exec:\dvjjp.exe100⤵
-
\??\c:\1djdd.exec:\1djdd.exe101⤵
-
\??\c:\86488.exec:\86488.exe102⤵
-
\??\c:\0680842.exec:\0680842.exe103⤵
-
\??\c:\pjpdj.exec:\pjpdj.exe104⤵
-
\??\c:\dvddd.exec:\dvddd.exe105⤵
-
\??\c:\446606.exec:\446606.exe106⤵
-
\??\c:\8202008.exec:\8202008.exe107⤵
-
\??\c:\046226.exec:\046226.exe108⤵
-
\??\c:\8688028.exec:\8688028.exe109⤵
-
\??\c:\ppjvd.exec:\ppjvd.exe110⤵
-
\??\c:\u268884.exec:\u268884.exe111⤵
-
\??\c:\tbnhth.exec:\tbnhth.exe112⤵
-
\??\c:\48842.exec:\48842.exe113⤵
-
\??\c:\9nbthb.exec:\9nbthb.exe114⤵
-
\??\c:\6626888.exec:\6626888.exe115⤵
-
\??\c:\vjpvv.exec:\vjpvv.exe116⤵
-
\??\c:\62804.exec:\62804.exe117⤵
-
\??\c:\2028028.exec:\2028028.exe118⤵
-
\??\c:\5thbhb.exec:\5thbhb.exe119⤵
-
\??\c:\8882822.exec:\8882822.exe120⤵
-
\??\c:\rffxllx.exec:\rffxllx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-