Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
26-05-2024 20:43
General
-
Target
39f7ab2c42ea954636dfdb1629ec4bf1ac0e399976311321acad3dbbcc8e9b99.exe
-
Size
55KB
-
MD5
c28e502d21a67804ca110e38b7b7ec7a
-
SHA1
4d32e43149a99d228ac432eae3914f0daa417028
-
SHA256
39f7ab2c42ea954636dfdb1629ec4bf1ac0e399976311321acad3dbbcc8e9b99
-
SHA512
f683edbea339b5d62964bea028eae2b2f04eb24d447bdcbd6e7560427d3af21f8f2e513ad06f9f64c5d7dea585d594d774d2480a4f206234bb3433e083aae95c
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIfEq:ymb3NkkiQ3mdBjFIB
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 23 IoCs
-
UPX dump on OEP (original entry point) 23 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\39f7ab2c42ea954636dfdb1629ec4bf1ac0e399976311321acad3dbbcc8e9b99.exe"C:\Users\Admin\AppData\Local\Temp\39f7ab2c42ea954636dfdb1629ec4bf1ac0e399976311321acad3dbbcc8e9b99.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\bnbtbb.exec:\bnbtbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7nthnt.exec:\7nthnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\c468406.exec:\c468406.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9xllrxf.exec:\9xllrxf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\26468.exec:\26468.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrllrxr.exec:\xrllrxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1hhbnt.exec:\1hhbnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4282040.exec:\4282040.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvvd.exec:\pjvvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\i688228.exec:\i688228.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llflxxl.exec:\llflxxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\g6006.exec:\g6006.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thtthn.exec:\thtthn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjpv.exec:\jdjpv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6468440.exec:\6468440.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\42402.exec:\42402.exe17⤵
- Executes dropped EXE
-
\??\c:\4620224.exec:\4620224.exe18⤵
- Executes dropped EXE
-
\??\c:\jdpvv.exec:\jdpvv.exe19⤵
- Executes dropped EXE
-
\??\c:\480682.exec:\480682.exe20⤵
- Executes dropped EXE
-
\??\c:\0840668.exec:\0840668.exe21⤵
- Executes dropped EXE
-
\??\c:\tnttbb.exec:\tnttbb.exe22⤵
- Executes dropped EXE
-
\??\c:\64228.exec:\64228.exe23⤵
- Executes dropped EXE
-
\??\c:\xfffrrf.exec:\xfffrrf.exe24⤵
- Executes dropped EXE
-
\??\c:\bhbhtb.exec:\bhbhtb.exe25⤵
- Executes dropped EXE
-
\??\c:\c026266.exec:\c026266.exe26⤵
- Executes dropped EXE
-
\??\c:\3rrlllr.exec:\3rrlllr.exe27⤵
- Executes dropped EXE
-
\??\c:\llflrxr.exec:\llflrxr.exe28⤵
- Executes dropped EXE
-
\??\c:\864066.exec:\864066.exe29⤵
- Executes dropped EXE
-
\??\c:\424004.exec:\424004.exe30⤵
- Executes dropped EXE
-
\??\c:\00662.exec:\00662.exe31⤵
- Executes dropped EXE
-
\??\c:\vjppd.exec:\vjppd.exe32⤵
- Executes dropped EXE
-
\??\c:\lxfxxxx.exec:\lxfxxxx.exe33⤵
- Executes dropped EXE
-
\??\c:\q28404.exec:\q28404.exe34⤵
- Executes dropped EXE
-
\??\c:\3hhbtn.exec:\3hhbtn.exe35⤵
- Executes dropped EXE
-
\??\c:\86880.exec:\86880.exe36⤵
-
\??\c:\xrllrrx.exec:\xrllrrx.exe37⤵
- Executes dropped EXE
-
\??\c:\vvddj.exec:\vvddj.exe38⤵
- Executes dropped EXE
-
\??\c:\644404.exec:\644404.exe39⤵
- Executes dropped EXE
-
\??\c:\42822.exec:\42822.exe40⤵
- Executes dropped EXE
-
\??\c:\lxllrlr.exec:\lxllrlr.exe41⤵
- Executes dropped EXE
-
\??\c:\bnnttb.exec:\bnnttb.exe42⤵
- Executes dropped EXE
-
\??\c:\0488440.exec:\0488440.exe43⤵
- Executes dropped EXE
-
\??\c:\frfffxx.exec:\frfffxx.exe44⤵
- Executes dropped EXE
-
\??\c:\20224.exec:\20224.exe45⤵
- Executes dropped EXE
-
\??\c:\g0000.exec:\g0000.exe46⤵
- Executes dropped EXE
-
\??\c:\20606.exec:\20606.exe47⤵
- Executes dropped EXE
-
\??\c:\jvdvd.exec:\jvdvd.exe48⤵
- Executes dropped EXE
-
\??\c:\202244.exec:\202244.exe49⤵
- Executes dropped EXE
-
\??\c:\2088440.exec:\2088440.exe50⤵
- Executes dropped EXE
-
\??\c:\rfllllr.exec:\rfllllr.exe51⤵
- Executes dropped EXE
-
\??\c:\1pdvd.exec:\1pdvd.exe52⤵
- Executes dropped EXE
-
\??\c:\4288446.exec:\4288446.exe53⤵
- Executes dropped EXE
-
\??\c:\2400044.exec:\2400044.exe54⤵
- Executes dropped EXE
-
\??\c:\02884.exec:\02884.exe55⤵
- Executes dropped EXE
-
\??\c:\268226.exec:\268226.exe56⤵
- Executes dropped EXE
-
\??\c:\dpddd.exec:\dpddd.exe57⤵
- Executes dropped EXE
-
\??\c:\7hhhbb.exec:\7hhhbb.exe58⤵
- Executes dropped EXE
-
\??\c:\1pvpv.exec:\1pvpv.exe59⤵
- Executes dropped EXE
-
\??\c:\424066.exec:\424066.exe60⤵
- Executes dropped EXE
-
\??\c:\rlfflfl.exec:\rlfflfl.exe61⤵
- Executes dropped EXE
-
\??\c:\3nbbnt.exec:\3nbbnt.exe62⤵
- Executes dropped EXE
-
\??\c:\1jvjv.exec:\1jvjv.exe63⤵
- Executes dropped EXE
-
\??\c:\xlrxxxx.exec:\xlrxxxx.exe64⤵
- Executes dropped EXE
-
\??\c:\080688.exec:\080688.exe65⤵
- Executes dropped EXE
-
\??\c:\i466444.exec:\i466444.exe66⤵
- Executes dropped EXE
-
\??\c:\1lffrxx.exec:\1lffrxx.exe67⤵
-
\??\c:\1ttttt.exec:\1ttttt.exe68⤵
-
\??\c:\66626.exec:\66626.exe69⤵
-
\??\c:\o860060.exec:\o860060.exe70⤵
-
\??\c:\822066.exec:\822066.exe71⤵
-
\??\c:\640404.exec:\640404.exe72⤵
-
\??\c:\k80600.exec:\k80600.exe73⤵
-
\??\c:\080022.exec:\080022.exe74⤵
-
\??\c:\fxlllrx.exec:\fxlllrx.exe75⤵
-
\??\c:\1pdvv.exec:\1pdvv.exe76⤵
-
\??\c:\3vppv.exec:\3vppv.exe77⤵
-
\??\c:\bntnhh.exec:\bntnhh.exe78⤵
-
\??\c:\0244406.exec:\0244406.exe79⤵
-
\??\c:\040066.exec:\040066.exe80⤵
-
\??\c:\08884.exec:\08884.exe81⤵
-
\??\c:\680400.exec:\680400.exe82⤵
-
\??\c:\tntnnn.exec:\tntnnn.exe83⤵
-
\??\c:\3pddj.exec:\3pddj.exe84⤵
-
\??\c:\c686222.exec:\c686222.exe85⤵
-
\??\c:\4866820.exec:\4866820.exe86⤵
-
\??\c:\thnthh.exec:\thnthh.exe87⤵
-
\??\c:\7pvvd.exec:\7pvvd.exe88⤵
-
\??\c:\1thbhh.exec:\1thbhh.exe89⤵
-
\??\c:\dvjpp.exec:\dvjpp.exe90⤵
-
\??\c:\60224.exec:\60224.exe91⤵
-
\??\c:\0844444.exec:\0844444.exe92⤵
-
\??\c:\u804606.exec:\u804606.exe93⤵
-
\??\c:\268088.exec:\268088.exe94⤵
-
\??\c:\nhbttt.exec:\nhbttt.exe95⤵
-
\??\c:\20688.exec:\20688.exe96⤵
-
\??\c:\64404.exec:\64404.exe97⤵
-
\??\c:\8206286.exec:\8206286.exe98⤵
-
\??\c:\268840.exec:\268840.exe99⤵
-
\??\c:\86846.exec:\86846.exe100⤵
-
\??\c:\8060446.exec:\8060446.exe101⤵
-
\??\c:\fxxrffl.exec:\fxxrffl.exe102⤵
-
\??\c:\hbttbb.exec:\hbttbb.exe103⤵
-
\??\c:\i622828.exec:\i622828.exe104⤵
-
\??\c:\k80668.exec:\k80668.exe105⤵
-
\??\c:\jdjpj.exec:\jdjpj.exe106⤵
-
\??\c:\fxffffl.exec:\fxffffl.exe107⤵
-
\??\c:\q88460.exec:\q88460.exe108⤵
-
\??\c:\48040.exec:\48040.exe109⤵
-
\??\c:\lxxxxfx.exec:\lxxxxfx.exe110⤵
-
\??\c:\9pdjp.exec:\9pdjp.exe111⤵
-
\??\c:\4284288.exec:\4284288.exe112⤵
-
\??\c:\42880.exec:\42880.exe113⤵
-
\??\c:\flrlrfl.exec:\flrlrfl.exe114⤵
-
\??\c:\860628.exec:\860628.exe115⤵
-
\??\c:\264460.exec:\264460.exe116⤵
-
\??\c:\lxlllff.exec:\lxlllff.exe117⤵
-
\??\c:\608408.exec:\608408.exe118⤵
-
\??\c:\tntnnh.exec:\tntnnh.exe119⤵
-
\??\c:\pjvpj.exec:\pjvpj.exe120⤵
-
\??\c:\c240262.exec:\c240262.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-