Analysis
-
max time kernel
150s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
27/05/2024, 23:19
General
-
Target
6b369b3c8b984e16a3465fc5e77baaea2b78d674c594b88a7e54f18dd842db02.exe
-
Size
76KB
-
MD5
84caa88a04483454194d721164a4e7b6
-
SHA1
dcfe83afc18498a9a97f7c466f97fb52ac65ecd2
-
SHA256
6b369b3c8b984e16a3465fc5e77baaea2b78d674c594b88a7e54f18dd842db02
-
SHA512
c828cf888b0ba31ea164916cab332d6516157d87d1658478eabc3fadd71284f5ab3704fe9ebcd9ce8e5fc9a769c504ff48a614a0d73c06b49b1a2e2ada071998
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIsIpWCz+FR4RzWqC56r:ymb3NkkiQ3mdBjFIsIpZ+R4RzWqCQr
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
UPX dump on OEP (original entry point) 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 22 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6b369b3c8b984e16a3465fc5e77baaea2b78d674c594b88a7e54f18dd842db02.exe"C:\Users\Admin\AppData\Local\Temp\6b369b3c8b984e16a3465fc5e77baaea2b78d674c594b88a7e54f18dd842db02.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\3vvpp.exec:\3vvpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlllfxr.exec:\rlllfxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1tnnhh.exec:\1tnnhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdvd.exec:\pjdvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdvp.exec:\pjdvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlfrfxl.exec:\xlfrfxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffllfxr.exec:\ffllfxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhbtn.exec:\tnhbtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpjd.exec:\dvpjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9ffxrlf.exec:\9ffxrlf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1bttnn.exec:\1bttnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbtbb.exec:\btbtbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvpv.exec:\jdvpv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrrrlfx.exec:\lrrrlfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bttnhh.exec:\bttnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vddvd.exec:\vddvd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpppj.exec:\jpppj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lflxrrl.exec:\lflxrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnhtn.exec:\tnnhtn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbbttn.exec:\nbbttn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djjpp.exec:\djjpp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frlfrrl.exec:\frlfrrl.exe23⤵
- Executes dropped EXE
-
\??\c:\lfffxxf.exec:\lfffxxf.exe24⤵
- Executes dropped EXE
-
\??\c:\1jddv.exec:\1jddv.exe25⤵
- Executes dropped EXE
-
\??\c:\pvvpp.exec:\pvvpp.exe26⤵
- Executes dropped EXE
-
\??\c:\fllfxxx.exec:\fllfxxx.exe27⤵
- Executes dropped EXE
-
\??\c:\7xfxxfx.exec:\7xfxxfx.exe28⤵
- Executes dropped EXE
-
\??\c:\nttnhh.exec:\nttnhh.exe29⤵
- Executes dropped EXE
-
\??\c:\7jppd.exec:\7jppd.exe30⤵
- Executes dropped EXE
-
\??\c:\fxrllll.exec:\fxrllll.exe31⤵
- Executes dropped EXE
-
\??\c:\pddpv.exec:\pddpv.exe32⤵
- Executes dropped EXE
-
\??\c:\djppd.exec:\djppd.exe33⤵
- Executes dropped EXE
-
\??\c:\xlfxxxx.exec:\xlfxxxx.exe34⤵
- Executes dropped EXE
-
\??\c:\tnhhbb.exec:\tnhhbb.exe35⤵
- Executes dropped EXE
-
\??\c:\nhnhbb.exec:\nhnhbb.exe36⤵
- Executes dropped EXE
-
\??\c:\dppjd.exec:\dppjd.exe37⤵
- Executes dropped EXE
-
\??\c:\vppjd.exec:\vppjd.exe38⤵
- Executes dropped EXE
-
\??\c:\hnbtnh.exec:\hnbtnh.exe39⤵
- Executes dropped EXE
-
\??\c:\tbhbtt.exec:\tbhbtt.exe40⤵
- Executes dropped EXE
-
\??\c:\jdvpp.exec:\jdvpp.exe41⤵
- Executes dropped EXE
-
\??\c:\ffxxxrr.exec:\ffxxxrr.exe42⤵
- Executes dropped EXE
-
\??\c:\rxfxrll.exec:\rxfxrll.exe43⤵
- Executes dropped EXE
-
\??\c:\bttnnh.exec:\bttnnh.exe44⤵
- Executes dropped EXE
-
\??\c:\ddjvd.exec:\ddjvd.exe45⤵
- Executes dropped EXE
-
\??\c:\pvdvp.exec:\pvdvp.exe46⤵
- Executes dropped EXE
-
\??\c:\frxrxlx.exec:\frxrxlx.exe47⤵
- Executes dropped EXE
-
\??\c:\nbbthb.exec:\nbbthb.exe48⤵
- Executes dropped EXE
-
\??\c:\pvvpd.exec:\pvvpd.exe49⤵
- Executes dropped EXE
-
\??\c:\ddjdj.exec:\ddjdj.exe50⤵
- Executes dropped EXE
-
\??\c:\xxffllr.exec:\xxffllr.exe51⤵
- Executes dropped EXE
-
\??\c:\bbhhnh.exec:\bbhhnh.exe52⤵
- Executes dropped EXE
-
\??\c:\hbnnnn.exec:\hbnnnn.exe53⤵
- Executes dropped EXE
-
\??\c:\lllfrrf.exec:\lllfrrf.exe54⤵
- Executes dropped EXE
-
\??\c:\fxxfxrr.exec:\fxxfxrr.exe55⤵
- Executes dropped EXE
-
\??\c:\hnnnhb.exec:\hnnnhb.exe56⤵
- Executes dropped EXE
-
\??\c:\pjjjv.exec:\pjjjv.exe57⤵
- Executes dropped EXE
-
\??\c:\7ppdp.exec:\7ppdp.exe58⤵
- Executes dropped EXE
-
\??\c:\lxrlxxx.exec:\lxrlxxx.exe59⤵
- Executes dropped EXE
-
\??\c:\nbhbbb.exec:\nbhbbb.exe60⤵
- Executes dropped EXE
-
\??\c:\vvdvp.exec:\vvdvp.exe61⤵
- Executes dropped EXE
-
\??\c:\vjjdv.exec:\vjjdv.exe62⤵
- Executes dropped EXE
-
\??\c:\lflfxrx.exec:\lflfxrx.exe63⤵
- Executes dropped EXE
-
\??\c:\tnhhtt.exec:\tnhhtt.exe64⤵
- Executes dropped EXE
-
\??\c:\nhnhbt.exec:\nhnhbt.exe65⤵
- Executes dropped EXE
-
\??\c:\pdvpd.exec:\pdvpd.exe66⤵
-
\??\c:\xrlxrlf.exec:\xrlxrlf.exe67⤵
-
\??\c:\tthhbb.exec:\tthhbb.exe68⤵
-
\??\c:\vddvp.exec:\vddvp.exe69⤵
-
\??\c:\xxflrxl.exec:\xxflrxl.exe70⤵
-
\??\c:\tthbhh.exec:\tthbhh.exe71⤵
-
\??\c:\vjdvd.exec:\vjdvd.exe72⤵
-
\??\c:\7dvpj.exec:\7dvpj.exe73⤵
-
\??\c:\rllfxxf.exec:\rllfxxf.exe74⤵
-
\??\c:\xrrlfxr.exec:\xrrlfxr.exe75⤵
-
\??\c:\tbbttt.exec:\tbbttt.exe76⤵
-
\??\c:\djppd.exec:\djppd.exe77⤵
-
\??\c:\ppdjp.exec:\ppdjp.exe78⤵
-
\??\c:\llrlrrf.exec:\llrlrrf.exe79⤵
-
\??\c:\lrrrxxr.exec:\lrrrxxr.exe80⤵
-
\??\c:\hnnhbb.exec:\hnnhbb.exe81⤵
-
\??\c:\hhnhhh.exec:\hhnhhh.exe82⤵
-
\??\c:\jpvpp.exec:\jpvpp.exe83⤵
-
\??\c:\pjjjp.exec:\pjjjp.exe84⤵
-
\??\c:\rxxllfl.exec:\rxxllfl.exe85⤵
-
\??\c:\tnbbhh.exec:\tnbbhh.exe86⤵
-
\??\c:\hnbttn.exec:\hnbttn.exe87⤵
-
\??\c:\jjpjv.exec:\jjpjv.exe88⤵
-
\??\c:\5pvpd.exec:\5pvpd.exe89⤵
-
\??\c:\xrxxrrx.exec:\xrxxrrx.exe90⤵
-
\??\c:\9rrrllf.exec:\9rrrllf.exe91⤵
-
\??\c:\bbhtnn.exec:\bbhtnn.exe92⤵
-
\??\c:\bbtnhn.exec:\bbtnhn.exe93⤵
-
\??\c:\vppjd.exec:\vppjd.exe94⤵
-
\??\c:\jddjp.exec:\jddjp.exe95⤵
-
\??\c:\vpvpj.exec:\vpvpj.exe96⤵
-
\??\c:\frlfrlf.exec:\frlfrlf.exe97⤵
-
\??\c:\lflrxrf.exec:\lflrxrf.exe98⤵
-
\??\c:\hbthbh.exec:\hbthbh.exe99⤵
-
\??\c:\dppjd.exec:\dppjd.exe100⤵
-
\??\c:\5ppjv.exec:\5ppjv.exe101⤵
-
\??\c:\vpppp.exec:\vpppp.exe102⤵
-
\??\c:\5llflfx.exec:\5llflfx.exe103⤵
-
\??\c:\lfflfll.exec:\lfflfll.exe104⤵
-
\??\c:\nhhhbb.exec:\nhhhbb.exe105⤵
-
\??\c:\btbbtn.exec:\btbbtn.exe106⤵
-
\??\c:\1jjpd.exec:\1jjpd.exe107⤵
-
\??\c:\vvvdj.exec:\vvvdj.exe108⤵
-
\??\c:\xfffrrl.exec:\xfffrrl.exe109⤵
-
\??\c:\xxlffxx.exec:\xxlffxx.exe110⤵
-
\??\c:\5frlfll.exec:\5frlfll.exe111⤵
-
\??\c:\tnnbbb.exec:\tnnbbb.exe112⤵
-
\??\c:\tbbtnn.exec:\tbbtnn.exe113⤵
-
\??\c:\dpjjd.exec:\dpjjd.exe114⤵
-
\??\c:\jddvp.exec:\jddvp.exe115⤵
-
\??\c:\xfllllf.exec:\xfllllf.exe116⤵
-
\??\c:\xrllffx.exec:\xrllffx.exe117⤵
-
\??\c:\3bhbnn.exec:\3bhbnn.exe118⤵
-
\??\c:\bhhbtn.exec:\bhhbtn.exe119⤵
-
\??\c:\pjvvj.exec:\pjvvj.exe120⤵
-
\??\c:\dpvpp.exec:\dpvpp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-