Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
28/05/2024, 23:12
General
-
Target
809c5fc1547f340e8bea2d7a9fad5e44bcbcc594d6c56709bed15741f049a50f.exe
-
Size
73KB
-
MD5
0390225b08b783e4b3e8f34b47b464f6
-
SHA1
f80e008a0e5880c861871dfc64561ea0f55257d0
-
SHA256
809c5fc1547f340e8bea2d7a9fad5e44bcbcc594d6c56709bed15741f049a50f
-
SHA512
4ff9a365b4d6ec6c1443470e313a12ffda93436650cc3c36f3a21e3dd3895fe8f2f67aebed88f646d935b42d02f403a95bf6ec3ea282bceded5c64f7c2ec4dfd
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIfv7+afCD+QsQbKQPVxL:ymb3NkkiQ3mdBjFIfvTfCD+HlQLL
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
UPX dump on OEP (original entry point) 28 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\809c5fc1547f340e8bea2d7a9fad5e44bcbcc594d6c56709bed15741f049a50f.exe"C:\Users\Admin\AppData\Local\Temp\809c5fc1547f340e8bea2d7a9fad5e44bcbcc594d6c56709bed15741f049a50f.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\vpddp.exec:\vpddp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rffxxll.exec:\rffxxll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvdj.exec:\pjvdj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0488008.exec:\0488008.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llxxfxf.exec:\llxxfxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntnhtn.exec:\ntnhtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\220244.exec:\220244.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxxrrff.exec:\xxxrrff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\420200.exec:\420200.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5rxrxlr.exec:\5rxrxlr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\m2640.exec:\m2640.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnbhnn.exec:\nnbhnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7xrrxlx.exec:\7xrrxlx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvdvv.exec:\pvdvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fflflfx.exec:\fflflfx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6660602.exec:\6660602.exe17⤵
- Executes dropped EXE
-
\??\c:\8020428.exec:\8020428.exe18⤵
- Executes dropped EXE
-
\??\c:\hthhtt.exec:\hthhtt.exe19⤵
- Executes dropped EXE
-
\??\c:\s0608.exec:\s0608.exe20⤵
- Executes dropped EXE
-
\??\c:\48286.exec:\48286.exe21⤵
- Executes dropped EXE
-
\??\c:\fxflllx.exec:\fxflllx.exe22⤵
- Executes dropped EXE
-
\??\c:\xxxlrfr.exec:\xxxlrfr.exe23⤵
- Executes dropped EXE
-
\??\c:\220840.exec:\220840.exe24⤵
- Executes dropped EXE
-
\??\c:\82620.exec:\82620.exe25⤵
- Executes dropped EXE
-
\??\c:\88024.exec:\88024.exe26⤵
- Executes dropped EXE
-
\??\c:\4862068.exec:\4862068.exe27⤵
- Executes dropped EXE
-
\??\c:\tbnbtb.exec:\tbnbtb.exe28⤵
- Executes dropped EXE
-
\??\c:\284848.exec:\284848.exe29⤵
- Executes dropped EXE
-
\??\c:\ffrrrll.exec:\ffrrrll.exe30⤵
- Executes dropped EXE
-
\??\c:\8688006.exec:\8688006.exe31⤵
- Executes dropped EXE
-
\??\c:\vvpdj.exec:\vvpdj.exe32⤵
- Executes dropped EXE
-
\??\c:\g0666.exec:\g0666.exe33⤵
-
\??\c:\028028.exec:\028028.exe34⤵
- Executes dropped EXE
-
\??\c:\pjdpj.exec:\pjdpj.exe35⤵
- Executes dropped EXE
-
\??\c:\6028668.exec:\6028668.exe36⤵
- Executes dropped EXE
-
\??\c:\3pdjp.exec:\3pdjp.exe37⤵
- Executes dropped EXE
-
\??\c:\xlxlxxl.exec:\xlxlxxl.exe38⤵
- Executes dropped EXE
-
\??\c:\0484280.exec:\0484280.exe39⤵
- Executes dropped EXE
-
\??\c:\8862880.exec:\8862880.exe40⤵
- Executes dropped EXE
-
\??\c:\frlrxrl.exec:\frlrxrl.exe41⤵
- Executes dropped EXE
-
\??\c:\m2408.exec:\m2408.exe42⤵
- Executes dropped EXE
-
\??\c:\jppjj.exec:\jppjj.exe43⤵
- Executes dropped EXE
-
\??\c:\2884844.exec:\2884844.exe44⤵
- Executes dropped EXE
-
\??\c:\8448800.exec:\8448800.exe45⤵
- Executes dropped EXE
-
\??\c:\ppdpd.exec:\ppdpd.exe46⤵
- Executes dropped EXE
-
\??\c:\xxllrxf.exec:\xxllrxf.exe47⤵
- Executes dropped EXE
-
\??\c:\hhnthh.exec:\hhnthh.exe48⤵
- Executes dropped EXE
-
\??\c:\4802006.exec:\4802006.exe49⤵
- Executes dropped EXE
-
\??\c:\jjvdd.exec:\jjvdd.exe50⤵
- Executes dropped EXE
-
\??\c:\264646.exec:\264646.exe51⤵
- Executes dropped EXE
-
\??\c:\4206446.exec:\4206446.exe52⤵
- Executes dropped EXE
-
\??\c:\60468.exec:\60468.exe53⤵
- Executes dropped EXE
-
\??\c:\rflrrfl.exec:\rflrrfl.exe54⤵
- Executes dropped EXE
-
\??\c:\3xrxlrf.exec:\3xrxlrf.exe55⤵
- Executes dropped EXE
-
\??\c:\264684.exec:\264684.exe56⤵
- Executes dropped EXE
-
\??\c:\k60600.exec:\k60600.exe57⤵
- Executes dropped EXE
-
\??\c:\4084044.exec:\4084044.exe58⤵
- Executes dropped EXE
-
\??\c:\220046.exec:\220046.exe59⤵
- Executes dropped EXE
-
\??\c:\662868.exec:\662868.exe60⤵
- Executes dropped EXE
-
\??\c:\426402.exec:\426402.exe61⤵
- Executes dropped EXE
-
\??\c:\hhthbn.exec:\hhthbn.exe62⤵
- Executes dropped EXE
-
\??\c:\0862842.exec:\0862842.exe63⤵
- Executes dropped EXE
-
\??\c:\6668200.exec:\6668200.exe64⤵
- Executes dropped EXE
-
\??\c:\844044.exec:\844044.exe65⤵
- Executes dropped EXE
-
\??\c:\dpjvv.exec:\dpjvv.exe66⤵
- Executes dropped EXE
-
\??\c:\8822088.exec:\8822088.exe67⤵
-
\??\c:\46246.exec:\46246.exe68⤵
-
\??\c:\02662.exec:\02662.exe69⤵
-
\??\c:\o084062.exec:\o084062.exe70⤵
-
\??\c:\048026.exec:\048026.exe71⤵
-
\??\c:\3pjjv.exec:\3pjjv.exe72⤵
-
\??\c:\lrrfrlf.exec:\lrrfrlf.exe73⤵
-
\??\c:\a2820.exec:\a2820.exe74⤵
-
\??\c:\4208608.exec:\4208608.exe75⤵
-
\??\c:\22200.exec:\22200.exe76⤵
-
\??\c:\thbtbt.exec:\thbtbt.exe77⤵
-
\??\c:\1ttbnb.exec:\1ttbnb.exe78⤵
-
\??\c:\062626.exec:\062626.exe79⤵
-
\??\c:\nthnhn.exec:\nthnhn.exe80⤵
-
\??\c:\pddvj.exec:\pddvj.exe81⤵
-
\??\c:\djvjd.exec:\djvjd.exe82⤵
-
\??\c:\xlrxrrx.exec:\xlrxrrx.exe83⤵
-
\??\c:\60208.exec:\60208.exe84⤵
-
\??\c:\k60262.exec:\k60262.exe85⤵
-
\??\c:\868800.exec:\868800.exe86⤵
-
\??\c:\ffllrrx.exec:\ffllrrx.exe87⤵
-
\??\c:\a6462.exec:\a6462.exe88⤵
-
\??\c:\rfxlfrx.exec:\rfxlfrx.exe89⤵
-
\??\c:\9jjpp.exec:\9jjpp.exe90⤵
-
\??\c:\thhbbn.exec:\thhbbn.exe91⤵
-
\??\c:\0602420.exec:\0602420.exe92⤵
-
\??\c:\q08468.exec:\q08468.exe93⤵
-
\??\c:\82208.exec:\82208.exe94⤵
-
\??\c:\tbhhnh.exec:\tbhhnh.exe95⤵
-
\??\c:\xlrfrll.exec:\xlrfrll.exe96⤵
-
\??\c:\vpvpp.exec:\vpvpp.exe97⤵
-
\??\c:\26686.exec:\26686.exe98⤵
-
\??\c:\k80244.exec:\k80244.exe99⤵
-
\??\c:\46460.exec:\46460.exe100⤵
-
\??\c:\rxxfrrl.exec:\rxxfrrl.exe101⤵
-
\??\c:\lxllxxx.exec:\lxllxxx.exe102⤵
-
\??\c:\22844.exec:\22844.exe103⤵
-
\??\c:\w28642.exec:\w28642.exe104⤵
-
\??\c:\fxffrlr.exec:\fxffrlr.exe105⤵
-
\??\c:\lxxrfrx.exec:\lxxrfrx.exe106⤵
-
\??\c:\nhnthh.exec:\nhnthh.exe107⤵
-
\??\c:\jpvjv.exec:\jpvjv.exe108⤵
-
\??\c:\2222400.exec:\2222400.exe109⤵
-
\??\c:\bbnhnb.exec:\bbnhnb.exe110⤵
-
\??\c:\88420.exec:\88420.exe111⤵
-
\??\c:\4886646.exec:\4886646.exe112⤵
-
\??\c:\0280488.exec:\0280488.exe113⤵
-
\??\c:\pjjpd.exec:\pjjpd.exe114⤵
-
\??\c:\lrrlxrr.exec:\lrrlxrr.exe115⤵
-
\??\c:\k62662.exec:\k62662.exe116⤵
-
\??\c:\fxlfxlx.exec:\fxlfxlx.exe117⤵
-
\??\c:\3tnntt.exec:\3tnntt.exe118⤵
-
\??\c:\22282.exec:\22282.exe119⤵
-
\??\c:\48866.exec:\48866.exe120⤵
-
\??\c:\frflxfx.exec:\frflxfx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-