Analysis
-
max time kernel
150s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
29/05/2024, 03:01
General
-
Target
d99b6046bdb797ca2c254f498c86643d307bdca61e6a063234d588ff9838c4d6.exe
-
Size
57KB
-
MD5
01212db9fcaa9528bf4c20eec6ed42f2
-
SHA1
e4845e81173d8145c391d66090358036369c8d16
-
SHA256
d99b6046bdb797ca2c254f498c86643d307bdca61e6a063234d588ff9838c4d6
-
SHA512
790fdcae3f4c4c3abf92afbc0c3bd2644635887e284804bada3a3888383383f09343449ddb2fcdee4c23f8f1aeb9f0fde16a0447b51a788fd932effce0a85dc9
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIvuSwFNb:ymb3NkkiQ3mdBjFIvIFNb
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 28 IoCs
-
UPX dump on OEP (original entry point) 28 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d99b6046bdb797ca2c254f498c86643d307bdca61e6a063234d588ff9838c4d6.exe"C:\Users\Admin\AppData\Local\Temp\d99b6046bdb797ca2c254f498c86643d307bdca61e6a063234d588ff9838c4d6.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\hnnnbb.exec:\hnnnbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvdpj.exec:\pvdpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrrrxx.exec:\xrrrrxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djvdv.exec:\djvdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5ddvv.exec:\5ddvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrlllf.exec:\lfrlllf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djddp.exec:\djddp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9jvvp.exec:\9jvvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3xffxfx.exec:\3xffxfx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9bbbbh.exec:\9bbbbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhntnt.exec:\nhntnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppddj.exec:\ppddj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvvj.exec:\jjvvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxxrrr.exec:\fxxxrrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhhhb.exec:\nnhhhb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7htttb.exec:\7htttb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppppp.exec:\ppppp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrflrrf.exec:\lrflrrf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbttt.exec:\hhbttt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdpvp.exec:\pdpvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhthb.exec:\hbhthb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvvjv.exec:\pvvjv.exe23⤵
- Executes dropped EXE
-
\??\c:\xrffxxl.exec:\xrffxxl.exe24⤵
- Executes dropped EXE
-
\??\c:\7nhbtt.exec:\7nhbtt.exe25⤵
- Executes dropped EXE
-
\??\c:\tnnnbn.exec:\tnnnbn.exe26⤵
- Executes dropped EXE
-
\??\c:\dvdjd.exec:\dvdjd.exe27⤵
- Executes dropped EXE
-
\??\c:\bnbhnh.exec:\bnbhnh.exe28⤵
- Executes dropped EXE
-
\??\c:\bnthhn.exec:\bnthhn.exe29⤵
- Executes dropped EXE
-
\??\c:\xfrflxf.exec:\xfrflxf.exe30⤵
- Executes dropped EXE
-
\??\c:\lxrrrlf.exec:\lxrrrlf.exe31⤵
- Executes dropped EXE
-
\??\c:\3tbttb.exec:\3tbttb.exe32⤵
- Executes dropped EXE
-
\??\c:\1vjdv.exec:\1vjdv.exe33⤵
- Executes dropped EXE
-
\??\c:\rrllfrf.exec:\rrllfrf.exe34⤵
- Executes dropped EXE
-
\??\c:\nbhbhb.exec:\nbhbhb.exe35⤵
- Executes dropped EXE
-
\??\c:\djdvp.exec:\djdvp.exe36⤵
- Executes dropped EXE
-
\??\c:\5ppvp.exec:\5ppvp.exe37⤵
- Executes dropped EXE
-
\??\c:\ffllfff.exec:\ffllfff.exe38⤵
- Executes dropped EXE
-
\??\c:\bhnhbh.exec:\bhnhbh.exe39⤵
- Executes dropped EXE
-
\??\c:\btnnhn.exec:\btnnhn.exe40⤵
-
\??\c:\ppvvp.exec:\ppvvp.exe41⤵
- Executes dropped EXE
-
\??\c:\vvpjj.exec:\vvpjj.exe42⤵
- Executes dropped EXE
-
\??\c:\rxxrrll.exec:\rxxrrll.exe43⤵
- Executes dropped EXE
-
\??\c:\bhbttt.exec:\bhbttt.exe44⤵
- Executes dropped EXE
-
\??\c:\ttbttt.exec:\ttbttt.exe45⤵
- Executes dropped EXE
-
\??\c:\pjvpp.exec:\pjvpp.exe46⤵
- Executes dropped EXE
-
\??\c:\vpvvv.exec:\vpvvv.exe47⤵
- Executes dropped EXE
-
\??\c:\flllrxf.exec:\flllrxf.exe48⤵
- Executes dropped EXE
-
\??\c:\flrlrxl.exec:\flrlrxl.exe49⤵
- Executes dropped EXE
-
\??\c:\tthnht.exec:\tthnht.exe50⤵
- Executes dropped EXE
-
\??\c:\ddpvv.exec:\ddpvv.exe51⤵
- Executes dropped EXE
-
\??\c:\vvjpp.exec:\vvjpp.exe52⤵
- Executes dropped EXE
-
\??\c:\rxfxffl.exec:\rxfxffl.exe53⤵
- Executes dropped EXE
-
\??\c:\tbnnnn.exec:\tbnnnn.exe54⤵
- Executes dropped EXE
-
\??\c:\7htnhn.exec:\7htnhn.exe55⤵
- Executes dropped EXE
-
\??\c:\dvppv.exec:\dvppv.exe56⤵
- Executes dropped EXE
-
\??\c:\fllfrfx.exec:\fllfrfx.exe57⤵
- Executes dropped EXE
-
\??\c:\lfffffl.exec:\lfffffl.exe58⤵
- Executes dropped EXE
-
\??\c:\bbhtbh.exec:\bbhtbh.exe59⤵
- Executes dropped EXE
-
\??\c:\hhbttn.exec:\hhbttn.exe60⤵
- Executes dropped EXE
-
\??\c:\jvjdv.exec:\jvjdv.exe61⤵
- Executes dropped EXE
-
\??\c:\fxfffxx.exec:\fxfffxx.exe62⤵
- Executes dropped EXE
-
\??\c:\9ffxxxx.exec:\9ffxxxx.exe63⤵
- Executes dropped EXE
-
\??\c:\lrxfxff.exec:\lrxfxff.exe64⤵
- Executes dropped EXE
-
\??\c:\hntbhn.exec:\hntbhn.exe65⤵
- Executes dropped EXE
-
\??\c:\tbtnbb.exec:\tbtnbb.exe66⤵
- Executes dropped EXE
-
\??\c:\dvjjj.exec:\dvjjj.exe67⤵
-
\??\c:\rlrlxxx.exec:\rlrlxxx.exe68⤵
-
\??\c:\llfrlrx.exec:\llfrlrx.exe69⤵
-
\??\c:\bbhhhn.exec:\bbhhhn.exe70⤵
-
\??\c:\nnnttb.exec:\nnnttb.exe71⤵
-
\??\c:\jdjjd.exec:\jdjjd.exe72⤵
-
\??\c:\9vvjd.exec:\9vvjd.exe73⤵
-
\??\c:\llxxrxl.exec:\llxxrxl.exe74⤵
-
\??\c:\9rxffff.exec:\9rxffff.exe75⤵
-
\??\c:\ttnnhn.exec:\ttnnhn.exe76⤵
-
\??\c:\tthnbt.exec:\tthnbt.exe77⤵
-
\??\c:\ppdjj.exec:\ppdjj.exe78⤵
-
\??\c:\1jppv.exec:\1jppv.exe79⤵
-
\??\c:\rxffrrl.exec:\rxffrrl.exe80⤵
-
\??\c:\9frllll.exec:\9frllll.exe81⤵
-
\??\c:\nhnnnn.exec:\nhnnnn.exe82⤵
-
\??\c:\nhhttt.exec:\nhhttt.exe83⤵
-
\??\c:\vdpdj.exec:\vdpdj.exe84⤵
-
\??\c:\frffrfx.exec:\frffrfx.exe85⤵
-
\??\c:\tnhhtn.exec:\tnhhtn.exe86⤵
-
\??\c:\hhbthn.exec:\hhbthn.exe87⤵
-
\??\c:\1vppj.exec:\1vppj.exe88⤵
-
\??\c:\9lrrllf.exec:\9lrrllf.exe89⤵
-
\??\c:\bhbbbh.exec:\bhbbbh.exe90⤵
-
\??\c:\pjjdv.exec:\pjjdv.exe91⤵
-
\??\c:\ffxlfll.exec:\ffxlfll.exe92⤵
-
\??\c:\tnhhbb.exec:\tnhhbb.exe93⤵
-
\??\c:\nnbbbb.exec:\nnbbbb.exe94⤵
-
\??\c:\vvvvv.exec:\vvvvv.exe95⤵
-
\??\c:\xrrlffr.exec:\xrrlffr.exe96⤵
-
\??\c:\tbntnt.exec:\tbntnt.exe97⤵
-
\??\c:\bbhnbb.exec:\bbhnbb.exe98⤵
-
\??\c:\pjdpp.exec:\pjdpp.exe99⤵
-
\??\c:\5rxfxxx.exec:\5rxfxxx.exe100⤵
-
\??\c:\fxxffff.exec:\fxxffff.exe101⤵
-
\??\c:\nnbnhb.exec:\nnbnhb.exe102⤵
-
\??\c:\vddvj.exec:\vddvj.exe103⤵
-
\??\c:\pjvvv.exec:\pjvvv.exe104⤵
-
\??\c:\fxxrlxx.exec:\fxxrlxx.exe105⤵
-
\??\c:\fffxfxx.exec:\fffxfxx.exe106⤵
-
\??\c:\hbhnth.exec:\hbhnth.exe107⤵
-
\??\c:\7vvdd.exec:\7vvdd.exe108⤵
-
\??\c:\ppddj.exec:\ppddj.exe109⤵
-
\??\c:\9dpdv.exec:\9dpdv.exe110⤵
-
\??\c:\lfxxxfl.exec:\lfxxxfl.exe111⤵
-
\??\c:\rlxxrxr.exec:\rlxxrxr.exe112⤵
-
\??\c:\htnnnt.exec:\htnnnt.exe113⤵
-
\??\c:\ntnnnn.exec:\ntnnnn.exe114⤵
-
\??\c:\vvjdj.exec:\vvjdj.exe115⤵
-
\??\c:\9pddv.exec:\9pddv.exe116⤵
-
\??\c:\tttthn.exec:\tttthn.exe117⤵
-
\??\c:\hthtnt.exec:\hthtnt.exe118⤵
-
\??\c:\ddddj.exec:\ddddj.exe119⤵
-
\??\c:\ppdvp.exec:\ppdvp.exe120⤵
-
\??\c:\lflffxx.exec:\lflffxx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-