Analysis
-
max time kernel
136s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
29-05-2024 20:00
General
-
Target
2b3a15f041630e6c111da68ecf3878aa42a49f18116f6aa1642b6ed749013dd4.exe
-
Size
64KB
-
MD5
94d3f8eaa9f291bf002105b6f9b572b1
-
SHA1
85785395bc21bf763bdcdde850446fc94eab1f72
-
SHA256
2b3a15f041630e6c111da68ecf3878aa42a49f18116f6aa1642b6ed749013dd4
-
SHA512
d9cb8dcc30b4479dee9d3a666ee970072a5bf702eb623f1b0f05e9ef0b260e51d2570bb5ab71c235ede7d7fc453b5a14eb56d588ff8e879ce3dda2c47fce0e6d
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6Mu/ePS3AK:ymb3NkkiQ3mdBjFI46TQK
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 23 IoCs
-
UPX dump on OEP (original entry point) 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2b3a15f041630e6c111da68ecf3878aa42a49f18116f6aa1642b6ed749013dd4.exe"C:\Users\Admin\AppData\Local\Temp\2b3a15f041630e6c111da68ecf3878aa42a49f18116f6aa1642b6ed749013dd4.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvdv.exec:\pdvdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxrffr.exec:\xlxrffr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnbnt.exec:\ttnbnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjpd.exec:\dvjpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpdjj.exec:\vpdjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdddj.exec:\vdddj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rllrfxl.exec:\rllrfxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xflrrlx.exec:\xflrrlx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9bbhth.exec:\9bbhth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbtbhn.exec:\bbtbhn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdjpd.exec:\vdjpd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjjd.exec:\jjjjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llffrxl.exec:\llffrxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7rrxrxx.exec:\7rrxrxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1hhnbh.exec:\1hhnbh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbhhn.exec:\tnbhhn.exe17⤵
- Executes dropped EXE
-
\??\c:\dvjjp.exec:\dvjjp.exe18⤵
- Executes dropped EXE
-
\??\c:\3jjvj.exec:\3jjvj.exe19⤵
- Executes dropped EXE
-
\??\c:\vjdpd.exec:\vjdpd.exe20⤵
- Executes dropped EXE
-
\??\c:\3llrxfr.exec:\3llrxfr.exe21⤵
- Executes dropped EXE
-
\??\c:\rlfrffr.exec:\rlfrffr.exe22⤵
- Executes dropped EXE
-
\??\c:\bbbnht.exec:\bbbnht.exe23⤵
- Executes dropped EXE
-
\??\c:\nnhbbh.exec:\nnhbbh.exe24⤵
- Executes dropped EXE
-
\??\c:\jjjvd.exec:\jjjvd.exe25⤵
- Executes dropped EXE
-
\??\c:\jddpp.exec:\jddpp.exe26⤵
- Executes dropped EXE
-
\??\c:\lfllffx.exec:\lfllffx.exe27⤵
- Executes dropped EXE
-
\??\c:\frxlrfl.exec:\frxlrfl.exe28⤵
- Executes dropped EXE
-
\??\c:\nnhtbn.exec:\nnhtbn.exe29⤵
- Executes dropped EXE
-
\??\c:\bbbbtb.exec:\bbbbtb.exe30⤵
- Executes dropped EXE
-
\??\c:\ppjdp.exec:\ppjdp.exe31⤵
- Executes dropped EXE
-
\??\c:\dvvdj.exec:\dvvdj.exe32⤵
- Executes dropped EXE
-
\??\c:\rllxlrf.exec:\rllxlrf.exe33⤵
-
\??\c:\lrxflfr.exec:\lrxflfr.exe34⤵
- Executes dropped EXE
-
\??\c:\rxxxxrl.exec:\rxxxxrl.exe35⤵
- Executes dropped EXE
-
\??\c:\ttnthn.exec:\ttnthn.exe36⤵
- Executes dropped EXE
-
\??\c:\5hhbnn.exec:\5hhbnn.exe37⤵
- Executes dropped EXE
-
\??\c:\tbtbnt.exec:\tbtbnt.exe38⤵
- Executes dropped EXE
-
\??\c:\9pvvp.exec:\9pvvp.exe39⤵
- Executes dropped EXE
-
\??\c:\dvjjv.exec:\dvjjv.exe40⤵
- Executes dropped EXE
-
\??\c:\lfrrflx.exec:\lfrrflx.exe41⤵
- Executes dropped EXE
-
\??\c:\3ffflxl.exec:\3ffflxl.exe42⤵
- Executes dropped EXE
-
\??\c:\7htnbb.exec:\7htnbb.exe43⤵
- Executes dropped EXE
-
\??\c:\thnthh.exec:\thnthh.exe44⤵
- Executes dropped EXE
-
\??\c:\tnntbh.exec:\tnntbh.exe45⤵
- Executes dropped EXE
-
\??\c:\dvpvj.exec:\dvpvj.exe46⤵
- Executes dropped EXE
-
\??\c:\ppvvj.exec:\ppvvj.exe47⤵
- Executes dropped EXE
-
\??\c:\7jdjp.exec:\7jdjp.exe48⤵
- Executes dropped EXE
-
\??\c:\lllrlrx.exec:\lllrlrx.exe49⤵
- Executes dropped EXE
-
\??\c:\rrlrrxl.exec:\rrlrrxl.exe50⤵
- Executes dropped EXE
-
\??\c:\bbthbn.exec:\bbthbn.exe51⤵
- Executes dropped EXE
-
\??\c:\nntthh.exec:\nntthh.exe52⤵
- Executes dropped EXE
-
\??\c:\1hbhth.exec:\1hbhth.exe53⤵
- Executes dropped EXE
-
\??\c:\ddvdv.exec:\ddvdv.exe54⤵
- Executes dropped EXE
-
\??\c:\ppvpv.exec:\ppvpv.exe55⤵
- Executes dropped EXE
-
\??\c:\fxrxxlf.exec:\fxrxxlf.exe56⤵
- Executes dropped EXE
-
\??\c:\rlrrfff.exec:\rlrrfff.exe57⤵
- Executes dropped EXE
-
\??\c:\5nbhtt.exec:\5nbhtt.exe58⤵
- Executes dropped EXE
-
\??\c:\3nbnnb.exec:\3nbnnb.exe59⤵
- Executes dropped EXE
-
\??\c:\dvvjp.exec:\dvvjp.exe60⤵
- Executes dropped EXE
-
\??\c:\pjddj.exec:\pjddj.exe61⤵
- Executes dropped EXE
-
\??\c:\ppppp.exec:\ppppp.exe62⤵
- Executes dropped EXE
-
\??\c:\xrlxffr.exec:\xrlxffr.exe63⤵
- Executes dropped EXE
-
\??\c:\ffrxlrr.exec:\ffrxlrr.exe64⤵
- Executes dropped EXE
-
\??\c:\rllrxxf.exec:\rllrxxf.exe65⤵
- Executes dropped EXE
-
\??\c:\tntthh.exec:\tntthh.exe66⤵
- Executes dropped EXE
-
\??\c:\9hnhtt.exec:\9hnhtt.exe67⤵
-
\??\c:\3jjdd.exec:\3jjdd.exe68⤵
-
\??\c:\dpddp.exec:\dpddp.exe69⤵
-
\??\c:\5lrxlxf.exec:\5lrxlxf.exe70⤵
-
\??\c:\llrffrl.exec:\llrffrl.exe71⤵
-
\??\c:\3nbhnh.exec:\3nbhnh.exe72⤵
-
\??\c:\1tnntb.exec:\1tnntb.exe73⤵
-
\??\c:\5bnnnn.exec:\5bnnnn.exe74⤵
-
\??\c:\vpddp.exec:\vpddp.exe75⤵
-
\??\c:\ddddj.exec:\ddddj.exe76⤵
-
\??\c:\lfxrfll.exec:\lfxrfll.exe77⤵
-
\??\c:\flxxxfl.exec:\flxxxfl.exe78⤵
-
\??\c:\3nnntt.exec:\3nnntt.exe79⤵
-
\??\c:\tnbhnt.exec:\tnbhnt.exe80⤵
-
\??\c:\jdvvj.exec:\jdvvj.exe81⤵
-
\??\c:\vpvvv.exec:\vpvvv.exe82⤵
-
\??\c:\xllfrrr.exec:\xllfrrr.exe83⤵
-
\??\c:\xlxlfll.exec:\xlxlfll.exe84⤵
-
\??\c:\nbhbnh.exec:\nbhbnh.exe85⤵
-
\??\c:\btnhbb.exec:\btnhbb.exe86⤵
-
\??\c:\jdvdd.exec:\jdvdd.exe87⤵
-
\??\c:\jjjjv.exec:\jjjjv.exe88⤵
-
\??\c:\pjppv.exec:\pjppv.exe89⤵
-
\??\c:\fflffrl.exec:\fflffrl.exe90⤵
-
\??\c:\fffrrff.exec:\fffrrff.exe91⤵
-
\??\c:\nttnnb.exec:\nttnnb.exe92⤵
-
\??\c:\ntbttb.exec:\ntbttb.exe93⤵
-
\??\c:\nhtbhn.exec:\nhtbhn.exe94⤵
-
\??\c:\jdpvj.exec:\jdpvj.exe95⤵
-
\??\c:\7dpjp.exec:\7dpjp.exe96⤵
-
\??\c:\xrflrxl.exec:\xrflrxl.exe97⤵
-
\??\c:\9lrllxr.exec:\9lrllxr.exe98⤵
-
\??\c:\lxfrrxr.exec:\lxfrrxr.exe99⤵
-
\??\c:\hnbhnt.exec:\hnbhnt.exe100⤵
-
\??\c:\bthbnt.exec:\bthbnt.exe101⤵
-
\??\c:\pjdpv.exec:\pjdpv.exe102⤵
-
\??\c:\ddppv.exec:\ddppv.exe103⤵
-
\??\c:\vvvdv.exec:\vvvdv.exe104⤵
-
\??\c:\lxxffxr.exec:\lxxffxr.exe105⤵
-
\??\c:\xlrrxrr.exec:\xlrrxrr.exe106⤵
-
\??\c:\fxfxxxf.exec:\fxfxxxf.exe107⤵
-
\??\c:\nhhttn.exec:\nhhttn.exe108⤵
-
\??\c:\htbhhh.exec:\htbhhh.exe109⤵
-
\??\c:\jjdvv.exec:\jjdvv.exe110⤵
-
\??\c:\jpjdv.exec:\jpjdv.exe111⤵
-
\??\c:\fxfrrxx.exec:\fxfrrxx.exe112⤵
-
\??\c:\xrfflfr.exec:\xrfflfr.exe113⤵
-
\??\c:\lfxrlrl.exec:\lfxrlrl.exe114⤵
-
\??\c:\hbtbtb.exec:\hbtbtb.exe115⤵
-
\??\c:\9tbbhn.exec:\9tbbhn.exe116⤵
-
\??\c:\ddvvd.exec:\ddvvd.exe117⤵
-
\??\c:\1jdpj.exec:\1jdpj.exe118⤵
-
\??\c:\jdpjp.exec:\jdpjp.exe119⤵
-
\??\c:\1fxxxff.exec:\1fxxxff.exe120⤵
-
\??\c:\lxffffl.exec:\lxffffl.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-