Analysis
-
max time kernel
150s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
31/05/2024, 23:48
General
-
Target
804be22d746b5283009a3f1d2f1b7b9e7b777918be77dae2db7d9460c0608527.exe
-
Size
393KB
-
MD5
66aec11d1bf222f301c43affc4c05ea3
-
SHA1
e715e421572a511a91c95cc58180bd77821c8f24
-
SHA256
804be22d746b5283009a3f1d2f1b7b9e7b777918be77dae2db7d9460c0608527
-
SHA512
b5b8b6c2e3787d3064c56a923bbcae9155d6cbcd29edd9b129015ca99c17ac0fc7a02abcd44e42a5f3e9f53d177d0bd9f09afa70fc1c53d1d162459bc5deb147
-
SSDEEP
6144:n3C9BRIG0asYFm71mPfkVB8dKwaO5CVwOs:n3C9uYA7okVqdKwaO5CVm
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
UPX dump on OEP (original entry point) 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\804be22d746b5283009a3f1d2f1b7b9e7b777918be77dae2db7d9460c0608527.exe"C:\Users\Admin\AppData\Local\Temp\804be22d746b5283009a3f1d2f1b7b9e7b777918be77dae2db7d9460c0608527.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\jdddj.exec:\jdddj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrfffl.exec:\fxrfffl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbtnt.exec:\btbtnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhnhtt.exec:\nhnhtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpjd.exec:\dvpjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdjdd.exec:\vdjdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrlxfx.exec:\xrrlxfx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnnhhh.exec:\bnnhhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnttnt.exec:\nnttnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdppj.exec:\jdppj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llxrrff.exec:\llxrrff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppvpv.exec:\ppvpv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxflrr.exec:\fxxflrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbnnnt.exec:\tbnnnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flrrlll.exec:\flrrlll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlfxfxr.exec:\xlfxfxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bntnnn.exec:\bntnnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lllfrrr.exec:\lllfrrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbtth.exec:\htbtth.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfffxff.exec:\lfffxff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnbntn.exec:\nnbntn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdppj.exec:\pdppj.exe23⤵
- Executes dropped EXE
-
\??\c:\pvppj.exec:\pvppj.exe24⤵
- Executes dropped EXE
-
\??\c:\tnnhtt.exec:\tnnhtt.exe25⤵
- Executes dropped EXE
-
\??\c:\rllfxfx.exec:\rllfxfx.exe26⤵
- Executes dropped EXE
-
\??\c:\9hnhhh.exec:\9hnhhh.exe27⤵
- Executes dropped EXE
-
\??\c:\dvddj.exec:\dvddj.exe28⤵
- Executes dropped EXE
-
\??\c:\htbbtn.exec:\htbbtn.exe29⤵
- Executes dropped EXE
-
\??\c:\pjvvv.exec:\pjvvv.exe30⤵
- Executes dropped EXE
-
\??\c:\xfxfllf.exec:\xfxfllf.exe31⤵
- Executes dropped EXE
-
\??\c:\bhhhhn.exec:\bhhhhn.exe32⤵
- Executes dropped EXE
-
\??\c:\jjppv.exec:\jjppv.exe33⤵
-
\??\c:\ffffrrr.exec:\ffffrrr.exe34⤵
- Executes dropped EXE
-
\??\c:\bhnnnn.exec:\bhnnnn.exe35⤵
- Executes dropped EXE
-
\??\c:\rffflfr.exec:\rffflfr.exe36⤵
- Executes dropped EXE
-
\??\c:\rlxxrrr.exec:\rlxxrrr.exe37⤵
- Executes dropped EXE
-
\??\c:\hhnhhh.exec:\hhnhhh.exe38⤵
- Executes dropped EXE
-
\??\c:\jdpjv.exec:\jdpjv.exe39⤵
- Executes dropped EXE
-
\??\c:\xlffxxx.exec:\xlffxxx.exe40⤵
- Executes dropped EXE
-
\??\c:\3frlllf.exec:\3frlllf.exe41⤵
- Executes dropped EXE
-
\??\c:\nnhhnn.exec:\nnhhnn.exe42⤵
- Executes dropped EXE
-
\??\c:\5vvpj.exec:\5vvpj.exe43⤵
- Executes dropped EXE
-
\??\c:\xxrlrff.exec:\xxrlrff.exe44⤵
- Executes dropped EXE
-
\??\c:\bhhbnh.exec:\bhhbnh.exe45⤵
- Executes dropped EXE
-
\??\c:\7pjdv.exec:\7pjdv.exe46⤵
- Executes dropped EXE
-
\??\c:\vdjjp.exec:\vdjjp.exe47⤵
- Executes dropped EXE
-
\??\c:\5rfxlrf.exec:\5rfxlrf.exe48⤵
- Executes dropped EXE
-
\??\c:\htnhtn.exec:\htnhtn.exe49⤵
- Executes dropped EXE
-
\??\c:\ththth.exec:\ththth.exe50⤵
- Executes dropped EXE
-
\??\c:\vjjjv.exec:\vjjjv.exe51⤵
- Executes dropped EXE
-
\??\c:\rllffxf.exec:\rllffxf.exe52⤵
- Executes dropped EXE
-
\??\c:\thbtnh.exec:\thbtnh.exe53⤵
- Executes dropped EXE
-
\??\c:\jjjdv.exec:\jjjdv.exe54⤵
- Executes dropped EXE
-
\??\c:\pjvvv.exec:\pjvvv.exe55⤵
- Executes dropped EXE
-
\??\c:\frrllfl.exec:\frrllfl.exe56⤵
- Executes dropped EXE
-
\??\c:\bhnnbt.exec:\bhnnbt.exe57⤵
- Executes dropped EXE
-
\??\c:\dvjdd.exec:\dvjdd.exe58⤵
- Executes dropped EXE
-
\??\c:\ppdvj.exec:\ppdvj.exe59⤵
- Executes dropped EXE
-
\??\c:\flffrrl.exec:\flffrrl.exe60⤵
- Executes dropped EXE
-
\??\c:\ntthnh.exec:\ntthnh.exe61⤵
- Executes dropped EXE
-
\??\c:\9hnhhb.exec:\9hnhhb.exe62⤵
- Executes dropped EXE
-
\??\c:\dppjv.exec:\dppjv.exe63⤵
- Executes dropped EXE
-
\??\c:\xrffrxr.exec:\xrffrxr.exe64⤵
- Executes dropped EXE
-
\??\c:\bnbtbb.exec:\bnbtbb.exe65⤵
- Executes dropped EXE
-
\??\c:\vpddj.exec:\vpddj.exe66⤵
- Executes dropped EXE
-
\??\c:\xxfrllf.exec:\xxfrllf.exe67⤵
-
\??\c:\xxrflrx.exec:\xxrflrx.exe68⤵
-
\??\c:\btnhhn.exec:\btnhhn.exe69⤵
-
\??\c:\djjpp.exec:\djjpp.exe70⤵
-
\??\c:\rffrlfx.exec:\rffrlfx.exe71⤵
-
\??\c:\9llfxfx.exec:\9llfxfx.exe72⤵
-
\??\c:\hhnhtn.exec:\hhnhtn.exe73⤵
-
\??\c:\pvdpj.exec:\pvdpj.exe74⤵
-
\??\c:\djpjv.exec:\djpjv.exe75⤵
-
\??\c:\lfxrrlf.exec:\lfxrrlf.exe76⤵
-
\??\c:\7bnbtt.exec:\7bnbtt.exe77⤵
-
\??\c:\hnthbt.exec:\hnthbt.exe78⤵
-
\??\c:\jvdvv.exec:\jvdvv.exe79⤵
-
\??\c:\lxffxff.exec:\lxffxff.exe80⤵
-
\??\c:\xrfxxlf.exec:\xrfxxlf.exe81⤵
-
\??\c:\hnnttn.exec:\hnnttn.exe82⤵
-
\??\c:\xffflrr.exec:\xffflrr.exe83⤵
-
\??\c:\btthhb.exec:\btthhb.exe84⤵
-
\??\c:\jvvpd.exec:\jvvpd.exe85⤵
-
\??\c:\fxxlffx.exec:\fxxlffx.exe86⤵
-
\??\c:\tnntbt.exec:\tnntbt.exe87⤵
-
\??\c:\hhthhh.exec:\hhthhh.exe88⤵
-
\??\c:\jjddv.exec:\jjddv.exe89⤵
-
\??\c:\rrxlrfx.exec:\rrxlrfx.exe90⤵
-
\??\c:\btbntt.exec:\btbntt.exe91⤵
-
\??\c:\7jjdp.exec:\7jjdp.exe92⤵
-
\??\c:\dpjvd.exec:\dpjvd.exe93⤵
-
\??\c:\fxfrrxr.exec:\fxfrrxr.exe94⤵
-
\??\c:\htnhhb.exec:\htnhhb.exe95⤵
-
\??\c:\ppvpj.exec:\ppvpj.exe96⤵
-
\??\c:\rrlffxf.exec:\rrlffxf.exe97⤵
-
\??\c:\lxxffxr.exec:\lxxffxr.exe98⤵
-
\??\c:\bnbtnn.exec:\bnbtnn.exe99⤵
-
\??\c:\9dddd.exec:\9dddd.exe100⤵
-
\??\c:\rllfxxr.exec:\rllfxxr.exe101⤵
-
\??\c:\9nhbnn.exec:\9nhbnn.exe102⤵
-
\??\c:\vpjdv.exec:\vpjdv.exe103⤵
-
\??\c:\rfrlfxx.exec:\rfrlfxx.exe104⤵
-
\??\c:\9xlxxrl.exec:\9xlxxrl.exe105⤵
-
\??\c:\nhhbbb.exec:\nhhbbb.exe106⤵
-
\??\c:\djpdj.exec:\djpdj.exe107⤵
-
\??\c:\3frfxxr.exec:\3frfxxr.exe108⤵
-
\??\c:\bbbbtt.exec:\bbbbtt.exe109⤵
-
\??\c:\pjjdp.exec:\pjjdp.exe110⤵
-
\??\c:\lfxrlff.exec:\lfxrlff.exe111⤵
-
\??\c:\bttnbn.exec:\bttnbn.exe112⤵
-
\??\c:\9vjdd.exec:\9vjdd.exe113⤵
-
\??\c:\dvpjd.exec:\dvpjd.exe114⤵
-
\??\c:\rllrlfx.exec:\rllrlfx.exe115⤵
-
\??\c:\nnnhbb.exec:\nnnhbb.exe116⤵
-
\??\c:\jvpdp.exec:\jvpdp.exe117⤵
-
\??\c:\xrxrllf.exec:\xrxrllf.exe118⤵
-
\??\c:\hbnhtn.exec:\hbnhtn.exe119⤵
-
\??\c:\dpvjj.exec:\dpvjj.exe120⤵
-
\??\c:\pdpjv.exec:\pdpjv.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-