Analysis
-
max time kernel
150s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
02/06/2024, 21:37
General
-
Target
4af2cd7e06ca7250693c47bd879df946de86b9be49be80a1a143ae346155491c.exe
-
Size
65KB
-
MD5
1d3b49c07e7cd1f47eaaea5eabac9d89
-
SHA1
13d6f7dab4e015be724e86045f09548f14709ec2
-
SHA256
4af2cd7e06ca7250693c47bd879df946de86b9be49be80a1a143ae346155491c
-
SHA512
0d4e69c3d0d510d82667971ff3ba0362e200ca845035319feb9ab3f59e2440c7a94677d907ed908a8ad6b6334d9ccbc5028c964031f373cf6f08beed91e11d82
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6Mu/ePS3AyXmPD:ymb3NkkiQ3mdBjFI46TQyXmPD
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
UPX dump on OEP (original entry point) 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4af2cd7e06ca7250693c47bd879df946de86b9be49be80a1a143ae346155491c.exe"C:\Users\Admin\AppData\Local\Temp\4af2cd7e06ca7250693c47bd879df946de86b9be49be80a1a143ae346155491c.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\680488.exec:\680488.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\82008.exec:\82008.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pddpd.exec:\pddpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxrlffx.exec:\rxrlffx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\06860.exec:\06860.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrlfrrl.exec:\rrlfrrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\604000.exec:\604000.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\i448660.exec:\i448660.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\u404266.exec:\u404266.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\80644.exec:\80644.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\006088.exec:\006088.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4804266.exec:\4804266.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\462204.exec:\462204.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6466442.exec:\6466442.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttthbt.exec:\ttthbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrlffx.exec:\xrrlffx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\08420.exec:\08420.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4404408.exec:\4404408.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4026464.exec:\4026464.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4248488.exec:\4248488.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdvpj.exec:\vdvpj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\06848.exec:\06848.exe23⤵
- Executes dropped EXE
-
\??\c:\fxrfxrr.exec:\fxrfxrr.exe24⤵
- Executes dropped EXE
-
\??\c:\4844882.exec:\4844882.exe25⤵
- Executes dropped EXE
-
\??\c:\flllffx.exec:\flllffx.exe26⤵
- Executes dropped EXE
-
\??\c:\1jjjp.exec:\1jjjp.exe27⤵
- Executes dropped EXE
-
\??\c:\lxlffff.exec:\lxlffff.exe28⤵
- Executes dropped EXE
-
\??\c:\jdjdd.exec:\jdjdd.exe29⤵
- Executes dropped EXE
-
\??\c:\xxllrrx.exec:\xxllrrx.exe30⤵
- Executes dropped EXE
-
\??\c:\40444.exec:\40444.exe31⤵
- Executes dropped EXE
-
\??\c:\1xfxllf.exec:\1xfxllf.exe32⤵
- Executes dropped EXE
-
\??\c:\nbhhhh.exec:\nbhhhh.exe33⤵
- Executes dropped EXE
-
\??\c:\c800466.exec:\c800466.exe34⤵
- Executes dropped EXE
-
\??\c:\jvvpv.exec:\jvvpv.exe35⤵
- Executes dropped EXE
-
\??\c:\0282226.exec:\0282226.exe36⤵
- Executes dropped EXE
-
\??\c:\vvvvv.exec:\vvvvv.exe37⤵
- Executes dropped EXE
-
\??\c:\828200.exec:\828200.exe38⤵
- Executes dropped EXE
-
\??\c:\7djpd.exec:\7djpd.exe39⤵
- Executes dropped EXE
-
\??\c:\nbbttt.exec:\nbbttt.exe40⤵
- Executes dropped EXE
-
\??\c:\624888.exec:\624888.exe41⤵
- Executes dropped EXE
-
\??\c:\46826.exec:\46826.exe42⤵
- Executes dropped EXE
-
\??\c:\800804.exec:\800804.exe43⤵
- Executes dropped EXE
-
\??\c:\24048.exec:\24048.exe44⤵
- Executes dropped EXE
-
\??\c:\flrlllf.exec:\flrlllf.exe45⤵
- Executes dropped EXE
-
\??\c:\7tbttn.exec:\7tbttn.exe46⤵
- Executes dropped EXE
-
\??\c:\60840.exec:\60840.exe47⤵
- Executes dropped EXE
-
\??\c:\62448.exec:\62448.exe48⤵
- Executes dropped EXE
-
\??\c:\xrrfflf.exec:\xrrfflf.exe49⤵
- Executes dropped EXE
-
\??\c:\282288.exec:\282288.exe50⤵
- Executes dropped EXE
-
\??\c:\nhnttt.exec:\nhnttt.exe51⤵
- Executes dropped EXE
-
\??\c:\280006.exec:\280006.exe52⤵
- Executes dropped EXE
-
\??\c:\rfffxrr.exec:\rfffxrr.exe53⤵
- Executes dropped EXE
-
\??\c:\606622.exec:\606622.exe54⤵
- Executes dropped EXE
-
\??\c:\226668.exec:\226668.exe55⤵
- Executes dropped EXE
-
\??\c:\4400004.exec:\4400004.exe56⤵
- Executes dropped EXE
-
\??\c:\ppjpp.exec:\ppjpp.exe57⤵
- Executes dropped EXE
-
\??\c:\fxfxxfl.exec:\fxfxxfl.exe58⤵
- Executes dropped EXE
-
\??\c:\rrxxffx.exec:\rrxxffx.exe59⤵
- Executes dropped EXE
-
\??\c:\pjvvv.exec:\pjvvv.exe60⤵
- Executes dropped EXE
-
\??\c:\lffxxrr.exec:\lffxxrr.exe61⤵
- Executes dropped EXE
-
\??\c:\24628.exec:\24628.exe62⤵
- Executes dropped EXE
-
\??\c:\pjjjd.exec:\pjjjd.exe63⤵
- Executes dropped EXE
-
\??\c:\frfrllf.exec:\frfrllf.exe64⤵
- Executes dropped EXE
-
\??\c:\20428.exec:\20428.exe65⤵
- Executes dropped EXE
-
\??\c:\jjpjd.exec:\jjpjd.exe66⤵
-
\??\c:\2404226.exec:\2404226.exe67⤵
-
\??\c:\ffxrlfx.exec:\ffxrlfx.exe68⤵
-
\??\c:\dpddd.exec:\dpddd.exe69⤵
-
\??\c:\400020.exec:\400020.exe70⤵
-
\??\c:\2420488.exec:\2420488.exe71⤵
-
\??\c:\btnhhh.exec:\btnhhh.exe72⤵
-
\??\c:\jdddp.exec:\jdddp.exe73⤵
-
\??\c:\668888.exec:\668888.exe74⤵
-
\??\c:\ffxxrxx.exec:\ffxxrxx.exe75⤵
-
\??\c:\020044.exec:\020044.exe76⤵
-
\??\c:\jjpjj.exec:\jjpjj.exe77⤵
-
\??\c:\dvpjv.exec:\dvpjv.exe78⤵
-
\??\c:\606002.exec:\606002.exe79⤵
-
\??\c:\0026226.exec:\0026226.exe80⤵
-
\??\c:\26682.exec:\26682.exe81⤵
-
\??\c:\402604.exec:\402604.exe82⤵
-
\??\c:\nbbbbb.exec:\nbbbbb.exe83⤵
-
\??\c:\8844822.exec:\8844822.exe84⤵
-
\??\c:\7hhhhn.exec:\7hhhhn.exe85⤵
-
\??\c:\bttnbb.exec:\bttnbb.exe86⤵
-
\??\c:\26626.exec:\26626.exe87⤵
-
\??\c:\2848282.exec:\2848282.exe88⤵
-
\??\c:\hbhbhh.exec:\hbhbhh.exe89⤵
-
\??\c:\xflfrrr.exec:\xflfrrr.exe90⤵
-
\??\c:\jjdjd.exec:\jjdjd.exe91⤵
-
\??\c:\2626444.exec:\2626444.exe92⤵
-
\??\c:\rrxxllr.exec:\rrxxllr.exe93⤵
-
\??\c:\82440.exec:\82440.exe94⤵
-
\??\c:\lrxrllf.exec:\lrxrllf.exe95⤵
-
\??\c:\008248.exec:\008248.exe96⤵
-
\??\c:\80282.exec:\80282.exe97⤵
-
\??\c:\pvdvj.exec:\pvdvj.exe98⤵
-
\??\c:\m4822.exec:\m4822.exe99⤵
-
\??\c:\rlxrfxr.exec:\rlxrfxr.exe100⤵
-
\??\c:\bbthbt.exec:\bbthbt.exe101⤵
-
\??\c:\82400.exec:\82400.exe102⤵
-
\??\c:\xfxrlxr.exec:\xfxrlxr.exe103⤵
-
\??\c:\2882608.exec:\2882608.exe104⤵
-
\??\c:\86042.exec:\86042.exe105⤵
-
\??\c:\48064.exec:\48064.exe106⤵
-
\??\c:\1bhhtb.exec:\1bhhtb.exe107⤵
-
\??\c:\84608.exec:\84608.exe108⤵
-
\??\c:\846422.exec:\846422.exe109⤵
-
\??\c:\64486.exec:\64486.exe110⤵
-
\??\c:\vdjdp.exec:\vdjdp.exe111⤵
-
\??\c:\vdpjd.exec:\vdpjd.exe112⤵
-
\??\c:\m6402.exec:\m6402.exe113⤵
-
\??\c:\446082.exec:\446082.exe114⤵
-
\??\c:\dvpjd.exec:\dvpjd.exe115⤵
-
\??\c:\vpvvp.exec:\vpvvp.exe116⤵
-
\??\c:\428428.exec:\428428.exe117⤵
-
\??\c:\rlxllfl.exec:\rlxllfl.exe118⤵
-
\??\c:\2626004.exec:\2626004.exe119⤵
-
\??\c:\tbtnhh.exec:\tbtnhh.exe120⤵
-
\??\c:\202004.exec:\202004.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-