Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
02-06-2024 19:30
General
-
Target
1c14ddbae36b721c5e1165ac622e65731b7e756075a9168dec666ac0976007e6.exe
-
Size
96KB
-
MD5
737d4f2be92988f2cd2280e52b65a53a
-
SHA1
083778f72a64a345f9dd17be3ddb070d9b011981
-
SHA256
1c14ddbae36b721c5e1165ac622e65731b7e756075a9168dec666ac0976007e6
-
SHA512
de5fecf9abc1ac94598928069c5a9d067ce45186daac3593bfc25c2395a254dd78e22cdebb294034d815993bad72ba8b7cdb8b20f659f14e752d27f12090f0f2
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIS7/b9EUeWpEC3alBlwtn8BLnnl:ymb3NkkiQ3mdBjFIi/REUZnKlbnv9
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
UPX dump on OEP (original entry point) 23 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1c14ddbae36b721c5e1165ac622e65731b7e756075a9168dec666ac0976007e6.exe"C:\Users\Admin\AppData\Local\Temp\1c14ddbae36b721c5e1165ac622e65731b7e756075a9168dec666ac0976007e6.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\ffrflxl.exec:\ffrflxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjpjj.exec:\jjpjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrlrfrl.exec:\rrlrfrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhhbbt.exec:\bhhbbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppvjp.exec:\ppvjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llxffrx.exec:\llxffrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1nhhtt.exec:\1nhhtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpvdj.exec:\vpvdj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffrxlxl.exec:\ffrxlxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnbhtb.exec:\nnbhtb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvpd.exec:\ddvpd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lllxlrf.exec:\lllxlrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxlxllx.exec:\fxlxllx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbhbh.exec:\nhbhbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvpj.exec:\vvvpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lllflxr.exec:\lllflxr.exe17⤵
- Executes dropped EXE
-
\??\c:\ntntbh.exec:\ntntbh.exe18⤵
- Executes dropped EXE
-
\??\c:\bbbnbh.exec:\bbbnbh.exe19⤵
- Executes dropped EXE
-
\??\c:\vddjp.exec:\vddjp.exe20⤵
- Executes dropped EXE
-
\??\c:\lfrxrxf.exec:\lfrxrxf.exe21⤵
- Executes dropped EXE
-
\??\c:\nhbnbb.exec:\nhbnbb.exe22⤵
- Executes dropped EXE
-
\??\c:\hbthbn.exec:\hbthbn.exe23⤵
- Executes dropped EXE
-
\??\c:\pdvpv.exec:\pdvpv.exe24⤵
- Executes dropped EXE
-
\??\c:\lrflfxx.exec:\lrflfxx.exe25⤵
- Executes dropped EXE
-
\??\c:\7hbhtb.exec:\7hbhtb.exe26⤵
- Executes dropped EXE
-
\??\c:\bbntht.exec:\bbntht.exe27⤵
- Executes dropped EXE
-
\??\c:\xrflrrx.exec:\xrflrrx.exe28⤵
- Executes dropped EXE
-
\??\c:\nhthtt.exec:\nhthtt.exe29⤵
- Executes dropped EXE
-
\??\c:\5djvp.exec:\5djvp.exe30⤵
- Executes dropped EXE
-
\??\c:\lrxlffr.exec:\lrxlffr.exe31⤵
- Executes dropped EXE
-
\??\c:\hnbbnh.exec:\hnbbnh.exe32⤵
- Executes dropped EXE
-
\??\c:\ppjdj.exec:\ppjdj.exe33⤵
- Executes dropped EXE
-
\??\c:\flxfrxl.exec:\flxfrxl.exe34⤵
- Executes dropped EXE
-
\??\c:\xxllflf.exec:\xxllflf.exe35⤵
- Executes dropped EXE
-
\??\c:\btnbnt.exec:\btnbnt.exe36⤵
- Executes dropped EXE
-
\??\c:\dvjjv.exec:\dvjjv.exe37⤵
- Executes dropped EXE
-
\??\c:\jdpjp.exec:\jdpjp.exe38⤵
- Executes dropped EXE
-
\??\c:\rfrxrrf.exec:\rfrxrrf.exe39⤵
- Executes dropped EXE
-
\??\c:\ffxrfff.exec:\ffxrfff.exe40⤵
- Executes dropped EXE
-
\??\c:\5bntbh.exec:\5bntbh.exe41⤵
- Executes dropped EXE
-
\??\c:\ddvpp.exec:\ddvpp.exe42⤵
- Executes dropped EXE
-
\??\c:\jvjvd.exec:\jvjvd.exe43⤵
- Executes dropped EXE
-
\??\c:\xflrxrf.exec:\xflrxrf.exe44⤵
- Executes dropped EXE
-
\??\c:\9lfrlrl.exec:\9lfrlrl.exe45⤵
- Executes dropped EXE
-
\??\c:\bttthn.exec:\bttthn.exe46⤵
- Executes dropped EXE
-
\??\c:\1ddjd.exec:\1ddjd.exe47⤵
- Executes dropped EXE
-
\??\c:\ddjdj.exec:\ddjdj.exe48⤵
- Executes dropped EXE
-
\??\c:\5llrxfr.exec:\5llrxfr.exe49⤵
- Executes dropped EXE
-
\??\c:\ttnthh.exec:\ttnthh.exe50⤵
- Executes dropped EXE
-
\??\c:\bbhbnn.exec:\bbhbnn.exe51⤵
- Executes dropped EXE
-
\??\c:\jjddv.exec:\jjddv.exe52⤵
- Executes dropped EXE
-
\??\c:\vddpp.exec:\vddpp.exe53⤵
- Executes dropped EXE
-
\??\c:\lrrlrrx.exec:\lrrlrrx.exe54⤵
- Executes dropped EXE
-
\??\c:\9lflrxf.exec:\9lflrxf.exe55⤵
- Executes dropped EXE
-
\??\c:\btnhbt.exec:\btnhbt.exe56⤵
- Executes dropped EXE
-
\??\c:\hhbhth.exec:\hhbhth.exe57⤵
- Executes dropped EXE
-
\??\c:\pvvdp.exec:\pvvdp.exe58⤵
- Executes dropped EXE
-
\??\c:\rxrfllf.exec:\rxrfllf.exe59⤵
- Executes dropped EXE
-
\??\c:\nnhbtn.exec:\nnhbtn.exe60⤵
- Executes dropped EXE
-
\??\c:\5hnttb.exec:\5hnttb.exe61⤵
- Executes dropped EXE
-
\??\c:\vppjd.exec:\vppjd.exe62⤵
- Executes dropped EXE
-
\??\c:\vvpjj.exec:\vvpjj.exe63⤵
- Executes dropped EXE
-
\??\c:\3lfxffl.exec:\3lfxffl.exe64⤵
- Executes dropped EXE
-
\??\c:\hnttbn.exec:\hnttbn.exe65⤵
- Executes dropped EXE
-
\??\c:\9bbbnb.exec:\9bbbnb.exe66⤵
-
\??\c:\jpjvj.exec:\jpjvj.exe67⤵
-
\??\c:\vjdpd.exec:\vjdpd.exe68⤵
-
\??\c:\lfxxrxx.exec:\lfxxrxx.exe69⤵
-
\??\c:\fflrlrx.exec:\fflrlrx.exe70⤵
-
\??\c:\ttttht.exec:\ttttht.exe71⤵
-
\??\c:\vvpdd.exec:\vvpdd.exe72⤵
-
\??\c:\dpvvv.exec:\dpvvv.exe73⤵
-
\??\c:\3lffrxl.exec:\3lffrxl.exe74⤵
-
\??\c:\xrlxrrf.exec:\xrlxrrf.exe75⤵
-
\??\c:\bhnbhb.exec:\bhnbhb.exe76⤵
-
\??\c:\9dppd.exec:\9dppd.exe77⤵
-
\??\c:\dvddp.exec:\dvddp.exe78⤵
-
\??\c:\llfrllx.exec:\llfrllx.exe79⤵
-
\??\c:\xfrfxff.exec:\xfrfxff.exe80⤵
-
\??\c:\bbtnbh.exec:\bbtnbh.exe81⤵
-
\??\c:\bhtbnt.exec:\bhtbnt.exe82⤵
-
\??\c:\ddjvp.exec:\ddjvp.exe83⤵
-
\??\c:\ppddj.exec:\ppddj.exe84⤵
-
\??\c:\lfxfrxf.exec:\lfxfrxf.exe85⤵
-
\??\c:\5nbbnt.exec:\5nbbnt.exe86⤵
-
\??\c:\ttbbhh.exec:\ttbbhh.exe87⤵
-
\??\c:\1dvjj.exec:\1dvjj.exe88⤵
-
\??\c:\5frfxrf.exec:\5frfxrf.exe89⤵
-
\??\c:\hhtnbt.exec:\hhtnbt.exe90⤵
-
\??\c:\nnhhtt.exec:\nnhhtt.exe91⤵
-
\??\c:\djdvj.exec:\djdvj.exe92⤵
-
\??\c:\llffllx.exec:\llffllx.exe93⤵
-
\??\c:\ffrxrxx.exec:\ffrxrxx.exe94⤵
-
\??\c:\bbnnbn.exec:\bbnnbn.exe95⤵
-
\??\c:\ttntbh.exec:\ttntbh.exe96⤵
-
\??\c:\dvvdv.exec:\dvvdv.exe97⤵
-
\??\c:\xrflrlr.exec:\xrflrlr.exe98⤵
-
\??\c:\rrlrllx.exec:\rrlrllx.exe99⤵
-
\??\c:\nbbbnh.exec:\nbbbnh.exe100⤵
-
\??\c:\vpdvj.exec:\vpdvj.exe101⤵
-
\??\c:\xxfxflf.exec:\xxfxflf.exe102⤵
-
\??\c:\tttntn.exec:\tttntn.exe103⤵
-
\??\c:\3ttntt.exec:\3ttntt.exe104⤵
-
\??\c:\1dvdv.exec:\1dvdv.exe105⤵
-
\??\c:\vpvjp.exec:\vpvjp.exe106⤵
-
\??\c:\xflflff.exec:\xflflff.exe107⤵
-
\??\c:\xrxlffl.exec:\xrxlffl.exe108⤵
-
\??\c:\3ttnbn.exec:\3ttnbn.exe109⤵
-
\??\c:\hnhnnb.exec:\hnhnnb.exe110⤵
-
\??\c:\djpdv.exec:\djpdv.exe111⤵
-
\??\c:\jjjpp.exec:\jjjpp.exe112⤵
-
\??\c:\xrllrlr.exec:\xrllrlr.exe113⤵
-
\??\c:\tnbhtb.exec:\tnbhtb.exe114⤵
-
\??\c:\nnnbth.exec:\nnnbth.exe115⤵
-
\??\c:\vpdvd.exec:\vpdvd.exe116⤵
-
\??\c:\jjvvd.exec:\jjvvd.exe117⤵
-
\??\c:\lfxrrfr.exec:\lfxrrfr.exe118⤵
-
\??\c:\rlrxflx.exec:\rlrxflx.exe119⤵
-
\??\c:\bbnbhh.exec:\bbnbhh.exe120⤵
-
\??\c:\nbnnbh.exec:\nbnnbh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-