Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
04-06-2024 04:24
General
-
Target
e4bf7a8d4c3e0aab39a32c2398082a94dacfd67bbd23bb9c6d7842cd023d2d45.exe
-
Size
313KB
-
MD5
25b05699cbd7d41d71d8019781536cf4
-
SHA1
726585b933b77b6f3d39715c6c6697287aecf2b6
-
SHA256
e4bf7a8d4c3e0aab39a32c2398082a94dacfd67bbd23bb9c6d7842cd023d2d45
-
SHA512
df6e4db7f5945464b5fa807d2e78d60e7a9a1a8f495ca572c6c1dcdbb7c57fbc1627e30933ddb6352879729ecd566305a90e5aa9bd8a2e42664462c5c31b8d74
-
SSDEEP
6144:n3C9BRo/AIX2h97aUzpbBj3+b2ziJC39QS8hDJd+Q7ZLbjwc:n3C9uDC97aUFbZ42ziM39QS8hDJd+Q79
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 31 IoCs
-
UPX dump on OEP (original entry point) 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e4bf7a8d4c3e0aab39a32c2398082a94dacfd67bbd23bb9c6d7842cd023d2d45.exe"C:\Users\Admin\AppData\Local\Temp\e4bf7a8d4c3e0aab39a32c2398082a94dacfd67bbd23bb9c6d7842cd023d2d45.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\hnbhtb.exec:\hnbhtb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpjdd.exec:\dpjdd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxfllll.exec:\fxfllll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnhbnb.exec:\bnhbnb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pppjd.exec:\pppjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fffxrlf.exec:\fffxrlf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhnhtn.exec:\nhnhtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvvpp.exec:\pvvpp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3vjjd.exec:\3vjjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lffllll.exec:\lffllll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnthbh.exec:\tnthbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djppd.exec:\djppd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjvdv.exec:\vjvdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlfllxx.exec:\rlfllxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnnhn.exec:\btnnhn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvdvd.exec:\pvdvd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vppjj.exec:\vppjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxflfrf.exec:\rxflfrf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnnnth.exec:\bnnnth.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvjv.exec:\vvvjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxxxfl.exec:\xrxxxfl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxlxrl.exec:\frxlxrl.exe23⤵
- Executes dropped EXE
-
\??\c:\7bbtnn.exec:\7bbtnn.exe24⤵
- Executes dropped EXE
-
\??\c:\1jdvp.exec:\1jdvp.exe25⤵
- Executes dropped EXE
-
\??\c:\lflfxxx.exec:\lflfxxx.exe26⤵
- Executes dropped EXE
-
\??\c:\flxllxr.exec:\flxllxr.exe27⤵
- Executes dropped EXE
-
\??\c:\hhnttb.exec:\hhnttb.exe28⤵
- Executes dropped EXE
-
\??\c:\7dpjd.exec:\7dpjd.exe29⤵
- Executes dropped EXE
-
\??\c:\jjpjd.exec:\jjpjd.exe30⤵
- Executes dropped EXE
-
\??\c:\flrlrll.exec:\flrlrll.exe31⤵
- Executes dropped EXE
-
\??\c:\hbhbtt.exec:\hbhbtt.exe32⤵
- Executes dropped EXE
-
\??\c:\btnttt.exec:\btnttt.exe33⤵
- Executes dropped EXE
-
\??\c:\pjpjd.exec:\pjpjd.exe34⤵
- Executes dropped EXE
-
\??\c:\llrrffx.exec:\llrrffx.exe35⤵
- Executes dropped EXE
-
\??\c:\flfxrrf.exec:\flfxrrf.exe36⤵
- Executes dropped EXE
-
\??\c:\thnhbb.exec:\thnhbb.exe37⤵
- Executes dropped EXE
-
\??\c:\pppjd.exec:\pppjd.exe38⤵
- Executes dropped EXE
-
\??\c:\ppjdd.exec:\ppjdd.exe39⤵
- Executes dropped EXE
-
\??\c:\lfrlfxr.exec:\lfrlfxr.exe40⤵
- Executes dropped EXE
-
\??\c:\nhtntn.exec:\nhtntn.exe41⤵
- Executes dropped EXE
-
\??\c:\ddvpp.exec:\ddvpp.exe42⤵
- Executes dropped EXE
-
\??\c:\dddpp.exec:\dddpp.exe43⤵
- Executes dropped EXE
-
\??\c:\fxlrrll.exec:\fxlrrll.exe44⤵
- Executes dropped EXE
-
\??\c:\7nbttt.exec:\7nbttt.exe45⤵
- Executes dropped EXE
-
\??\c:\btnnhb.exec:\btnnhb.exe46⤵
- Executes dropped EXE
-
\??\c:\jpjdj.exec:\jpjdj.exe47⤵
- Executes dropped EXE
-
\??\c:\lfrrrlf.exec:\lfrrrlf.exe48⤵
- Executes dropped EXE
-
\??\c:\tnbnbb.exec:\tnbnbb.exe49⤵
- Executes dropped EXE
-
\??\c:\ddvpj.exec:\ddvpj.exe50⤵
- Executes dropped EXE
-
\??\c:\xfllfff.exec:\xfllfff.exe51⤵
- Executes dropped EXE
-
\??\c:\5lrllfx.exec:\5lrllfx.exe52⤵
- Executes dropped EXE
-
\??\c:\hnbttt.exec:\hnbttt.exe53⤵
- Executes dropped EXE
-
\??\c:\vdddv.exec:\vdddv.exe54⤵
- Executes dropped EXE
-
\??\c:\llrfxrl.exec:\llrfxrl.exe55⤵
- Executes dropped EXE
-
\??\c:\7ffxxxr.exec:\7ffxxxr.exe56⤵
- Executes dropped EXE
-
\??\c:\ntnhhh.exec:\ntnhhh.exe57⤵
- Executes dropped EXE
-
\??\c:\pdvjj.exec:\pdvjj.exe58⤵
- Executes dropped EXE
-
\??\c:\ppvpj.exec:\ppvpj.exe59⤵
- Executes dropped EXE
-
\??\c:\fffrfrf.exec:\fffrfrf.exe60⤵
- Executes dropped EXE
-
\??\c:\btthtn.exec:\btthtn.exe61⤵
- Executes dropped EXE
-
\??\c:\5jddv.exec:\5jddv.exe62⤵
- Executes dropped EXE
-
\??\c:\rlxlxxx.exec:\rlxlxxx.exe63⤵
- Executes dropped EXE
-
\??\c:\btntnn.exec:\btntnn.exe64⤵
- Executes dropped EXE
-
\??\c:\tttnhb.exec:\tttnhb.exe65⤵
- Executes dropped EXE
-
\??\c:\7jvvp.exec:\7jvvp.exe66⤵
-
\??\c:\3hhbtt.exec:\3hhbtt.exe67⤵
-
\??\c:\tbnnhn.exec:\tbnnhn.exe68⤵
-
\??\c:\frxlxll.exec:\frxlxll.exe69⤵
-
\??\c:\dvjvj.exec:\dvjvj.exe70⤵
-
\??\c:\lfllxxf.exec:\lfllxxf.exe71⤵
-
\??\c:\bbhhhh.exec:\bbhhhh.exe72⤵
-
\??\c:\pvpjj.exec:\pvpjj.exe73⤵
-
\??\c:\flxrlxl.exec:\flxrlxl.exe74⤵
-
\??\c:\nntbbt.exec:\nntbbt.exe75⤵
-
\??\c:\dpdvp.exec:\dpdvp.exe76⤵
-
\??\c:\frrrlll.exec:\frrrlll.exe77⤵
-
\??\c:\flfxrrr.exec:\flfxrrr.exe78⤵
-
\??\c:\htnhhb.exec:\htnhhb.exe79⤵
-
\??\c:\vvpjd.exec:\vvpjd.exe80⤵
-
\??\c:\xxffrll.exec:\xxffrll.exe81⤵
-
\??\c:\hnbbnt.exec:\hnbbnt.exe82⤵
-
\??\c:\nhnhbb.exec:\nhnhbb.exe83⤵
-
\??\c:\dvdvd.exec:\dvdvd.exe84⤵
-
\??\c:\9rxxrxx.exec:\9rxxrxx.exe85⤵
-
\??\c:\htbbbb.exec:\htbbbb.exe86⤵
-
\??\c:\bhttnn.exec:\bhttnn.exe87⤵
-
\??\c:\frxrrll.exec:\frxrrll.exe88⤵
-
\??\c:\llffxxr.exec:\llffxxr.exe89⤵
-
\??\c:\ntnbnn.exec:\ntnbnn.exe90⤵
-
\??\c:\vpddp.exec:\vpddp.exe91⤵
-
\??\c:\thtnth.exec:\thtnth.exe92⤵
-
\??\c:\vjpjj.exec:\vjpjj.exe93⤵
-
\??\c:\lfrfxrx.exec:\lfrfxrx.exe94⤵
-
\??\c:\7tbtbt.exec:\7tbtbt.exe95⤵
-
\??\c:\vddvp.exec:\vddvp.exe96⤵
-
\??\c:\rlfffff.exec:\rlfffff.exe97⤵
-
\??\c:\bnnnnt.exec:\bnnnnt.exe98⤵
-
\??\c:\dppjd.exec:\dppjd.exe99⤵
-
\??\c:\rxflxfx.exec:\rxflxfx.exe100⤵
-
\??\c:\frxffff.exec:\frxffff.exe101⤵
-
\??\c:\ttbttt.exec:\ttbttt.exe102⤵
-
\??\c:\jjjjv.exec:\jjjjv.exe103⤵
-
\??\c:\fxlxrlr.exec:\fxlxrlr.exe104⤵
-
\??\c:\hbnhtt.exec:\hbnhtt.exe105⤵
-
\??\c:\thbnbh.exec:\thbnbh.exe106⤵
-
\??\c:\jjvdv.exec:\jjvdv.exe107⤵
-
\??\c:\fxxfxxr.exec:\fxxfxxr.exe108⤵
-
\??\c:\bbnbth.exec:\bbnbth.exe109⤵
-
\??\c:\jvddv.exec:\jvddv.exe110⤵
-
\??\c:\lffxrlf.exec:\lffxrlf.exe111⤵
-
\??\c:\bbnhhb.exec:\bbnhhb.exe112⤵
-
\??\c:\vjppp.exec:\vjppp.exe113⤵
-
\??\c:\hhnnbb.exec:\hhnnbb.exe114⤵
-
\??\c:\jdvjd.exec:\jdvjd.exe115⤵
-
\??\c:\lflfxxl.exec:\lflfxxl.exe116⤵
-
\??\c:\frfxxfx.exec:\frfxxfx.exe117⤵
-
\??\c:\vpdjj.exec:\vpdjj.exe118⤵
-
\??\c:\rrxrlff.exec:\rrxrlff.exe119⤵
-
\??\c:\bhnnnn.exec:\bhnnnn.exe120⤵
-
\??\c:\ppjpd.exec:\ppjpd.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-