Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
05-06-2024 03:39
General
-
Target
d0b51b97c1e967880e0e888f487ce66e79773812c46608f947253dd5a224c866.exe
-
Size
74KB
-
MD5
2284dd7ec980d2d6ed1f7c260c15e278
-
SHA1
fc5df705eaacf018149c10c6e23e8d436419873d
-
SHA256
d0b51b97c1e967880e0e888f487ce66e79773812c46608f947253dd5a224c866
-
SHA512
56def742d212e99d7640083cd44d33dbf1fbcb8d90975230a15cccb1ef375132f0f650f4a8c13c95d506c2cd92c2d2e0bbdb99e69498d6686f38ec708b9c45f6
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDWiekja1br3GGBxfot0ioq:ymb3NkkiQ3mdBjFWXkj7afoL
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
UPX dump on OEP (original entry point) 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d0b51b97c1e967880e0e888f487ce66e79773812c46608f947253dd5a224c866.exe"C:\Users\Admin\AppData\Local\Temp\d0b51b97c1e967880e0e888f487ce66e79773812c46608f947253dd5a224c866.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\0862446.exec:\0862446.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnbnht.exec:\hnbnht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4822006.exec:\4822006.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2662280.exec:\2662280.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\04622.exec:\04622.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8886468.exec:\8886468.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\620246.exec:\620246.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\88002.exec:\88002.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\26068.exec:\26068.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3dvdj.exec:\3dvdj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9xrxfrf.exec:\9xrxfrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrrllrr.exec:\lrrllrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpvdd.exec:\vpvdd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jddjp.exec:\jddjp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlflrlr.exec:\rlflrlr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\000220.exec:\000220.exe17⤵
- Executes dropped EXE
-
\??\c:\1xffffl.exec:\1xffffl.exe18⤵
- Executes dropped EXE
-
\??\c:\2608620.exec:\2608620.exe19⤵
- Executes dropped EXE
-
\??\c:\64428.exec:\64428.exe20⤵
- Executes dropped EXE
-
\??\c:\o488066.exec:\o488066.exe21⤵
- Executes dropped EXE
-
\??\c:\0406624.exec:\0406624.exe22⤵
- Executes dropped EXE
-
\??\c:\vvpdv.exec:\vvpdv.exe23⤵
- Executes dropped EXE
-
\??\c:\fxfrxlx.exec:\fxfrxlx.exe24⤵
- Executes dropped EXE
-
\??\c:\jdpvd.exec:\jdpvd.exe25⤵
- Executes dropped EXE
-
\??\c:\nnbhbn.exec:\nnbhbn.exe26⤵
- Executes dropped EXE
-
\??\c:\tnhnnb.exec:\tnhnnb.exe27⤵
- Executes dropped EXE
-
\??\c:\28428.exec:\28428.exe28⤵
- Executes dropped EXE
-
\??\c:\6804008.exec:\6804008.exe29⤵
- Executes dropped EXE
-
\??\c:\66468.exec:\66468.exe30⤵
- Executes dropped EXE
-
\??\c:\5ttthn.exec:\5ttthn.exe31⤵
- Executes dropped EXE
-
\??\c:\9hbnnn.exec:\9hbnnn.exe32⤵
- Executes dropped EXE
-
\??\c:\4686284.exec:\4686284.exe33⤵
- Executes dropped EXE
-
\??\c:\468004.exec:\468004.exe34⤵
- Executes dropped EXE
-
\??\c:\g4840.exec:\g4840.exe35⤵
- Executes dropped EXE
-
\??\c:\5frllrf.exec:\5frllrf.exe36⤵
- Executes dropped EXE
-
\??\c:\i800620.exec:\i800620.exe37⤵
- Executes dropped EXE
-
\??\c:\ddjjp.exec:\ddjjp.exe38⤵
- Executes dropped EXE
-
\??\c:\lfxfxrf.exec:\lfxfxrf.exe39⤵
- Executes dropped EXE
-
\??\c:\08628.exec:\08628.exe40⤵
- Executes dropped EXE
-
\??\c:\fxffrrf.exec:\fxffrrf.exe41⤵
- Executes dropped EXE
-
\??\c:\k26808.exec:\k26808.exe42⤵
- Executes dropped EXE
-
\??\c:\864828.exec:\864828.exe43⤵
- Executes dropped EXE
-
\??\c:\pdjdd.exec:\pdjdd.exe44⤵
- Executes dropped EXE
-
\??\c:\vjddj.exec:\vjddj.exe45⤵
- Executes dropped EXE
-
\??\c:\w48468.exec:\w48468.exe46⤵
- Executes dropped EXE
-
\??\c:\dvvjj.exec:\dvvjj.exe47⤵
- Executes dropped EXE
-
\??\c:\288282.exec:\288282.exe48⤵
- Executes dropped EXE
-
\??\c:\vvppp.exec:\vvppp.exe49⤵
- Executes dropped EXE
-
\??\c:\80262.exec:\80262.exe50⤵
- Executes dropped EXE
-
\??\c:\tnbtbh.exec:\tnbtbh.exe51⤵
- Executes dropped EXE
-
\??\c:\202884.exec:\202884.exe52⤵
- Executes dropped EXE
-
\??\c:\bnbbhh.exec:\bnbbhh.exe53⤵
- Executes dropped EXE
-
\??\c:\vvvpp.exec:\vvvpp.exe54⤵
- Executes dropped EXE
-
\??\c:\g6420.exec:\g6420.exe55⤵
- Executes dropped EXE
-
\??\c:\20484.exec:\20484.exe56⤵
- Executes dropped EXE
-
\??\c:\22624.exec:\22624.exe57⤵
- Executes dropped EXE
-
\??\c:\lxlrxrl.exec:\lxlrxrl.exe58⤵
- Executes dropped EXE
-
\??\c:\44424.exec:\44424.exe59⤵
- Executes dropped EXE
-
\??\c:\rxfxfxr.exec:\rxfxfxr.exe60⤵
- Executes dropped EXE
-
\??\c:\9hbbbt.exec:\9hbbbt.exe61⤵
- Executes dropped EXE
-
\??\c:\fxflxxf.exec:\fxflxxf.exe62⤵
- Executes dropped EXE
-
\??\c:\m6404.exec:\m6404.exe63⤵
- Executes dropped EXE
-
\??\c:\2022226.exec:\2022226.exe64⤵
- Executes dropped EXE
-
\??\c:\6668064.exec:\6668064.exe65⤵
- Executes dropped EXE
-
\??\c:\066004.exec:\066004.exe66⤵
-
\??\c:\464466.exec:\464466.exe67⤵
-
\??\c:\c462822.exec:\c462822.exe68⤵
-
\??\c:\hnntht.exec:\hnntht.exe69⤵
-
\??\c:\bbbhhn.exec:\bbbhhn.exe70⤵
-
\??\c:\9ddvd.exec:\9ddvd.exe71⤵
-
\??\c:\848628.exec:\848628.exe72⤵
-
\??\c:\06828.exec:\06828.exe73⤵
-
\??\c:\xrfxlfl.exec:\xrfxlfl.exe74⤵
-
\??\c:\6264842.exec:\6264842.exe75⤵
-
\??\c:\frfrxxf.exec:\frfrxxf.exe76⤵
-
\??\c:\fxrrlrx.exec:\fxrrlrx.exe77⤵
-
\??\c:\vpjjp.exec:\vpjjp.exe78⤵
-
\??\c:\lfxxxfr.exec:\lfxxxfr.exe79⤵
-
\??\c:\tnhnht.exec:\tnhnht.exe80⤵
-
\??\c:\6082480.exec:\6082480.exe81⤵
-
\??\c:\xlfrfff.exec:\xlfrfff.exe82⤵
-
\??\c:\6462406.exec:\6462406.exe83⤵
-
\??\c:\220082.exec:\220082.exe84⤵
-
\??\c:\2206224.exec:\2206224.exe85⤵
-
\??\c:\082868.exec:\082868.exe86⤵
-
\??\c:\5thbbn.exec:\5thbbn.exe87⤵
-
\??\c:\a8284.exec:\a8284.exe88⤵
-
\??\c:\20600.exec:\20600.exe89⤵
-
\??\c:\8684040.exec:\8684040.exe90⤵
-
\??\c:\u684680.exec:\u684680.exe91⤵
-
\??\c:\208880.exec:\208880.exe92⤵
-
\??\c:\ddddv.exec:\ddddv.exe93⤵
-
\??\c:\9vppd.exec:\9vppd.exe94⤵
-
\??\c:\9ppvv.exec:\9ppvv.exe95⤵
-
\??\c:\00240.exec:\00240.exe96⤵
-
\??\c:\268602.exec:\268602.exe97⤵
-
\??\c:\bbntnn.exec:\bbntnn.exe98⤵
-
\??\c:\20820.exec:\20820.exe99⤵
-
\??\c:\k64444.exec:\k64444.exe100⤵
-
\??\c:\86480.exec:\86480.exe101⤵
-
\??\c:\24466.exec:\24466.exe102⤵
-
\??\c:\vvdvp.exec:\vvdvp.exe103⤵
-
\??\c:\82062.exec:\82062.exe104⤵
-
\??\c:\042662.exec:\042662.exe105⤵
-
\??\c:\fffrrlx.exec:\fffrrlx.exe106⤵
-
\??\c:\6642644.exec:\6642644.exe107⤵
-
\??\c:\fxxlllr.exec:\fxxlllr.exe108⤵
-
\??\c:\220602.exec:\220602.exe109⤵
-
\??\c:\dpvdp.exec:\dpvdp.exe110⤵
-
\??\c:\8882204.exec:\8882204.exe111⤵
-
\??\c:\vvvdp.exec:\vvvdp.exe112⤵
-
\??\c:\nnhtnt.exec:\nnhtnt.exe113⤵
-
\??\c:\8446400.exec:\8446400.exe114⤵
-
\??\c:\0424220.exec:\0424220.exe115⤵
-
\??\c:\bbtthh.exec:\bbtthh.exe116⤵
-
\??\c:\5rxffxf.exec:\5rxffxf.exe117⤵
-
\??\c:\c282266.exec:\c282266.exe118⤵
-
\??\c:\vpvpp.exec:\vpvpp.exe119⤵
-
\??\c:\224044.exec:\224044.exe120⤵
-
\??\c:\hhtttb.exec:\hhtttb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-