Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
05-06-2024 21:23
General
-
Target
3bd260d941d668fb8f2b1bb6445caec8b3ad5054fe615c1751b1dbe8e66f85e4.exe
-
Size
88KB
-
MD5
34d98139b962358120d16021585c89ee
-
SHA1
b7a46376673134d2bc84cf60157801ca118f29ea
-
SHA256
3bd260d941d668fb8f2b1bb6445caec8b3ad5054fe615c1751b1dbe8e66f85e4
-
SHA512
bd4f086ac26efa597d39f125432947f6a9b7ca2c6ecedd5e7cf68b064a6b804aba11d24a339ba4b06efc75d99915a9870e3de92c5baa4a538c3992411385300c
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND+3T4+C2wV3jaCJ5jH3e79:ymb3NkkiQ3mdBjF+3TU2K3bJZXy
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 26 IoCs
-
UPX dump on OEP (original entry point) 31 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3bd260d941d668fb8f2b1bb6445caec8b3ad5054fe615c1751b1dbe8e66f85e4.exe"C:\Users\Admin\AppData\Local\Temp\3bd260d941d668fb8f2b1bb6445caec8b3ad5054fe615c1751b1dbe8e66f85e4.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrxxxl.exec:\xrrxxxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhntnn.exec:\bhntnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjjv.exec:\jdjjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpvjv.exec:\vpvjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrlxlf.exec:\fxrlxlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7rlrxrx.exec:\7rlrxrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3lxfflr.exec:\3lxfflr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bththt.exec:\bththt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbntn.exec:\nhbntn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dddjp.exec:\dddjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvvj.exec:\jdvvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3rlrrrx.exec:\3rlrrrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1fxrffr.exec:\1fxrffr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxlrffr.exec:\fxlrffr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1bbbhh.exec:\1bbbhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnthh.exec:\btnthh.exe17⤵
- Executes dropped EXE
-
\??\c:\9jvvd.exec:\9jvvd.exe18⤵
- Executes dropped EXE
-
\??\c:\pjvjv.exec:\pjvjv.exe19⤵
- Executes dropped EXE
-
\??\c:\7rffrxl.exec:\7rffrxl.exe20⤵
- Executes dropped EXE
-
\??\c:\1xrxflr.exec:\1xrxflr.exe21⤵
- Executes dropped EXE
-
\??\c:\3tnttb.exec:\3tnttb.exe22⤵
- Executes dropped EXE
-
\??\c:\bnbbhh.exec:\bnbbhh.exe23⤵
- Executes dropped EXE
-
\??\c:\ddpvj.exec:\ddpvj.exe24⤵
- Executes dropped EXE
-
\??\c:\dvddj.exec:\dvddj.exe25⤵
- Executes dropped EXE
-
\??\c:\3xlxllr.exec:\3xlxllr.exe26⤵
- Executes dropped EXE
-
\??\c:\5rlfffl.exec:\5rlfffl.exe27⤵
- Executes dropped EXE
-
\??\c:\nhnntt.exec:\nhnntt.exe28⤵
- Executes dropped EXE
-
\??\c:\ntnbtb.exec:\ntnbtb.exe29⤵
- Executes dropped EXE
-
\??\c:\5dddp.exec:\5dddp.exe30⤵
- Executes dropped EXE
-
\??\c:\jdjjv.exec:\jdjjv.exe31⤵
- Executes dropped EXE
-
\??\c:\ffrxllr.exec:\ffrxllr.exe32⤵
- Executes dropped EXE
-
\??\c:\xrxrrlr.exec:\xrxrrlr.exe33⤵
- Executes dropped EXE
-
\??\c:\xrllxfr.exec:\xrllxfr.exe34⤵
- Executes dropped EXE
-
\??\c:\bnnntt.exec:\bnnntt.exe35⤵
- Executes dropped EXE
-
\??\c:\nhtnbh.exec:\nhtnbh.exe36⤵
- Executes dropped EXE
-
\??\c:\3jvvv.exec:\3jvvv.exe37⤵
- Executes dropped EXE
-
\??\c:\pdjvv.exec:\pdjvv.exe38⤵
- Executes dropped EXE
-
\??\c:\vpvvd.exec:\vpvvd.exe39⤵
- Executes dropped EXE
-
\??\c:\lfrxffx.exec:\lfrxffx.exe40⤵
- Executes dropped EXE
-
\??\c:\xxrxlrf.exec:\xxrxlrf.exe41⤵
- Executes dropped EXE
-
\??\c:\lfrrffx.exec:\lfrrffx.exe42⤵
- Executes dropped EXE
-
\??\c:\thtbhh.exec:\thtbhh.exe43⤵
- Executes dropped EXE
-
\??\c:\bbnbht.exec:\bbnbht.exe44⤵
- Executes dropped EXE
-
\??\c:\1jvpv.exec:\1jvpv.exe45⤵
- Executes dropped EXE
-
\??\c:\ddvdp.exec:\ddvdp.exe46⤵
- Executes dropped EXE
-
\??\c:\flxlffl.exec:\flxlffl.exe47⤵
- Executes dropped EXE
-
\??\c:\7xlrlll.exec:\7xlrlll.exe48⤵
- Executes dropped EXE
-
\??\c:\hhtbhn.exec:\hhtbhn.exe49⤵
- Executes dropped EXE
-
\??\c:\thnntt.exec:\thnntt.exe50⤵
- Executes dropped EXE
-
\??\c:\7jjvj.exec:\7jjvj.exe51⤵
- Executes dropped EXE
-
\??\c:\7pjdj.exec:\7pjdj.exe52⤵
- Executes dropped EXE
-
\??\c:\jjddp.exec:\jjddp.exe53⤵
- Executes dropped EXE
-
\??\c:\fxrrfrf.exec:\fxrrfrf.exe54⤵
- Executes dropped EXE
-
\??\c:\rfrxlrf.exec:\rfrxlrf.exe55⤵
- Executes dropped EXE
-
\??\c:\xrffxfl.exec:\xrffxfl.exe56⤵
- Executes dropped EXE
-
\??\c:\hhtbbh.exec:\hhtbbh.exe57⤵
- Executes dropped EXE
-
\??\c:\ntbbbh.exec:\ntbbbh.exe58⤵
- Executes dropped EXE
-
\??\c:\3tnnbb.exec:\3tnnbb.exe59⤵
- Executes dropped EXE
-
\??\c:\pjjpp.exec:\pjjpp.exe60⤵
- Executes dropped EXE
-
\??\c:\vdvjv.exec:\vdvjv.exe61⤵
- Executes dropped EXE
-
\??\c:\1lxxflx.exec:\1lxxflx.exe62⤵
- Executes dropped EXE
-
\??\c:\lrrfflf.exec:\lrrfflf.exe63⤵
- Executes dropped EXE
-
\??\c:\rlfllrl.exec:\rlfllrl.exe64⤵
- Executes dropped EXE
-
\??\c:\9hnnhh.exec:\9hnnhh.exe65⤵
- Executes dropped EXE
-
\??\c:\nhbhnn.exec:\nhbhnn.exe66⤵
-
\??\c:\bhnnth.exec:\bhnnth.exe67⤵
-
\??\c:\djvpj.exec:\djvpj.exe68⤵
-
\??\c:\vvjvd.exec:\vvjvd.exe69⤵
-
\??\c:\rllxllx.exec:\rllxllx.exe70⤵
-
\??\c:\xrfxfxx.exec:\xrfxfxx.exe71⤵
-
\??\c:\7xllfxx.exec:\7xllfxx.exe72⤵
-
\??\c:\hbnntt.exec:\hbnntt.exe73⤵
-
\??\c:\hbbbtb.exec:\hbbbtb.exe74⤵
-
\??\c:\pjpdp.exec:\pjpdp.exe75⤵
-
\??\c:\pjvdp.exec:\pjvdp.exe76⤵
-
\??\c:\jdjpv.exec:\jdjpv.exe77⤵
-
\??\c:\rfllrxr.exec:\rfllrxr.exe78⤵
-
\??\c:\fxlxxrx.exec:\fxlxxrx.exe79⤵
-
\??\c:\rflrlrf.exec:\rflrlrf.exe80⤵
-
\??\c:\hbhtbt.exec:\hbhtbt.exe81⤵
-
\??\c:\1nnthh.exec:\1nnthh.exe82⤵
-
\??\c:\7nbtbt.exec:\7nbtbt.exe83⤵
-
\??\c:\dpvvd.exec:\dpvvd.exe84⤵
-
\??\c:\5vjpv.exec:\5vjpv.exe85⤵
-
\??\c:\jddvv.exec:\jddvv.exe86⤵
-
\??\c:\xrxxfrf.exec:\xrxxfrf.exe87⤵
-
\??\c:\rlxfllr.exec:\rlxfllr.exe88⤵
-
\??\c:\xrlrxll.exec:\xrlrxll.exe89⤵
-
\??\c:\9lrxffr.exec:\9lrxffr.exe90⤵
-
\??\c:\ttbhtb.exec:\ttbhtb.exe91⤵
-
\??\c:\1tbtbt.exec:\1tbtbt.exe92⤵
-
\??\c:\dvpdj.exec:\dvpdj.exe93⤵
-
\??\c:\3djjj.exec:\3djjj.exe94⤵
-
\??\c:\jdvpd.exec:\jdvpd.exe95⤵
-
\??\c:\xrffxxl.exec:\xrffxxl.exe96⤵
-
\??\c:\rlrxffl.exec:\rlrxffl.exe97⤵
-
\??\c:\9lxxlfr.exec:\9lxxlfr.exe98⤵
-
\??\c:\nbnnnh.exec:\nbnnnh.exe99⤵
-
\??\c:\tnbhtt.exec:\tnbhtt.exe100⤵
-
\??\c:\dpvjj.exec:\dpvjj.exe101⤵
-
\??\c:\1rfffff.exec:\1rfffff.exe102⤵
-
\??\c:\rfflrrr.exec:\rfflrrr.exe103⤵
-
\??\c:\jdvdp.exec:\jdvdp.exe104⤵
-
\??\c:\5pdpv.exec:\5pdpv.exe105⤵
-
\??\c:\7frrrrr.exec:\7frrrrr.exe106⤵
-
\??\c:\nbhhth.exec:\nbhhth.exe107⤵
-
\??\c:\bnnnnn.exec:\bnnnnn.exe108⤵
-
\??\c:\9dpvv.exec:\9dpvv.exe109⤵
-
\??\c:\xxfllfx.exec:\xxfllfx.exe110⤵
-
\??\c:\5tbttn.exec:\5tbttn.exe111⤵
-
\??\c:\nbhbtt.exec:\nbhbtt.exe112⤵
-
\??\c:\pjppv.exec:\pjppv.exe113⤵
-
\??\c:\7fxffff.exec:\7fxffff.exe114⤵
-
\??\c:\hhbhbb.exec:\hhbhbb.exe115⤵
-
\??\c:\dvvvd.exec:\dvvvd.exe116⤵
-
\??\c:\fxlllfl.exec:\fxlllfl.exe117⤵
-
\??\c:\5bhhhn.exec:\5bhhhn.exe118⤵
-
\??\c:\tbnhnh.exec:\tbnhnh.exe119⤵
-
\??\c:\dpvpj.exec:\dpvpj.exe120⤵
-
\??\c:\ffxllrf.exec:\ffxllrf.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-