Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
11/06/2024, 19:36
General
-
Target
22c7d6a1bdb7926b7f84db21df8b8386faa52eb8126ac9d7a00945fe5e61079e.exe
-
Size
63KB
-
MD5
a94a65d6fd20b4f3f43f3d3e2c34dd8c
-
SHA1
84eb73eef1f3dcf289adf8212e5c6db8e3fa6e3c
-
SHA256
22c7d6a1bdb7926b7f84db21df8b8386faa52eb8126ac9d7a00945fe5e61079e
-
SHA512
991f552a226be9c2bef9681104483c744f2036a52c4023eb061f3dbf2cfea044a410b637bfe2fc585366a6d2177022af9f619f5458d3aff32cee1851145be802
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDISoFGDw5:ymb3NkkiQ3mdBjFIkU
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 28 IoCs
-
UPX dump on OEP (original entry point) 28 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\22c7d6a1bdb7926b7f84db21df8b8386faa52eb8126ac9d7a00945fe5e61079e.exe"C:\Users\Admin\AppData\Local\Temp\22c7d6a1bdb7926b7f84db21df8b8386faa52eb8126ac9d7a00945fe5e61079e.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvpd.exec:\pjvpd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5ffrlfx.exec:\5ffrlfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hntnbb.exec:\hntnbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bttnnn.exec:\bttnnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdppj.exec:\pdppj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppdvp.exec:\ppdvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frfxrrr.exec:\frfxrrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5hthhh.exec:\5hthhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhbttn.exec:\bhbttn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjvj.exec:\ppjvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjpdv.exec:\pjpdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7lrxlrl.exec:\7lrxlrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrfxrrx.exec:\xrfxrrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbbnhb.exec:\nbbnhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdjvj.exec:\pdjvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1jpjp.exec:\1jpjp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llxrffl.exec:\llxrffl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9nnbth.exec:\9nnbth.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1pdpv.exec:\1pdpv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvpp.exec:\jjvpp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxrrll.exec:\lxxrrll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnhbh.exec:\ttnhbh.exe23⤵
- Executes dropped EXE
-
\??\c:\hthbtn.exec:\hthbtn.exe24⤵
- Executes dropped EXE
-
\??\c:\9ppjv.exec:\9ppjv.exe25⤵
- Executes dropped EXE
-
\??\c:\vdvpd.exec:\vdvpd.exe26⤵
- Executes dropped EXE
-
\??\c:\rflxfxf.exec:\rflxfxf.exe27⤵
- Executes dropped EXE
-
\??\c:\thtbtt.exec:\thtbtt.exe28⤵
- Executes dropped EXE
-
\??\c:\dvvpj.exec:\dvvpj.exe29⤵
- Executes dropped EXE
-
\??\c:\jddvj.exec:\jddvj.exe30⤵
- Executes dropped EXE
-
\??\c:\frxrlff.exec:\frxrlff.exe31⤵
- Executes dropped EXE
-
\??\c:\thhbbt.exec:\thhbbt.exe32⤵
- Executes dropped EXE
-
\??\c:\hbhtbt.exec:\hbhtbt.exe33⤵
- Executes dropped EXE
-
\??\c:\vpdvj.exec:\vpdvj.exe34⤵
- Executes dropped EXE
-
\??\c:\1pjdp.exec:\1pjdp.exe35⤵
- Executes dropped EXE
-
\??\c:\lxlfrrl.exec:\lxlfrrl.exe36⤵
- Executes dropped EXE
-
\??\c:\9ffrlll.exec:\9ffrlll.exe37⤵
- Executes dropped EXE
-
\??\c:\7lffxrl.exec:\7lffxrl.exe38⤵
- Executes dropped EXE
-
\??\c:\7bbttn.exec:\7bbttn.exe39⤵
- Executes dropped EXE
-
\??\c:\nhtnbb.exec:\nhtnbb.exe40⤵
- Executes dropped EXE
-
\??\c:\pddvp.exec:\pddvp.exe41⤵
- Executes dropped EXE
-
\??\c:\dpvjp.exec:\dpvjp.exe42⤵
- Executes dropped EXE
-
\??\c:\1xlxfxx.exec:\1xlxfxx.exe43⤵
- Executes dropped EXE
-
\??\c:\rrllrrx.exec:\rrllrrx.exe44⤵
- Executes dropped EXE
-
\??\c:\bnnhbb.exec:\bnnhbb.exe45⤵
- Executes dropped EXE
-
\??\c:\5hhbbb.exec:\5hhbbb.exe46⤵
- Executes dropped EXE
-
\??\c:\dpdvp.exec:\dpdvp.exe47⤵
- Executes dropped EXE
-
\??\c:\jpvjp.exec:\jpvjp.exe48⤵
- Executes dropped EXE
-
\??\c:\xrrlfxx.exec:\xrrlfxx.exe49⤵
- Executes dropped EXE
-
\??\c:\9lrlrlr.exec:\9lrlrlr.exe50⤵
- Executes dropped EXE
-
\??\c:\3flxrrf.exec:\3flxrrf.exe51⤵
- Executes dropped EXE
-
\??\c:\thbbtn.exec:\thbbtn.exe52⤵
- Executes dropped EXE
-
\??\c:\btbhnn.exec:\btbhnn.exe53⤵
- Executes dropped EXE
-
\??\c:\vjvvj.exec:\vjvvj.exe54⤵
- Executes dropped EXE
-
\??\c:\jddvv.exec:\jddvv.exe55⤵
- Executes dropped EXE
-
\??\c:\dvjdj.exec:\dvjdj.exe56⤵
- Executes dropped EXE
-
\??\c:\fxxrrrl.exec:\fxxrrrl.exe57⤵
- Executes dropped EXE
-
\??\c:\1rxxxrf.exec:\1rxxxrf.exe58⤵
- Executes dropped EXE
-
\??\c:\hnhbtn.exec:\hnhbtn.exe59⤵
- Executes dropped EXE
-
\??\c:\hbbthh.exec:\hbbthh.exe60⤵
- Executes dropped EXE
-
\??\c:\jvdvj.exec:\jvdvj.exe61⤵
- Executes dropped EXE
-
\??\c:\jjdvj.exec:\jjdvj.exe62⤵
- Executes dropped EXE
-
\??\c:\xrlfxfx.exec:\xrlfxfx.exe63⤵
- Executes dropped EXE
-
\??\c:\9fxrffx.exec:\9fxrffx.exe64⤵
- Executes dropped EXE
-
\??\c:\5rxxrrf.exec:\5rxxrrf.exe65⤵
- Executes dropped EXE
-
\??\c:\nbtnbn.exec:\nbtnbn.exe66⤵
-
\??\c:\bbnhth.exec:\bbnhth.exe67⤵
-
\??\c:\jpvpj.exec:\jpvpj.exe68⤵
-
\??\c:\djpjv.exec:\djpjv.exe69⤵
-
\??\c:\flfxrlf.exec:\flfxrlf.exe70⤵
-
\??\c:\3ttnhn.exec:\3ttnhn.exe71⤵
-
\??\c:\hhbbhh.exec:\hhbbhh.exe72⤵
-
\??\c:\vppvp.exec:\vppvp.exe73⤵
-
\??\c:\vvdjd.exec:\vvdjd.exe74⤵
-
\??\c:\llllfff.exec:\llllfff.exe75⤵
-
\??\c:\fxflfrr.exec:\fxflfrr.exe76⤵
-
\??\c:\lfxxxxr.exec:\lfxxxxr.exe77⤵
-
\??\c:\hnnbbt.exec:\hnnbbt.exe78⤵
-
\??\c:\djvpj.exec:\djvpj.exe79⤵
-
\??\c:\5jddp.exec:\5jddp.exe80⤵
-
\??\c:\rrllffx.exec:\rrllffx.exe81⤵
-
\??\c:\ntbtnn.exec:\ntbtnn.exe82⤵
-
\??\c:\nhttnn.exec:\nhttnn.exe83⤵
-
\??\c:\jdvvv.exec:\jdvvv.exe84⤵
-
\??\c:\vjvpd.exec:\vjvpd.exe85⤵
-
\??\c:\jdddv.exec:\jdddv.exe86⤵
-
\??\c:\xxxrrrr.exec:\xxxrrrr.exe87⤵
-
\??\c:\7xffxxx.exec:\7xffxxx.exe88⤵
-
\??\c:\nbbbtn.exec:\nbbbtn.exe89⤵
-
\??\c:\hhhhhn.exec:\hhhhhn.exe90⤵
-
\??\c:\dpvjd.exec:\dpvjd.exe91⤵
-
\??\c:\fffxrll.exec:\fffxrll.exe92⤵
-
\??\c:\7llllll.exec:\7llllll.exe93⤵
-
\??\c:\nbhhbb.exec:\nbhhbb.exe94⤵
-
\??\c:\tntnnn.exec:\tntnnn.exe95⤵
-
\??\c:\dpvpj.exec:\dpvpj.exe96⤵
-
\??\c:\vdpjd.exec:\vdpjd.exe97⤵
-
\??\c:\ffffrrr.exec:\ffffrrr.exe98⤵
-
\??\c:\9xxxxxx.exec:\9xxxxxx.exe99⤵
-
\??\c:\fxxxxxf.exec:\fxxxxxf.exe100⤵
-
\??\c:\hhntbb.exec:\hhntbb.exe101⤵
-
\??\c:\3ttttt.exec:\3ttttt.exe102⤵
-
\??\c:\pjvpp.exec:\pjvpp.exe103⤵
-
\??\c:\pjjjd.exec:\pjjjd.exe104⤵
-
\??\c:\rlxxllr.exec:\rlxxllr.exe105⤵
-
\??\c:\1xfrlxr.exec:\1xfrlxr.exe106⤵
-
\??\c:\btnnhh.exec:\btnnhh.exe107⤵
-
\??\c:\nnbbnn.exec:\nnbbnn.exe108⤵
-
\??\c:\1vdvj.exec:\1vdvj.exe109⤵
-
\??\c:\dvpjd.exec:\dvpjd.exe110⤵
-
\??\c:\rfffxxr.exec:\rfffxxr.exe111⤵
-
\??\c:\3xfxrxr.exec:\3xfxrxr.exe112⤵
-
\??\c:\bttttt.exec:\bttttt.exe113⤵
-
\??\c:\tnnbtn.exec:\tnnbtn.exe114⤵
-
\??\c:\vjppj.exec:\vjppj.exe115⤵
-
\??\c:\dvdvd.exec:\dvdvd.exe116⤵
-
\??\c:\xfffxxx.exec:\xfffxxx.exe117⤵
-
\??\c:\xxrrlll.exec:\xxrrlll.exe118⤵
-
\??\c:\bttttt.exec:\bttttt.exe119⤵
-
\??\c:\9tnnhh.exec:\9tnnhh.exe120⤵
-
\??\c:\jddvp.exec:\jddvp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-