Analysis
-
max time kernel
150s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
-
submitted
09-07-2024 07:39
General
-
Target
f685f662584f6fac10287c9f3b09c682878f3de6c1a6daa0c9fa1f175ff1ad9c.exe
-
Size
402KB
-
MD5
c1a1293a263eb2f969c195df613a3d19
-
SHA1
0528035e8ae10f6e30716f27d27659a27e1ff4f0
-
SHA256
f685f662584f6fac10287c9f3b09c682878f3de6c1a6daa0c9fa1f175ff1ad9c
-
SHA512
35d9e5c4cc02734c62bea0f44608a571ae367336c8dc58e5f4b7b85a3bc28235d4cf88cd21bd840663fd8ac1bab52aceb2da8ae7c4193ede9733af4e0be99425
-
SSDEEP
3072:ymb3NkkiQ3mdBjFIi/0RU6QeYQsm71vPmX5kr+uIBpkJITEEuR9XTVyXmmBv:n3C9BRIG0asYFm71mJkr+uIBe1T8X9
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 28 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f685f662584f6fac10287c9f3b09c682878f3de6c1a6daa0c9fa1f175ff1ad9c.exe"C:\Users\Admin\AppData\Local\Temp\f685f662584f6fac10287c9f3b09c682878f3de6c1a6daa0c9fa1f175ff1ad9c.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\flffxrl.exec:\flffxrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhhbnt.exec:\bhhbnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlrflxx.exec:\xlrflxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tthnbh.exec:\tthnbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrxrfx.exec:\rlrxrfx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvdpp.exec:\jvdpp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxxlxf.exec:\rfxxlxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhhnn.exec:\nbhhnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvppd.exec:\vvppd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjpj.exec:\jjjpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jppdj.exec:\jppdj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxlxrxr.exec:\lxlxrxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrfxrlf.exec:\rrfxrlf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnthhn.exec:\bnthhn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpvvv.exec:\dpvvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnnnn.exec:\btnnnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvdjv.exec:\dvdjv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxfrlff.exec:\lxfrlff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjdv.exec:\ddjdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frllfxx.exec:\frllfxx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thttbb.exec:\thttbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjjj.exec:\ddjjj.exe23⤵
- Executes dropped EXE
-
\??\c:\vpjdd.exec:\vpjdd.exe24⤵
- Executes dropped EXE
-
\??\c:\rrlllll.exec:\rrlllll.exe25⤵
- Executes dropped EXE
-
\??\c:\bhhhbt.exec:\bhhhbt.exe26⤵
- Executes dropped EXE
-
\??\c:\hntthb.exec:\hntthb.exe27⤵
- Executes dropped EXE
-
\??\c:\vdvpp.exec:\vdvpp.exe28⤵
- Executes dropped EXE
-
\??\c:\ppddv.exec:\ppddv.exe29⤵
- Executes dropped EXE
-
\??\c:\pdvvv.exec:\pdvvv.exe30⤵
- Executes dropped EXE
-
\??\c:\hnnnnn.exec:\hnnnnn.exe31⤵
- Executes dropped EXE
-
\??\c:\xlxxrrl.exec:\xlxxrrl.exe32⤵
- Executes dropped EXE
-
\??\c:\pddvv.exec:\pddvv.exe33⤵
- Executes dropped EXE
-
\??\c:\flfffxx.exec:\flfffxx.exe34⤵
- Executes dropped EXE
-
\??\c:\ppppp.exec:\ppppp.exe35⤵
- Executes dropped EXE
-
\??\c:\rxlrllx.exec:\rxlrllx.exe36⤵
- Executes dropped EXE
-
\??\c:\dpjjd.exec:\dpjjd.exe37⤵
- Executes dropped EXE
-
\??\c:\5flfxxx.exec:\5flfxxx.exe38⤵
- Executes dropped EXE
-
\??\c:\rrxrxxl.exec:\rrxrxxl.exe39⤵
- Executes dropped EXE
-
\??\c:\hntnnn.exec:\hntnnn.exe40⤵
- Executes dropped EXE
-
\??\c:\dddpj.exec:\dddpj.exe41⤵
- Executes dropped EXE
-
\??\c:\rxlllrr.exec:\rxlllrr.exe42⤵
- Executes dropped EXE
-
\??\c:\hbthnn.exec:\hbthnn.exe43⤵
- Executes dropped EXE
-
\??\c:\pjpvp.exec:\pjpvp.exe44⤵
- Executes dropped EXE
-
\??\c:\lfllffl.exec:\lfllffl.exe45⤵
- Executes dropped EXE
-
\??\c:\vvpjd.exec:\vvpjd.exe46⤵
- Executes dropped EXE
-
\??\c:\jvddv.exec:\jvddv.exe47⤵
- Executes dropped EXE
-
\??\c:\lxlfllf.exec:\lxlfllf.exe48⤵
- Executes dropped EXE
-
\??\c:\bbhhbt.exec:\bbhhbt.exe49⤵
- Executes dropped EXE
-
\??\c:\1jvpd.exec:\1jvpd.exe50⤵
- Executes dropped EXE
-
\??\c:\5fllffx.exec:\5fllffx.exe51⤵
- Executes dropped EXE
-
\??\c:\7htnhn.exec:\7htnhn.exe52⤵
- Executes dropped EXE
-
\??\c:\hntbbt.exec:\hntbbt.exe53⤵
- Executes dropped EXE
-
\??\c:\vpdjp.exec:\vpdjp.exe54⤵
- Executes dropped EXE
-
\??\c:\xffxxxx.exec:\xffxxxx.exe55⤵
- Executes dropped EXE
-
\??\c:\nbtttt.exec:\nbtttt.exe56⤵
- Executes dropped EXE
-
\??\c:\3ppvv.exec:\3ppvv.exe57⤵
- Executes dropped EXE
-
\??\c:\llffxfx.exec:\llffxfx.exe58⤵
- Executes dropped EXE
-
\??\c:\hbhhnb.exec:\hbhhnb.exe59⤵
- Executes dropped EXE
-
\??\c:\jddvd.exec:\jddvd.exe60⤵
- Executes dropped EXE
-
\??\c:\xxrlfrl.exec:\xxrlfrl.exe61⤵
- Executes dropped EXE
-
\??\c:\3nbntn.exec:\3nbntn.exe62⤵
- Executes dropped EXE
-
\??\c:\dvvvv.exec:\dvvvv.exe63⤵
- Executes dropped EXE
-
\??\c:\bhnhbn.exec:\bhnhbn.exe64⤵
- Executes dropped EXE
-
\??\c:\tthbhn.exec:\tthbhn.exe65⤵
- Executes dropped EXE
-
\??\c:\rrrrfxr.exec:\rrrrfxr.exe66⤵
-
\??\c:\pvdpd.exec:\pvdpd.exe67⤵
-
\??\c:\dvvvd.exec:\dvvvd.exe68⤵
-
\??\c:\xxxrllf.exec:\xxxrllf.exe69⤵
-
\??\c:\bhttbb.exec:\bhttbb.exe70⤵
-
\??\c:\ffrlxrf.exec:\ffrlxrf.exe71⤵
-
\??\c:\hthbtb.exec:\hthbtb.exe72⤵
-
\??\c:\jdddd.exec:\jdddd.exe73⤵
-
\??\c:\xrlxrlf.exec:\xrlxrlf.exe74⤵
-
\??\c:\nnbthh.exec:\nnbthh.exe75⤵
-
\??\c:\jpvpp.exec:\jpvpp.exe76⤵
-
\??\c:\xxfxxxx.exec:\xxfxxxx.exe77⤵
-
\??\c:\hnnnhn.exec:\hnnnhn.exe78⤵
-
\??\c:\vjdvd.exec:\vjdvd.exe79⤵
-
\??\c:\xrrxffx.exec:\xrrxffx.exe80⤵
-
\??\c:\hbnttn.exec:\hbnttn.exe81⤵
-
\??\c:\3jjpj.exec:\3jjpj.exe82⤵
-
\??\c:\frxxxxf.exec:\frxxxxf.exe83⤵
-
\??\c:\bntnnh.exec:\bntnnh.exe84⤵
-
\??\c:\hnbtbh.exec:\hnbtbh.exe85⤵
-
\??\c:\vvddd.exec:\vvddd.exe86⤵
-
\??\c:\xlfxlff.exec:\xlfxlff.exe87⤵
-
\??\c:\tthttt.exec:\tthttt.exe88⤵
-
\??\c:\vpvvv.exec:\vpvvv.exe89⤵
-
\??\c:\rxrxxxf.exec:\rxrxxxf.exe90⤵
-
\??\c:\bbhtnn.exec:\bbhtnn.exe91⤵
-
\??\c:\djvpv.exec:\djvpv.exe92⤵
-
\??\c:\xrrrllf.exec:\xrrrllf.exe93⤵
-
\??\c:\tttttt.exec:\tttttt.exe94⤵
-
\??\c:\jdjdd.exec:\jdjdd.exe95⤵
-
\??\c:\xffflll.exec:\xffflll.exe96⤵
-
\??\c:\btbttn.exec:\btbttn.exe97⤵
-
\??\c:\dpppj.exec:\dpppj.exe98⤵
-
\??\c:\lxlfrrl.exec:\lxlfrrl.exe99⤵
-
\??\c:\thbhtb.exec:\thbhtb.exe100⤵
-
\??\c:\xlfxflr.exec:\xlfxflr.exe101⤵
-
\??\c:\llrfrxf.exec:\llrfrxf.exe102⤵
-
\??\c:\hhbtbn.exec:\hhbtbn.exe103⤵
-
\??\c:\9jdpp.exec:\9jdpp.exe104⤵
-
\??\c:\rxxrrxr.exec:\rxxrrxr.exe105⤵
-
\??\c:\hntttt.exec:\hntttt.exe106⤵
-
\??\c:\vpppp.exec:\vpppp.exe107⤵
-
\??\c:\rfrlxrf.exec:\rfrlxrf.exe108⤵
-
\??\c:\hhtntt.exec:\hhtntt.exe109⤵
-
\??\c:\vpvvp.exec:\vpvvp.exe110⤵
-
\??\c:\bnhnhb.exec:\bnhnhb.exe111⤵
-
\??\c:\jjdvp.exec:\jjdvp.exe112⤵
-
\??\c:\jvvjp.exec:\jvvjp.exe113⤵
-
\??\c:\rlfrxfr.exec:\rlfrxfr.exe114⤵
-
\??\c:\hhthtn.exec:\hhthtn.exe115⤵
-
\??\c:\jjjpd.exec:\jjjpd.exe116⤵
-
\??\c:\xlxffxr.exec:\xlxffxr.exe117⤵
-
\??\c:\hbtbhh.exec:\hbtbhh.exe118⤵
-
\??\c:\1pjvj.exec:\1pjvj.exe119⤵
-
\??\c:\xfrflrr.exec:\xfrflrr.exe120⤵
-
\??\c:\3bhtbn.exec:\3bhtbn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-