Analysis
-
max time kernel
120s -
max time network
115s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
21/07/2024, 16:59
General
-
Target
ef0e83b9f1a08caa96b86bb1533f7520N.exe
-
Size
89KB
-
MD5
ef0e83b9f1a08caa96b86bb1533f7520
-
SHA1
6ec87152e18a015335f72296751b9e682ee080e5
-
SHA256
97440b385a89b6fcc1ede473978fa40bf72cd0eb6c5b455ee4ea20a00e4a4eab
-
SHA512
4a2811fdf19e5b8f253ad7577523ca8a40fdd272c7f253c18f4f8687e5551a6f32f33c18a0c3655bfc5af907378ef5815f27d1f62b4eeba8f792f4c9dfa48638
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND+3T4+C2wV3jaCJ5jH3ebSt:ymb3NkkiQ3mdBjF+3TU2K3bJZXjt
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef0e83b9f1a08caa96b86bb1533f7520N.exe"C:\Users\Admin\AppData\Local\Temp\ef0e83b9f1a08caa96b86bb1533f7520N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxxxfl.exec:\rfxxxfl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhttbb.exec:\nhttbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvdvj.exec:\dvdvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrfxrxr.exec:\xrfxrxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1hbtnh.exec:\1hbtnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjppv.exec:\vjppv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrfrxr.exec:\lfrfrxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thtnth.exec:\thtnth.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdppd.exec:\jdppd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrxxrrr.exec:\lrxxrrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3hbbhn.exec:\3hbbhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9dddj.exec:\9dddj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjddv.exec:\jjddv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffrrrrr.exec:\ffrrrrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhnnt.exec:\nnhnnt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnnhhn.exec:\hnnhhn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpdjp.exec:\jpdjp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrllrxl.exec:\lrllrxl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvpj.exec:\pdvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llfllll.exec:\llfllll.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbbbbt.exec:\bbbbbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1pvdd.exec:\1pvdd.exe23⤵
- Executes dropped EXE
-
\??\c:\vdpjp.exec:\vdpjp.exe24⤵
- Executes dropped EXE
-
\??\c:\xffxrrl.exec:\xffxrrl.exe25⤵
- Executes dropped EXE
-
\??\c:\thtnhb.exec:\thtnhb.exe26⤵
- Executes dropped EXE
-
\??\c:\pvdjj.exec:\pvdjj.exe27⤵
- Executes dropped EXE
-
\??\c:\fxxxrrf.exec:\fxxxrrf.exe28⤵
- Executes dropped EXE
-
\??\c:\rlxxffr.exec:\rlxxffr.exe29⤵
- Executes dropped EXE
-
\??\c:\thnnnh.exec:\thnnnh.exe30⤵
- Executes dropped EXE
-
\??\c:\bbtttb.exec:\bbtttb.exe31⤵
- Executes dropped EXE
-
\??\c:\1vvdj.exec:\1vvdj.exe32⤵
- Executes dropped EXE
-
\??\c:\nttnhb.exec:\nttnhb.exe33⤵
- Executes dropped EXE
-
\??\c:\pjpjd.exec:\pjpjd.exe34⤵
- Executes dropped EXE
-
\??\c:\pjjpp.exec:\pjjpp.exe35⤵
- Executes dropped EXE
-
\??\c:\rflrllx.exec:\rflrllx.exe36⤵
- Executes dropped EXE
-
\??\c:\lrflxxr.exec:\lrflxxr.exe37⤵
- Executes dropped EXE
-
\??\c:\bbttnt.exec:\bbttnt.exe38⤵
- Executes dropped EXE
-
\??\c:\pvdpd.exec:\pvdpd.exe39⤵
- Executes dropped EXE
-
\??\c:\frrfxlf.exec:\frrfxlf.exe40⤵
- Executes dropped EXE
-
\??\c:\rxlllrf.exec:\rxlllrf.exe41⤵
- Executes dropped EXE
-
\??\c:\bnhbbb.exec:\bnhbbb.exe42⤵
- Executes dropped EXE
-
\??\c:\dpjdd.exec:\dpjdd.exe43⤵
- Executes dropped EXE
-
\??\c:\xfffxxl.exec:\xfffxxl.exe44⤵
- Executes dropped EXE
-
\??\c:\tbbtnn.exec:\tbbtnn.exe45⤵
- Executes dropped EXE
-
\??\c:\pvppv.exec:\pvppv.exe46⤵
- Executes dropped EXE
-
\??\c:\pjdvv.exec:\pjdvv.exe47⤵
- Executes dropped EXE
-
\??\c:\lllfxxx.exec:\lllfxxx.exe48⤵
- Executes dropped EXE
-
\??\c:\fxlffff.exec:\fxlffff.exe49⤵
- Executes dropped EXE
-
\??\c:\tntbbb.exec:\tntbbb.exe50⤵
- Executes dropped EXE
-
\??\c:\hnhhhh.exec:\hnhhhh.exe51⤵
- Executes dropped EXE
-
\??\c:\vdvvj.exec:\vdvvj.exe52⤵
- Executes dropped EXE
-
\??\c:\xxffffl.exec:\xxffffl.exe53⤵
- Executes dropped EXE
-
\??\c:\xrlrxll.exec:\xrlrxll.exe54⤵
- Executes dropped EXE
-
\??\c:\hhhhhn.exec:\hhhhhn.exe55⤵
- Executes dropped EXE
-
\??\c:\dvddj.exec:\dvddj.exe56⤵
- Executes dropped EXE
-
\??\c:\1xlxxff.exec:\1xlxxff.exe57⤵
- Executes dropped EXE
-
\??\c:\htbbbt.exec:\htbbbt.exe58⤵
- Executes dropped EXE
-
\??\c:\vvvvv.exec:\vvvvv.exe59⤵
- Executes dropped EXE
-
\??\c:\vjdvv.exec:\vjdvv.exe60⤵
- Executes dropped EXE
-
\??\c:\rxrrlrx.exec:\rxrrlrx.exe61⤵
- Executes dropped EXE
-
\??\c:\bntbbb.exec:\bntbbb.exe62⤵
- Executes dropped EXE
-
\??\c:\bhhbbb.exec:\bhhbbb.exe63⤵
- Executes dropped EXE
-
\??\c:\ppjjd.exec:\ppjjd.exe64⤵
- Executes dropped EXE
-
\??\c:\jjvpp.exec:\jjvpp.exe65⤵
- Executes dropped EXE
-
\??\c:\lxxflxf.exec:\lxxflxf.exe66⤵
-
\??\c:\fxlllrx.exec:\fxlllrx.exe67⤵
-
\??\c:\thhbbt.exec:\thhbbt.exe68⤵
-
\??\c:\jjdvv.exec:\jjdvv.exe69⤵
-
\??\c:\pdjjv.exec:\pdjjv.exe70⤵
-
\??\c:\ddppp.exec:\ddppp.exe71⤵
-
\??\c:\rxlffxx.exec:\rxlffxx.exe72⤵
-
\??\c:\nhbbbh.exec:\nhbbbh.exe73⤵
-
\??\c:\ddjjv.exec:\ddjjv.exe74⤵
-
\??\c:\lflllrf.exec:\lflllrf.exe75⤵
-
\??\c:\lrrrxff.exec:\lrrrxff.exe76⤵
-
\??\c:\thbhhh.exec:\thbhhh.exe77⤵
-
\??\c:\hbbbnn.exec:\hbbbnn.exe78⤵
-
\??\c:\pjvpp.exec:\pjvpp.exe79⤵
-
\??\c:\jdpvv.exec:\jdpvv.exe80⤵
-
\??\c:\rxrxxll.exec:\rxrxxll.exe81⤵
-
\??\c:\rlfflrr.exec:\rlfflrr.exe82⤵
-
\??\c:\hbbttt.exec:\hbbttt.exe83⤵
-
\??\c:\tbhnht.exec:\tbhnht.exe84⤵
-
\??\c:\vjppj.exec:\vjppj.exe85⤵
-
\??\c:\lrllrrf.exec:\lrllrrf.exe86⤵
-
\??\c:\rfrrxfl.exec:\rfrrxfl.exe87⤵
-
\??\c:\3tbbhn.exec:\3tbbhn.exe88⤵
-
\??\c:\tbbbtt.exec:\tbbbtt.exe89⤵
-
\??\c:\jjdvv.exec:\jjdvv.exe90⤵
-
\??\c:\7pddv.exec:\7pddv.exe91⤵
-
\??\c:\lxrfxxr.exec:\lxrfxxr.exe92⤵
-
\??\c:\bhbbnt.exec:\bhbbnt.exe93⤵
-
\??\c:\jpvpj.exec:\jpvpj.exe94⤵
-
\??\c:\pvvdp.exec:\pvvdp.exe95⤵
-
\??\c:\llrrrxx.exec:\llrrrxx.exe96⤵
-
\??\c:\tnbntb.exec:\tnbntb.exe97⤵
-
\??\c:\tbhhhn.exec:\tbhhhn.exe98⤵
-
\??\c:\vjpvj.exec:\vjpvj.exe99⤵
-
\??\c:\jvpvp.exec:\jvpvp.exe100⤵
-
\??\c:\9xfffll.exec:\9xfffll.exe101⤵
-
\??\c:\tbtttt.exec:\tbtttt.exe102⤵
-
\??\c:\dvpjp.exec:\dvpjp.exe103⤵
-
\??\c:\ppvvv.exec:\ppvvv.exe104⤵
-
\??\c:\fxlrrxl.exec:\fxlrrxl.exe105⤵
-
\??\c:\btbbbh.exec:\btbbbh.exe106⤵
-
\??\c:\htbhbb.exec:\htbhbb.exe107⤵
-
\??\c:\vvjjj.exec:\vvjjj.exe108⤵
-
\??\c:\xllxrlf.exec:\xllxrlf.exe109⤵
-
\??\c:\lflxrxr.exec:\lflxrxr.exe110⤵
-
\??\c:\ntbbbb.exec:\ntbbbb.exe111⤵
-
\??\c:\ntbhbh.exec:\ntbhbh.exe112⤵
-
\??\c:\djpjp.exec:\djpjp.exe113⤵
-
\??\c:\ddvvv.exec:\ddvvv.exe114⤵
-
\??\c:\llxfxff.exec:\llxfxff.exe115⤵
-
\??\c:\htnhbb.exec:\htnhbb.exe116⤵
-
\??\c:\ttbbbb.exec:\ttbbbb.exe117⤵
-
\??\c:\jddpp.exec:\jddpp.exe118⤵
-
\??\c:\rffxxxr.exec:\rffxxxr.exe119⤵
-
\??\c:\tbttnt.exec:\tbttnt.exe120⤵
-
\??\c:\hntbtb.exec:\hntbtb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-