Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
22/07/2024, 22:55
General
-
Target
72e60c10220d3647422ce82d911913b4947894c017e4d4c10a66294fc41dda17.exe
-
Size
417KB
-
MD5
a5895bb9b19158aaa414fc12c7576f5c
-
SHA1
4bbf4aba14ea02c1bf4fe04ab97c0facefcd1924
-
SHA256
72e60c10220d3647422ce82d911913b4947894c017e4d4c10a66294fc41dda17
-
SHA512
61762519aa458bf8ecc8664491d0ed2fb76c356781c8e908a03cf2dcdf225d3201d18515add4aab3e3a385f9d802d6956ea6c391c615fee58e6f039320fab374
-
SSDEEP
12288:n3C9ytvngQj4DtvnV9wLn9UTfC8eieJNBNIsYPj:SgdnJUdnV9D
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 21 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2952451617\zmstage.exeC:\Users\Admin\AppData\Local\Temp\2952451617\zmstage.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\72e60c10220d3647422ce82d911913b4947894c017e4d4c10a66294fc41dda17.exe"C:\Users\Admin\AppData\Local\Temp\72e60c10220d3647422ce82d911913b4947894c017e4d4c10a66294fc41dda17.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\1vpvj.exec:\1vpvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbntnh.exec:\bbntnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdpvd.exec:\vdpvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbnnnt.exec:\tbnnnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7pdjj.exec:\7pdjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbhnh.exec:\tnbhnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpvd.exec:\dvpvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrlxxrr.exec:\xrlxxrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1bbbnn.exec:\1bbbnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvjv.exec:\jjvjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrlllrx.exec:\xrlllrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1bthtt.exec:\1bthtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjjp.exec:\dvjjp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxxrlxx.exec:\rxxrlxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntnbbt.exec:\ntnbbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddpdp.exec:\ddpdp.exe17⤵
- Executes dropped EXE
-
\??\c:\5frxrxx.exec:\5frxrxx.exe18⤵
- Executes dropped EXE
-
\??\c:\bbbttb.exec:\bbbttb.exe19⤵
- Executes dropped EXE
-
\??\c:\pvpjd.exec:\pvpjd.exe20⤵
- Executes dropped EXE
-
\??\c:\5fxrlxl.exec:\5fxrlxl.exe21⤵
- Executes dropped EXE
-
\??\c:\htbnhn.exec:\htbnhn.exe22⤵
- Executes dropped EXE
-
\??\c:\dpdpd.exec:\dpdpd.exe23⤵
- Executes dropped EXE
-
\??\c:\lrlfxll.exec:\lrlfxll.exe24⤵
- Executes dropped EXE
-
\??\c:\bhnhhh.exec:\bhnhhh.exe25⤵
- Executes dropped EXE
-
\??\c:\jdpjd.exec:\jdpjd.exe26⤵
- Executes dropped EXE
-
\??\c:\ddppd.exec:\ddppd.exe27⤵
- Executes dropped EXE
-
\??\c:\xrfxfxf.exec:\xrfxfxf.exe28⤵
- Executes dropped EXE
-
\??\c:\9vvjj.exec:\9vvjj.exe29⤵
- Executes dropped EXE
-
\??\c:\rrlxrfl.exec:\rrlxrfl.exe30⤵
- Executes dropped EXE
-
\??\c:\1tbhnh.exec:\1tbhnh.exe31⤵
- Executes dropped EXE
-
\??\c:\dvpdd.exec:\dvpdd.exe32⤵
- Executes dropped EXE
-
\??\c:\fxfflxf.exec:\fxfflxf.exe33⤵
-
\??\c:\nhthbb.exec:\nhthbb.exe34⤵
- Executes dropped EXE
-
\??\c:\xlrfllr.exec:\xlrfllr.exe35⤵
- Executes dropped EXE
-
\??\c:\ffxrflf.exec:\ffxrflf.exe36⤵
- Executes dropped EXE
-
\??\c:\hbthnt.exec:\hbthnt.exe37⤵
- Executes dropped EXE
-
\??\c:\jvvvv.exec:\jvvvv.exe38⤵
- Executes dropped EXE
-
\??\c:\lrffxxr.exec:\lrffxxr.exe39⤵
- Executes dropped EXE
-
\??\c:\lfxlxfr.exec:\lfxlxfr.exe40⤵
- Executes dropped EXE
-
\??\c:\1btbhh.exec:\1btbhh.exe41⤵
- Executes dropped EXE
-
\??\c:\5bnbbh.exec:\5bnbbh.exe42⤵
- Executes dropped EXE
-
\??\c:\5dvjv.exec:\5dvjv.exe43⤵
- Executes dropped EXE
-
\??\c:\lrflrlr.exec:\lrflrlr.exe44⤵
- Executes dropped EXE
-
\??\c:\xxlxxll.exec:\xxlxxll.exe45⤵
- Executes dropped EXE
-
\??\c:\nhbhbh.exec:\nhbhbh.exe46⤵
- Executes dropped EXE
-
\??\c:\btnhnt.exec:\btnhnt.exe47⤵
- Executes dropped EXE
-
\??\c:\3vpvd.exec:\3vpvd.exe48⤵
- Executes dropped EXE
-
\??\c:\dddjp.exec:\dddjp.exe49⤵
- Executes dropped EXE
-
\??\c:\fllxlxr.exec:\fllxlxr.exe50⤵
- Executes dropped EXE
-
\??\c:\bbbhth.exec:\bbbhth.exe51⤵
- Executes dropped EXE
-
\??\c:\ttnhbh.exec:\ttnhbh.exe52⤵
- Executes dropped EXE
-
\??\c:\vvpjp.exec:\vvpjp.exe53⤵
- Executes dropped EXE
-
\??\c:\5jjpd.exec:\5jjpd.exe54⤵
- Executes dropped EXE
-
\??\c:\llrxxlf.exec:\llrxxlf.exe55⤵
- Executes dropped EXE
-
\??\c:\1llrflf.exec:\1llrflf.exe56⤵
- Executes dropped EXE
-
\??\c:\nhhnbh.exec:\nhhnbh.exe57⤵
- Executes dropped EXE
-
\??\c:\jpjdj.exec:\jpjdj.exe58⤵
- Executes dropped EXE
-
\??\c:\pvjjv.exec:\pvjjv.exe59⤵
- Executes dropped EXE
-
\??\c:\lrxxrrl.exec:\lrxxrrl.exe60⤵
- Executes dropped EXE
-
\??\c:\xrrfrfr.exec:\xrrfrfr.exe61⤵
- Executes dropped EXE
-
\??\c:\bnhhhh.exec:\bnhhhh.exe62⤵
- Executes dropped EXE
-
\??\c:\9bbnbn.exec:\9bbnbn.exe63⤵
- Executes dropped EXE
-
\??\c:\dpdjd.exec:\dpdjd.exe64⤵
- Executes dropped EXE
-
\??\c:\5jjvd.exec:\5jjvd.exe65⤵
- Executes dropped EXE
-
\??\c:\fllrxfl.exec:\fllrxfl.exe66⤵
- Executes dropped EXE
-
\??\c:\rxfrxll.exec:\rxfrxll.exe67⤵
-
\??\c:\tnnbtn.exec:\tnnbtn.exe68⤵
-
\??\c:\djpvj.exec:\djpvj.exe69⤵
-
\??\c:\3ppdj.exec:\3ppdj.exe70⤵
-
\??\c:\rlxlrxr.exec:\rlxlrxr.exe71⤵
-
\??\c:\xxfxxxx.exec:\xxfxxxx.exe72⤵
-
\??\c:\7tntth.exec:\7tntth.exe73⤵
-
\??\c:\thhbht.exec:\thhbht.exe74⤵
-
\??\c:\pjpdp.exec:\pjpdp.exe75⤵
-
\??\c:\rflrlfr.exec:\rflrlfr.exe76⤵
-
\??\c:\tnthtb.exec:\tnthtb.exe77⤵
-
\??\c:\bttbtt.exec:\bttbtt.exe78⤵
-
\??\c:\jpddd.exec:\jpddd.exe79⤵
-
\??\c:\vdpvj.exec:\vdpvj.exe80⤵
-
\??\c:\lrlffrl.exec:\lrlffrl.exe81⤵
-
\??\c:\hthntb.exec:\hthntb.exe82⤵
-
\??\c:\nttbtb.exec:\nttbtb.exe83⤵
-
\??\c:\jdjpj.exec:\jdjpj.exe84⤵
-
\??\c:\rrffllr.exec:\rrffllr.exe85⤵
-
\??\c:\xrfxxrr.exec:\xrfxxrr.exe86⤵
-
\??\c:\bhbtth.exec:\bhbtth.exe87⤵
-
\??\c:\ppddj.exec:\ppddj.exe88⤵
-
\??\c:\fflfxxl.exec:\fflfxxl.exe89⤵
-
\??\c:\lfrrfrf.exec:\lfrrfrf.exe90⤵
-
\??\c:\tnnntt.exec:\tnnntt.exe91⤵
-
\??\c:\vvddj.exec:\vvddj.exe92⤵
-
\??\c:\7lflxxl.exec:\7lflxxl.exe93⤵
-
\??\c:\5hbnnt.exec:\5hbnnt.exe94⤵
-
\??\c:\pvppd.exec:\pvppd.exe95⤵
-
\??\c:\3xxffrx.exec:\3xxffrx.exe96⤵
-
\??\c:\1nbtnn.exec:\1nbtnn.exe97⤵
-
\??\c:\vvjdj.exec:\vvjdj.exe98⤵
-
\??\c:\lxfxxrx.exec:\lxfxxrx.exe99⤵
-
\??\c:\tnhnbh.exec:\tnhnbh.exe100⤵
-
\??\c:\1vppp.exec:\1vppp.exe101⤵
-
\??\c:\jdppp.exec:\jdppp.exe102⤵
-
\??\c:\frllrrf.exec:\frllrrf.exe103⤵
-
\??\c:\thntbb.exec:\thntbb.exe104⤵
-
\??\c:\ddvpd.exec:\ddvpd.exe105⤵
-
\??\c:\lllfrfx.exec:\lllfrfx.exe106⤵
-
\??\c:\3xrflrf.exec:\3xrflrf.exe107⤵
-
\??\c:\tbbnbn.exec:\tbbnbn.exe108⤵
-
\??\c:\7pjdp.exec:\7pjdp.exe109⤵
-
\??\c:\9xrfrxl.exec:\9xrfrxl.exe110⤵
-
\??\c:\bnhhth.exec:\bnhhth.exe111⤵
-
\??\c:\ppjvd.exec:\ppjvd.exe112⤵
-
\??\c:\1pjdp.exec:\1pjdp.exe113⤵
-
\??\c:\rlxfflx.exec:\rlxfflx.exe114⤵
-
\??\c:\nhtthb.exec:\nhtthb.exe115⤵
-
\??\c:\djdvd.exec:\djdvd.exe116⤵
-
\??\c:\pvpdp.exec:\pvpdp.exe117⤵
-
\??\c:\xflfxxr.exec:\xflfxxr.exe118⤵
-
\??\c:\bhbhnt.exec:\bhbhnt.exe119⤵
-
\??\c:\rffxlrf.exec:\rffxlrf.exe120⤵
-
\??\c:\xxrfxfx.exec:\xxrfxfx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-