Analysis
-
max time kernel
150s -
max time network
54s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
30-06-2024 20:50
General
-
Target
406aa985efb3a630109d6274a4f64f957988ad874e2d816af0405e31a05c27af.exe
-
Size
158KB
-
MD5
fe4afb4103b3bcb481ada6ea0ce5bd08
-
SHA1
028e2d6929de4db61b7cf3b66eac283e23b76c94
-
SHA256
406aa985efb3a630109d6274a4f64f957988ad874e2d816af0405e31a05c27af
-
SHA512
492e98be0c46f52e0977c31e7fd191cf63ef05f201ef0abcc9f187f4ef977e9a66f1abcda333478c8826b9768a306f8fbd73ca014c021ceeeee147d6ce946056
-
SSDEEP
3072:khOmTsF93UYfwC6GIoutpYcvrqrE66kropO6BWlPFH4oGPwJwJE21rn:kcm4FmowdHoSphraHcpOFltH4oGPjJEY
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 64 IoCs
-
UPX dump on OEP (original entry point) 64 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\406aa985efb3a630109d6274a4f64f957988ad874e2d816af0405e31a05c27af.exe"C:\Users\Admin\AppData\Local\Temp\406aa985efb3a630109d6274a4f64f957988ad874e2d816af0405e31a05c27af.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\xflrxxf.exec:\xflrxxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3ntttb.exec:\3ntttb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbhnn.exec:\htbhnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjjp.exec:\dvjjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrxfxfl.exec:\lrxfxfl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrrrlrr.exec:\rrrrlrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnttbb.exec:\tnttbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhhhn.exec:\hbhhhn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjjp.exec:\ddjjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llrrrff.exec:\llrrrff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnnnn.exec:\tnnnnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\httbbb.exec:\httbbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjjj.exec:\ddjjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvddj.exec:\vvddj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrxffrx.exec:\rrxffrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnttbt.exec:\hnttbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvjjj.exec:\vvjjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fflfrll.exec:\fflfrll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrrrlll.exec:\rrrrlll.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbbbnn.exec:\hbbbnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbnttt.exec:\bbnttt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjjj.exec:\ddjjj.exe23⤵
- Executes dropped EXE
-
\??\c:\jpddd.exec:\jpddd.exe24⤵
- Executes dropped EXE
-
\??\c:\xfrrrxx.exec:\xfrrrxx.exe25⤵
- Executes dropped EXE
-
\??\c:\nnnnnt.exec:\nnnnnt.exe26⤵
- Executes dropped EXE
-
\??\c:\hhhhhn.exec:\hhhhhn.exe27⤵
- Executes dropped EXE
-
\??\c:\pjjpp.exec:\pjjpp.exe28⤵
- Executes dropped EXE
-
\??\c:\ddjjj.exec:\ddjjj.exe29⤵
- Executes dropped EXE
-
\??\c:\vvvdd.exec:\vvvdd.exe30⤵
- Executes dropped EXE
-
\??\c:\lxxxfff.exec:\lxxxfff.exe31⤵
- Executes dropped EXE
-
\??\c:\bbntbh.exec:\bbntbh.exe32⤵
- Executes dropped EXE
-
\??\c:\ttttnn.exec:\ttttnn.exe33⤵
- Executes dropped EXE
-
\??\c:\dpjjj.exec:\dpjjj.exe34⤵
- Executes dropped EXE
-
\??\c:\ppdjj.exec:\ppdjj.exe35⤵
- Executes dropped EXE
-
\??\c:\lxrrrrr.exec:\lxrrrrr.exe36⤵
- Executes dropped EXE
-
\??\c:\nhnnnt.exec:\nhnnnt.exe37⤵
- Executes dropped EXE
-
\??\c:\ttbbhn.exec:\ttbbhn.exe38⤵
- Executes dropped EXE
-
\??\c:\dpddj.exec:\dpddj.exe39⤵
- Executes dropped EXE
-
\??\c:\vjppp.exec:\vjppp.exe40⤵
- Executes dropped EXE
-
\??\c:\lrxlrxf.exec:\lrxlrxf.exe41⤵
- Executes dropped EXE
-
\??\c:\9lrrlxr.exec:\9lrrlxr.exe42⤵
- Executes dropped EXE
-
\??\c:\nbbhhb.exec:\nbbhhb.exe43⤵
- Executes dropped EXE
-
\??\c:\bthhbh.exec:\bthhbh.exe44⤵
- Executes dropped EXE
-
\??\c:\pjppp.exec:\pjppp.exe45⤵
- Executes dropped EXE
-
\??\c:\5pvvv.exec:\5pvvv.exe46⤵
- Executes dropped EXE
-
\??\c:\xxfffll.exec:\xxfffll.exe47⤵
- Executes dropped EXE
-
\??\c:\frrrrrl.exec:\frrrrrl.exe48⤵
- Executes dropped EXE
-
\??\c:\3bbhhn.exec:\3bbhhn.exe49⤵
- Executes dropped EXE
-
\??\c:\btttnt.exec:\btttnt.exe50⤵
- Executes dropped EXE
-
\??\c:\3tbbtt.exec:\3tbbtt.exe51⤵
- Executes dropped EXE
-
\??\c:\5dppv.exec:\5dppv.exe52⤵
- Executes dropped EXE
-
\??\c:\1pvvv.exec:\1pvvv.exe53⤵
- Executes dropped EXE
-
\??\c:\lllffll.exec:\lllffll.exe54⤵
- Executes dropped EXE
-
\??\c:\lllfllx.exec:\lllfllx.exe55⤵
- Executes dropped EXE
-
\??\c:\3nntbb.exec:\3nntbb.exe56⤵
- Executes dropped EXE
-
\??\c:\nhttnn.exec:\nhttnn.exe57⤵
- Executes dropped EXE
-
\??\c:\dpvvv.exec:\dpvvv.exe58⤵
- Executes dropped EXE
-
\??\c:\vpjpp.exec:\vpjpp.exe59⤵
- Executes dropped EXE
-
\??\c:\xfxxxxr.exec:\xfxxxxr.exe60⤵
- Executes dropped EXE
-
\??\c:\3rxfflf.exec:\3rxfflf.exe61⤵
- Executes dropped EXE
-
\??\c:\btbnnh.exec:\btbnnh.exe62⤵
- Executes dropped EXE
-
\??\c:\bnthbt.exec:\bnthbt.exe63⤵
- Executes dropped EXE
-
\??\c:\5pdvv.exec:\5pdvv.exe64⤵
- Executes dropped EXE
-
\??\c:\vpddd.exec:\vpddd.exe65⤵
- Executes dropped EXE
-
\??\c:\rrllrxr.exec:\rrllrxr.exe66⤵
-
\??\c:\rlxfxxr.exec:\rlxfxxr.exe67⤵
-
\??\c:\llfllll.exec:\llfllll.exe68⤵
-
\??\c:\hhnttt.exec:\hhnttt.exe69⤵
-
\??\c:\9jvvp.exec:\9jvvp.exe70⤵
-
\??\c:\ddjpv.exec:\ddjpv.exe71⤵
-
\??\c:\vpdjj.exec:\vpdjj.exe72⤵
-
\??\c:\rxxflrr.exec:\rxxflrr.exe73⤵
-
\??\c:\lxfllrr.exec:\lxfllrr.exe74⤵
-
\??\c:\tttttb.exec:\tttttb.exe75⤵
-
\??\c:\hbnnnt.exec:\hbnnnt.exe76⤵
-
\??\c:\pjvvd.exec:\pjvvd.exe77⤵
-
\??\c:\pvvjp.exec:\pvvjp.exe78⤵
-
\??\c:\frrrlrr.exec:\frrrlrr.exe79⤵
-
\??\c:\lfrrfff.exec:\lfrrfff.exe80⤵
-
\??\c:\5rrllll.exec:\5rrllll.exe81⤵
-
\??\c:\bbbtbt.exec:\bbbtbt.exe82⤵
-
\??\c:\vvvpp.exec:\vvvpp.exe83⤵
-
\??\c:\pdjpj.exec:\pdjpj.exe84⤵
-
\??\c:\lllrrrr.exec:\lllrrrr.exe85⤵
-
\??\c:\rrffffl.exec:\rrffffl.exe86⤵
-
\??\c:\5hbbnt.exec:\5hbbnt.exe87⤵
-
\??\c:\nthhbb.exec:\nthhbb.exe88⤵
-
\??\c:\ddppv.exec:\ddppv.exe89⤵
-
\??\c:\ppppj.exec:\ppppj.exe90⤵
-
\??\c:\xrffllx.exec:\xrffllx.exe91⤵
-
\??\c:\lxlfffx.exec:\lxlfffx.exe92⤵
-
\??\c:\xrflrxf.exec:\xrflrxf.exe93⤵
-
\??\c:\hhnbtb.exec:\hhnbtb.exe94⤵
-
\??\c:\nthhth.exec:\nthhth.exe95⤵
-
\??\c:\9jppp.exec:\9jppp.exe96⤵
-
\??\c:\ppddd.exec:\ppddd.exe97⤵
-
\??\c:\flxxrxl.exec:\flxxrxl.exe98⤵
-
\??\c:\xrffrxf.exec:\xrffrxf.exe99⤵
-
\??\c:\bbttnn.exec:\bbttnn.exe100⤵
-
\??\c:\bbbbbb.exec:\bbbbbb.exe101⤵
-
\??\c:\vdpjj.exec:\vdpjj.exe102⤵
-
\??\c:\vvddd.exec:\vvddd.exe103⤵
-
\??\c:\ffrflrf.exec:\ffrflrf.exe104⤵
-
\??\c:\3lxfflr.exec:\3lxfflr.exe105⤵
-
\??\c:\bhnttb.exec:\bhnttb.exe106⤵
-
\??\c:\hhnhhn.exec:\hhnhhn.exe107⤵
-
\??\c:\jjppj.exec:\jjppj.exe108⤵
-
\??\c:\jpvdv.exec:\jpvdv.exe109⤵
-
\??\c:\3vvdd.exec:\3vvdd.exe110⤵
-
\??\c:\xxrllrx.exec:\xxrllrx.exe111⤵
-
\??\c:\fxrxxxl.exec:\fxrxxxl.exe112⤵
-
\??\c:\nhbbbb.exec:\nhbbbb.exe113⤵
-
\??\c:\nnnnnb.exec:\nnnnnb.exe114⤵
-
\??\c:\vvjpj.exec:\vvjpj.exe115⤵
-
\??\c:\1dpjj.exec:\1dpjj.exe116⤵
-
\??\c:\dvddd.exec:\dvddd.exe117⤵
-
\??\c:\xxrllxl.exec:\xxrllxl.exe118⤵
-
\??\c:\lfrrxfx.exec:\lfrrxfx.exe119⤵
-
\??\c:\hhbhtb.exec:\hhbhtb.exe120⤵
-
\??\c:\5bbbtb.exec:\5bbbtb.exe121⤵
-
\??\c:\vvdvp.exec:\vvdvp.exe122⤵
-
\??\c:\vpvvv.exec:\vpvvv.exe123⤵
-
\??\c:\jpvvp.exec:\jpvvp.exe124⤵
-
\??\c:\tthbhn.exec:\tthbhn.exe125⤵
-
\??\c:\dpdjp.exec:\dpdjp.exe126⤵
-
\??\c:\ddjvp.exec:\ddjvp.exe127⤵
-
\??\c:\llrrrxx.exec:\llrrrxx.exe128⤵
-
\??\c:\xxxlxlx.exec:\xxxlxlx.exe129⤵
-
\??\c:\ttnthn.exec:\ttnthn.exe130⤵
-
\??\c:\hbbbbh.exec:\hbbbbh.exe131⤵
-
\??\c:\djvjv.exec:\djvjv.exe132⤵
-
\??\c:\vdjjp.exec:\vdjjp.exe133⤵
-
\??\c:\jdvdd.exec:\jdvdd.exe134⤵
-
\??\c:\5lfflrf.exec:\5lfflrf.exe135⤵
-
\??\c:\3lfrxfl.exec:\3lfrxfl.exe136⤵
-
\??\c:\bnbbth.exec:\bnbbth.exe137⤵
-
\??\c:\tnnhbb.exec:\tnnhbb.exe138⤵
-
\??\c:\djpvj.exec:\djpvj.exe139⤵
-
\??\c:\pjppd.exec:\pjppd.exe140⤵
-
\??\c:\lxlxxlf.exec:\lxlxxlf.exe141⤵
-
\??\c:\5xxxxll.exec:\5xxxxll.exe142⤵
-
\??\c:\rlxrrrr.exec:\rlxrrrr.exe143⤵
-
\??\c:\bhhhhh.exec:\bhhhhh.exe144⤵
-
\??\c:\hbnhht.exec:\hbnhht.exe145⤵
-
\??\c:\pjjjj.exec:\pjjjj.exe146⤵
-
\??\c:\dvdvv.exec:\dvdvv.exe147⤵
-
\??\c:\dvjdj.exec:\dvjdj.exe148⤵
-
\??\c:\rxrllll.exec:\rxrllll.exe149⤵
-
\??\c:\frxrrrr.exec:\frxrrrr.exe150⤵
-
\??\c:\btbbbb.exec:\btbbbb.exe151⤵
-
\??\c:\nnnnhn.exec:\nnnnhn.exe152⤵
-
\??\c:\vvppp.exec:\vvppp.exe153⤵
-
\??\c:\vjvdv.exec:\vjvdv.exe154⤵
-
\??\c:\ppddv.exec:\ppddv.exe155⤵
-
\??\c:\9xxlxrf.exec:\9xxlxrf.exe156⤵
-
\??\c:\rrlxlff.exec:\rrlxlff.exe157⤵
-
\??\c:\bbhhtt.exec:\bbhhtt.exe158⤵
-
\??\c:\tnbtth.exec:\tnbtth.exe159⤵
-
\??\c:\pvjdd.exec:\pvjdd.exe160⤵
-
\??\c:\jjjdp.exec:\jjjdp.exe161⤵
-
\??\c:\ffxllff.exec:\ffxllff.exe162⤵
-
\??\c:\5tbttn.exec:\5tbttn.exe163⤵
-
\??\c:\vvjjv.exec:\vvjjv.exe164⤵
-
\??\c:\pjjdd.exec:\pjjdd.exe165⤵
-
\??\c:\llfffll.exec:\llfffll.exe166⤵
-
\??\c:\frxrxlr.exec:\frxrxlr.exe167⤵
-
\??\c:\tbnnnt.exec:\tbnnnt.exe168⤵
-
\??\c:\bntbtn.exec:\bntbtn.exe169⤵
-
\??\c:\ddjjd.exec:\ddjjd.exe170⤵
-
\??\c:\pvddv.exec:\pvddv.exe171⤵
-
\??\c:\lfxxrxx.exec:\lfxxrxx.exe172⤵
-
\??\c:\lflfxxf.exec:\lflfxxf.exe173⤵
-
\??\c:\bhhhtt.exec:\bhhhtt.exe174⤵
-
\??\c:\nhnntn.exec:\nhnntn.exe175⤵
-
\??\c:\dvdjj.exec:\dvdjj.exe176⤵
-
\??\c:\rxxxxxx.exec:\rxxxxxx.exe177⤵
-
\??\c:\nhtnnn.exec:\nhtnnn.exe178⤵
-
\??\c:\5pvpd.exec:\5pvpd.exe179⤵
-
\??\c:\vjppj.exec:\vjppj.exe180⤵
-
\??\c:\frfxfff.exec:\frfxfff.exe181⤵
-
\??\c:\xlffxxr.exec:\xlffxxr.exe182⤵
-
\??\c:\htbnbt.exec:\htbnbt.exe183⤵
-
\??\c:\jppdd.exec:\jppdd.exe184⤵
-
\??\c:\5vppp.exec:\5vppp.exe185⤵
-
\??\c:\rxlfxxr.exec:\rxlfxxr.exe186⤵
-
\??\c:\llrxrfx.exec:\llrxrfx.exe187⤵
-
\??\c:\jdjdp.exec:\jdjdp.exe188⤵
-
\??\c:\5jddj.exec:\5jddj.exe189⤵
-
\??\c:\lrrxrfx.exec:\lrrxrfx.exe190⤵
-
\??\c:\tthnnh.exec:\tthnnh.exe191⤵
-
\??\c:\dvdjd.exec:\dvdjd.exe192⤵
-
\??\c:\rfxlfxf.exec:\rfxlfxf.exe193⤵
-
\??\c:\bnhbnn.exec:\bnhbnn.exe194⤵
-
\??\c:\dvjvp.exec:\dvjvp.exe195⤵
-
\??\c:\vvdvj.exec:\vvdvj.exe196⤵
-
\??\c:\fxxllfx.exec:\fxxllfx.exe197⤵
-
\??\c:\bbnbtn.exec:\bbnbtn.exe198⤵
-
\??\c:\vvjdd.exec:\vvjdd.exe199⤵
-
\??\c:\lrlrrrr.exec:\lrlrrrr.exe200⤵
-
\??\c:\dpjdd.exec:\dpjdd.exe201⤵
-
\??\c:\djjvp.exec:\djjvp.exe202⤵
-
\??\c:\llfxxlf.exec:\llfxxlf.exe203⤵
-
\??\c:\hbhnnn.exec:\hbhnnn.exe204⤵
-
\??\c:\ppvpd.exec:\ppvpd.exe205⤵
-
\??\c:\flxxlrx.exec:\flxxlrx.exe206⤵
-
\??\c:\btbbbb.exec:\btbbbb.exe207⤵
-
\??\c:\vdpjj.exec:\vdpjj.exe208⤵
-
\??\c:\xrrfrrx.exec:\xrrfrrx.exe209⤵
-
\??\c:\nnbnbh.exec:\nnbnbh.exe210⤵
-
\??\c:\hhtttt.exec:\hhtttt.exe211⤵
-
\??\c:\jpppd.exec:\jpppd.exe212⤵
-
\??\c:\pdvvp.exec:\pdvvp.exe213⤵
-
\??\c:\xlfxrlf.exec:\xlfxrlf.exe214⤵
-
\??\c:\5nbnhb.exec:\5nbnhb.exe215⤵
-
\??\c:\vjpjp.exec:\vjpjp.exe216⤵
-
\??\c:\1lxxxxr.exec:\1lxxxxr.exe217⤵
-
\??\c:\hbbtnn.exec:\hbbtnn.exe218⤵
-
\??\c:\vddpd.exec:\vddpd.exe219⤵
-
\??\c:\fxrlflf.exec:\fxrlflf.exe220⤵
-
\??\c:\bhbntt.exec:\bhbntt.exe221⤵
-
\??\c:\dvjjv.exec:\dvjjv.exe222⤵
-
\??\c:\xffllxr.exec:\xffllxr.exe223⤵
-
\??\c:\rrrxffl.exec:\rrrxffl.exe224⤵
-
\??\c:\1ttnbh.exec:\1ttnbh.exe225⤵
-
\??\c:\djdvp.exec:\djdvp.exe226⤵
-
\??\c:\hhbbtt.exec:\hhbbtt.exe227⤵
-
\??\c:\ddpvd.exec:\ddpvd.exe228⤵
-
\??\c:\lrrrrlr.exec:\lrrrrlr.exe229⤵
-
\??\c:\bnnnhn.exec:\bnnnhn.exe230⤵
-
\??\c:\hbtnbb.exec:\hbtnbb.exe231⤵
-
\??\c:\9jpjj.exec:\9jpjj.exe232⤵
-
\??\c:\5xfffrx.exec:\5xfffrx.exe233⤵
-
\??\c:\nntntn.exec:\nntntn.exe234⤵
-
\??\c:\jdjjj.exec:\jdjjj.exe235⤵
-
\??\c:\rlllfxr.exec:\rlllfxr.exe236⤵
-
\??\c:\bhtbbh.exec:\bhtbbh.exe237⤵
-
\??\c:\ddjjj.exec:\ddjjj.exe238⤵
-
\??\c:\ffllffx.exec:\ffllffx.exe239⤵
-
\??\c:\tthhnt.exec:\tthhnt.exe240⤵