Analysis
-
max time kernel
151s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
16-10-2023 18:24
General
-
Target
NEAS.7199eb67a8ffeafd0b78ed0abf558420.exe
-
Size
93KB
-
MD5
7199eb67a8ffeafd0b78ed0abf558420
-
SHA1
2cbd63e5d6e381de2a40c16c9eb982ef7004ac74
-
SHA256
2a31b2e275f9a24d01ee98e55e711bafa0c9b65c7bfaa2beaec1d86915df88aa
-
SHA512
bd4903aa1808f9196c0538a5f572ad7689cb629749155351e05bbe5d2114914c18393c95c934f3aadea76e65fef97b5c12944ac878737ad143b633c3e9fb9bb7
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIkpiZBf7xAQWHdgY:ymb3NkkiQ3mdBjFIjZbsdgY
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 34 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.7199eb67a8ffeafd0b78ed0abf558420.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.7199eb67a8ffeafd0b78ed0abf558420.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rptdvdx.exec:\rptdvdx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nxhttlh.exec:\nxhttlh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thnxn.exec:\thnxn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vrjhltv.exec:\vrjhltv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nrdtt.exec:\nrdtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrrx.exec:\rfrrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bdxrl.exec:\bdxrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rddrhj.exec:\rddrhj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hrnjx.exec:\hrnjx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxdnnpr.exec:\xxdnnpr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lppppl.exec:\lppppl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlrnrpp.exec:\xlrnrpp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\brrlnh.exec:\brrlnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bpxnh.exec:\bpxnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrpvhl.exec:\xrpvhl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\prlrrv.exec:\prlrrv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dfvblr.exec:\dfvblr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lvdxp.exec:\lvdxp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbvhjh.exec:\nbvhjh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fhtvh.exec:\fhtvh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvlhvt.exec:\vvlhvt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvfnrt.exec:\vvfnrt.exe23⤵
- Executes dropped EXE
-
\??\c:\rtxjhhh.exec:\rtxjhhh.exe24⤵
- Executes dropped EXE
-
\??\c:\dpvxjv.exec:\dpvxjv.exe25⤵
- Executes dropped EXE
-
\??\c:\ltdrx.exec:\ltdrx.exe26⤵
- Executes dropped EXE
-
\??\c:\jnvtfvf.exec:\jnvtfvf.exe27⤵
- Executes dropped EXE
-
\??\c:\hrtrhf.exec:\hrtrhf.exe28⤵
- Executes dropped EXE
-
\??\c:\tfffnf.exec:\tfffnf.exe29⤵
- Executes dropped EXE
-
\??\c:\fpfxh.exec:\fpfxh.exe30⤵
- Executes dropped EXE
-
\??\c:\rvdpxxx.exec:\rvdpxxx.exe31⤵
- Executes dropped EXE
-
\??\c:\jxbvj.exec:\jxbvj.exe32⤵
- Executes dropped EXE
-
\??\c:\vxllthl.exec:\vxllthl.exe33⤵
- Executes dropped EXE
-
\??\c:\lnjxvvl.exec:\lnjxvvl.exe34⤵
- Executes dropped EXE
-
\??\c:\pvfvtr.exec:\pvfvtr.exe35⤵
- Executes dropped EXE
-
\??\c:\nnfxxht.exec:\nnfxxht.exe36⤵
- Executes dropped EXE
-
\??\c:\prpxlhj.exec:\prpxlhj.exe37⤵
- Executes dropped EXE
-
\??\c:\vbljxx.exec:\vbljxx.exe38⤵
- Executes dropped EXE
-
\??\c:\rdjftl.exec:\rdjftl.exe39⤵
- Executes dropped EXE
-
\??\c:\npfjrbr.exec:\npfjrbr.exe40⤵
- Executes dropped EXE
-
\??\c:\bpvtlvv.exec:\bpvtlvv.exe41⤵
- Executes dropped EXE
-
\??\c:\lfvdn.exec:\lfvdn.exe42⤵
- Executes dropped EXE
-
\??\c:\rflrr.exec:\rflrr.exe43⤵
- Executes dropped EXE
-
\??\c:\tddxt.exec:\tddxt.exe44⤵
- Executes dropped EXE
-
\??\c:\rpjrjpf.exec:\rpjrjpf.exe45⤵
- Executes dropped EXE
-
\??\c:\rrnbnlj.exec:\rrnbnlj.exe46⤵
- Executes dropped EXE
-
\??\c:\nltblp.exec:\nltblp.exe47⤵
- Executes dropped EXE
-
\??\c:\tlhntl.exec:\tlhntl.exe48⤵
- Executes dropped EXE
-
\??\c:\lvfjrd.exec:\lvfjrd.exe49⤵
-
\??\c:\lrbbrj.exec:\lrbbrj.exe50⤵
- Executes dropped EXE
-
\??\c:\prpdfx.exec:\prpdfx.exe51⤵
-
\??\c:\trjdphj.exec:\trjdphj.exe52⤵
- Executes dropped EXE
-
\??\c:\jrjxxx.exec:\jrjxxx.exe53⤵
- Executes dropped EXE
-
\??\c:\jnfdfbv.exec:\jnfdfbv.exe54⤵
- Executes dropped EXE
-
\??\c:\nnpdnp.exec:\nnpdnp.exe55⤵
- Executes dropped EXE
-
\??\c:\nfvrb.exec:\nfvrb.exe56⤵
- Executes dropped EXE
-
\??\c:\brnfnj.exec:\brnfnj.exe57⤵
- Executes dropped EXE
-
\??\c:\npddtn.exec:\npddtn.exe58⤵
- Executes dropped EXE
-
\??\c:\trrprbl.exec:\trrprbl.exe59⤵
-
\??\c:\pnjndth.exec:\pnjndth.exe60⤵
- Executes dropped EXE
-
\??\c:\pnbbln.exec:\pnbbln.exe61⤵
- Executes dropped EXE
-
\??\c:\ffpvntr.exec:\ffpvntr.exe62⤵
- Executes dropped EXE
-
\??\c:\dlvphx.exec:\dlvphx.exe63⤵
- Executes dropped EXE
-
\??\c:\bvptln.exec:\bvptln.exe64⤵
-
\??\c:\vnvtb.exec:\vnvtb.exe65⤵
- Executes dropped EXE
-
\??\c:\fprxvj.exec:\fprxvj.exe66⤵
-
\??\c:\btvtbv.exec:\btvtbv.exe67⤵
-
\??\c:\jjjdjrb.exec:\jjjdjrb.exe68⤵
-
\??\c:\xhrjrt.exec:\xhrjrt.exe69⤵
-
\??\c:\bdlxprb.exec:\bdlxprb.exe70⤵
-
\??\c:\hprfhf.exec:\hprfhf.exe71⤵
-
\??\c:\fvhft.exec:\fvhft.exe72⤵
-
\??\c:\lvjbddv.exec:\lvjbddv.exe73⤵
-
\??\c:\rvxjxv.exec:\rvxjxv.exe74⤵
-
\??\c:\nnthfbj.exec:\nnthfbj.exe75⤵
-
\??\c:\xdtjbt.exec:\xdtjbt.exe76⤵
-
\??\c:\frxlrlf.exec:\frxlrlf.exe77⤵
-
\??\c:\xfdltrn.exec:\xfdltrn.exe78⤵
-
\??\c:\dfjjn.exec:\dfjjn.exe79⤵
-
\??\c:\vdlnv.exec:\vdlnv.exe80⤵
-
\??\c:\xpxpb.exec:\xpxpb.exe81⤵
-
\??\c:\xlfvdb.exec:\xlfvdb.exe82⤵
-
\??\c:\frhtjlr.exec:\frhtjlr.exe83⤵
-
\??\c:\xlpxbb.exec:\xlpxbb.exe84⤵
-
\??\c:\rpjbx.exec:\rpjbx.exe85⤵
-
\??\c:\nrdhjdt.exec:\nrdhjdt.exe86⤵
-
\??\c:\htjhbd.exec:\htjhbd.exe87⤵
-
\??\c:\lldxbfv.exec:\lldxbfv.exe88⤵
-
\??\c:\bdhxbrf.exec:\bdhxbrf.exe89⤵
-
\??\c:\thfjdr.exec:\thfjdr.exe90⤵
-
\??\c:\pvnll.exec:\pvnll.exe91⤵
- Executes dropped EXE
-
\??\c:\dbdrt.exec:\dbdrt.exe92⤵
-
\??\c:\hvjdpf.exec:\hvjdpf.exe93⤵
- Executes dropped EXE
-
\??\c:\dxnjf.exec:\dxnjf.exe94⤵
-
\??\c:\npfntp.exec:\npfntp.exe95⤵
-
\??\c:\jtjvvd.exec:\jtjvvd.exe96⤵
-
\??\c:\dpfdxpt.exec:\dpfdxpt.exe97⤵
-
\??\c:\xrhhtr.exec:\xrhhtr.exe98⤵
-
\??\c:\phjrp.exec:\phjrp.exe99⤵
-
\??\c:\rbjnlrh.exec:\rbjnlrh.exe100⤵
-
\??\c:\dbbfn.exec:\dbbfn.exe101⤵
- Executes dropped EXE
-
\??\c:\pvtrrrh.exec:\pvtrrrh.exe102⤵
-
\??\c:\rjdlxd.exec:\rjdlxd.exe103⤵
-
\??\c:\vtvdjdh.exec:\vtvdjdh.exe104⤵
-
\??\c:\nxnxtp.exec:\nxnxtp.exe105⤵
-
\??\c:\rnlbhtp.exec:\rnlbhtp.exe106⤵
- Executes dropped EXE
-
\??\c:\vvdxftl.exec:\vvdxftl.exe107⤵
-
\??\c:\bhptdj.exec:\bhptdj.exe108⤵
-
\??\c:\pjpjl.exec:\pjpjl.exe109⤵
-
\??\c:\pnblfnj.exec:\pnblfnj.exe110⤵
-
\??\c:\jnfpdf.exec:\jnfpdf.exe111⤵
-
\??\c:\xphvthp.exec:\xphvthp.exe112⤵
-
\??\c:\pllbtv.exec:\pllbtv.exe113⤵
-
\??\c:\vdbjvhx.exec:\vdbjvhx.exe114⤵
-
\??\c:\bjppvnd.exec:\bjppvnd.exe115⤵
-
\??\c:\vxnvn.exec:\vxnvn.exe116⤵
-
\??\c:\hfrlvn.exec:\hfrlvn.exe117⤵
-
\??\c:\jvpvdh.exec:\jvpvdh.exe118⤵
-
\??\c:\jbjrj.exec:\jbjrj.exe119⤵
-
\??\c:\jbhhf.exec:\jbhhf.exe120⤵
-
\??\c:\nvjjdbt.exec:\nvjjdbt.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-