Analysis
-
max time kernel
141s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
16/10/2023, 18:37
General
-
Target
NEAS.c5ea32ae497af4390cfe2a8ef7337430.exe
-
Size
91KB
-
MD5
c5ea32ae497af4390cfe2a8ef7337430
-
SHA1
7b4e601378cf8c9b864c1c7f0438dd1af88c52f8
-
SHA256
1c99bb5dda234a869e9df9ca9c7e29399a388a4c88329658af43ccc1d1aca4e4
-
SHA512
92efdaf8e7ba111844eb3e7a240746777f2c766781354174567c8a8f1ec38fd3533b18a0023ad1244a28ecd5234ee22ca7c9b31a640aa9356dcfcdb57631d7be
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDo73XH/YP1HFrJximAAxE6vr/mA4:ymb3NkkiQ3mdBjFo73PYP1lri3KVT+b5
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 34 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 60 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.c5ea32ae497af4390cfe2a8ef7337430.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.c5ea32ae497af4390cfe2a8ef7337430.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\lpnrlhj.exec:\lpnrlhj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xbxjj.exec:\xbxjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rbxbf.exec:\rbxbf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ndtxj.exec:\ndtxj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnjhfdl.exec:\hnjhfdl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bxtjbn.exec:\bxtjbn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nrvdvn.exec:\nrvdvn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jfphhdx.exec:\jfphhdx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxlndrl.exec:\xxlndrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpfjn.exec:\vpfjn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\phxdl.exec:\phxdl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ltpjr.exec:\ltpjr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dnhxdt.exec:\dnhxdt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vrpnx.exec:\vrpnx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\blhnbvd.exec:\blhnbvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fnbvjb.exec:\fnbvjb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vrtjpv.exec:\vrtjpv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvnxpp.exec:\pvnxpp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llnbj.exec:\llnbj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbtjb.exec:\bbtjb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvnpx.exec:\vvnpx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hrnbxl.exec:\hrnbxl.exe23⤵
- Executes dropped EXE
-
\??\c:\hfnxdrd.exec:\hfnxdrd.exe24⤵
- Executes dropped EXE
-
\??\c:\pdjnp.exec:\pdjnp.exe25⤵
- Executes dropped EXE
-
\??\c:\frhvxrd.exec:\frhvxrd.exe26⤵
- Executes dropped EXE
-
\??\c:\ffvthpj.exec:\ffvthpj.exe27⤵
- Executes dropped EXE
-
\??\c:\jrpbjbd.exec:\jrpbjbd.exe28⤵
- Executes dropped EXE
-
\??\c:\jjftnth.exec:\jjftnth.exe29⤵
- Executes dropped EXE
-
\??\c:\frfjvlj.exec:\frfjvlj.exe30⤵
- Executes dropped EXE
-
\??\c:\ffjpfpj.exec:\ffjpfpj.exe31⤵
- Executes dropped EXE
-
\??\c:\tjlrf.exec:\tjlrf.exe32⤵
- Executes dropped EXE
-
\??\c:\vxrffdf.exec:\vxrffdf.exe33⤵
- Executes dropped EXE
-
\??\c:\btlrv.exec:\btlrv.exe34⤵
- Executes dropped EXE
-
\??\c:\httpd.exec:\httpd.exe35⤵
- Executes dropped EXE
-
\??\c:\fljftph.exec:\fljftph.exe36⤵
- Executes dropped EXE
-
\??\c:\vbxjvnv.exec:\vbxjvnv.exe37⤵
- Executes dropped EXE
-
\??\c:\nlxvnh.exec:\nlxvnh.exe38⤵
- Executes dropped EXE
-
\??\c:\rbjbx.exec:\rbjbx.exe39⤵
- Executes dropped EXE
-
\??\c:\jjndl.exec:\jjndl.exe40⤵
- Executes dropped EXE
-
\??\c:\pjnpx.exec:\pjnpx.exe41⤵
- Executes dropped EXE
-
\??\c:\xtdprj.exec:\xtdprj.exe42⤵
- Executes dropped EXE
-
\??\c:\vpvnd.exec:\vpvnd.exe43⤵
- Executes dropped EXE
-
\??\c:\nhpbnt.exec:\nhpbnt.exe44⤵
- Executes dropped EXE
-
\??\c:\dhvfrv.exec:\dhvfrv.exe45⤵
- Executes dropped EXE
-
\??\c:\dxnnhp.exec:\dxnnhp.exe46⤵
- Executes dropped EXE
-
\??\c:\jhdhr.exec:\jhdhr.exe47⤵
- Executes dropped EXE
-
\??\c:\ffnjx.exec:\ffnjx.exe48⤵
- Executes dropped EXE
-
\??\c:\dnjlt.exec:\dnjlt.exe49⤵
- Executes dropped EXE
-
\??\c:\bptjrr.exec:\bptjrr.exe50⤵
- Executes dropped EXE
-
\??\c:\jdhfnp.exec:\jdhfnp.exe51⤵
- Executes dropped EXE
-
\??\c:\xbbxb.exec:\xbbxb.exe52⤵
- Executes dropped EXE
-
\??\c:\lpdbrx.exec:\lpdbrx.exe53⤵
- Executes dropped EXE
-
\??\c:\vvfvjfj.exec:\vvfvjfj.exe54⤵
- Executes dropped EXE
-
\??\c:\rvlbbtl.exec:\rvlbbtl.exe55⤵
- Executes dropped EXE
-
\??\c:\fbnvp.exec:\fbnvp.exe56⤵
- Executes dropped EXE
-
\??\c:\ljddd.exec:\ljddd.exe57⤵
- Executes dropped EXE
-
\??\c:\pnldpx.exec:\pnldpx.exe58⤵
- Executes dropped EXE
-
\??\c:\hljlfbh.exec:\hljlfbh.exe59⤵
- Executes dropped EXE
-
\??\c:\xpftb.exec:\xpftb.exe60⤵
- Executes dropped EXE
-
\??\c:\jfpvlvh.exec:\jfpvlvh.exe61⤵
- Executes dropped EXE
-
\??\c:\fvlxnlv.exec:\fvlxnlv.exe62⤵
- Executes dropped EXE
-
\??\c:\plfjtjj.exec:\plfjtjj.exe63⤵
- Executes dropped EXE
-
\??\c:\nxlpdp.exec:\nxlpdp.exe64⤵
- Executes dropped EXE
-
\??\c:\rlvtnpn.exec:\rlvtnpn.exe65⤵
- Executes dropped EXE
-
\??\c:\hfvdfp.exec:\hfvdfp.exe66⤵
-
\??\c:\bjdjnl.exec:\bjdjnl.exe67⤵
-
\??\c:\fnlbd.exec:\fnlbd.exe68⤵
-
\??\c:\dppvrvt.exec:\dppvrvt.exe69⤵
-
\??\c:\vfnvx.exec:\vfnvx.exe70⤵
-
\??\c:\bvlhrhr.exec:\bvlhrhr.exe71⤵
-
\??\c:\bltnj.exec:\bltnj.exe72⤵
-
\??\c:\pjptp.exec:\pjptp.exe73⤵
-
\??\c:\lhlljvp.exec:\lhlljvp.exe74⤵
-
\??\c:\fvjnhn.exec:\fvjnhn.exe75⤵
-
\??\c:\bvptp.exec:\bvptp.exe76⤵
-
\??\c:\vppvh.exec:\vppvh.exe77⤵
-
\??\c:\flbndrr.exec:\flbndrr.exe78⤵
-
\??\c:\rtthf.exec:\rtthf.exe79⤵
-
\??\c:\pxlllx.exec:\pxlllx.exe80⤵
-
\??\c:\dbrltp.exec:\dbrltp.exe81⤵
-
\??\c:\xbrrjjt.exec:\xbrrjjt.exe82⤵
-
\??\c:\nbrpxjh.exec:\nbrpxjh.exe83⤵
-
\??\c:\flntjnd.exec:\flntjnd.exe84⤵
-
\??\c:\fxxjbf.exec:\fxxjbf.exe85⤵
-
\??\c:\lpvjlh.exec:\lpvjlh.exe86⤵
-
\??\c:\pdpnrhb.exec:\pdpnrhb.exe87⤵
-
\??\c:\hntjxfh.exec:\hntjxfh.exe88⤵
-
\??\c:\pxbnfbd.exec:\pxbnfbd.exe89⤵
-
\??\c:\rltdhbr.exec:\rltdhbr.exe90⤵
-
\??\c:\tvxphn.exec:\tvxphn.exe91⤵
-
\??\c:\nbplrvb.exec:\nbplrvb.exe92⤵
-
\??\c:\bnvlbpt.exec:\bnvlbpt.exe93⤵
-
\??\c:\jbjlxx.exec:\jbjlxx.exe94⤵
-
\??\c:\jnbxfnv.exec:\jnbxfnv.exe95⤵
-
\??\c:\htjdd.exec:\htjdd.exe96⤵
-
\??\c:\pppnpv.exec:\pppnpv.exe97⤵
-
\??\c:\prvjp.exec:\prvjp.exe98⤵
-
\??\c:\tfjbtnp.exec:\tfjbtnp.exe99⤵
-
\??\c:\nbrnp.exec:\nbrnp.exe100⤵
-
\??\c:\pjnxp.exec:\pjnxp.exe101⤵
-
\??\c:\lxvrnfb.exec:\lxvrnfb.exe102⤵
-
\??\c:\xlxppn.exec:\xlxppn.exe103⤵
-
\??\c:\vddftdd.exec:\vddftdd.exe104⤵
-
\??\c:\hjplxlb.exec:\hjplxlb.exe105⤵
-
\??\c:\nxnjbnp.exec:\nxnjbnp.exe106⤵
-
\??\c:\vnvhpnl.exec:\vnvhpnl.exe107⤵
-
\??\c:\ftxvpt.exec:\ftxvpt.exe108⤵
-
\??\c:\jlxvl.exec:\jlxvl.exe109⤵
-
\??\c:\jffrprl.exec:\jffrprl.exe110⤵
-
\??\c:\tbjlbv.exec:\tbjlbv.exe111⤵
-
\??\c:\rvbvpjr.exec:\rvbvpjr.exe112⤵
-
\??\c:\xjnfhnx.exec:\xjnfhnx.exe113⤵
-
\??\c:\hvrvrbn.exec:\hvrvrbn.exe114⤵
-
\??\c:\rpffrtl.exec:\rpffrtl.exe115⤵
-
\??\c:\hxtvv.exec:\hxtvv.exe116⤵
-
\??\c:\fdjdpr.exec:\fdjdpr.exe117⤵
-
\??\c:\njfvjb.exec:\njfvjb.exe118⤵
-
\??\c:\xnnlj.exec:\xnnlj.exe119⤵
-
\??\c:\rrvvf.exec:\rrvvf.exe120⤵
-
\??\c:\dbvjh.exec:\dbvjh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-