Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
-
submitted
22/10/2023, 17:22
General
-
Target
NEAS.7e96f5af46880348d918e5199d558f50.exe
-
Size
80KB
-
MD5
7e96f5af46880348d918e5199d558f50
-
SHA1
c4412c78dd61e0308006db0dc9d222cd4a9325a8
-
SHA256
fd29c92220db70115615d495c26c7f40835ac77f1a45e120bc5a57ac8cd883c9
-
SHA512
215a3f2c564dd302f5ad26d5b8392e82df03137df64cb7573770ecd716abeebe1c2e8ce40a8aa770429d474f59b92600cc733e83be1ad0234abf2b9672c705bd
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDo73WBdfFdptQ/WVkaD9Fj9:ymb3NkkiQ3mdBjFo73W/FztQ/WD9n
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 29 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 61 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.7e96f5af46880348d918e5199d558f50.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.7e96f5af46880348d918e5199d558f50.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\jnbpvrb.exec:\jnbpvrb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dhrvpj.exec:\dhrvpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfltdlj.exec:\rfltdlj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bxjjpp.exec:\bxjjpp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrvpxn.exec:\lrvpxn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jlpbjl.exec:\jlpbjl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\plxlv.exec:\plxlv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ndtrv.exec:\ndtrv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jhrhdhl.exec:\jhrhdhl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\trntrf.exec:\trntrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jnnfp.exec:\jnnfp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjtjxn.exec:\jjtjxn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjjpfrx.exec:\vjjpfrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tvpplv.exec:\tvpplv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fnbntv.exec:\fnbntv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\txvjnxh.exec:\txvjnxh.exe17⤵
- Executes dropped EXE
-
\??\c:\vddhl.exec:\vddhl.exe18⤵
- Executes dropped EXE
-
\??\c:\tjnnlbj.exec:\tjnnlbj.exe19⤵
- Executes dropped EXE
-
\??\c:\txnbdlr.exec:\txnbdlr.exe20⤵
- Executes dropped EXE
-
\??\c:\bftpn.exec:\bftpn.exe21⤵
- Executes dropped EXE
-
\??\c:\xdldxr.exec:\xdldxr.exe22⤵
- Executes dropped EXE
-
\??\c:\hlvxb.exec:\hlvxb.exe23⤵
- Executes dropped EXE
-
\??\c:\jnbvjtr.exec:\jnbvjtr.exe24⤵
- Executes dropped EXE
-
\??\c:\dnbph.exec:\dnbph.exe25⤵
- Executes dropped EXE
-
\??\c:\tvdhf.exec:\tvdhf.exe26⤵
- Executes dropped EXE
-
\??\c:\brjjj.exec:\brjjj.exe27⤵
- Executes dropped EXE
-
\??\c:\ptfjhj.exec:\ptfjhj.exe28⤵
- Executes dropped EXE
-
\??\c:\pbvdt.exec:\pbvdt.exe29⤵
- Executes dropped EXE
-
\??\c:\rplhhvv.exec:\rplhhvv.exe30⤵
- Executes dropped EXE
-
\??\c:\vrrvv.exec:\vrrvv.exe31⤵
- Executes dropped EXE
-
\??\c:\bbbrhb.exec:\bbbrhb.exe32⤵
- Executes dropped EXE
-
\??\c:\bdrxvln.exec:\bdrxvln.exe33⤵
- Executes dropped EXE
-
\??\c:\xrrpph.exec:\xrrpph.exe34⤵
- Executes dropped EXE
-
\??\c:\fpbhtl.exec:\fpbhtl.exe35⤵
- Executes dropped EXE
-
\??\c:\fnhblfd.exec:\fnhblfd.exe36⤵
- Executes dropped EXE
-
\??\c:\plvbblp.exec:\plvbblp.exe37⤵
- Executes dropped EXE
-
\??\c:\bbxxv.exec:\bbxxv.exe38⤵
- Executes dropped EXE
-
\??\c:\xxnrx.exec:\xxnrx.exe39⤵
- Executes dropped EXE
-
\??\c:\rvbnxtp.exec:\rvbnxtp.exe40⤵
- Executes dropped EXE
-
\??\c:\rnjdh.exec:\rnjdh.exe41⤵
- Executes dropped EXE
-
\??\c:\jjbbvr.exec:\jjbbvr.exe42⤵
- Executes dropped EXE
-
\??\c:\jlljnp.exec:\jlljnp.exe43⤵
- Executes dropped EXE
-
\??\c:\xnppf.exec:\xnppf.exe44⤵
- Executes dropped EXE
-
\??\c:\dvjblp.exec:\dvjblp.exe45⤵
- Executes dropped EXE
-
\??\c:\jjptr.exec:\jjptr.exe46⤵
- Executes dropped EXE
-
\??\c:\hpdbphh.exec:\hpdbphh.exe47⤵
- Executes dropped EXE
-
\??\c:\ppbjjt.exec:\ppbjjt.exe48⤵
- Executes dropped EXE
-
\??\c:\nxbbn.exec:\nxbbn.exe49⤵
- Executes dropped EXE
-
\??\c:\rjrdn.exec:\rjrdn.exe50⤵
- Executes dropped EXE
-
\??\c:\rhjtpp.exec:\rhjtpp.exe51⤵
- Executes dropped EXE
-
\??\c:\plpnb.exec:\plpnb.exe52⤵
- Executes dropped EXE
-
\??\c:\lpbhb.exec:\lpbhb.exe53⤵
- Executes dropped EXE
-
\??\c:\drvfbnd.exec:\drvfbnd.exe54⤵
- Executes dropped EXE
-
\??\c:\bhvrh.exec:\bhvrh.exe55⤵
- Executes dropped EXE
-
\??\c:\njnrpft.exec:\njnrpft.exe56⤵
- Executes dropped EXE
-
\??\c:\jthjnnb.exec:\jthjnnb.exe57⤵
- Executes dropped EXE
-
\??\c:\xxhxlbl.exec:\xxhxlbl.exe58⤵
- Executes dropped EXE
-
\??\c:\vjjppjt.exec:\vjjppjt.exe59⤵
- Executes dropped EXE
-
\??\c:\lrjfl.exec:\lrjfl.exe60⤵
- Executes dropped EXE
-
\??\c:\bvhvf.exec:\bvhvf.exe61⤵
- Executes dropped EXE
-
\??\c:\rxtvfrj.exec:\rxtvfrj.exe62⤵
- Executes dropped EXE
-
\??\c:\xdnllh.exec:\xdnllh.exe63⤵
- Executes dropped EXE
-
\??\c:\ndvbjnb.exec:\ndvbjnb.exe64⤵
- Executes dropped EXE
-
\??\c:\bnxvn.exec:\bnxvn.exe65⤵
- Executes dropped EXE
-
\??\c:\pprlbtj.exec:\pprlbtj.exe66⤵
-
\??\c:\nnjttjj.exec:\nnjttjj.exe67⤵
-
\??\c:\bfjftn.exec:\bfjftn.exe68⤵
-
\??\c:\hpvnlb.exec:\hpvnlb.exe69⤵
-
\??\c:\pptnbbr.exec:\pptnbbr.exe70⤵
-
\??\c:\fxlhr.exec:\fxlhr.exe71⤵
-
\??\c:\ppnbxdt.exec:\ppnbxdt.exe72⤵
-
\??\c:\plprt.exec:\plprt.exe73⤵
-
\??\c:\fnlrr.exec:\fnlrr.exe74⤵
-
\??\c:\nfjvt.exec:\nfjvt.exe75⤵
-
\??\c:\vxxnbjx.exec:\vxxnbjx.exe76⤵
-
\??\c:\vrvnlfn.exec:\vrvnlfn.exe77⤵
-
\??\c:\pvjtjpn.exec:\pvjtjpn.exe78⤵
-
\??\c:\djpndv.exec:\djpndv.exe79⤵
-
\??\c:\pjxjbr.exec:\pjxjbr.exe80⤵
-
\??\c:\phjjj.exec:\phjjj.exe81⤵
-
\??\c:\jhbrh.exec:\jhbrh.exe82⤵
-
\??\c:\phbvhj.exec:\phbvhj.exe83⤵
-
\??\c:\brxrtdx.exec:\brxrtdx.exe84⤵
-
\??\c:\rptrh.exec:\rptrh.exe85⤵
-
\??\c:\vvfbf.exec:\vvfbf.exe86⤵
-
\??\c:\jvntl.exec:\jvntl.exe87⤵
-
\??\c:\rdvhn.exec:\rdvhn.exe88⤵
-
\??\c:\bfjpfff.exec:\bfjpfff.exe89⤵
-
\??\c:\lfhnxpb.exec:\lfhnxpb.exe90⤵
-
\??\c:\tvnxjrr.exec:\tvnxjrr.exe91⤵
-
\??\c:\vhrnvbr.exec:\vhrnvbr.exe92⤵
-
\??\c:\rnplpj.exec:\rnplpj.exe93⤵
-
\??\c:\vbhrx.exec:\vbhrx.exe94⤵
-
\??\c:\jvlddpt.exec:\jvlddpt.exe95⤵
-
\??\c:\vnrftpf.exec:\vnrftpf.exe96⤵
-
\??\c:\lxtxhfx.exec:\lxtxhfx.exe97⤵
-
\??\c:\xvjbn.exec:\xvjbn.exe98⤵
-
\??\c:\tnbfnh.exec:\tnbfnh.exe99⤵
-
\??\c:\xpjpdf.exec:\xpjpdf.exe100⤵
-
\??\c:\lvpbn.exec:\lvpbn.exe101⤵
-
\??\c:\bpthnf.exec:\bpthnf.exe102⤵
-
\??\c:\ffbjx.exec:\ffbjx.exe103⤵
-
\??\c:\lhjxh.exec:\lhjxh.exe104⤵
-
\??\c:\dhxjff.exec:\dhxjff.exe105⤵
-
\??\c:\lfjtnb.exec:\lfjtnb.exe106⤵
-
\??\c:\xdpnht.exec:\xdpnht.exe107⤵
-
\??\c:\rfdxb.exec:\rfdxb.exe108⤵
-
\??\c:\tvjvnfl.exec:\tvjvnfl.exe109⤵
-
\??\c:\jnppx.exec:\jnppx.exe110⤵
-
\??\c:\tnvnf.exec:\tnvnf.exe111⤵
-
\??\c:\hlftdhn.exec:\hlftdhn.exe112⤵
-
\??\c:\bvtvldn.exec:\bvtvldn.exe113⤵
-
\??\c:\fnvjdp.exec:\fnvjdp.exe114⤵
-
\??\c:\plbhrhh.exec:\plbhrhh.exe115⤵
-
\??\c:\lhjlb.exec:\lhjlb.exe116⤵
-
\??\c:\vdtbnb.exec:\vdtbnb.exe117⤵
-
\??\c:\hljvjf.exec:\hljvjf.exe118⤵
-
\??\c:\dltvfp.exec:\dltvfp.exe119⤵
-
\??\c:\hrpljv.exec:\hrpljv.exe120⤵
-
\??\c:\fdnttn.exec:\fdnttn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-