Analysis
-
max time kernel
141s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
-
submitted
01/11/2023, 14:21
General
-
Target
NEAS.d8169d980cf31d0bdf1f7c5153a0b4e0.exe
-
Size
482KB
-
MD5
d8169d980cf31d0bdf1f7c5153a0b4e0
-
SHA1
faf07003724490a5c2c3c19ad209f3aacb3e974d
-
SHA256
0bde0d0d4d2824680688657e957ddf08b83ef0f835e85457437f4b03005307d5
-
SHA512
03dcde1a646963c2e3372572f5fd6d77d4c8cb5b0c5b9fe2bd90b733e781c6b12731907943b4bc2a488b2b4b31080eff9aaac040c0391c65cb9f011ace06584e
-
SSDEEP
6144:n3C9BRo7tvnJ9oH0IRgZvjkUo7tvnJ9oH0IiVByq9CPobNVP7:n3C9ytvngQjgtvngSV3CPobNVP7
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 33 IoCs
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Executes dropped EXE 64 IoCs
-
UPX packed file 61 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.d8169d980cf31d0bdf1f7c5153a0b4e0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.d8169d980cf31d0bdf1f7c5153a0b4e0.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\dhbhxxd.exec:\dhbhxxd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vnrdrbh.exec:\vnrdrbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bdftr.exec:\bdftr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxvhxtp.exec:\lxvhxtp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xpdhtv.exec:\xpdhtv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfhvt.exec:\rfhvt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddhtnlt.exec:\ddhtnlt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dprpjj.exec:\dprpjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vfnrhbp.exec:\vfnrhbp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\drvth.exec:\drvth.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrbnx.exec:\rrbnx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfbrtvj.exec:\rfbrtvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vxffp.exec:\vxffp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\brnlb.exec:\brnlb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddlnnd.exec:\ddlnnd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bpdjx.exec:\bpdjx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btjpv.exec:\btjpv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rblfbpp.exec:\rblfbpp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbdphtn.exec:\bbdphtn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffnjpxd.exec:\ffnjpxd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lvjdxlv.exec:\lvjdxlv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxddxjr.exec:\xxddxjr.exe23⤵
- Executes dropped EXE
-
\??\c:\prrtf.exec:\prrtf.exe24⤵
- Executes dropped EXE
-
\??\c:\nlhhlp.exec:\nlhhlp.exe25⤵
- Executes dropped EXE
-
\??\c:\tdnpv.exec:\tdnpv.exe26⤵
- Executes dropped EXE
-
\??\c:\jnflfjn.exec:\jnflfjn.exe27⤵
- Executes dropped EXE
-
\??\c:\lhplrb.exec:\lhplrb.exe28⤵
- Executes dropped EXE
-
\??\c:\xvjpl.exec:\xvjpl.exe29⤵
- Executes dropped EXE
-
\??\c:\hjdhjf.exec:\hjdhjf.exe30⤵
- Executes dropped EXE
-
\??\c:\pndfvh.exec:\pndfvh.exe31⤵
- Executes dropped EXE
-
\??\c:\tppnbdl.exec:\tppnbdl.exe32⤵
- Executes dropped EXE
-
\??\c:\npbvxlr.exec:\npbvxlr.exe33⤵
- Executes dropped EXE
-
\??\c:\bhpdvt.exec:\bhpdvt.exe34⤵
- Executes dropped EXE
-
\??\c:\xddljv.exec:\xddljv.exe35⤵
- Executes dropped EXE
-
\??\c:\xrnld.exec:\xrnld.exe36⤵
- Executes dropped EXE
-
\??\c:\hhtrtrt.exec:\hhtrtrt.exe37⤵
- Executes dropped EXE
-
\??\c:\vtpfl.exec:\vtpfl.exe38⤵
- Executes dropped EXE
-
\??\c:\vtbvvvt.exec:\vtbvvvt.exe39⤵
- Executes dropped EXE
-
\??\c:\jxdfv.exec:\jxdfv.exe40⤵
- Executes dropped EXE
-
\??\c:\nfrfp.exec:\nfrfp.exe41⤵
- Executes dropped EXE
-
\??\c:\fhpdf.exec:\fhpdf.exe42⤵
- Executes dropped EXE
-
\??\c:\xxtxpj.exec:\xxtxpj.exe43⤵
- Executes dropped EXE
-
\??\c:\xbbrbhn.exec:\xbbrbhn.exe44⤵
- Executes dropped EXE
-
\??\c:\hvxhj.exec:\hvxhj.exe45⤵
- Executes dropped EXE
-
\??\c:\rnnnt.exec:\rnnnt.exe46⤵
- Executes dropped EXE
-
\??\c:\drrffnl.exec:\drrffnl.exe47⤵
- Executes dropped EXE
-
\??\c:\dvhhx.exec:\dvhhx.exe48⤵
- Executes dropped EXE
-
\??\c:\vpvnpd.exec:\vpvnpd.exe49⤵
- Executes dropped EXE
-
\??\c:\xvjpjp.exec:\xvjpjp.exe50⤵
- Executes dropped EXE
-
\??\c:\nfpbh.exec:\nfpbh.exe51⤵
- Executes dropped EXE
-
\??\c:\jhdrbdp.exec:\jhdrbdp.exe52⤵
- Executes dropped EXE
-
\??\c:\nhbhx.exec:\nhbhx.exe53⤵
- Executes dropped EXE
-
\??\c:\jprbh.exec:\jprbh.exe54⤵
- Executes dropped EXE
-
\??\c:\vfrpjrd.exec:\vfrpjrd.exe55⤵
- Executes dropped EXE
-
\??\c:\vptjjhd.exec:\vptjjhd.exe56⤵
- Executes dropped EXE
-
\??\c:\dnhvp.exec:\dnhvp.exe57⤵
- Executes dropped EXE
-
\??\c:\vhllh.exec:\vhllh.exe58⤵
- Executes dropped EXE
-
\??\c:\fhhbvr.exec:\fhhbvr.exe59⤵
- Executes dropped EXE
-
\??\c:\lhvpr.exec:\lhvpr.exe60⤵
- Executes dropped EXE
-
\??\c:\bxtdrpr.exec:\bxtdrpr.exe61⤵
- Executes dropped EXE
-
\??\c:\ppbfp.exec:\ppbfp.exe62⤵
- Executes dropped EXE
-
\??\c:\hpdbvh.exec:\hpdbvh.exe63⤵
- Executes dropped EXE
-
\??\c:\lfdflv.exec:\lfdflv.exe64⤵
- Executes dropped EXE
-
\??\c:\nxtljrv.exec:\nxtljrv.exe65⤵
- Executes dropped EXE
-
\??\c:\lnltfxj.exec:\lnltfxj.exe66⤵
-
\??\c:\ltbxbf.exec:\ltbxbf.exe67⤵
-
\??\c:\hxhpftr.exec:\hxhpftr.exe68⤵
-
\??\c:\dlnxtrd.exec:\dlnxtrd.exe69⤵
-
\??\c:\xrpnhl.exec:\xrpnhl.exe70⤵
-
\??\c:\rpbrx.exec:\rpbrx.exe71⤵
-
\??\c:\dtbtj.exec:\dtbtj.exe72⤵
-
\??\c:\vnthh.exec:\vnthh.exe73⤵
-
\??\c:\hlxvvhj.exec:\hlxvvhj.exe74⤵
-
\??\c:\jvjdftx.exec:\jvjdftx.exe75⤵
-
\??\c:\ffdrjrn.exec:\ffdrjrn.exe76⤵
-
\??\c:\tvflbjn.exec:\tvflbjn.exe77⤵
-
\??\c:\tvtbbxd.exec:\tvtbbxd.exe78⤵
-
\??\c:\ltxdtj.exec:\ltxdtj.exe79⤵
-
\??\c:\nxbbjnt.exec:\nxbbjnt.exe80⤵
-
\??\c:\hnrxp.exec:\hnrxp.exe81⤵
-
\??\c:\nxvxtf.exec:\nxvxtf.exe82⤵
-
\??\c:\vxdrfv.exec:\vxdrfv.exe83⤵
-
\??\c:\lhrbx.exec:\lhrbx.exe84⤵
-
\??\c:\dpfnf.exec:\dpfnf.exe85⤵
-
\??\c:\xnplxf.exec:\xnplxf.exe86⤵
-
\??\c:\nxtvjrb.exec:\nxtvjrb.exe87⤵
-
\??\c:\jbjhnf.exec:\jbjhnf.exe88⤵
-
\??\c:\xdhhnl.exec:\xdhhnl.exe89⤵
-
\??\c:\hxtnjpd.exec:\hxtnjpd.exe90⤵
-
\??\c:\vtvnjnb.exec:\vtvnjnb.exe91⤵
-
\??\c:\hbxlrtt.exec:\hbxlrtt.exe92⤵
-
\??\c:\fdjldvx.exec:\fdjldvx.exe93⤵
-
\??\c:\lbdjjr.exec:\lbdjjr.exe94⤵
-
\??\c:\llxnr.exec:\llxnr.exe95⤵
-
\??\c:\tdllnpr.exec:\tdllnpr.exe96⤵
-
\??\c:\nhjvx.exec:\nhjvx.exe97⤵
-
\??\c:\htlvvh.exec:\htlvvh.exe98⤵
-
\??\c:\jpthvfp.exec:\jpthvfp.exe99⤵
-
\??\c:\njhvjht.exec:\njhvjht.exe100⤵
-
\??\c:\plnpjj.exec:\plnpjj.exe101⤵
-
\??\c:\nrjlf.exec:\nrjlf.exe102⤵
-
\??\c:\flrxxt.exec:\flrxxt.exe103⤵
-
\??\c:\jbjdp.exec:\jbjdp.exe104⤵
-
\??\c:\rvhth.exec:\rvhth.exe105⤵
-
\??\c:\lxdfh.exec:\lxdfh.exe106⤵
-
\??\c:\nvnrdv.exec:\nvnrdv.exe107⤵
-
\??\c:\djljvnl.exec:\djljvnl.exe108⤵
-
\??\c:\pbpvb.exec:\pbpvb.exe109⤵
-
\??\c:\njdnr.exec:\njdnr.exe110⤵
-
\??\c:\bfpxrl.exec:\bfpxrl.exe111⤵
-
\??\c:\rjprv.exec:\rjprv.exe112⤵
-
\??\c:\nlhdpv.exec:\nlhdpv.exe113⤵
-
\??\c:\fjrxj.exec:\fjrxj.exe114⤵
-
\??\c:\dhhrhjn.exec:\dhhrhjn.exe115⤵
-
\??\c:\tvfhhlr.exec:\tvfhhlr.exe116⤵
-
\??\c:\lhfbtx.exec:\lhfbtx.exe117⤵
-
\??\c:\llrtp.exec:\llrtp.exe118⤵
-
\??\c:\tbdhvf.exec:\tbdhvf.exe119⤵
-
\??\c:\ppbjrbn.exec:\ppbjrbn.exe120⤵
-
\??\c:\dnlpjxx.exec:\dnlpjxx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-