Analysis
-
max time kernel
151s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
-
submitted
03/11/2023, 08:06
General
-
Target
NEAS.2fb556d013e4604cb7a3d975bd112630.exe
-
Size
68KB
-
MD5
2fb556d013e4604cb7a3d975bd112630
-
SHA1
7af5e5f9406fabff8a165c0ec746892d9b3cee79
-
SHA256
8874edbbcabb53e54ffab30d09f2597ef031b7ca9653da31abbcad89a0656eb9
-
SHA512
fb80e5de922cfdc2888de2a21abf5ea572843c6c95522578f6b1820f6bc09e6901a80d5d92d48445deb98107d2f23ec237938a065bd74778ca881101f2ae8637
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIS7/bQhu9K:ymb3NkkiQ3mdBjFIi/07
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 41 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.2fb556d013e4604cb7a3d975bd112630.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.2fb556d013e4604cb7a3d975bd112630.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\9h61l1t.exec:\9h61l1t.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\sgeom.exec:\sgeom.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6ouah.exec:\6ouah.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\f3v5e7.exec:\f3v5e7.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9pn6cu.exec:\9pn6cu.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\363s78.exec:\363s78.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\979m33.exec:\979m33.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdg51m0.exec:\jdg51m0.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\x7g1m6j.exec:\x7g1m6j.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3g27t.exec:\3g27t.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0357jng.exec:\0357jng.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pce5f8.exec:\pce5f8.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\wu76o9e.exec:\wu76o9e.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\mma53v.exec:\mma53v.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\x3k39i.exec:\x3k39i.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\gq90qi8.exec:\gq90qi8.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9a3x51p.exec:\9a3x51p.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7j723.exec:\7j723.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\q8j37jb.exec:\q8j37jb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6t42475.exec:\6t42475.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2xgp50.exec:\2xgp50.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\c31p19.exec:\c31p19.exe23⤵
- Executes dropped EXE
-
\??\c:\6lr04.exec:\6lr04.exe24⤵
- Executes dropped EXE
-
\??\c:\l7dgj1q.exec:\l7dgj1q.exe25⤵
- Executes dropped EXE
-
\??\c:\0kho8pe.exec:\0kho8pe.exe26⤵
- Executes dropped EXE
-
\??\c:\6a85q.exec:\6a85q.exe27⤵
- Executes dropped EXE
-
\??\c:\011w7w.exec:\011w7w.exe28⤵
- Executes dropped EXE
-
\??\c:\7e7398.exec:\7e7398.exe29⤵
- Executes dropped EXE
-
\??\c:\10seu4u.exec:\10seu4u.exe30⤵
- Executes dropped EXE
-
\??\c:\mpa2c8.exec:\mpa2c8.exe31⤵
- Executes dropped EXE
-
\??\c:\x82mpqi.exec:\x82mpqi.exe32⤵
- Executes dropped EXE
-
\??\c:\890vw.exec:\890vw.exe33⤵
- Executes dropped EXE
-
\??\c:\14754.exec:\14754.exe34⤵
- Executes dropped EXE
-
\??\c:\ef5a5.exec:\ef5a5.exe35⤵
- Executes dropped EXE
-
\??\c:\2ppj9bx.exec:\2ppj9bx.exe36⤵
- Executes dropped EXE
-
\??\c:\0tu591.exec:\0tu591.exe37⤵
- Executes dropped EXE
-
\??\c:\jh1mwk1.exec:\jh1mwk1.exe38⤵
- Executes dropped EXE
-
\??\c:\3fv50.exec:\3fv50.exe39⤵
- Executes dropped EXE
-
\??\c:\5ou116.exec:\5ou116.exe40⤵
- Executes dropped EXE
-
\??\c:\sp40o2.exec:\sp40o2.exe41⤵
- Executes dropped EXE
-
\??\c:\16f63.exec:\16f63.exe42⤵
- Executes dropped EXE
-
\??\c:\pn5w513.exec:\pn5w513.exe43⤵
- Executes dropped EXE
-
\??\c:\kr2fr2.exec:\kr2fr2.exe44⤵
- Executes dropped EXE
-
\??\c:\d6r91.exec:\d6r91.exe45⤵
- Executes dropped EXE
-
\??\c:\3wxlq6.exec:\3wxlq6.exe46⤵
- Executes dropped EXE
-
\??\c:\6wij7.exec:\6wij7.exe47⤵
- Executes dropped EXE
-
\??\c:\43735.exec:\43735.exe48⤵
- Executes dropped EXE
-
\??\c:\33g3r.exec:\33g3r.exe49⤵
- Executes dropped EXE
-
\??\c:\8ougkfm.exec:\8ougkfm.exe50⤵
- Executes dropped EXE
-
\??\c:\65w9t.exec:\65w9t.exe51⤵
- Executes dropped EXE
-
\??\c:\0nbht.exec:\0nbht.exe52⤵
- Executes dropped EXE
-
\??\c:\o36sd.exec:\o36sd.exe53⤵
- Executes dropped EXE
-
\??\c:\0plpto.exec:\0plpto.exe54⤵
- Executes dropped EXE
-
\??\c:\84vmp4x.exec:\84vmp4x.exe55⤵
- Executes dropped EXE
-
\??\c:\71dj4s.exec:\71dj4s.exe56⤵
- Executes dropped EXE
-
\??\c:\q0nirm.exec:\q0nirm.exe57⤵
- Executes dropped EXE
-
\??\c:\447536p.exec:\447536p.exe58⤵
- Executes dropped EXE
-
\??\c:\vs9q75.exec:\vs9q75.exe59⤵
- Executes dropped EXE
-
\??\c:\407692.exec:\407692.exe60⤵
- Executes dropped EXE
-
\??\c:\r7fj9.exec:\r7fj9.exe61⤵
- Executes dropped EXE
-
\??\c:\p9h545.exec:\p9h545.exe62⤵
- Executes dropped EXE
-
\??\c:\8rat30.exec:\8rat30.exe63⤵
- Executes dropped EXE
-
\??\c:\5c1sm63.exec:\5c1sm63.exe64⤵
- Executes dropped EXE
-
\??\c:\2jpe45.exec:\2jpe45.exe65⤵
- Executes dropped EXE
-
\??\c:\j77tq.exec:\j77tq.exe66⤵
-
\??\c:\83l7s.exec:\83l7s.exe67⤵
-
\??\c:\u39gd.exec:\u39gd.exe68⤵
-
\??\c:\8fh5jj.exec:\8fh5jj.exe69⤵
-
\??\c:\65294p.exec:\65294p.exe70⤵
-
\??\c:\6c90d.exec:\6c90d.exe71⤵
-
\??\c:\nn8w3a.exec:\nn8w3a.exe72⤵
-
\??\c:\743c3sj.exec:\743c3sj.exe73⤵
-
\??\c:\ne8x37.exec:\ne8x37.exe74⤵
-
\??\c:\w8577vm.exec:\w8577vm.exe75⤵
-
\??\c:\5cehf.exec:\5cehf.exe76⤵
-
\??\c:\195dg7.exec:\195dg7.exe77⤵
-
\??\c:\5gkip.exec:\5gkip.exe78⤵
-
\??\c:\ep2eb.exec:\ep2eb.exe79⤵
-
\??\c:\2w41h.exec:\2w41h.exe80⤵
-
\??\c:\6gm63.exec:\6gm63.exe81⤵
-
\??\c:\44329.exec:\44329.exe82⤵
-
\??\c:\72f7va9.exec:\72f7va9.exe83⤵
-
\??\c:\28e41h.exec:\28e41h.exe84⤵
-
\??\c:\70r79bu.exec:\70r79bu.exe85⤵
-
\??\c:\k43c90.exec:\k43c90.exe86⤵
-
\??\c:\9b1v71.exec:\9b1v71.exe87⤵
-
\??\c:\20xcl.exec:\20xcl.exe88⤵
-
\??\c:\u3xpti7.exec:\u3xpti7.exe89⤵
-
\??\c:\4s64h.exec:\4s64h.exe90⤵
-
\??\c:\w3ma67o.exec:\w3ma67o.exe91⤵
-
\??\c:\6l6lpa7.exec:\6l6lpa7.exe92⤵
-
\??\c:\fxx53fj.exec:\fxx53fj.exe93⤵
-
\??\c:\jq7x99.exec:\jq7x99.exe94⤵
-
\??\c:\4r19ag.exec:\4r19ag.exe95⤵
-
\??\c:\ugj914b.exec:\ugj914b.exe96⤵
-
\??\c:\401s1ur.exec:\401s1ur.exe97⤵
-
\??\c:\42rc7o5.exec:\42rc7o5.exe98⤵
-
\??\c:\2558x.exec:\2558x.exe99⤵
-
\??\c:\pq2fprs.exec:\pq2fprs.exe100⤵
-
\??\c:\ta7713o.exec:\ta7713o.exe101⤵
-
\??\c:\56of5g.exec:\56of5g.exe102⤵
-
\??\c:\rjmkr.exec:\rjmkr.exe103⤵
-
\??\c:\5we877.exec:\5we877.exe104⤵
-
\??\c:\iss5wk.exec:\iss5wk.exe105⤵
-
\??\c:\49o6e7.exec:\49o6e7.exe106⤵
-
\??\c:\2p365f3.exec:\2p365f3.exe107⤵
-
\??\c:\9bfh9a2.exec:\9bfh9a2.exe108⤵
-
\??\c:\ti5s9.exec:\ti5s9.exe109⤵
-
\??\c:\sh1rr.exec:\sh1rr.exe110⤵
-
\??\c:\601vde.exec:\601vde.exe111⤵
-
\??\c:\1sthum.exec:\1sthum.exe112⤵
-
\??\c:\1qi2v.exec:\1qi2v.exe113⤵
-
\??\c:\r34j1.exec:\r34j1.exe114⤵
-
\??\c:\v2kxj1.exec:\v2kxj1.exe115⤵
-
\??\c:\1g5mgg.exec:\1g5mgg.exe116⤵
-
\??\c:\fxf5gaw.exec:\fxf5gaw.exe117⤵
-
\??\c:\75s9i.exec:\75s9i.exe118⤵
-
\??\c:\a9f96.exec:\a9f96.exe119⤵
-
\??\c:\l7et7.exec:\l7et7.exe120⤵
-
\??\c:\u6ic8.exec:\u6ic8.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-