Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
-
submitted
15/11/2023, 01:36
General
-
Target
NEAS.2ccbdd852c95da0aab8ffeb900c48110.exe
-
Size
118KB
-
MD5
2ccbdd852c95da0aab8ffeb900c48110
-
SHA1
66c2be690b80429afe73e6b18d51640447fe91db
-
SHA256
244a451ad7f86cc1a531f2acb6488e3906eca3da92e586ee61acec040ba61328
-
SHA512
086e9a99d1e71725740517f87252e28281c103b79f5f42b08cb3d065a97e12dc898bccaf860bd2496bca0d4e90b9b404ea711a29e203dc4b9144986ebc87e3af
-
SSDEEP
3072:ymb3NkkiQ3mdBjFWXkj7afoHvmQ+EZMYX2CDr:n3C9BRW0j/uVEZF2CDr
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 30 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 60 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.2ccbdd852c95da0aab8ffeb900c48110.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.2ccbdd852c95da0aab8ffeb900c48110.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\dnxvr.exec:\dnxvr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ndlddxn.exec:\ndlddxn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ptrdtt.exec:\ptrdtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vbvjn.exec:\vbvjn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vllvp.exec:\vllvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xbjjr.exec:\xbjjr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxlhxd.exec:\lxlhxd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fnprnn.exec:\fnprnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vhfnj.exec:\vhfnj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnrhb.exec:\ttnrhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lftpf.exec:\lftpf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\txlhh.exec:\txlhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbbxtn.exec:\hhbbxtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vrpfpxx.exec:\vrpfpxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbdvr.exec:\nbdvr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ldxblhl.exec:\ldxblhl.exe17⤵
- Executes dropped EXE
-
\??\c:\jbnnb.exec:\jbnnb.exe18⤵
- Executes dropped EXE
-
\??\c:\vbfdpn.exec:\vbfdpn.exe19⤵
- Executes dropped EXE
-
\??\c:\fplvjht.exec:\fplvjht.exe20⤵
- Executes dropped EXE
-
\??\c:\tfttf.exec:\tfttf.exe21⤵
- Executes dropped EXE
-
\??\c:\rntvf.exec:\rntvf.exe22⤵
- Executes dropped EXE
-
\??\c:\vffpx.exec:\vffpx.exe23⤵
- Executes dropped EXE
-
\??\c:\phnrdd.exec:\phnrdd.exe24⤵
- Executes dropped EXE
-
\??\c:\bjdhv.exec:\bjdhv.exe25⤵
- Executes dropped EXE
-
\??\c:\bbrvhf.exec:\bbrvhf.exe26⤵
- Executes dropped EXE
-
\??\c:\tltrd.exec:\tltrd.exe27⤵
- Executes dropped EXE
-
\??\c:\rtxlbff.exec:\rtxlbff.exe28⤵
- Executes dropped EXE
-
\??\c:\bjrnnl.exec:\bjrnnl.exe29⤵
- Executes dropped EXE
-
\??\c:\fdbxtdd.exec:\fdbxtdd.exe30⤵
- Executes dropped EXE
-
\??\c:\jfdjb.exec:\jfdjb.exe31⤵
- Executes dropped EXE
-
\??\c:\rhfbhbb.exec:\rhfbhbb.exe32⤵
- Executes dropped EXE
-
\??\c:\dxnbrdj.exec:\dxnbrdj.exe33⤵
- Executes dropped EXE
-
\??\c:\ltlfpxl.exec:\ltlfpxl.exe34⤵
- Executes dropped EXE
-
\??\c:\vnplp.exec:\vnplp.exe35⤵
- Executes dropped EXE
-
\??\c:\ppnhxh.exec:\ppnhxh.exe36⤵
- Executes dropped EXE
-
\??\c:\lrfpxvh.exec:\lrfpxvh.exe37⤵
- Executes dropped EXE
-
\??\c:\jrtbxn.exec:\jrtbxn.exe38⤵
- Executes dropped EXE
-
\??\c:\prhhpf.exec:\prhhpf.exe39⤵
- Executes dropped EXE
-
\??\c:\tvlnx.exec:\tvlnx.exe40⤵
- Executes dropped EXE
-
\??\c:\xvltrrn.exec:\xvltrrn.exe41⤵
- Executes dropped EXE
-
\??\c:\nnnhhfh.exec:\nnnhhfh.exe42⤵
- Executes dropped EXE
-
\??\c:\pfdbxf.exec:\pfdbxf.exe43⤵
- Executes dropped EXE
-
\??\c:\hrjbb.exec:\hrjbb.exe44⤵
- Executes dropped EXE
-
\??\c:\lxbvxrl.exec:\lxbvxrl.exe45⤵
- Executes dropped EXE
-
\??\c:\bntxt.exec:\bntxt.exe46⤵
- Executes dropped EXE
-
\??\c:\vntvfdt.exec:\vntvfdt.exe47⤵
- Executes dropped EXE
-
\??\c:\flljx.exec:\flljx.exe48⤵
- Executes dropped EXE
-
\??\c:\plhfxt.exec:\plhfxt.exe49⤵
- Executes dropped EXE
-
\??\c:\lxhdh.exec:\lxhdh.exe50⤵
- Executes dropped EXE
-
\??\c:\tfdvptv.exec:\tfdvptv.exe51⤵
- Executes dropped EXE
-
\??\c:\tbbvjxh.exec:\tbbvjxh.exe52⤵
- Executes dropped EXE
-
\??\c:\bjjdvdn.exec:\bjjdvdn.exe53⤵
- Executes dropped EXE
-
\??\c:\pvbjvbh.exec:\pvbjvbh.exe54⤵
- Executes dropped EXE
-
\??\c:\dntlx.exec:\dntlx.exe55⤵
- Executes dropped EXE
-
\??\c:\txhjl.exec:\txhjl.exe56⤵
- Executes dropped EXE
-
\??\c:\ltrfx.exec:\ltrfx.exe57⤵
- Executes dropped EXE
-
\??\c:\fdjnb.exec:\fdjnb.exe58⤵
- Executes dropped EXE
-
\??\c:\pvbnd.exec:\pvbnd.exe59⤵
- Executes dropped EXE
-
\??\c:\htjpnp.exec:\htjpnp.exe60⤵
- Executes dropped EXE
-
\??\c:\fpjnl.exec:\fpjnl.exe61⤵
- Executes dropped EXE
-
\??\c:\lvhphl.exec:\lvhphl.exe62⤵
- Executes dropped EXE
-
\??\c:\nvvrl.exec:\nvvrl.exe63⤵
- Executes dropped EXE
-
\??\c:\nphrd.exec:\nphrd.exe64⤵
- Executes dropped EXE
-
\??\c:\nntdbxn.exec:\nntdbxn.exe65⤵
- Executes dropped EXE
-
\??\c:\lrfpb.exec:\lrfpb.exe66⤵
-
\??\c:\xxhnfh.exec:\xxhnfh.exe67⤵
-
\??\c:\rhlvlh.exec:\rhlvlh.exe68⤵
-
\??\c:\nrfrv.exec:\nrfrv.exe69⤵
-
\??\c:\jhtdfp.exec:\jhtdfp.exe70⤵
-
\??\c:\rvfpn.exec:\rvfpn.exe71⤵
-
\??\c:\lfvnfnn.exec:\lfvnfnn.exe72⤵
-
\??\c:\ndbbh.exec:\ndbbh.exe73⤵
-
\??\c:\nhfxpf.exec:\nhfxpf.exe74⤵
-
\??\c:\hlnlj.exec:\hlnlj.exe75⤵
-
\??\c:\jxndp.exec:\jxndp.exe76⤵
-
\??\c:\lvrft.exec:\lvrft.exe77⤵
-
\??\c:\lxvjrhj.exec:\lxvjrhj.exe78⤵
-
\??\c:\jrddp.exec:\jrddp.exe79⤵
-
\??\c:\ddfbjd.exec:\ddfbjd.exe80⤵
-
\??\c:\rvfnxlr.exec:\rvfnxlr.exe81⤵
-
\??\c:\xnldt.exec:\xnldt.exe82⤵
-
\??\c:\lrnxp.exec:\lrnxp.exe83⤵
-
\??\c:\lrvlbb.exec:\lrvlbb.exe84⤵
-
\??\c:\lvnnr.exec:\lvnnr.exe85⤵
-
\??\c:\blbtj.exec:\blbtj.exe86⤵
-
\??\c:\xhhtvh.exec:\xhhtvh.exe87⤵
-
\??\c:\ndtrf.exec:\ndtrf.exe88⤵
-
\??\c:\nnbbjj.exec:\nnbbjj.exe89⤵
-
\??\c:\bhrtdpv.exec:\bhrtdpv.exe90⤵
-
\??\c:\fhrbn.exec:\fhrbn.exe91⤵
-
\??\c:\nbxtnlb.exec:\nbxtnlb.exe92⤵
-
\??\c:\lxtxtfn.exec:\lxtxtfn.exe93⤵
-
\??\c:\rlplddf.exec:\rlplddf.exe94⤵
-
\??\c:\tfhbtrr.exec:\tfhbtrr.exe95⤵
-
\??\c:\bdljfp.exec:\bdljfp.exe96⤵
-
\??\c:\tvjll.exec:\tvjll.exe97⤵
-
\??\c:\vxjtblr.exec:\vxjtblr.exe98⤵
-
\??\c:\xbnrpvp.exec:\xbnrpvp.exe99⤵
-
\??\c:\rfpfp.exec:\rfpfp.exe100⤵
-
\??\c:\pjjrrrp.exec:\pjjrrrp.exe101⤵
-
\??\c:\dvvxdd.exec:\dvvxdd.exe102⤵
-
\??\c:\dnhtbbl.exec:\dnhtbbl.exe103⤵
-
\??\c:\nhfndtp.exec:\nhfndtp.exe104⤵
-
\??\c:\jtvbfr.exec:\jtvbfr.exe105⤵
-
\??\c:\vnjhbj.exec:\vnjhbj.exe106⤵
-
\??\c:\lnjrh.exec:\lnjrh.exe107⤵
-
\??\c:\jxrjdd.exec:\jxrjdd.exe108⤵
-
\??\c:\ttflbf.exec:\ttflbf.exe109⤵
-
\??\c:\rtrhd.exec:\rtrhd.exe110⤵
-
\??\c:\tdblnh.exec:\tdblnh.exe111⤵
-
\??\c:\bjlld.exec:\bjlld.exe112⤵
-
\??\c:\pdhbv.exec:\pdhbv.exe113⤵
-
\??\c:\djvpxp.exec:\djvpxp.exe114⤵
-
\??\c:\bfhvdl.exec:\bfhvdl.exe115⤵
-
\??\c:\tnphfx.exec:\tnphfx.exe116⤵
-
\??\c:\rnpnhnp.exec:\rnpnhnp.exe117⤵
-
\??\c:\tnljr.exec:\tnljr.exe118⤵
-
\??\c:\fnhbfhl.exec:\fnhbfhl.exe119⤵
-
\??\c:\rdnbl.exec:\rdnbl.exe120⤵
-
\??\c:\vpnrpjr.exec:\vpnrpjr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-