Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
07/05/2024, 03:01
General
-
Target
56296b04cf8c07fdb58053bbc0fc73f0_NEAS.exe
-
Size
193KB
-
MD5
56296b04cf8c07fdb58053bbc0fc73f0
-
SHA1
99b04a5c697aed80594c0a9bcf03078f1a27f9ca
-
SHA256
96bb8fdf903fb894e8a92900b17c60b60ac3bc7837fc3544f595b670d44dc2da
-
SHA512
37eb21f9be49d7e6f73fd7cb617112e379c3bc9148b161beed672072f2a650e591c569b7a7b03f0291c74696d5788c42f4d3984a65aa1499f608a37d99c96c0a
-
SSDEEP
1536:VvQBeOGtrYSSsrc93UBIfdC67m6AJiqHlHdmAW2:VhOm2sI93UufdC67ciVAW2
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 45 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\56296b04cf8c07fdb58053bbc0fc73f0_NEAS.exe"C:\Users\Admin\AppData\Local\Temp\56296b04cf8c07fdb58053bbc0fc73f0_NEAS.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\1pvjd.exec:\1pvjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxlllrx.exec:\rxlllrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1lxrffr.exec:\1lxrffr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjdjd.exec:\jjdjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvpj.exec:\jdvpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxfllx.exec:\rfxfllx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrlxxfr.exec:\xrlxxfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9pjpd.exec:\9pjpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdddj.exec:\jdddj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrffrx.exec:\lfrffrx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbtnhn.exec:\tbtnhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7pjpj.exec:\7pjpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxllxxf.exec:\lxllxxf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5bbthh.exec:\5bbthh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbbtth.exec:\bbbtth.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3rxrrxx.exec:\3rxrrxx.exe17⤵
- Executes dropped EXE
-
\??\c:\lrlrffr.exec:\lrlrffr.exe18⤵
- Executes dropped EXE
-
\??\c:\hbhhtt.exec:\hbhhtt.exe19⤵
- Executes dropped EXE
-
\??\c:\pjddv.exec:\pjddv.exe20⤵
- Executes dropped EXE
-
\??\c:\ppjjd.exec:\ppjjd.exe21⤵
- Executes dropped EXE
-
\??\c:\5lflxfr.exec:\5lflxfr.exe22⤵
- Executes dropped EXE
-
\??\c:\dvvpd.exec:\dvvpd.exe23⤵
- Executes dropped EXE
-
\??\c:\7vvvv.exec:\7vvvv.exe24⤵
- Executes dropped EXE
-
\??\c:\lxrflrx.exec:\lxrflrx.exe25⤵
- Executes dropped EXE
-
\??\c:\hbtttb.exec:\hbtttb.exe26⤵
- Executes dropped EXE
-
\??\c:\ppdvp.exec:\ppdvp.exe27⤵
- Executes dropped EXE
-
\??\c:\fxrxfrf.exec:\fxrxfrf.exe28⤵
- Executes dropped EXE
-
\??\c:\lxfrlxx.exec:\lxfrlxx.exe29⤵
- Executes dropped EXE
-
\??\c:\1tntht.exec:\1tntht.exe30⤵
- Executes dropped EXE
-
\??\c:\3dvvd.exec:\3dvvd.exe31⤵
- Executes dropped EXE
-
\??\c:\xlfrlxl.exec:\xlfrlxl.exe32⤵
- Executes dropped EXE
-
\??\c:\5xrrlrf.exec:\5xrrlrf.exe33⤵
- Executes dropped EXE
-
\??\c:\hhthbh.exec:\hhthbh.exe34⤵
- Executes dropped EXE
-
\??\c:\9pjdp.exec:\9pjdp.exe35⤵
- Executes dropped EXE
-
\??\c:\5pppv.exec:\5pppv.exe36⤵
- Executes dropped EXE
-
\??\c:\rlxxflf.exec:\rlxxflf.exe37⤵
- Executes dropped EXE
-
\??\c:\rfllrrx.exec:\rfllrrx.exe38⤵
- Executes dropped EXE
-
\??\c:\1tthnt.exec:\1tthnt.exe39⤵
- Executes dropped EXE
-
\??\c:\5bbbtt.exec:\5bbbtt.exe40⤵
- Executes dropped EXE
-
\??\c:\jdppp.exec:\jdppp.exe41⤵
- Executes dropped EXE
-
\??\c:\ppjpd.exec:\ppjpd.exe42⤵
- Executes dropped EXE
-
\??\c:\frlrxfx.exec:\frlrxfx.exe43⤵
- Executes dropped EXE
-
\??\c:\lxrxxfl.exec:\lxrxxfl.exe44⤵
- Executes dropped EXE
-
\??\c:\bttbnt.exec:\bttbnt.exe45⤵
- Executes dropped EXE
-
\??\c:\bthnbn.exec:\bthnbn.exe46⤵
- Executes dropped EXE
-
\??\c:\dvjjv.exec:\dvjjv.exe47⤵
- Executes dropped EXE
-
\??\c:\jdjjv.exec:\jdjjv.exe48⤵
- Executes dropped EXE
-
\??\c:\fxxxfrr.exec:\fxxxfrr.exe49⤵
- Executes dropped EXE
-
\??\c:\lxrrxfl.exec:\lxrrxfl.exe50⤵
- Executes dropped EXE
-
\??\c:\btntnt.exec:\btntnt.exe51⤵
- Executes dropped EXE
-
\??\c:\tthntt.exec:\tthntt.exe52⤵
- Executes dropped EXE
-
\??\c:\dvpvd.exec:\dvpvd.exe53⤵
- Executes dropped EXE
-
\??\c:\ddpvj.exec:\ddpvj.exe54⤵
- Executes dropped EXE
-
\??\c:\rlxxxxr.exec:\rlxxxxr.exe55⤵
- Executes dropped EXE
-
\??\c:\xxrxlxf.exec:\xxrxlxf.exe56⤵
- Executes dropped EXE
-
\??\c:\htbthh.exec:\htbthh.exe57⤵
- Executes dropped EXE
-
\??\c:\bthntb.exec:\bthntb.exe58⤵
- Executes dropped EXE
-
\??\c:\jjvjp.exec:\jjvjp.exe59⤵
- Executes dropped EXE
-
\??\c:\xfrlrxr.exec:\xfrlrxr.exe60⤵
- Executes dropped EXE
-
\??\c:\rfxxrrf.exec:\rfxxrrf.exe61⤵
- Executes dropped EXE
-
\??\c:\5bbhnt.exec:\5bbhnt.exe62⤵
- Executes dropped EXE
-
\??\c:\bthnbh.exec:\bthnbh.exe63⤵
- Executes dropped EXE
-
\??\c:\jjdpv.exec:\jjdpv.exe64⤵
- Executes dropped EXE
-
\??\c:\jvjpv.exec:\jvjpv.exe65⤵
- Executes dropped EXE
-
\??\c:\rlrlrrf.exec:\rlrlrrf.exe66⤵
-
\??\c:\rlfffrx.exec:\rlfffrx.exe67⤵
-
\??\c:\bbtthn.exec:\bbtthn.exe68⤵
-
\??\c:\5ttbnb.exec:\5ttbnb.exe69⤵
-
\??\c:\jpdjp.exec:\jpdjp.exe70⤵
-
\??\c:\rfrxlrx.exec:\rfrxlrx.exe71⤵
-
\??\c:\lfxxlfl.exec:\lfxxlfl.exe72⤵
-
\??\c:\ttnhtn.exec:\ttnhtn.exe73⤵
-
\??\c:\nbhntn.exec:\nbhntn.exe74⤵
-
\??\c:\9pjdj.exec:\9pjdj.exe75⤵
-
\??\c:\1pvpd.exec:\1pvpd.exe76⤵
-
\??\c:\rlllxxl.exec:\rlllxxl.exe77⤵
-
\??\c:\xrlfrfr.exec:\xrlfrfr.exe78⤵
-
\??\c:\hhhhtb.exec:\hhhhtb.exe79⤵
-
\??\c:\5ttntt.exec:\5ttntt.exe80⤵
-
\??\c:\vpddj.exec:\vpddj.exe81⤵
-
\??\c:\pjpdj.exec:\pjpdj.exe82⤵
-
\??\c:\rlffflx.exec:\rlffflx.exe83⤵
-
\??\c:\ffxxllr.exec:\ffxxllr.exe84⤵
-
\??\c:\thhtth.exec:\thhtth.exe85⤵
-
\??\c:\vpjjd.exec:\vpjjd.exe86⤵
-
\??\c:\vpddd.exec:\vpddd.exe87⤵
-
\??\c:\xxrlflx.exec:\xxrlflx.exe88⤵
-
\??\c:\rrlrxxf.exec:\rrlrxxf.exe89⤵
-
\??\c:\hbnttt.exec:\hbnttt.exe90⤵
-
\??\c:\hnbnbt.exec:\hnbnbt.exe91⤵
-
\??\c:\5pddd.exec:\5pddd.exe92⤵
-
\??\c:\jdpdv.exec:\jdpdv.exe93⤵
-
\??\c:\7lffrrf.exec:\7lffrrf.exe94⤵
-
\??\c:\frflxxx.exec:\frflxxx.exe95⤵
-
\??\c:\7tnnbh.exec:\7tnnbh.exe96⤵
-
\??\c:\btnntt.exec:\btnntt.exe97⤵
-
\??\c:\vpddv.exec:\vpddv.exe98⤵
-
\??\c:\dddjd.exec:\dddjd.exe99⤵
-
\??\c:\ffrrflx.exec:\ffrrflx.exe100⤵
-
\??\c:\ffflxxl.exec:\ffflxxl.exe101⤵
-
\??\c:\tnhhtt.exec:\tnhhtt.exe102⤵
-
\??\c:\nnhtbb.exec:\nnhtbb.exe103⤵
-
\??\c:\5ppvj.exec:\5ppvj.exe104⤵
-
\??\c:\dvvvj.exec:\dvvvj.exe105⤵
-
\??\c:\5rllrrf.exec:\5rllrrf.exe106⤵
-
\??\c:\xrlrxfl.exec:\xrlrxfl.exe107⤵
-
\??\c:\bbttbh.exec:\bbttbh.exe108⤵
-
\??\c:\nnhhnn.exec:\nnhhnn.exe109⤵
-
\??\c:\3pjjp.exec:\3pjjp.exe110⤵
-
\??\c:\9jvdv.exec:\9jvdv.exe111⤵
-
\??\c:\1vvvp.exec:\1vvvp.exe112⤵
-
\??\c:\1rrfxxl.exec:\1rrfxxl.exe113⤵
-
\??\c:\1flxlxx.exec:\1flxlxx.exe114⤵
-
\??\c:\5thhhh.exec:\5thhhh.exe115⤵
-
\??\c:\9dvdj.exec:\9dvdj.exe116⤵
-
\??\c:\pjvvj.exec:\pjvvj.exe117⤵
-
\??\c:\vpdpv.exec:\vpdpv.exe118⤵
-
\??\c:\5xllxfl.exec:\5xllxfl.exe119⤵
-
\??\c:\1xfflll.exec:\1xfflll.exe120⤵
-
\??\c:\7htbht.exec:\7htbht.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-