Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
07/05/2024, 10:14
General
-
Target
3a5de6255ae960ed29c14c0924ca87f0_NEAS.exe
-
Size
94KB
-
MD5
3a5de6255ae960ed29c14c0924ca87f0
-
SHA1
9392d956da003dc060ac29d8012c52720098f348
-
SHA256
b51227b96f5473e837eed4127e5a90a5c396d8866d876db50a89761928e6fe27
-
SHA512
c947785c7f4a8d9f0064acf896b4c9752349fc0578ed8442d5300fdaf45e01062a2e8401a60d797d4c8e2f4e3d09bc86782ad2aee3cf94443e400c73fdad5434
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDInWeNCYGyA2R7JxJAg8dtc:ymb3NkkiQ3mdBjFIWeFGyAsJAg2c
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 19 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a5de6255ae960ed29c14c0924ca87f0_NEAS.exe"C:\Users\Admin\AppData\Local\Temp\3a5de6255ae960ed29c14c0924ca87f0_NEAS.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\flrrrll.exec:\flrrrll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbhhth.exec:\bbhhth.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1dvvv.exec:\1dvvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxrrrf.exec:\xlxrrrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrlxxlr.exec:\rrlxxlr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbnht.exec:\nhbnht.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1pjpv.exec:\1pjpv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvdj.exec:\pjvdj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdppv.exec:\jdppv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrrfll.exec:\xrrrfll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bttttb.exec:\bttttb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thtbbh.exec:\thtbbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3pdjj.exec:\3pdjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1jvjp.exec:\1jvjp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrflllx.exec:\xrflllx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7xxfrrr.exec:\7xxfrrr.exe17⤵
- Executes dropped EXE
-
\??\c:\bnbtbt.exec:\bnbtbt.exe18⤵
- Executes dropped EXE
-
\??\c:\3jpvv.exec:\3jpvv.exe19⤵
- Executes dropped EXE
-
\??\c:\vvdjp.exec:\vvdjp.exe20⤵
- Executes dropped EXE
-
\??\c:\xlrxrrx.exec:\xlrxrrx.exe21⤵
- Executes dropped EXE
-
\??\c:\1xxfffl.exec:\1xxfffl.exe22⤵
- Executes dropped EXE
-
\??\c:\1hthtn.exec:\1hthtn.exe23⤵
- Executes dropped EXE
-
\??\c:\vpdjp.exec:\vpdjp.exe24⤵
- Executes dropped EXE
-
\??\c:\1dpdd.exec:\1dpdd.exe25⤵
- Executes dropped EXE
-
\??\c:\xrlfflf.exec:\xrlfflf.exe26⤵
- Executes dropped EXE
-
\??\c:\5lrlxxl.exec:\5lrlxxl.exe27⤵
- Executes dropped EXE
-
\??\c:\httnbt.exec:\httnbt.exe28⤵
- Executes dropped EXE
-
\??\c:\1bttbh.exec:\1bttbh.exe29⤵
- Executes dropped EXE
-
\??\c:\dpvdj.exec:\dpvdj.exe30⤵
- Executes dropped EXE
-
\??\c:\5lxxffl.exec:\5lxxffl.exe31⤵
- Executes dropped EXE
-
\??\c:\1rxrxfl.exec:\1rxrxfl.exe32⤵
- Executes dropped EXE
-
\??\c:\bnbthb.exec:\bnbthb.exe33⤵
- Executes dropped EXE
-
\??\c:\jjvjp.exec:\jjvjp.exe34⤵
- Executes dropped EXE
-
\??\c:\3jdpv.exec:\3jdpv.exe35⤵
- Executes dropped EXE
-
\??\c:\lfrxxfl.exec:\lfrxxfl.exe36⤵
- Executes dropped EXE
-
\??\c:\nnbthh.exec:\nnbthh.exe37⤵
- Executes dropped EXE
-
\??\c:\tntbhh.exec:\tntbhh.exe38⤵
- Executes dropped EXE
-
\??\c:\jvddj.exec:\jvddj.exe39⤵
- Executes dropped EXE
-
\??\c:\ppjjp.exec:\ppjjp.exe40⤵
- Executes dropped EXE
-
\??\c:\xrfxflx.exec:\xrfxflx.exe41⤵
- Executes dropped EXE
-
\??\c:\rlxxfxf.exec:\rlxxfxf.exe42⤵
- Executes dropped EXE
-
\??\c:\tnntbb.exec:\tnntbb.exe43⤵
- Executes dropped EXE
-
\??\c:\9hhnnh.exec:\9hhnnh.exe44⤵
- Executes dropped EXE
-
\??\c:\jppdd.exec:\jppdd.exe45⤵
- Executes dropped EXE
-
\??\c:\vpjjj.exec:\vpjjj.exe46⤵
- Executes dropped EXE
-
\??\c:\xlflllx.exec:\xlflllx.exe47⤵
- Executes dropped EXE
-
\??\c:\nbnhhn.exec:\nbnhhn.exe48⤵
- Executes dropped EXE
-
\??\c:\btbhhb.exec:\btbhhb.exe49⤵
- Executes dropped EXE
-
\??\c:\vjpjp.exec:\vjpjp.exe50⤵
- Executes dropped EXE
-
\??\c:\9pvjp.exec:\9pvjp.exe51⤵
- Executes dropped EXE
-
\??\c:\rrxxrrr.exec:\rrxxrrr.exe52⤵
- Executes dropped EXE
-
\??\c:\lxxflll.exec:\lxxflll.exe53⤵
- Executes dropped EXE
-
\??\c:\tbhbbn.exec:\tbhbbn.exe54⤵
- Executes dropped EXE
-
\??\c:\nbbhnt.exec:\nbbhnt.exe55⤵
- Executes dropped EXE
-
\??\c:\9vdpv.exec:\9vdpv.exe56⤵
- Executes dropped EXE
-
\??\c:\5pddd.exec:\5pddd.exe57⤵
- Executes dropped EXE
-
\??\c:\frlrrll.exec:\frlrrll.exe58⤵
- Executes dropped EXE
-
\??\c:\rfxxxxf.exec:\rfxxxxf.exe59⤵
- Executes dropped EXE
-
\??\c:\thbhbt.exec:\thbhbt.exe60⤵
- Executes dropped EXE
-
\??\c:\1hbntt.exec:\1hbntt.exe61⤵
- Executes dropped EXE
-
\??\c:\jjjdd.exec:\jjjdd.exe62⤵
- Executes dropped EXE
-
\??\c:\jpvjd.exec:\jpvjd.exe63⤵
- Executes dropped EXE
-
\??\c:\frxrllx.exec:\frxrllx.exe64⤵
- Executes dropped EXE
-
\??\c:\xlrxlfl.exec:\xlrxlfl.exe65⤵
- Executes dropped EXE
-
\??\c:\5bhbnh.exec:\5bhbnh.exe66⤵
-
\??\c:\bnhthh.exec:\bnhthh.exe67⤵
-
\??\c:\7pvdd.exec:\7pvdd.exe68⤵
-
\??\c:\vddvp.exec:\vddvp.exe69⤵
-
\??\c:\rxrllfl.exec:\rxrllfl.exe70⤵
-
\??\c:\lrxffff.exec:\lrxffff.exe71⤵
-
\??\c:\xflxfll.exec:\xflxfll.exe72⤵
-
\??\c:\htttnh.exec:\htttnh.exe73⤵
-
\??\c:\nbbtbt.exec:\nbbtbt.exe74⤵
-
\??\c:\htbtnb.exec:\htbtnb.exe75⤵
-
\??\c:\dpvvj.exec:\dpvvj.exe76⤵
-
\??\c:\djjdd.exec:\djjdd.exe77⤵
-
\??\c:\rflffxf.exec:\rflffxf.exe78⤵
-
\??\c:\xlrlrff.exec:\xlrlrff.exe79⤵
-
\??\c:\5lxxxrr.exec:\5lxxxrr.exe80⤵
-
\??\c:\nbthtn.exec:\nbthtn.exe81⤵
-
\??\c:\7tbttn.exec:\7tbttn.exe82⤵
-
\??\c:\1pvpd.exec:\1pvpd.exe83⤵
-
\??\c:\vpjpp.exec:\vpjpp.exe84⤵
-
\??\c:\lffxxxr.exec:\lffxxxr.exe85⤵
-
\??\c:\xfxrxxx.exec:\xfxrxxx.exe86⤵
-
\??\c:\3thbbt.exec:\3thbbt.exe87⤵
-
\??\c:\nhhtbh.exec:\nhhtbh.exe88⤵
-
\??\c:\dpppv.exec:\dpppv.exe89⤵
-
\??\c:\ppjjv.exec:\ppjjv.exe90⤵
-
\??\c:\7jvjp.exec:\7jvjp.exe91⤵
-
\??\c:\frfxrll.exec:\frfxrll.exe92⤵
-
\??\c:\5xlxlxx.exec:\5xlxlxx.exe93⤵
-
\??\c:\7nbttn.exec:\7nbttn.exe94⤵
-
\??\c:\thnhtt.exec:\thnhtt.exe95⤵
-
\??\c:\pvjjj.exec:\pvjjj.exe96⤵
-
\??\c:\pvvpp.exec:\pvvpp.exe97⤵
-
\??\c:\dpddd.exec:\dpddd.exe98⤵
-
\??\c:\lrrllff.exec:\lrrllff.exe99⤵
-
\??\c:\1fxfrlx.exec:\1fxfrlx.exe100⤵
-
\??\c:\bnbtbt.exec:\bnbtbt.exe101⤵
-
\??\c:\5tnntn.exec:\5tnntn.exe102⤵
-
\??\c:\vpdvp.exec:\vpdvp.exe103⤵
-
\??\c:\9jpjv.exec:\9jpjv.exe104⤵
-
\??\c:\9djpp.exec:\9djpp.exe105⤵
-
\??\c:\lxxxfxf.exec:\lxxxfxf.exe106⤵
-
\??\c:\frxxfrr.exec:\frxxfrr.exe107⤵
-
\??\c:\ttbbbn.exec:\ttbbbn.exe108⤵
-
\??\c:\9bbbbh.exec:\9bbbbh.exe109⤵
-
\??\c:\pdppv.exec:\pdppv.exe110⤵
-
\??\c:\pdjdp.exec:\pdjdp.exe111⤵
-
\??\c:\rfflrll.exec:\rfflrll.exe112⤵
-
\??\c:\3xrrrrx.exec:\3xrrrrx.exe113⤵
-
\??\c:\rfxfxff.exec:\rfxfxff.exe114⤵
-
\??\c:\nbhbbn.exec:\nbhbbn.exe115⤵
-
\??\c:\1bhhbt.exec:\1bhhbt.exe116⤵
-
\??\c:\jdvvv.exec:\jdvvv.exe117⤵
-
\??\c:\dpvvj.exec:\dpvvj.exe118⤵
-
\??\c:\fxlrlll.exec:\fxlrlll.exe119⤵
-
\??\c:\xllxllr.exec:\xllxllr.exe120⤵
-
\??\c:\thhbhb.exec:\thhbhb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-