Analysis
-
max time kernel
150s -
max time network
111s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
07/05/2024, 10:14
General
-
Target
3a5de6255ae960ed29c14c0924ca87f0_NEAS.exe
-
Size
94KB
-
MD5
3a5de6255ae960ed29c14c0924ca87f0
-
SHA1
9392d956da003dc060ac29d8012c52720098f348
-
SHA256
b51227b96f5473e837eed4127e5a90a5c396d8866d876db50a89761928e6fe27
-
SHA512
c947785c7f4a8d9f0064acf896b4c9752349fc0578ed8442d5300fdaf45e01062a2e8401a60d797d4c8e2f4e3d09bc86782ad2aee3cf94443e400c73fdad5434
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDInWeNCYGyA2R7JxJAg8dtc:ymb3NkkiQ3mdBjFIWeFGyAsJAg2c
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 27 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a5de6255ae960ed29c14c0924ca87f0_NEAS.exe"C:\Users\Admin\AppData\Local\Temp\3a5de6255ae960ed29c14c0924ca87f0_NEAS.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rffxxlf.exec:\rffxxlf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhhhht.exec:\bhhhht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhtttn.exec:\bhtttn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddppd.exec:\ddppd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjpjv.exec:\vjpjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flrrrxx.exec:\flrrrxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3dppv.exec:\3dppv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrrxfl.exec:\rlrrxfl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3rxrxlf.exec:\3rxrxlf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnhnn.exec:\ttnhnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7xffxff.exec:\7xffxff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhbhb.exec:\tnhbhb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnhbtt.exec:\bnhbtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjjj.exec:\ddjjj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrlfxx.exec:\lfrlfxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3ttthh.exec:\3ttthh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvjpp.exec:\vvjpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlrxlxl.exec:\xlrxlxl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlllffx.exec:\xlllffx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbtnhb.exec:\hbtnhb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7vdvp.exec:\7vdvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxrlfxr.exec:\xxrlfxr.exe23⤵
- Executes dropped EXE
-
\??\c:\1bbbtn.exec:\1bbbtn.exe24⤵
- Executes dropped EXE
-
\??\c:\1nhhtb.exec:\1nhhtb.exe25⤵
- Executes dropped EXE
-
\??\c:\jdpjd.exec:\jdpjd.exe26⤵
- Executes dropped EXE
-
\??\c:\1jddv.exec:\1jddv.exe27⤵
- Executes dropped EXE
-
\??\c:\fflfrrl.exec:\fflfrrl.exe28⤵
- Executes dropped EXE
-
\??\c:\hbnhnh.exec:\hbnhnh.exe29⤵
- Executes dropped EXE
-
\??\c:\vppjv.exec:\vppjv.exe30⤵
- Executes dropped EXE
-
\??\c:\dppjv.exec:\dppjv.exe31⤵
- Executes dropped EXE
-
\??\c:\3flrlfx.exec:\3flrlfx.exe32⤵
- Executes dropped EXE
-
\??\c:\nhhbnn.exec:\nhhbnn.exe33⤵
- Executes dropped EXE
-
\??\c:\1vdvd.exec:\1vdvd.exe34⤵
- Executes dropped EXE
-
\??\c:\frxrllf.exec:\frxrllf.exe35⤵
- Executes dropped EXE
-
\??\c:\rxxrrll.exec:\rxxrrll.exe36⤵
- Executes dropped EXE
-
\??\c:\nntnnh.exec:\nntnnh.exe37⤵
- Executes dropped EXE
-
\??\c:\dvdvj.exec:\dvdvj.exe38⤵
- Executes dropped EXE
-
\??\c:\djjdv.exec:\djjdv.exe39⤵
- Executes dropped EXE
-
\??\c:\rfxlrfl.exec:\rfxlrfl.exe40⤵
- Executes dropped EXE
-
\??\c:\7hhtbt.exec:\7hhtbt.exe41⤵
- Executes dropped EXE
-
\??\c:\hthbtb.exec:\hthbtb.exe42⤵
- Executes dropped EXE
-
\??\c:\vdjjj.exec:\vdjjj.exe43⤵
- Executes dropped EXE
-
\??\c:\pvdpv.exec:\pvdpv.exe44⤵
- Executes dropped EXE
-
\??\c:\lfxlfxx.exec:\lfxlfxx.exe45⤵
- Executes dropped EXE
-
\??\c:\nhnhbt.exec:\nhnhbt.exe46⤵
- Executes dropped EXE
-
\??\c:\9jjjv.exec:\9jjjv.exe47⤵
- Executes dropped EXE
-
\??\c:\5dpdp.exec:\5dpdp.exe48⤵
- Executes dropped EXE
-
\??\c:\xlrlfxx.exec:\xlrlfxx.exe49⤵
- Executes dropped EXE
-
\??\c:\lrrrllf.exec:\lrrrllf.exe50⤵
- Executes dropped EXE
-
\??\c:\1nhbtn.exec:\1nhbtn.exe51⤵
- Executes dropped EXE
-
\??\c:\djppj.exec:\djppj.exe52⤵
- Executes dropped EXE
-
\??\c:\vjjdv.exec:\vjjdv.exe53⤵
- Executes dropped EXE
-
\??\c:\9llfxxr.exec:\9llfxxr.exe54⤵
- Executes dropped EXE
-
\??\c:\llrrffx.exec:\llrrffx.exe55⤵
- Executes dropped EXE
-
\??\c:\tbhhbb.exec:\tbhhbb.exe56⤵
- Executes dropped EXE
-
\??\c:\ntnnbb.exec:\ntnnbb.exe57⤵
- Executes dropped EXE
-
\??\c:\dppdd.exec:\dppdd.exe58⤵
- Executes dropped EXE
-
\??\c:\vvvpj.exec:\vvvpj.exe59⤵
- Executes dropped EXE
-
\??\c:\rlffxxl.exec:\rlffxxl.exe60⤵
- Executes dropped EXE
-
\??\c:\nbbtnh.exec:\nbbtnh.exe61⤵
- Executes dropped EXE
-
\??\c:\hnhnht.exec:\hnhnht.exe62⤵
- Executes dropped EXE
-
\??\c:\pjppp.exec:\pjppp.exe63⤵
- Executes dropped EXE
-
\??\c:\ffxxlrl.exec:\ffxxlrl.exe64⤵
- Executes dropped EXE
-
\??\c:\xrlfrrl.exec:\xrlfrrl.exe65⤵
- Executes dropped EXE
-
\??\c:\hhnhbt.exec:\hhnhbt.exe66⤵
-
\??\c:\bbtnbb.exec:\bbtnbb.exe67⤵
-
\??\c:\vvddv.exec:\vvddv.exe68⤵
-
\??\c:\lfxrrll.exec:\lfxrrll.exe69⤵
-
\??\c:\rfxfxxr.exec:\rfxfxxr.exe70⤵
-
\??\c:\bhhbhh.exec:\bhhbhh.exe71⤵
-
\??\c:\bbnhtt.exec:\bbnhtt.exe72⤵
-
\??\c:\pjpvj.exec:\pjpvj.exe73⤵
-
\??\c:\vvvpj.exec:\vvvpj.exe74⤵
-
\??\c:\lfrrllf.exec:\lfrrllf.exe75⤵
-
\??\c:\rrrrfxl.exec:\rrrrfxl.exe76⤵
-
\??\c:\hhhbtn.exec:\hhhbtn.exe77⤵
-
\??\c:\bhtnbb.exec:\bhtnbb.exe78⤵
-
\??\c:\vddpj.exec:\vddpj.exe79⤵
-
\??\c:\rflxrlf.exec:\rflxrlf.exe80⤵
-
\??\c:\tntntn.exec:\tntntn.exe81⤵
-
\??\c:\vjjdv.exec:\vjjdv.exe82⤵
-
\??\c:\ppvvp.exec:\ppvvp.exe83⤵
-
\??\c:\rrlfxff.exec:\rrlfxff.exe84⤵
-
\??\c:\9lrlffx.exec:\9lrlffx.exe85⤵
-
\??\c:\bhnhtt.exec:\bhnhtt.exe86⤵
-
\??\c:\jdjdv.exec:\jdjdv.exe87⤵
-
\??\c:\xxxrffx.exec:\xxxrffx.exe88⤵
-
\??\c:\5rlxxxr.exec:\5rlxxxr.exe89⤵
-
\??\c:\btnnhh.exec:\btnnhh.exe90⤵
-
\??\c:\9vvvp.exec:\9vvvp.exe91⤵
-
\??\c:\xflfxxr.exec:\xflfxxr.exe92⤵
-
\??\c:\lrxlllf.exec:\lrxlllf.exe93⤵
-
\??\c:\htbhhb.exec:\htbhhb.exe94⤵
-
\??\c:\3vpjv.exec:\3vpjv.exe95⤵
-
\??\c:\jvvpd.exec:\jvvpd.exe96⤵
-
\??\c:\xlfxrrl.exec:\xlfxrrl.exe97⤵
-
\??\c:\rfflxxx.exec:\rfflxxx.exe98⤵
-
\??\c:\bhhtnh.exec:\bhhtnh.exe99⤵
-
\??\c:\jpdvp.exec:\jpdvp.exe100⤵
-
\??\c:\9vjdd.exec:\9vjdd.exe101⤵
-
\??\c:\dpdvd.exec:\dpdvd.exe102⤵
-
\??\c:\fffxxxx.exec:\fffxxxx.exe103⤵
-
\??\c:\llfxfxl.exec:\llfxfxl.exe104⤵
-
\??\c:\bhnhhh.exec:\bhnhhh.exe105⤵
-
\??\c:\bbbtnn.exec:\bbbtnn.exe106⤵
-
\??\c:\ddvvp.exec:\ddvvp.exe107⤵
-
\??\c:\jjdvj.exec:\jjdvj.exe108⤵
-
\??\c:\lrxxlll.exec:\lrxxlll.exe109⤵
-
\??\c:\7rrlxxl.exec:\7rrlxxl.exe110⤵
-
\??\c:\tnbbbb.exec:\tnbbbb.exe111⤵
-
\??\c:\nbhhnt.exec:\nbhhnt.exe112⤵
-
\??\c:\vjppv.exec:\vjppv.exe113⤵
-
\??\c:\vjjdp.exec:\vjjdp.exe114⤵
-
\??\c:\rxxrrll.exec:\rxxrrll.exe115⤵
-
\??\c:\lllllxl.exec:\lllllxl.exe116⤵
-
\??\c:\htbttt.exec:\htbttt.exe117⤵
-
\??\c:\bhhbtb.exec:\bhhbtb.exe118⤵
-
\??\c:\pjppd.exec:\pjppd.exe119⤵
-
\??\c:\pdvdp.exec:\pdvdp.exe120⤵
-
\??\c:\rfrlxrr.exec:\rfrlxrr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-