Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
07/05/2024, 14:06
General
-
Target
b32243da2822ead3b36bd8bafc7072d0_NEAS.exe
-
Size
82KB
-
MD5
b32243da2822ead3b36bd8bafc7072d0
-
SHA1
1a098c8765ea939579f10bb7138b75924adf319f
-
SHA256
9ee28a5943547a5740f75427b869e4a3bf2888df89b71bbadbbf06d9969ec28b
-
SHA512
9bca1009d3ba289957c1cfc04f3ec1501cc20f1ad99296c6deb8b1b0694c46492bb89269d8a0c2204fba6dedf907bae93ef6725cc2909b7a3904792e12be02d5
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDInWeNCYGyA2R7JkZPsvg:ymb3NkkiQ3mdBjFIWeFGyA9PJ
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b32243da2822ead3b36bd8bafc7072d0_NEAS.exe"C:\Users\Admin\AppData\Local\Temp\b32243da2822ead3b36bd8bafc7072d0_NEAS.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\3pdpp.exec:\3pdpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxllxfr.exec:\rxllxfr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbbhn.exec:\hhbbhn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjpjp.exec:\vjpjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9fxrffx.exec:\9fxrffx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrxllx.exec:\rlrxllx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhtbhb.exec:\nhtbhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjvj.exec:\ppjvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3frxfxf.exec:\3frxfxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxlxfr.exec:\frxlxfr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hthhnt.exec:\hthhnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbhnn.exec:\tnbhnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpjjv.exec:\vpjjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvvv.exec:\jdvvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxfrxf.exec:\rlxfrxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrxlrr.exec:\rfrxlrr.exe17⤵
- Executes dropped EXE
-
\??\c:\bnbhhh.exec:\bnbhhh.exe18⤵
- Executes dropped EXE
-
\??\c:\vppvp.exec:\vppvp.exe19⤵
- Executes dropped EXE
-
\??\c:\dpvvd.exec:\dpvvd.exe20⤵
- Executes dropped EXE
-
\??\c:\5xfflfl.exec:\5xfflfl.exe21⤵
- Executes dropped EXE
-
\??\c:\xrllxff.exec:\xrllxff.exe22⤵
- Executes dropped EXE
-
\??\c:\bthnnt.exec:\bthnnt.exe23⤵
- Executes dropped EXE
-
\??\c:\3djdj.exec:\3djdj.exe24⤵
- Executes dropped EXE
-
\??\c:\vvpdp.exec:\vvpdp.exe25⤵
- Executes dropped EXE
-
\??\c:\rxflxxf.exec:\rxflxxf.exe26⤵
- Executes dropped EXE
-
\??\c:\fxlllrx.exec:\fxlllrx.exe27⤵
- Executes dropped EXE
-
\??\c:\7nbbbn.exec:\7nbbbn.exe28⤵
- Executes dropped EXE
-
\??\c:\vpddj.exec:\vpddj.exe29⤵
- Executes dropped EXE
-
\??\c:\jjvvp.exec:\jjvvp.exe30⤵
- Executes dropped EXE
-
\??\c:\rrlllrx.exec:\rrlllrx.exe31⤵
- Executes dropped EXE
-
\??\c:\5thnth.exec:\5thnth.exe32⤵
- Executes dropped EXE
-
\??\c:\thnbhn.exec:\thnbhn.exe33⤵
- Executes dropped EXE
-
\??\c:\ddpvv.exec:\ddpvv.exe34⤵
- Executes dropped EXE
-
\??\c:\1vdjj.exec:\1vdjj.exe35⤵
- Executes dropped EXE
-
\??\c:\frxrrrx.exec:\frxrrrx.exe36⤵
- Executes dropped EXE
-
\??\c:\5nbntb.exec:\5nbntb.exe37⤵
- Executes dropped EXE
-
\??\c:\1thhbb.exec:\1thhbb.exe38⤵
- Executes dropped EXE
-
\??\c:\dvppv.exec:\dvppv.exe39⤵
- Executes dropped EXE
-
\??\c:\vjdjj.exec:\vjdjj.exe40⤵
- Executes dropped EXE
-
\??\c:\3jppp.exec:\3jppp.exe41⤵
- Executes dropped EXE
-
\??\c:\lfrrrrx.exec:\lfrrrrx.exe42⤵
- Executes dropped EXE
-
\??\c:\rfrrlll.exec:\rfrrlll.exe43⤵
- Executes dropped EXE
-
\??\c:\tntbtb.exec:\tntbtb.exe44⤵
- Executes dropped EXE
-
\??\c:\tbntbt.exec:\tbntbt.exe45⤵
- Executes dropped EXE
-
\??\c:\5dvpp.exec:\5dvpp.exe46⤵
- Executes dropped EXE
-
\??\c:\vjvdp.exec:\vjvdp.exe47⤵
- Executes dropped EXE
-
\??\c:\lxfllrx.exec:\lxfllrx.exe48⤵
- Executes dropped EXE
-
\??\c:\fxrfxfx.exec:\fxrfxfx.exe49⤵
- Executes dropped EXE
-
\??\c:\3nnnbb.exec:\3nnnbb.exe50⤵
- Executes dropped EXE
-
\??\c:\1nhnnn.exec:\1nhnnn.exe51⤵
- Executes dropped EXE
-
\??\c:\5vppp.exec:\5vppp.exe52⤵
- Executes dropped EXE
-
\??\c:\xrflfxx.exec:\xrflfxx.exe53⤵
- Executes dropped EXE
-
\??\c:\lflxlxr.exec:\lflxlxr.exe54⤵
- Executes dropped EXE
-
\??\c:\1bthtb.exec:\1bthtb.exe55⤵
- Executes dropped EXE
-
\??\c:\nbnbht.exec:\nbnbht.exe56⤵
- Executes dropped EXE
-
\??\c:\3djjd.exec:\3djjd.exe57⤵
- Executes dropped EXE
-
\??\c:\7dppp.exec:\7dppp.exe58⤵
- Executes dropped EXE
-
\??\c:\9rlrxxl.exec:\9rlrxxl.exe59⤵
- Executes dropped EXE
-
\??\c:\rlxxrlr.exec:\rlxxrlr.exe60⤵
- Executes dropped EXE
-
\??\c:\7hhthn.exec:\7hhthn.exe61⤵
- Executes dropped EXE
-
\??\c:\thhtbt.exec:\thhtbt.exe62⤵
- Executes dropped EXE
-
\??\c:\vpppv.exec:\vpppv.exe63⤵
- Executes dropped EXE
-
\??\c:\vjddp.exec:\vjddp.exe64⤵
- Executes dropped EXE
-
\??\c:\7lxxrxf.exec:\7lxxrxf.exe65⤵
- Executes dropped EXE
-
\??\c:\lfrxlfr.exec:\lfrxlfr.exe66⤵
-
\??\c:\hbhnnt.exec:\hbhnnt.exe67⤵
-
\??\c:\5nbttn.exec:\5nbttn.exe68⤵
-
\??\c:\vpdjp.exec:\vpdjp.exe69⤵
-
\??\c:\jvddj.exec:\jvddj.exe70⤵
-
\??\c:\thttbb.exec:\thttbb.exe71⤵
-
\??\c:\nthnnn.exec:\nthnnn.exe72⤵
-
\??\c:\1dddd.exec:\1dddd.exe73⤵
-
\??\c:\dpjpj.exec:\dpjpj.exe74⤵
-
\??\c:\3ddpd.exec:\3ddpd.exe75⤵
-
\??\c:\xllrlrr.exec:\xllrlrr.exe76⤵
-
\??\c:\9btnbn.exec:\9btnbn.exe77⤵
-
\??\c:\tnbhbh.exec:\tnbhbh.exe78⤵
-
\??\c:\1jvpp.exec:\1jvpp.exe79⤵
-
\??\c:\1pvvd.exec:\1pvvd.exe80⤵
-
\??\c:\fffllxr.exec:\fffllxr.exe81⤵
-
\??\c:\lrrlfrf.exec:\lrrlfrf.exe82⤵
-
\??\c:\tnthbh.exec:\tnthbh.exe83⤵
-
\??\c:\3hnnhn.exec:\3hnnhn.exe84⤵
-
\??\c:\9tbbnt.exec:\9tbbnt.exe85⤵
-
\??\c:\9pvdj.exec:\9pvdj.exe86⤵
-
\??\c:\ppjdd.exec:\ppjdd.exe87⤵
-
\??\c:\3xlrxxr.exec:\3xlrxxr.exe88⤵
-
\??\c:\ffxlrrr.exec:\ffxlrrr.exe89⤵
-
\??\c:\hbthnb.exec:\hbthnb.exe90⤵
-
\??\c:\nhhtbb.exec:\nhhtbb.exe91⤵
-
\??\c:\jjdjv.exec:\jjdjv.exe92⤵
-
\??\c:\vvdjp.exec:\vvdjp.exe93⤵
-
\??\c:\1vjpp.exec:\1vjpp.exe94⤵
-
\??\c:\7llxlfx.exec:\7llxlfx.exe95⤵
-
\??\c:\1rlrfll.exec:\1rlrfll.exe96⤵
-
\??\c:\lrlrfxx.exec:\lrlrfxx.exe97⤵
-
\??\c:\7bhbtn.exec:\7bhbtn.exe98⤵
-
\??\c:\bbnnbh.exec:\bbnnbh.exe99⤵
-
\??\c:\vjddd.exec:\vjddd.exe100⤵
-
\??\c:\dpvdd.exec:\dpvdd.exe101⤵
-
\??\c:\xrxflrx.exec:\xrxflrx.exe102⤵
-
\??\c:\7llffxf.exec:\7llffxf.exe103⤵
-
\??\c:\frflfrf.exec:\frflfrf.exe104⤵
-
\??\c:\httnbb.exec:\httnbb.exe105⤵
-
\??\c:\nhhnnn.exec:\nhhnnn.exe106⤵
-
\??\c:\dpvdd.exec:\dpvdd.exe107⤵
-
\??\c:\1pppv.exec:\1pppv.exe108⤵
-
\??\c:\5xllfff.exec:\5xllfff.exe109⤵
-
\??\c:\fxrfflf.exec:\fxrfflf.exe110⤵
-
\??\c:\nhbhnt.exec:\nhbhnt.exe111⤵
-
\??\c:\ttntbb.exec:\ttntbb.exe112⤵
-
\??\c:\vpjjj.exec:\vpjjj.exe113⤵
-
\??\c:\pvjjd.exec:\pvjjd.exe114⤵
-
\??\c:\fxrlrfr.exec:\fxrlrfr.exe115⤵
-
\??\c:\3rfrxxl.exec:\3rfrxxl.exe116⤵
-
\??\c:\5nhntt.exec:\5nhntt.exe117⤵
-
\??\c:\9nhnbb.exec:\9nhnbb.exe118⤵
-
\??\c:\dpdpv.exec:\dpdpv.exe119⤵
-
\??\c:\pdjjv.exec:\pdjjv.exe120⤵
-
\??\c:\dddpj.exec:\dddpj.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-