Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
07-05-2024 19:08
General
-
Target
097c152c6cd4b8b5afabe3bb3fd7c1b0_NEAS.exe
-
Size
334KB
-
MD5
097c152c6cd4b8b5afabe3bb3fd7c1b0
-
SHA1
d2c4b0d7c6ec58e8c67d5cb3a7b2687916a9309d
-
SHA256
f624e1b231ed994cc85337ee6f550e98c8316cfbd97228a8a1b123036117d093
-
SHA512
33738db857653e7dc0d69add084603efee7a2a2ca16a88db9f20dc9c471aa03a14db3f99763c9d6c7393080f6a1a4bf205a7767a812c9391a3462099900459ee
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo7LCgnilBxBqwZK2q6sYTsmZDSFdBE0rXE4efi:n3C9BRo/CEilXBG2qZSlSFdBXExi
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\097c152c6cd4b8b5afabe3bb3fd7c1b0_NEAS.exe"C:\Users\Admin\AppData\Local\Temp\097c152c6cd4b8b5afabe3bb3fd7c1b0_NEAS.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\9frflff.exec:\9frflff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tntnbh.exec:\tntnbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpvjd.exec:\dpvjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9frrlff.exec:\9frrlff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5tbtbt.exec:\5tbtbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1hnntb.exec:\1hnntb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjpv.exec:\dvjpv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lllxffr.exec:\lllxffr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthnbb.exec:\bthnbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvvp.exec:\jjvvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvjdd.exec:\pvjdd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnnhbh.exec:\nnnhbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vppvj.exec:\vppvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9btttt.exec:\9btttt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjjpv.exec:\vjjpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9xffrll.exec:\9xffrll.exe17⤵
- Executes dropped EXE
-
\??\c:\bnbbhb.exec:\bnbbhb.exe18⤵
- Executes dropped EXE
-
\??\c:\1vddv.exec:\1vddv.exe19⤵
- Executes dropped EXE
-
\??\c:\5rfffrx.exec:\5rfffrx.exe20⤵
- Executes dropped EXE
-
\??\c:\3bbnnh.exec:\3bbnnh.exe21⤵
- Executes dropped EXE
-
\??\c:\htbbbt.exec:\htbbbt.exe22⤵
- Executes dropped EXE
-
\??\c:\1vdjp.exec:\1vdjp.exe23⤵
- Executes dropped EXE
-
\??\c:\3flfxll.exec:\3flfxll.exe24⤵
- Executes dropped EXE
-
\??\c:\nhbtht.exec:\nhbtht.exe25⤵
- Executes dropped EXE
-
\??\c:\jpvjd.exec:\jpvjd.exe26⤵
- Executes dropped EXE
-
\??\c:\3flxxxf.exec:\3flxxxf.exe27⤵
- Executes dropped EXE
-
\??\c:\tnttnh.exec:\tnttnh.exe28⤵
- Executes dropped EXE
-
\??\c:\1dvjp.exec:\1dvjp.exe29⤵
- Executes dropped EXE
-
\??\c:\xxrrffr.exec:\xxrrffr.exe30⤵
- Executes dropped EXE
-
\??\c:\fxllxxf.exec:\fxllxxf.exe31⤵
- Executes dropped EXE
-
\??\c:\bbthtt.exec:\bbthtt.exe32⤵
- Executes dropped EXE
-
\??\c:\fxllxfr.exec:\fxllxfr.exe33⤵
- Executes dropped EXE
-
\??\c:\ffxfxlx.exec:\ffxfxlx.exe34⤵
- Executes dropped EXE
-
\??\c:\5bntbb.exec:\5bntbb.exe35⤵
- Executes dropped EXE
-
\??\c:\vjvpj.exec:\vjvpj.exe36⤵
- Executes dropped EXE
-
\??\c:\jvddj.exec:\jvddj.exe37⤵
- Executes dropped EXE
-
\??\c:\lxxlfxx.exec:\lxxlfxx.exe38⤵
- Executes dropped EXE
-
\??\c:\bnthnh.exec:\bnthnh.exe39⤵
- Executes dropped EXE
-
\??\c:\hbhttn.exec:\hbhttn.exe40⤵
- Executes dropped EXE
-
\??\c:\7vdpp.exec:\7vdpp.exe41⤵
- Executes dropped EXE
-
\??\c:\5fllfrr.exec:\5fllfrr.exe42⤵
- Executes dropped EXE
-
\??\c:\lxfrrll.exec:\lxfrrll.exe43⤵
- Executes dropped EXE
-
\??\c:\nhnbhn.exec:\nhnbhn.exe44⤵
- Executes dropped EXE
-
\??\c:\ththnb.exec:\ththnb.exe45⤵
- Executes dropped EXE
-
\??\c:\7jvvd.exec:\7jvvd.exe46⤵
- Executes dropped EXE
-
\??\c:\ffllxff.exec:\ffllxff.exe47⤵
- Executes dropped EXE
-
\??\c:\xflflfr.exec:\xflflfr.exe48⤵
- Executes dropped EXE
-
\??\c:\5htttn.exec:\5htttn.exe49⤵
- Executes dropped EXE
-
\??\c:\bnhhhb.exec:\bnhhhb.exe50⤵
- Executes dropped EXE
-
\??\c:\pjddj.exec:\pjddj.exe51⤵
- Executes dropped EXE
-
\??\c:\ppvvv.exec:\ppvvv.exe52⤵
- Executes dropped EXE
-
\??\c:\5nhhnt.exec:\5nhhnt.exe53⤵
- Executes dropped EXE
-
\??\c:\bnthhb.exec:\bnthhb.exe54⤵
- Executes dropped EXE
-
\??\c:\ddjjp.exec:\ddjjp.exe55⤵
- Executes dropped EXE
-
\??\c:\9lxrlff.exec:\9lxrlff.exe56⤵
- Executes dropped EXE
-
\??\c:\7flrxxx.exec:\7flrxxx.exe57⤵
- Executes dropped EXE
-
\??\c:\7hhttn.exec:\7hhttn.exe58⤵
- Executes dropped EXE
-
\??\c:\jjvjd.exec:\jjvjd.exe59⤵
- Executes dropped EXE
-
\??\c:\jvpjj.exec:\jvpjj.exe60⤵
- Executes dropped EXE
-
\??\c:\lllrrxf.exec:\lllrrxf.exe61⤵
- Executes dropped EXE
-
\??\c:\rfrxfrr.exec:\rfrxfrr.exe62⤵
- Executes dropped EXE
-
\??\c:\nbhnnt.exec:\nbhnnt.exe63⤵
- Executes dropped EXE
-
\??\c:\1tnhnn.exec:\1tnhnn.exe64⤵
- Executes dropped EXE
-
\??\c:\jjdjv.exec:\jjdjv.exe65⤵
- Executes dropped EXE
-
\??\c:\rfxxrrx.exec:\rfxxrrx.exe66⤵
-
\??\c:\frxrrll.exec:\frxrrll.exe67⤵
-
\??\c:\bnttbt.exec:\bnttbt.exe68⤵
-
\??\c:\ttnthb.exec:\ttnthb.exe69⤵
-
\??\c:\jdpvd.exec:\jdpvd.exe70⤵
-
\??\c:\5lxfllr.exec:\5lxfllr.exe71⤵
-
\??\c:\lfllrlr.exec:\lfllrlr.exe72⤵
-
\??\c:\nhhntt.exec:\nhhntt.exe73⤵
-
\??\c:\bthntn.exec:\bthntn.exe74⤵
-
\??\c:\7djpd.exec:\7djpd.exe75⤵
-
\??\c:\1llfffx.exec:\1llfffx.exe76⤵
-
\??\c:\rfffffl.exec:\rfffffl.exe77⤵
-
\??\c:\tnhtbb.exec:\tnhtbb.exe78⤵
-
\??\c:\9bttbh.exec:\9bttbh.exe79⤵
-
\??\c:\7vjdd.exec:\7vjdd.exe80⤵
-
\??\c:\7pdjp.exec:\7pdjp.exe81⤵
-
\??\c:\lxlxrlf.exec:\lxlxrlf.exe82⤵
-
\??\c:\htnnbb.exec:\htnnbb.exe83⤵
-
\??\c:\3tbnnh.exec:\3tbnnh.exe84⤵
-
\??\c:\pddvd.exec:\pddvd.exe85⤵
-
\??\c:\xrlllll.exec:\xrlllll.exe86⤵
-
\??\c:\5fllxxl.exec:\5fllxxl.exe87⤵
-
\??\c:\tbthth.exec:\tbthth.exe88⤵
-
\??\c:\thbbnt.exec:\thbbnt.exe89⤵
-
\??\c:\pjpvv.exec:\pjpvv.exe90⤵
-
\??\c:\lxllllr.exec:\lxllllr.exe91⤵
-
\??\c:\rlrflff.exec:\rlrflff.exe92⤵
-
\??\c:\9rxfxxx.exec:\9rxfxxx.exe93⤵
-
\??\c:\9thttt.exec:\9thttt.exe94⤵
-
\??\c:\jdpvd.exec:\jdpvd.exe95⤵
-
\??\c:\dvdjp.exec:\dvdjp.exe96⤵
-
\??\c:\rlxxfff.exec:\rlxxfff.exe97⤵
-
\??\c:\3ntntn.exec:\3ntntn.exe98⤵
-
\??\c:\nhbhtn.exec:\nhbhtn.exe99⤵
-
\??\c:\jdvvj.exec:\jdvvj.exe100⤵
-
\??\c:\pjvdj.exec:\pjvdj.exe101⤵
-
\??\c:\xlrfxrr.exec:\xlrfxrr.exe102⤵
-
\??\c:\rrflxxl.exec:\rrflxxl.exe103⤵
-
\??\c:\1ntbhn.exec:\1ntbhn.exe104⤵
-
\??\c:\vjvdd.exec:\vjvdd.exe105⤵
-
\??\c:\pjvpp.exec:\pjvpp.exe106⤵
-
\??\c:\7frxxff.exec:\7frxxff.exe107⤵
-
\??\c:\httntn.exec:\httntn.exe108⤵
-
\??\c:\tnbbht.exec:\tnbbht.exe109⤵
-
\??\c:\jvdvd.exec:\jvdvd.exe110⤵
-
\??\c:\pjvvd.exec:\pjvvd.exe111⤵
-
\??\c:\lrfffrx.exec:\lrfffrx.exe112⤵
-
\??\c:\nhthtn.exec:\nhthtn.exe113⤵
-
\??\c:\thnbbn.exec:\thnbbn.exe114⤵
-
\??\c:\ppddp.exec:\ppddp.exe115⤵
-
\??\c:\vdjjd.exec:\vdjjd.exe116⤵
-
\??\c:\rflllrr.exec:\rflllrr.exe117⤵
-
\??\c:\rlrxxxx.exec:\rlrxxxx.exe118⤵
-
\??\c:\thhhnh.exec:\thhhnh.exe119⤵
-
\??\c:\bntthn.exec:\bntthn.exe120⤵
-
\??\c:\1jdjp.exec:\1jdjp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-