Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
07/05/2024, 21:56
General
-
Target
45ad4a225521a820122f30c93a1a1880_NEIKI.exe
-
Size
441KB
-
MD5
45ad4a225521a820122f30c93a1a1880
-
SHA1
a25c29353069b78a00d308fdf17f8f0ecd2f5d82
-
SHA256
8eb76559650e76d1019b09d77bf25267d9677410a14bb61ec31c30931e85b331
-
SHA512
d757b16f9abfc5a1ed3cdec65f3dfc177f897a2f953253cf6ea26908ead990156175a965703439db0837242705a729fe531d5c81c591e69282c7588fe5232238
-
SSDEEP
12288:M4wFHoSpg4wFHonR/nPF2LnFL4wF04wFK4wFK4wlu3:UrR/nPW
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 58 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\45ad4a225521a820122f30c93a1a1880_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\45ad4a225521a820122f30c93a1a1880_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\7lfrlxr.exec:\7lfrlxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nthhnh.exec:\nthhnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbnhn.exec:\btbnhn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdddd.exec:\jdddd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdpp.exec:\pjdpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhhnbb.exec:\nhhnbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppdpd.exec:\ppdpd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxlxfr.exec:\lfxlxfr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbtbnn.exec:\tbtbnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hthbbb.exec:\hthbbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7vpvd.exec:\7vpvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlfrrll.exec:\xlfrrll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnbhnn.exec:\hnbhnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pddpd.exec:\pddpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llxrxfr.exec:\llxrxfr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjjv.exec:\dvjjv.exe17⤵
- Executes dropped EXE
-
\??\c:\lllrxxf.exec:\lllrxxf.exe18⤵
- Executes dropped EXE
-
\??\c:\ttttth.exec:\ttttth.exe19⤵
- Executes dropped EXE
-
\??\c:\dvppd.exec:\dvppd.exe20⤵
- Executes dropped EXE
-
\??\c:\dvjpv.exec:\dvjpv.exe21⤵
- Executes dropped EXE
-
\??\c:\frrllxf.exec:\frrllxf.exe22⤵
- Executes dropped EXE
-
\??\c:\nhhhtn.exec:\nhhhtn.exe23⤵
- Executes dropped EXE
-
\??\c:\htbhhh.exec:\htbhhh.exe24⤵
- Executes dropped EXE
-
\??\c:\7bhhtn.exec:\7bhhtn.exe25⤵
- Executes dropped EXE
-
\??\c:\bthnbh.exec:\bthnbh.exe26⤵
- Executes dropped EXE
-
\??\c:\rrxfxll.exec:\rrxfxll.exe27⤵
- Executes dropped EXE
-
\??\c:\hbbtbh.exec:\hbbtbh.exe28⤵
- Executes dropped EXE
-
\??\c:\7vjvj.exec:\7vjvj.exe29⤵
- Executes dropped EXE
-
\??\c:\7pppd.exec:\7pppd.exe30⤵
- Executes dropped EXE
-
\??\c:\jjvjv.exec:\jjvjv.exe31⤵
- Executes dropped EXE
-
\??\c:\httbnt.exec:\httbnt.exe32⤵
- Executes dropped EXE
-
\??\c:\ddvdp.exec:\ddvdp.exe33⤵
- Executes dropped EXE
-
\??\c:\7tthtb.exec:\7tthtb.exe34⤵
- Executes dropped EXE
-
\??\c:\ttntnb.exec:\ttntnb.exe35⤵
- Executes dropped EXE
-
\??\c:\7vddd.exec:\7vddd.exe36⤵
- Executes dropped EXE
-
\??\c:\tnnbtb.exec:\tnnbtb.exe37⤵
- Executes dropped EXE
-
\??\c:\bbtbnt.exec:\bbtbnt.exe38⤵
- Executes dropped EXE
-
\??\c:\vvjdj.exec:\vvjdj.exe39⤵
- Executes dropped EXE
-
\??\c:\fxrxllr.exec:\fxrxllr.exe40⤵
- Executes dropped EXE
-
\??\c:\7lxfrxf.exec:\7lxfrxf.exe41⤵
- Executes dropped EXE
-
\??\c:\hhbtht.exec:\hhbtht.exe42⤵
- Executes dropped EXE
-
\??\c:\9vpjp.exec:\9vpjp.exe43⤵
- Executes dropped EXE
-
\??\c:\9fxxrxl.exec:\9fxxrxl.exe44⤵
- Executes dropped EXE
-
\??\c:\rfxfrxx.exec:\rfxfrxx.exe45⤵
- Executes dropped EXE
-
\??\c:\5tnttn.exec:\5tnttn.exe46⤵
- Executes dropped EXE
-
\??\c:\thbthn.exec:\thbthn.exe47⤵
- Executes dropped EXE
-
\??\c:\xlrrrlf.exec:\xlrrrlf.exe48⤵
- Executes dropped EXE
-
\??\c:\3xxxxrx.exec:\3xxxxrx.exe49⤵
- Executes dropped EXE
-
\??\c:\vppjv.exec:\vppjv.exe50⤵
- Executes dropped EXE
-
\??\c:\7pjpp.exec:\7pjpp.exe51⤵
- Executes dropped EXE
-
\??\c:\9rlrffr.exec:\9rlrffr.exe52⤵
- Executes dropped EXE
-
\??\c:\3tnbth.exec:\3tnbth.exe53⤵
- Executes dropped EXE
-
\??\c:\jdvdj.exec:\jdvdj.exe54⤵
- Executes dropped EXE
-
\??\c:\jjdjv.exec:\jjdjv.exe55⤵
- Executes dropped EXE
-
\??\c:\fxrfrrl.exec:\fxrfrrl.exe56⤵
- Executes dropped EXE
-
\??\c:\1htnbb.exec:\1htnbb.exe57⤵
- Executes dropped EXE
-
\??\c:\jjdvp.exec:\jjdvp.exe58⤵
- Executes dropped EXE
-
\??\c:\1pppp.exec:\1pppp.exe59⤵
- Executes dropped EXE
-
\??\c:\lxlrlxr.exec:\lxlrlxr.exe60⤵
- Executes dropped EXE
-
\??\c:\rrllxfx.exec:\rrllxfx.exe61⤵
- Executes dropped EXE
-
\??\c:\tbnbtt.exec:\tbnbtt.exe62⤵
- Executes dropped EXE
-
\??\c:\pdjdd.exec:\pdjdd.exe63⤵
- Executes dropped EXE
-
\??\c:\xxfrlxx.exec:\xxfrlxx.exe64⤵
- Executes dropped EXE
-
\??\c:\ffxrlxl.exec:\ffxrlxl.exe65⤵
- Executes dropped EXE
-
\??\c:\hbtbnb.exec:\hbtbnb.exe66⤵
-
\??\c:\ntbhbn.exec:\ntbhbn.exe67⤵
-
\??\c:\dpjvp.exec:\dpjvp.exe68⤵
-
\??\c:\rxfrfrl.exec:\rxfrfrl.exe69⤵
-
\??\c:\7lxlrxl.exec:\7lxlrxl.exe70⤵
-
\??\c:\tttttn.exec:\tttttn.exe71⤵
-
\??\c:\pjpdd.exec:\pjpdd.exe72⤵
-
\??\c:\djpdj.exec:\djpdj.exe73⤵
-
\??\c:\xlxlflr.exec:\xlxlflr.exe74⤵
-
\??\c:\ffflfrl.exec:\ffflfrl.exe75⤵
-
\??\c:\ttntbn.exec:\ttntbn.exe76⤵
-
\??\c:\hnbnhb.exec:\hnbnhb.exe77⤵
-
\??\c:\dvjpj.exec:\dvjpj.exe78⤵
-
\??\c:\ppjvj.exec:\ppjvj.exe79⤵
-
\??\c:\lrxxflf.exec:\lrxxflf.exe80⤵
-
\??\c:\fxfllxr.exec:\fxfllxr.exe81⤵
-
\??\c:\tnntbn.exec:\tnntbn.exe82⤵
-
\??\c:\jjjjv.exec:\jjjjv.exe83⤵
-
\??\c:\jjpvv.exec:\jjpvv.exe84⤵
-
\??\c:\fxfllxr.exec:\fxfllxr.exe85⤵
-
\??\c:\fxllxlf.exec:\fxllxlf.exe86⤵
-
\??\c:\bhbbhb.exec:\bhbbhb.exe87⤵
-
\??\c:\nhbnhn.exec:\nhbnhn.exe88⤵
-
\??\c:\pjpjd.exec:\pjpjd.exe89⤵
-
\??\c:\fffrlrl.exec:\fffrlrl.exe90⤵
-
\??\c:\lllfxfx.exec:\lllfxfx.exe91⤵
-
\??\c:\bbthbh.exec:\bbthbh.exe92⤵
-
\??\c:\tnhhth.exec:\tnhhth.exe93⤵
-
\??\c:\jjpjd.exec:\jjpjd.exe94⤵
-
\??\c:\vdddj.exec:\vdddj.exe95⤵
-
\??\c:\xlrrxrx.exec:\xlrrxrx.exe96⤵
-
\??\c:\rfxxxxl.exec:\rfxxxxl.exe97⤵
-
\??\c:\thtntt.exec:\thtntt.exe98⤵
-
\??\c:\1jjdp.exec:\1jjdp.exe99⤵
-
\??\c:\pddvj.exec:\pddvj.exe100⤵
-
\??\c:\llflxxl.exec:\llflxxl.exe101⤵
-
\??\c:\frxfffx.exec:\frxfffx.exe102⤵
-
\??\c:\1hbnth.exec:\1hbnth.exe103⤵
-
\??\c:\9nhnhb.exec:\9nhnhb.exe104⤵
-
\??\c:\dpvvj.exec:\dpvvj.exe105⤵
-
\??\c:\pjjvj.exec:\pjjvj.exe106⤵
-
\??\c:\xfxlrrf.exec:\xfxlrrf.exe107⤵
-
\??\c:\1lrfxlx.exec:\1lrfxlx.exe108⤵
-
\??\c:\hbttbb.exec:\hbttbb.exe109⤵
-
\??\c:\ddvpd.exec:\ddvpd.exe110⤵
-
\??\c:\pppdp.exec:\pppdp.exe111⤵
-
\??\c:\rrxfrxl.exec:\rrxfrxl.exe112⤵
-
\??\c:\7xrflfr.exec:\7xrflfr.exe113⤵
-
\??\c:\bnhntb.exec:\bnhntb.exe114⤵
-
\??\c:\nbtttb.exec:\nbtttb.exe115⤵
-
\??\c:\pvppd.exec:\pvppd.exe116⤵
-
\??\c:\xxfrxfr.exec:\xxfrxfr.exe117⤵
-
\??\c:\xrrxlxr.exec:\xrrxlxr.exe118⤵
-
\??\c:\hhbttn.exec:\hhbttn.exe119⤵
-
\??\c:\tnhnbn.exec:\tnhnbn.exe120⤵
-
\??\c:\dvpdp.exec:\dvpdp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-