Analysis
-
max time kernel
150s -
max time network
117s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
07/05/2024, 23:58
General
-
Target
6f92a47978dba204bac824c671d20c80_NEIKI.exe
-
Size
433KB
-
MD5
6f92a47978dba204bac824c671d20c80
-
SHA1
b653fa1b9a68a599d196a9c25063fe127fc57cad
-
SHA256
f89397809333c39f43fba2b2c6822c90a00bb12aa5f91319aaf34566a4a8c014
-
SHA512
23a84b8001f2f79fb3214747aa1dfd2415b6b9c5cf88379687e6bd0a3a1c6d72f23d03a8c5b5f235b36f038a130134e264927bbe8ab1420825295d6c5c2d345f
-
SSDEEP
12288:n3C9uMPh2kkkkK4kXkkkkkkkkl888888888888888888nF:ShPh2kkkkK4kXkkkkkkkkr
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f92a47978dba204bac824c671d20c80_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\6f92a47978dba204bac824c671d20c80_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\3ntnhh.exec:\3ntnhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1xxrlfx.exec:\1xxrlfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llrlffx.exec:\llrlffx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbtnnn.exec:\tbtnnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhtnnn.exec:\hhtnnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rllffxr.exec:\rllffxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nthbtn.exec:\nthbtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7thhbt.exec:\7thhbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpjdv.exec:\dpjdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbbtnh.exec:\nbbtnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3jjpj.exec:\3jjpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hthbbb.exec:\hthbbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llxxrrr.exec:\llxxrrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpjp.exec:\dvpjp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9tntnn.exec:\9tntnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5jpjv.exec:\5jpjv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvjd.exec:\dvvjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llrrllr.exec:\llrrllr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbtnhh.exec:\bbtnhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rflfxxr.exec:\rflfxxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1pvvp.exec:\1pvvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxrrlf.exec:\rlxrrlf.exe23⤵
- Executes dropped EXE
-
\??\c:\hhtthh.exec:\hhtthh.exe24⤵
- Executes dropped EXE
-
\??\c:\pjvjd.exec:\pjvjd.exe25⤵
- Executes dropped EXE
-
\??\c:\thnhhb.exec:\thnhhb.exe26⤵
- Executes dropped EXE
-
\??\c:\dddvj.exec:\dddvj.exe27⤵
- Executes dropped EXE
-
\??\c:\tnbnth.exec:\tnbnth.exe28⤵
- Executes dropped EXE
-
\??\c:\hhnhhh.exec:\hhnhhh.exe29⤵
- Executes dropped EXE
-
\??\c:\jdppp.exec:\jdppp.exe30⤵
- Executes dropped EXE
-
\??\c:\htbtnn.exec:\htbtnn.exe31⤵
- Executes dropped EXE
-
\??\c:\5flfxxr.exec:\5flfxxr.exe32⤵
- Executes dropped EXE
-
\??\c:\jvjdv.exec:\jvjdv.exe33⤵
- Executes dropped EXE
-
\??\c:\rlxllff.exec:\rlxllff.exe34⤵
- Executes dropped EXE
-
\??\c:\hbnhhh.exec:\hbnhhh.exe35⤵
- Executes dropped EXE
-
\??\c:\dvjjd.exec:\dvjjd.exe36⤵
- Executes dropped EXE
-
\??\c:\xrllffx.exec:\xrllffx.exe37⤵
- Executes dropped EXE
-
\??\c:\hbhbbb.exec:\hbhbbb.exe38⤵
- Executes dropped EXE
-
\??\c:\ttnhbb.exec:\ttnhbb.exe39⤵
- Executes dropped EXE
-
\??\c:\vjpdd.exec:\vjpdd.exe40⤵
- Executes dropped EXE
-
\??\c:\3ffxrrr.exec:\3ffxrrr.exe41⤵
- Executes dropped EXE
-
\??\c:\nbnbtt.exec:\nbnbtt.exe42⤵
- Executes dropped EXE
-
\??\c:\hbhbnt.exec:\hbhbnt.exe43⤵
- Executes dropped EXE
-
\??\c:\vpdvv.exec:\vpdvv.exe44⤵
- Executes dropped EXE
-
\??\c:\rllxrrl.exec:\rllxrrl.exe45⤵
- Executes dropped EXE
-
\??\c:\5flxxrx.exec:\5flxxrx.exe46⤵
- Executes dropped EXE
-
\??\c:\nbnhbb.exec:\nbnhbb.exe47⤵
- Executes dropped EXE
-
\??\c:\pvdvp.exec:\pvdvp.exe48⤵
- Executes dropped EXE
-
\??\c:\dvddv.exec:\dvddv.exe49⤵
- Executes dropped EXE
-
\??\c:\lffxfll.exec:\lffxfll.exe50⤵
- Executes dropped EXE
-
\??\c:\nntnhh.exec:\nntnhh.exe51⤵
- Executes dropped EXE
-
\??\c:\tbtnhb.exec:\tbtnhb.exe52⤵
- Executes dropped EXE
-
\??\c:\dppdd.exec:\dppdd.exe53⤵
- Executes dropped EXE
-
\??\c:\rlrrxxf.exec:\rlrrxxf.exe54⤵
- Executes dropped EXE
-
\??\c:\3ntbth.exec:\3ntbth.exe55⤵
- Executes dropped EXE
-
\??\c:\btbhbt.exec:\btbhbt.exe56⤵
- Executes dropped EXE
-
\??\c:\dppjv.exec:\dppjv.exe57⤵
- Executes dropped EXE
-
\??\c:\lxfxllf.exec:\lxfxllf.exe58⤵
- Executes dropped EXE
-
\??\c:\1xxxlff.exec:\1xxxlff.exe59⤵
- Executes dropped EXE
-
\??\c:\1bhnnb.exec:\1bhnnb.exe60⤵
- Executes dropped EXE
-
\??\c:\dvdvd.exec:\dvdvd.exe61⤵
- Executes dropped EXE
-
\??\c:\rrrrllf.exec:\rrrrllf.exe62⤵
- Executes dropped EXE
-
\??\c:\1lrrlfr.exec:\1lrrlfr.exe63⤵
- Executes dropped EXE
-
\??\c:\nnbbtn.exec:\nnbbtn.exe64⤵
- Executes dropped EXE
-
\??\c:\9ddvj.exec:\9ddvj.exe65⤵
- Executes dropped EXE
-
\??\c:\dpvpv.exec:\dpvpv.exe66⤵
-
\??\c:\5ffxrlf.exec:\5ffxrlf.exe67⤵
-
\??\c:\tttnbb.exec:\tttnbb.exe68⤵
-
\??\c:\btnhbb.exec:\btnhbb.exe69⤵
-
\??\c:\1jppj.exec:\1jppj.exe70⤵
-
\??\c:\xxlllrr.exec:\xxlllrr.exe71⤵
-
\??\c:\ntbbtb.exec:\ntbbtb.exe72⤵
-
\??\c:\bnbhtn.exec:\bnbhtn.exe73⤵
-
\??\c:\3pjjd.exec:\3pjjd.exe74⤵
-
\??\c:\1jjdv.exec:\1jjdv.exe75⤵
-
\??\c:\rlrrrrr.exec:\rlrrrrr.exe76⤵
-
\??\c:\7bhbtt.exec:\7bhbtt.exe77⤵
-
\??\c:\vvvvj.exec:\vvvvj.exe78⤵
-
\??\c:\fxrrlfx.exec:\fxrrlfx.exe79⤵
-
\??\c:\bntnhb.exec:\bntnhb.exe80⤵
-
\??\c:\vvvpj.exec:\vvvpj.exe81⤵
-
\??\c:\pjvvj.exec:\pjvvj.exe82⤵
-
\??\c:\flxrlfx.exec:\flxrlfx.exe83⤵
-
\??\c:\htbbtt.exec:\htbbtt.exe84⤵
-
\??\c:\jdvpj.exec:\jdvpj.exe85⤵
-
\??\c:\lxlffff.exec:\lxlffff.exe86⤵
-
\??\c:\5ffxxff.exec:\5ffxxff.exe87⤵
-
\??\c:\tnnbnb.exec:\tnnbnb.exe88⤵
-
\??\c:\jjpjd.exec:\jjpjd.exe89⤵
-
\??\c:\xfrllll.exec:\xfrllll.exe90⤵
-
\??\c:\tbnnnn.exec:\tbnnnn.exe91⤵
-
\??\c:\5vvvj.exec:\5vvvj.exe92⤵
-
\??\c:\fffxrrl.exec:\fffxrrl.exe93⤵
-
\??\c:\flffxrr.exec:\flffxrr.exe94⤵
-
\??\c:\bnhbhb.exec:\bnhbhb.exe95⤵
-
\??\c:\jpdvv.exec:\jpdvv.exe96⤵
-
\??\c:\jjpjj.exec:\jjpjj.exe97⤵
-
\??\c:\xrrxrfx.exec:\xrrxrfx.exe98⤵
-
\??\c:\bbhbbb.exec:\bbhbbb.exe99⤵
-
\??\c:\dppjd.exec:\dppjd.exe100⤵
-
\??\c:\dpdvp.exec:\dpdvp.exe101⤵
-
\??\c:\fffxrxr.exec:\fffxrxr.exe102⤵
-
\??\c:\bnbbtt.exec:\bnbbtt.exe103⤵
-
\??\c:\jjddv.exec:\jjddv.exe104⤵
-
\??\c:\xxrrrrr.exec:\xxrrrrr.exe105⤵
-
\??\c:\rllllrf.exec:\rllllrf.exe106⤵
-
\??\c:\thnhhh.exec:\thnhhh.exe107⤵
-
\??\c:\vppvd.exec:\vppvd.exe108⤵
-
\??\c:\lxrllff.exec:\lxrllff.exe109⤵
-
\??\c:\9lllfll.exec:\9lllfll.exe110⤵
-
\??\c:\hbthhb.exec:\hbthhb.exe111⤵
-
\??\c:\1dvpv.exec:\1dvpv.exe112⤵
-
\??\c:\lllffxx.exec:\lllffxx.exe113⤵
-
\??\c:\ffxrxxl.exec:\ffxrxxl.exe114⤵
-
\??\c:\tnthbt.exec:\tnthbt.exe115⤵
-
\??\c:\vpdvj.exec:\vpdvj.exe116⤵
-
\??\c:\vvpjd.exec:\vvpjd.exe117⤵
-
\??\c:\ffflffx.exec:\ffflffx.exe118⤵
-
\??\c:\tbnhhb.exec:\tbnhhb.exe119⤵
-
\??\c:\vpppj.exec:\vpppj.exe120⤵
-
\??\c:\frrrxxx.exec:\frrrxxx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-