Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
08/05/2024, 22:26
General
-
Target
7ac24cdc19f85014080514e9a720db40_NEIKI.exe
-
Size
250KB
-
MD5
7ac24cdc19f85014080514e9a720db40
-
SHA1
dfb651bf7b1a09615adba05776de03f3bf0d7208
-
SHA256
419326d7c0b586297c4ba8e059a515d73c71dba7f129038644b342652fe4b32f
-
SHA512
9b7e84a76caac4432ba18477e06443cd3fac956ed437d73bf35dd2cf07c6d52b34162226a65eae0469599bb63b5c46e10878c532dcf5b8d3636e8a209c847c38
-
SSDEEP
6144:kcm4FmowdHoSphraHcpOaKHpolTjZXvEQo9dfBPx:y4wFHoS3eFaKHpKT9XvEhdfBPx
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 40 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ac24cdc19f85014080514e9a720db40_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\7ac24cdc19f85014080514e9a720db40_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\3lflrrf.exec:\3lflrrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7xrlrrx.exec:\7xrlrrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxflrx.exec:\lfxflrx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbntt.exec:\htbntt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxllrrf.exec:\fxllrrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbnbt.exec:\tnbnbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3dvjp.exec:\3dvjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpjp.exec:\dvpjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttntnn.exec:\ttntnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5vpdj.exec:\5vpdj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3xffrxl.exec:\3xffrxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvpvp.exec:\vvpvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxflfl.exec:\lfxflfl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1frrxxl.exec:\1frrxxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbhbh.exec:\hhbhbh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvpvd.exec:\vvpvd.exe17⤵
- Executes dropped EXE
-
\??\c:\xrfxlrf.exec:\xrfxlrf.exe18⤵
- Executes dropped EXE
-
\??\c:\nbhbnn.exec:\nbhbnn.exe19⤵
- Executes dropped EXE
-
\??\c:\rrlxlrf.exec:\rrlxlrf.exe20⤵
- Executes dropped EXE
-
\??\c:\9hntbh.exec:\9hntbh.exe21⤵
- Executes dropped EXE
-
\??\c:\vpjvv.exec:\vpjvv.exe22⤵
- Executes dropped EXE
-
\??\c:\lxlxxxr.exec:\lxlxxxr.exe23⤵
- Executes dropped EXE
-
\??\c:\ttnbnb.exec:\ttnbnb.exe24⤵
- Executes dropped EXE
-
\??\c:\vpvjp.exec:\vpvjp.exe25⤵
- Executes dropped EXE
-
\??\c:\rllxllx.exec:\rllxllx.exe26⤵
- Executes dropped EXE
-
\??\c:\tnnbtt.exec:\tnnbtt.exe27⤵
- Executes dropped EXE
-
\??\c:\dvjvd.exec:\dvjvd.exe28⤵
- Executes dropped EXE
-
\??\c:\9jjdv.exec:\9jjdv.exe29⤵
- Executes dropped EXE
-
\??\c:\3rlfrrl.exec:\3rlfrrl.exe30⤵
- Executes dropped EXE
-
\??\c:\vvvvj.exec:\vvvvj.exe31⤵
- Executes dropped EXE
-
\??\c:\5lfrxlf.exec:\5lfrxlf.exe32⤵
- Executes dropped EXE
-
\??\c:\ttnbnt.exec:\ttnbnt.exe33⤵
- Executes dropped EXE
-
\??\c:\vvddj.exec:\vvddj.exe34⤵
- Executes dropped EXE
-
\??\c:\rrffrrx.exec:\rrffrrx.exe35⤵
- Executes dropped EXE
-
\??\c:\nhnhtn.exec:\nhnhtn.exe36⤵
- Executes dropped EXE
-
\??\c:\7jvjj.exec:\7jvjj.exe37⤵
- Executes dropped EXE
-
\??\c:\3rfffrx.exec:\3rfffrx.exe38⤵
- Executes dropped EXE
-
\??\c:\1ntnnh.exec:\1ntnnh.exe39⤵
- Executes dropped EXE
-
\??\c:\thtbbh.exec:\thtbbh.exe40⤵
- Executes dropped EXE
-
\??\c:\pddvd.exec:\pddvd.exe41⤵
- Executes dropped EXE
-
\??\c:\3xrrxxl.exec:\3xrrxxl.exe42⤵
- Executes dropped EXE
-
\??\c:\nbhnnt.exec:\nbhnnt.exe43⤵
- Executes dropped EXE
-
\??\c:\nntbtb.exec:\nntbtb.exe44⤵
- Executes dropped EXE
-
\??\c:\vppjp.exec:\vppjp.exe45⤵
- Executes dropped EXE
-
\??\c:\pjddj.exec:\pjddj.exe46⤵
- Executes dropped EXE
-
\??\c:\lxxxlff.exec:\lxxxlff.exe47⤵
- Executes dropped EXE
-
\??\c:\7htttn.exec:\7htttn.exe48⤵
- Executes dropped EXE
-
\??\c:\djvpv.exec:\djvpv.exe49⤵
- Executes dropped EXE
-
\??\c:\pdpvv.exec:\pdpvv.exe50⤵
- Executes dropped EXE
-
\??\c:\fxxrrlr.exec:\fxxrrlr.exe51⤵
- Executes dropped EXE
-
\??\c:\9nthhn.exec:\9nthhn.exe52⤵
- Executes dropped EXE
-
\??\c:\bttnbh.exec:\bttnbh.exe53⤵
- Executes dropped EXE
-
\??\c:\vpvdd.exec:\vpvdd.exe54⤵
- Executes dropped EXE
-
\??\c:\dpjjj.exec:\dpjjj.exe55⤵
- Executes dropped EXE
-
\??\c:\7rlxlfl.exec:\7rlxlfl.exe56⤵
- Executes dropped EXE
-
\??\c:\bnntbt.exec:\bnntbt.exe57⤵
- Executes dropped EXE
-
\??\c:\nhntbb.exec:\nhntbb.exe58⤵
- Executes dropped EXE
-
\??\c:\vvppv.exec:\vvppv.exe59⤵
- Executes dropped EXE
-
\??\c:\pdjvd.exec:\pdjvd.exe60⤵
- Executes dropped EXE
-
\??\c:\xrxlxxl.exec:\xrxlxxl.exe61⤵
- Executes dropped EXE
-
\??\c:\rflffxf.exec:\rflffxf.exe62⤵
- Executes dropped EXE
-
\??\c:\thbnnh.exec:\thbnnh.exe63⤵
- Executes dropped EXE
-
\??\c:\pppvp.exec:\pppvp.exe64⤵
- Executes dropped EXE
-
\??\c:\llrrllx.exec:\llrrllx.exe65⤵
- Executes dropped EXE
-
\??\c:\xxrffll.exec:\xxrffll.exe66⤵
-
\??\c:\nnthbh.exec:\nnthbh.exe67⤵
-
\??\c:\ppjpj.exec:\ppjpj.exe68⤵
-
\??\c:\xxflrrf.exec:\xxflrrf.exe69⤵
-
\??\c:\5rxrrll.exec:\5rxrrll.exe70⤵
-
\??\c:\nhbnbh.exec:\nhbnbh.exe71⤵
-
\??\c:\dvvdd.exec:\dvvdd.exe72⤵
-
\??\c:\fxfxxfl.exec:\fxfxxfl.exe73⤵
-
\??\c:\hhbbhn.exec:\hhbbhn.exe74⤵
-
\??\c:\nhthnn.exec:\nhthnn.exe75⤵
-
\??\c:\5dddv.exec:\5dddv.exe76⤵
-
\??\c:\lxxxffr.exec:\lxxxffr.exe77⤵
-
\??\c:\fxrflxf.exec:\fxrflxf.exe78⤵
-
\??\c:\bthnnn.exec:\bthnnn.exe79⤵
-
\??\c:\ddvvp.exec:\ddvvp.exe80⤵
-
\??\c:\3pdjv.exec:\3pdjv.exe81⤵
-
\??\c:\xxllrxx.exec:\xxllrxx.exe82⤵
-
\??\c:\bbtnbn.exec:\bbtnbn.exe83⤵
-
\??\c:\nhbntb.exec:\nhbntb.exe84⤵
-
\??\c:\3ddjp.exec:\3ddjp.exe85⤵
-
\??\c:\vpppd.exec:\vpppd.exe86⤵
-
\??\c:\7rrllrr.exec:\7rrllrr.exe87⤵
-
\??\c:\nhhthh.exec:\nhhthh.exe88⤵
-
\??\c:\btnbtb.exec:\btnbtb.exe89⤵
-
\??\c:\vppdp.exec:\vppdp.exe90⤵
-
\??\c:\llxlrrf.exec:\llxlrrf.exe91⤵
-
\??\c:\1nbhht.exec:\1nbhht.exe92⤵
-
\??\c:\7vpdp.exec:\7vpdp.exe93⤵
-
\??\c:\9dvdd.exec:\9dvdd.exe94⤵
-
\??\c:\lfxxxlr.exec:\lfxxxlr.exe95⤵
-
\??\c:\9nhhnn.exec:\9nhhnn.exe96⤵
-
\??\c:\hbhhhb.exec:\hbhhhb.exe97⤵
-
\??\c:\vppvj.exec:\vppvj.exe98⤵
-
\??\c:\rlrrrrx.exec:\rlrrrrx.exe99⤵
-
\??\c:\rrfrflf.exec:\rrfrflf.exe100⤵
-
\??\c:\nhbhnt.exec:\nhbhnt.exe101⤵
-
\??\c:\dpjjp.exec:\dpjjp.exe102⤵
-
\??\c:\jvpvj.exec:\jvpvj.exe103⤵
-
\??\c:\ffxfllx.exec:\ffxfllx.exe104⤵
-
\??\c:\5tbbbb.exec:\5tbbbb.exe105⤵
-
\??\c:\bnttnn.exec:\bnttnn.exe106⤵
-
\??\c:\vpjdj.exec:\vpjdj.exe107⤵
-
\??\c:\flflrfl.exec:\flflrfl.exe108⤵
-
\??\c:\1lllllr.exec:\1lllllr.exe109⤵
-
\??\c:\nhnttn.exec:\nhnttn.exe110⤵
-
\??\c:\thbhhh.exec:\thbhhh.exe111⤵
-
\??\c:\pjvvj.exec:\pjvvj.exe112⤵
-
\??\c:\7lxlrlr.exec:\7lxlrlr.exe113⤵
-
\??\c:\lxflrxx.exec:\lxflrxx.exe114⤵
-
\??\c:\hhhnnt.exec:\hhhnnt.exe115⤵
-
\??\c:\hbtttt.exec:\hbtttt.exe116⤵
-
\??\c:\dpddj.exec:\dpddj.exe117⤵
-
\??\c:\xxrfrrr.exec:\xxrfrrr.exe118⤵
-
\??\c:\9xflrrr.exec:\9xflrrr.exe119⤵
-
\??\c:\thtttt.exec:\thtttt.exe120⤵
-
\??\c:\btnthh.exec:\btnthh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-