Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
08/05/2024, 02:47
General
-
Target
ae3455fac489b6042975ca6b3ec2eee0_NEIKI.exe
-
Size
59KB
-
MD5
ae3455fac489b6042975ca6b3ec2eee0
-
SHA1
c9f142391df2a202da460897e7a1c08188f48bb4
-
SHA256
d22503964f19b9909bf9e42362a6c70ea13d37498720189cb81e75387f51b081
-
SHA512
e9dd0ff3305287ba1bf0229aa33e64737ae03959df98963392cd639ad0724e477794e4f468a2c48b151d5fe4e633963b260248f0c604f411b4927328aa239e13
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yU+j:ymb3NkkiQ3mdBjF0y7j
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ae3455fac489b6042975ca6b3ec2eee0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\ae3455fac489b6042975ca6b3ec2eee0_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\9dpdj.exec:\9dpdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxxfxff.exec:\xxxfxff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjpp.exec:\ddjpp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvppp.exec:\dvppp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9frxllr.exec:\9frxllr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbnnnh.exec:\nbnnnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpdvj.exec:\vpdvj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3jvdd.exec:\3jvdd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxlfffl.exec:\rxlfffl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlfllrx.exec:\rlfllrx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7thhnn.exec:\7thhnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjvd.exec:\jjjvd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdpjj.exec:\jdpjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7frflrr.exec:\7frflrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tntbhb.exec:\tntbhb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhnttb.exec:\nhnttb.exe17⤵
- Executes dropped EXE
-
\??\c:\djvvp.exec:\djvvp.exe18⤵
- Executes dropped EXE
-
\??\c:\jpjdd.exec:\jpjdd.exe19⤵
- Executes dropped EXE
-
\??\c:\lrrlxlf.exec:\lrrlxlf.exe20⤵
- Executes dropped EXE
-
\??\c:\rlxrrlr.exec:\rlxrrlr.exe21⤵
- Executes dropped EXE
-
\??\c:\5htnnt.exec:\5htnnt.exe22⤵
- Executes dropped EXE
-
\??\c:\vpjdd.exec:\vpjdd.exe23⤵
- Executes dropped EXE
-
\??\c:\1pdvv.exec:\1pdvv.exe24⤵
- Executes dropped EXE
-
\??\c:\pjvvd.exec:\pjvvd.exe25⤵
- Executes dropped EXE
-
\??\c:\rllrfxf.exec:\rllrfxf.exe26⤵
- Executes dropped EXE
-
\??\c:\5thbbb.exec:\5thbbb.exe27⤵
- Executes dropped EXE
-
\??\c:\htttbb.exec:\htttbb.exe28⤵
- Executes dropped EXE
-
\??\c:\9djjp.exec:\9djjp.exe29⤵
- Executes dropped EXE
-
\??\c:\rlxxflx.exec:\rlxxflx.exe30⤵
- Executes dropped EXE
-
\??\c:\lflrffr.exec:\lflrffr.exe31⤵
- Executes dropped EXE
-
\??\c:\nhthnn.exec:\nhthnn.exe32⤵
- Executes dropped EXE
-
\??\c:\btnbbb.exec:\btnbbb.exe33⤵
- Executes dropped EXE
-
\??\c:\vjvdd.exec:\vjvdd.exe34⤵
- Executes dropped EXE
-
\??\c:\dvvvp.exec:\dvvvp.exe35⤵
- Executes dropped EXE
-
\??\c:\frfxxrf.exec:\frfxxrf.exe36⤵
- Executes dropped EXE
-
\??\c:\xrllrrl.exec:\xrllrrl.exe37⤵
- Executes dropped EXE
-
\??\c:\9xrflrx.exec:\9xrflrx.exe38⤵
- Executes dropped EXE
-
\??\c:\tnbhtb.exec:\tnbhtb.exe39⤵
- Executes dropped EXE
-
\??\c:\nbntbb.exec:\nbntbb.exe40⤵
- Executes dropped EXE
-
\??\c:\7vdjp.exec:\7vdjp.exe41⤵
- Executes dropped EXE
-
\??\c:\vpjvv.exec:\vpjvv.exe42⤵
- Executes dropped EXE
-
\??\c:\lfrllfl.exec:\lfrllfl.exe43⤵
- Executes dropped EXE
-
\??\c:\7lllrlr.exec:\7lllrlr.exe44⤵
- Executes dropped EXE
-
\??\c:\7lxxxxr.exec:\7lxxxxr.exe45⤵
- Executes dropped EXE
-
\??\c:\tbhntb.exec:\tbhntb.exe46⤵
- Executes dropped EXE
-
\??\c:\vjvvd.exec:\vjvvd.exe47⤵
- Executes dropped EXE
-
\??\c:\dvdpd.exec:\dvdpd.exe48⤵
- Executes dropped EXE
-
\??\c:\frfllfl.exec:\frfllfl.exe49⤵
- Executes dropped EXE
-
\??\c:\ffrfxxr.exec:\ffrfxxr.exe50⤵
- Executes dropped EXE
-
\??\c:\3bhbtt.exec:\3bhbtt.exe51⤵
- Executes dropped EXE
-
\??\c:\bnhnnn.exec:\bnhnnn.exe52⤵
- Executes dropped EXE
-
\??\c:\thttnh.exec:\thttnh.exe53⤵
- Executes dropped EXE
-
\??\c:\5pjpj.exec:\5pjpj.exe54⤵
- Executes dropped EXE
-
\??\c:\pjvdv.exec:\pjvdv.exe55⤵
- Executes dropped EXE
-
\??\c:\rfrxlrx.exec:\rfrxlrx.exe56⤵
- Executes dropped EXE
-
\??\c:\3frxllr.exec:\3frxllr.exe57⤵
- Executes dropped EXE
-
\??\c:\nhbbbt.exec:\nhbbbt.exe58⤵
- Executes dropped EXE
-
\??\c:\7httbb.exec:\7httbb.exe59⤵
- Executes dropped EXE
-
\??\c:\pjvvv.exec:\pjvvv.exe60⤵
- Executes dropped EXE
-
\??\c:\vjvdj.exec:\vjvdj.exe61⤵
- Executes dropped EXE
-
\??\c:\pdvpp.exec:\pdvpp.exe62⤵
- Executes dropped EXE
-
\??\c:\5xxxffr.exec:\5xxxffr.exe63⤵
- Executes dropped EXE
-
\??\c:\tnbntb.exec:\tnbntb.exe64⤵
- Executes dropped EXE
-
\??\c:\nbnthh.exec:\nbnthh.exe65⤵
- Executes dropped EXE
-
\??\c:\3pppv.exec:\3pppv.exe66⤵
-
\??\c:\rrrxrfx.exec:\rrrxrfx.exe67⤵
-
\??\c:\rlrxflx.exec:\rlrxflx.exe68⤵
-
\??\c:\tnhnbh.exec:\tnhnbh.exe69⤵
-
\??\c:\5bnntn.exec:\5bnntn.exe70⤵
-
\??\c:\jdvvv.exec:\jdvvv.exe71⤵
-
\??\c:\jjdjp.exec:\jjdjp.exe72⤵
-
\??\c:\xlxrlrr.exec:\xlxrlrr.exe73⤵
-
\??\c:\frlrflr.exec:\frlrflr.exe74⤵
-
\??\c:\9rffxlf.exec:\9rffxlf.exe75⤵
-
\??\c:\nhbtbn.exec:\nhbtbn.exe76⤵
-
\??\c:\nhtttn.exec:\nhtttn.exe77⤵
-
\??\c:\5dppv.exec:\5dppv.exe78⤵
-
\??\c:\9ddvv.exec:\9ddvv.exe79⤵
-
\??\c:\1xllxxf.exec:\1xllxxf.exe80⤵
-
\??\c:\xrllxrx.exec:\xrllxrx.exe81⤵
-
\??\c:\htthnn.exec:\htthnn.exe82⤵
-
\??\c:\1tnntt.exec:\1tnntt.exe83⤵
-
\??\c:\5dddd.exec:\5dddd.exe84⤵
-
\??\c:\3ddvv.exec:\3ddvv.exe85⤵
-
\??\c:\rlxxlrf.exec:\rlxxlrf.exe86⤵
-
\??\c:\fxfxflx.exec:\fxfxflx.exe87⤵
-
\??\c:\fxffxxf.exec:\fxffxxf.exe88⤵
-
\??\c:\nnbhht.exec:\nnbhht.exe89⤵
-
\??\c:\hbnhhh.exec:\hbnhhh.exe90⤵
-
\??\c:\btnbbb.exec:\btnbbb.exe91⤵
-
\??\c:\1vvvd.exec:\1vvvd.exe92⤵
-
\??\c:\jdjpj.exec:\jdjpj.exe93⤵
-
\??\c:\9rxfllf.exec:\9rxfllf.exe94⤵
-
\??\c:\xxfxxlr.exec:\xxfxxlr.exe95⤵
-
\??\c:\hnnnbn.exec:\hnnnbn.exe96⤵
-
\??\c:\hbhhnt.exec:\hbhhnt.exe97⤵
-
\??\c:\7jdjj.exec:\7jdjj.exe98⤵
-
\??\c:\pjvdp.exec:\pjvdp.exe99⤵
-
\??\c:\rxrrfxf.exec:\rxrrfxf.exe100⤵
-
\??\c:\xxllfrx.exec:\xxllfrx.exe101⤵
-
\??\c:\9bntbb.exec:\9bntbb.exe102⤵
-
\??\c:\hhtbnt.exec:\hhtbnt.exe103⤵
-
\??\c:\pjvjv.exec:\pjvjv.exe104⤵
-
\??\c:\dvpvj.exec:\dvpvj.exe105⤵
-
\??\c:\fxxflrx.exec:\fxxflrx.exe106⤵
-
\??\c:\xlrrxrf.exec:\xlrrxrf.exe107⤵
-
\??\c:\tnbnth.exec:\tnbnth.exe108⤵
-
\??\c:\5tnthh.exec:\5tnthh.exe109⤵
-
\??\c:\hbhnnn.exec:\hbhnnn.exe110⤵
-
\??\c:\vpdjj.exec:\vpdjj.exe111⤵
-
\??\c:\pdvvv.exec:\pdvvv.exe112⤵
-
\??\c:\3xxflll.exec:\3xxflll.exe113⤵
-
\??\c:\fxrfrrf.exec:\fxrfrrf.exe114⤵
-
\??\c:\hbhnnt.exec:\hbhnnt.exe115⤵
-
\??\c:\hbtbhh.exec:\hbtbhh.exe116⤵
-
\??\c:\nhnhnb.exec:\nhnhnb.exe117⤵
-
\??\c:\dvjjv.exec:\dvjjv.exe118⤵
-
\??\c:\9ddpv.exec:\9ddpv.exe119⤵
-
\??\c:\9rfllll.exec:\9rfllll.exe120⤵
-
\??\c:\lfrrxxf.exec:\lfrrxxf.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-