Analysis
-
max time kernel
152s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
08/05/2024, 02:04
General
-
Target
a12074f8e97a865af036978b96d2a5a0_NEIKI.exe
-
Size
73KB
-
MD5
a12074f8e97a865af036978b96d2a5a0
-
SHA1
3d9203d641333c995eb23f0dcb702ce715edf16e
-
SHA256
b043b00b525f363755f1a6e5d98ddef8e01156cbf1c88b76072c65b772db42c2
-
SHA512
7023104acc6bd05acf174e4a6542c49b05f799ee37ea1ef360a20e472ae490a98bb42cfb4b65ffd8ff01f0dc4226e140d37108a10e243b4dbec64165be5b0364
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIjaQkPcy8WTeAw4Pt:ymb3NkkiQ3mdBjFIpkPcy8qs4Pt
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 35 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a12074f8e97a865af036978b96d2a5a0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\a12074f8e97a865af036978b96d2a5a0_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\o8k8c7.exec:\o8k8c7.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5x574ki.exec:\5x574ki.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\44253e.exec:\44253e.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xmk4dg3.exec:\xmk4dg3.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\v1x20.exec:\v1x20.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7gf6xiu.exec:\7gf6xiu.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\is5e531.exec:\is5e531.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\p5d48jm.exec:\p5d48jm.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4qefg.exec:\4qefg.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\713o7.exec:\713o7.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\l2j7e6.exec:\l2j7e6.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2d811.exec:\2d811.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\f4wcl8.exec:\f4wcl8.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vheh1.exec:\vheh1.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vkb72.exec:\vkb72.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\40oua3q.exec:\40oua3q.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\mx8pnu.exec:\mx8pnu.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\grjo7.exec:\grjo7.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2t59tl9.exec:\2t59tl9.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\v3c1a0h.exec:\v3c1a0h.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\p562mj8.exec:\p562mj8.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\h7an513.exec:\h7an513.exe23⤵
- Executes dropped EXE
-
\??\c:\to7999.exec:\to7999.exe24⤵
- Executes dropped EXE
-
\??\c:\b1cr6.exec:\b1cr6.exe25⤵
- Executes dropped EXE
-
\??\c:\9wq8f.exec:\9wq8f.exe26⤵
- Executes dropped EXE
-
\??\c:\fio7ir.exec:\fio7ir.exe27⤵
- Executes dropped EXE
-
\??\c:\6gjd7bh.exec:\6gjd7bh.exe28⤵
- Executes dropped EXE
-
\??\c:\uvi1h.exec:\uvi1h.exe29⤵
- Executes dropped EXE
-
\??\c:\60668.exec:\60668.exe30⤵
- Executes dropped EXE
-
\??\c:\rtr2if0.exec:\rtr2if0.exe31⤵
- Executes dropped EXE
-
\??\c:\67h4d8.exec:\67h4d8.exe32⤵
- Executes dropped EXE
-
\??\c:\rsd388.exec:\rsd388.exe33⤵
- Executes dropped EXE
-
\??\c:\7bmh7.exec:\7bmh7.exe34⤵
- Executes dropped EXE
-
\??\c:\vkbl0.exec:\vkbl0.exe35⤵
- Executes dropped EXE
-
\??\c:\1no94d.exec:\1no94d.exe36⤵
- Executes dropped EXE
-
\??\c:\82l9te3.exec:\82l9te3.exe37⤵
- Executes dropped EXE
-
\??\c:\i47o96.exec:\i47o96.exe38⤵
- Executes dropped EXE
-
\??\c:\99768c1.exec:\99768c1.exe39⤵
- Executes dropped EXE
-
\??\c:\jbb1e32.exec:\jbb1e32.exe40⤵
- Executes dropped EXE
-
\??\c:\dpo9ii9.exec:\dpo9ii9.exe41⤵
- Executes dropped EXE
-
\??\c:\o46468.exec:\o46468.exe42⤵
- Executes dropped EXE
-
\??\c:\066497.exec:\066497.exe43⤵
- Executes dropped EXE
-
\??\c:\45165.exec:\45165.exe44⤵
- Executes dropped EXE
-
\??\c:\0ln4q39.exec:\0ln4q39.exe45⤵
- Executes dropped EXE
-
\??\c:\95399.exec:\95399.exe46⤵
- Executes dropped EXE
-
\??\c:\84oxam.exec:\84oxam.exe47⤵
- Executes dropped EXE
-
\??\c:\pe7sv9.exec:\pe7sv9.exe48⤵
- Executes dropped EXE
-
\??\c:\bpxar6.exec:\bpxar6.exe49⤵
- Executes dropped EXE
-
\??\c:\megbo1.exec:\megbo1.exe50⤵
- Executes dropped EXE
-
\??\c:\5k23cs7.exec:\5k23cs7.exe51⤵
- Executes dropped EXE
-
\??\c:\9aa03.exec:\9aa03.exe52⤵
- Executes dropped EXE
-
\??\c:\7e024.exec:\7e024.exe53⤵
- Executes dropped EXE
-
\??\c:\44640.exec:\44640.exe54⤵
- Executes dropped EXE
-
\??\c:\gj5977.exec:\gj5977.exe55⤵
- Executes dropped EXE
-
\??\c:\5q564.exec:\5q564.exe56⤵
- Executes dropped EXE
-
\??\c:\1u10w95.exec:\1u10w95.exe57⤵
- Executes dropped EXE
-
\??\c:\f33ifx5.exec:\f33ifx5.exe58⤵
- Executes dropped EXE
-
\??\c:\63ff9ux.exec:\63ff9ux.exe59⤵
- Executes dropped EXE
-
\??\c:\b9q9sr5.exec:\b9q9sr5.exe60⤵
- Executes dropped EXE
-
\??\c:\630bh4.exec:\630bh4.exe61⤵
- Executes dropped EXE
-
\??\c:\027pqn.exec:\027pqn.exe62⤵
- Executes dropped EXE
-
\??\c:\1n25ew7.exec:\1n25ew7.exe63⤵
- Executes dropped EXE
-
\??\c:\whi96b.exec:\whi96b.exe64⤵
- Executes dropped EXE
-
\??\c:\p651k1e.exec:\p651k1e.exe65⤵
- Executes dropped EXE
-
\??\c:\4x1a957.exec:\4x1a957.exe66⤵
-
\??\c:\e007044.exec:\e007044.exe67⤵
-
\??\c:\14ircis.exec:\14ircis.exe68⤵
-
\??\c:\0wq36fo.exec:\0wq36fo.exe69⤵
-
\??\c:\a18kt7.exec:\a18kt7.exe70⤵
-
\??\c:\w167f.exec:\w167f.exe71⤵
-
\??\c:\06485u5.exec:\06485u5.exe72⤵
-
\??\c:\5135k51.exec:\5135k51.exe73⤵
-
\??\c:\122t3.exec:\122t3.exe74⤵
-
\??\c:\f20irm0.exec:\f20irm0.exe75⤵
-
\??\c:\8jq7e.exec:\8jq7e.exe76⤵
-
\??\c:\6430p.exec:\6430p.exe77⤵
-
\??\c:\c0dfcvb.exec:\c0dfcvb.exe78⤵
-
\??\c:\m1qb4.exec:\m1qb4.exe79⤵
-
\??\c:\f352490.exec:\f352490.exe80⤵
-
\??\c:\71207.exec:\71207.exe81⤵
-
\??\c:\855ow.exec:\855ow.exe82⤵
-
\??\c:\5862o2.exec:\5862o2.exe83⤵
-
\??\c:\89o7v.exec:\89o7v.exe84⤵
-
\??\c:\04464.exec:\04464.exe85⤵
-
\??\c:\51k1ko0.exec:\51k1ko0.exe86⤵
-
\??\c:\i0c4vk.exec:\i0c4vk.exe87⤵
-
\??\c:\b3o320.exec:\b3o320.exe88⤵
-
\??\c:\t52w7.exec:\t52w7.exe89⤵
-
\??\c:\oo0j76k.exec:\oo0j76k.exe90⤵
-
\??\c:\868r7xx.exec:\868r7xx.exe91⤵
-
\??\c:\m4vp4.exec:\m4vp4.exe92⤵
-
\??\c:\h6saum.exec:\h6saum.exe93⤵
-
\??\c:\235m8o.exec:\235m8o.exe94⤵
-
\??\c:\6j20q.exec:\6j20q.exe95⤵
-
\??\c:\vv39cml.exec:\vv39cml.exe96⤵
-
\??\c:\716g5.exec:\716g5.exe97⤵
-
\??\c:\uj2a8ru.exec:\uj2a8ru.exe98⤵
-
\??\c:\7t2irr.exec:\7t2irr.exe99⤵
-
\??\c:\9w67g07.exec:\9w67g07.exe100⤵
-
\??\c:\1hno855.exec:\1hno855.exe101⤵
-
\??\c:\f9kxr.exec:\f9kxr.exe102⤵
-
\??\c:\1it3b3d.exec:\1it3b3d.exe103⤵
-
\??\c:\mnh7c.exec:\mnh7c.exe104⤵
-
\??\c:\7cm9430.exec:\7cm9430.exe105⤵
-
\??\c:\tjw2sv.exec:\tjw2sv.exe106⤵
-
\??\c:\7caq4q.exec:\7caq4q.exe107⤵
-
\??\c:\3knwhc3.exec:\3knwhc3.exe108⤵
-
\??\c:\97191.exec:\97191.exe109⤵
-
\??\c:\gb5w0.exec:\gb5w0.exe110⤵
-
\??\c:\wm824.exec:\wm824.exe111⤵
-
\??\c:\54x69j.exec:\54x69j.exe112⤵
-
\??\c:\48x0d.exec:\48x0d.exe113⤵
-
\??\c:\h92o9uc.exec:\h92o9uc.exe114⤵
-
\??\c:\8147a.exec:\8147a.exe115⤵
-
\??\c:\1di0ia.exec:\1di0ia.exe116⤵
-
\??\c:\a5dtd68.exec:\a5dtd68.exe117⤵
-
\??\c:\p1tkrs7.exec:\p1tkrs7.exe118⤵
-
\??\c:\84ut0a.exec:\84ut0a.exe119⤵
-
\??\c:\15ut37.exec:\15ut37.exe120⤵
-
\??\c:\90087w.exec:\90087w.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-