Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
08/05/2024, 02:50
General
-
Target
aeebd387ddb82597cc5d8de63b776ae0_NEIKI.exe
-
Size
471KB
-
MD5
aeebd387ddb82597cc5d8de63b776ae0
-
SHA1
3287004472dd61d4fc267f70e5c4bcf19f56faba
-
SHA256
b1ad523cb637ac508fdaa5f3ae9cefdeb53d841dd3063ee04058195ab4c76aa7
-
SHA512
e0afdd3c79df40fc9eeb9a020ae482f64f29d8f550633953743178e7c7a0704bc17677b4450e0fb6718291ac90c532dcf7e6c194842fd7b096b3c60e979e4ebf
-
SSDEEP
6144:n3C9BRo7MlrWKo+lS0Le4xRSAoq78yoyfx93sY0AJq4mZAx5t:n3C9yMo+S0L9xRnoq7H9pmoV
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 19 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 19 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\aeebd387ddb82597cc5d8de63b776ae0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\aeebd387ddb82597cc5d8de63b776ae0_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\xrfxllr.exec:\xrfxllr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxlxfx.exec:\lfxlxfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7hnthb.exec:\7hnthb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjpj.exec:\pjjpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhhnbt.exec:\nhhnbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3jpvj.exec:\3jpvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9hbnbt.exec:\9hbnbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdvpd.exec:\vdvpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhhnn.exec:\tnhhnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frllxfx.exec:\frllxfx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1btbnt.exec:\1btbnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7pdvd.exec:\7pdvd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3ffrlxx.exec:\3ffrlxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1tnttb.exec:\1tnttb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9rflrfl.exec:\9rflrfl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7pvpj.exec:\7pvpj.exe17⤵
- Executes dropped EXE
-
\??\c:\fxflxfx.exec:\fxflxfx.exe18⤵
- Executes dropped EXE
-
\??\c:\hhhnbt.exec:\hhhnbt.exe19⤵
- Executes dropped EXE
-
\??\c:\rrrrrff.exec:\rrrrrff.exe20⤵
- Executes dropped EXE
-
\??\c:\htthbh.exec:\htthbh.exe21⤵
- Executes dropped EXE
-
\??\c:\jdvdd.exec:\jdvdd.exe22⤵
- Executes dropped EXE
-
\??\c:\1rrxlxr.exec:\1rrxlxr.exe23⤵
- Executes dropped EXE
-
\??\c:\3httbb.exec:\3httbb.exe24⤵
- Executes dropped EXE
-
\??\c:\vppvp.exec:\vppvp.exe25⤵
- Executes dropped EXE
-
\??\c:\nhbhnn.exec:\nhbhnn.exe26⤵
- Executes dropped EXE
-
\??\c:\5djpj.exec:\5djpj.exe27⤵
- Executes dropped EXE
-
\??\c:\btnnbh.exec:\btnnbh.exe28⤵
- Executes dropped EXE
-
\??\c:\vddpj.exec:\vddpj.exe29⤵
- Executes dropped EXE
-
\??\c:\xxxlflx.exec:\xxxlflx.exe30⤵
- Executes dropped EXE
-
\??\c:\hnbnnt.exec:\hnbnnt.exe31⤵
- Executes dropped EXE
-
\??\c:\bbbntb.exec:\bbbntb.exe32⤵
- Executes dropped EXE
-
\??\c:\jdpvj.exec:\jdpvj.exe33⤵
- Executes dropped EXE
-
\??\c:\fxllrxf.exec:\fxllrxf.exe34⤵
-
\??\c:\9tthtt.exec:\9tthtt.exe35⤵
- Executes dropped EXE
-
\??\c:\jdvjp.exec:\jdvjp.exe36⤵
- Executes dropped EXE
-
\??\c:\1xlfxxf.exec:\1xlfxxf.exe37⤵
- Executes dropped EXE
-
\??\c:\rrflrxf.exec:\rrflrxf.exe38⤵
- Executes dropped EXE
-
\??\c:\hhbbth.exec:\hhbbth.exe39⤵
- Executes dropped EXE
-
\??\c:\pjppd.exec:\pjppd.exe40⤵
- Executes dropped EXE
-
\??\c:\xrlxxfl.exec:\xrlxxfl.exe41⤵
- Executes dropped EXE
-
\??\c:\5xxflrx.exec:\5xxflrx.exe42⤵
- Executes dropped EXE
-
\??\c:\tntbnn.exec:\tntbnn.exe43⤵
- Executes dropped EXE
-
\??\c:\dvppd.exec:\dvppd.exe44⤵
- Executes dropped EXE
-
\??\c:\xrflrfl.exec:\xrflrfl.exe45⤵
- Executes dropped EXE
-
\??\c:\3lxxffr.exec:\3lxxffr.exe46⤵
- Executes dropped EXE
-
\??\c:\hhbbnt.exec:\hhbbnt.exe47⤵
- Executes dropped EXE
-
\??\c:\jvpvd.exec:\jvpvd.exe48⤵
- Executes dropped EXE
-
\??\c:\frffllf.exec:\frffllf.exe49⤵
- Executes dropped EXE
-
\??\c:\lfflxfr.exec:\lfflxfr.exe50⤵
- Executes dropped EXE
-
\??\c:\hbttbt.exec:\hbttbt.exe51⤵
- Executes dropped EXE
-
\??\c:\dvppd.exec:\dvppd.exe52⤵
- Executes dropped EXE
-
\??\c:\fxrxxfx.exec:\fxrxxfx.exe53⤵
- Executes dropped EXE
-
\??\c:\rxlrfrf.exec:\rxlrfrf.exe54⤵
- Executes dropped EXE
-
\??\c:\3nbnnn.exec:\3nbnnn.exe55⤵
- Executes dropped EXE
-
\??\c:\dpjjd.exec:\dpjjd.exe56⤵
- Executes dropped EXE
-
\??\c:\xrlrffr.exec:\xrlrffr.exe57⤵
- Executes dropped EXE
-
\??\c:\1frxffr.exec:\1frxffr.exe58⤵
- Executes dropped EXE
-
\??\c:\hbthnt.exec:\hbthnt.exe59⤵
- Executes dropped EXE
-
\??\c:\ppjvd.exec:\ppjvd.exe60⤵
- Executes dropped EXE
-
\??\c:\fxrflrl.exec:\fxrflrl.exe61⤵
- Executes dropped EXE
-
\??\c:\rlxlxxl.exec:\rlxlxxl.exe62⤵
- Executes dropped EXE
-
\??\c:\9bhnnt.exec:\9bhnnt.exe63⤵
- Executes dropped EXE
-
\??\c:\1vddv.exec:\1vddv.exe64⤵
- Executes dropped EXE
-
\??\c:\vpdjd.exec:\vpdjd.exe65⤵
- Executes dropped EXE
-
\??\c:\9fxxffl.exec:\9fxxffl.exe66⤵
- Executes dropped EXE
-
\??\c:\nhtbnt.exec:\nhtbnt.exe67⤵
-
\??\c:\jdvvd.exec:\jdvvd.exe68⤵
-
\??\c:\9vpvj.exec:\9vpvj.exe69⤵
-
\??\c:\rlfffll.exec:\rlfffll.exe70⤵
-
\??\c:\rllrrfx.exec:\rllrrfx.exe71⤵
-
\??\c:\nhtbhh.exec:\nhtbhh.exe72⤵
-
\??\c:\vpvdj.exec:\vpvdj.exe73⤵
-
\??\c:\7jjpj.exec:\7jjpj.exe74⤵
-
\??\c:\rrlrlrf.exec:\rrlrlrf.exe75⤵
-
\??\c:\nhnbhn.exec:\nhnbhn.exe76⤵
-
\??\c:\7nbbht.exec:\7nbbht.exe77⤵
-
\??\c:\pvvpj.exec:\pvvpj.exe78⤵
-
\??\c:\lllxllx.exec:\lllxllx.exe79⤵
-
\??\c:\1xrrxfr.exec:\1xrrxfr.exe80⤵
-
\??\c:\nhbhnn.exec:\nhbhnn.exe81⤵
-
\??\c:\pjddv.exec:\pjddv.exe82⤵
-
\??\c:\frlrlrl.exec:\frlrlrl.exe83⤵
-
\??\c:\xxxfxfx.exec:\xxxfxfx.exe84⤵
-
\??\c:\nnnnht.exec:\nnnnht.exe85⤵
-
\??\c:\jvdjp.exec:\jvdjp.exe86⤵
-
\??\c:\pjppd.exec:\pjppd.exe87⤵
-
\??\c:\lfxlxxr.exec:\lfxlxxr.exe88⤵
-
\??\c:\bbthtt.exec:\bbthtt.exe89⤵
-
\??\c:\bbnthh.exec:\bbnthh.exe90⤵
-
\??\c:\pjjjp.exec:\pjjjp.exe91⤵
-
\??\c:\xrflrrf.exec:\xrflrrf.exe92⤵
-
\??\c:\xrlxlrf.exec:\xrlxlrf.exe93⤵
-
\??\c:\9thntb.exec:\9thntb.exe94⤵
-
\??\c:\ppjvp.exec:\ppjvp.exe95⤵
-
\??\c:\lrrxlrl.exec:\lrrxlrl.exe96⤵
-
\??\c:\3llrfrx.exec:\3llrfrx.exe97⤵
-
\??\c:\bnbhnn.exec:\bnbhnn.exe98⤵
-
\??\c:\jdvjd.exec:\jdvjd.exe99⤵
-
\??\c:\dpjjp.exec:\dpjjp.exe100⤵
-
\??\c:\5lxxrxl.exec:\5lxxrxl.exe101⤵
-
\??\c:\9hnntb.exec:\9hnntb.exe102⤵
-
\??\c:\ppjdp.exec:\ppjdp.exe103⤵
-
\??\c:\pjvjv.exec:\pjvjv.exe104⤵
-
\??\c:\lrlrllx.exec:\lrlrllx.exe105⤵
-
\??\c:\bbbbtb.exec:\bbbbtb.exe106⤵
-
\??\c:\hbtbtb.exec:\hbtbtb.exe107⤵
-
\??\c:\pdpvj.exec:\pdpvj.exe108⤵
-
\??\c:\lfxfrxf.exec:\lfxfrxf.exe109⤵
-
\??\c:\7fxrflx.exec:\7fxrflx.exe110⤵
-
\??\c:\thhbnh.exec:\thhbnh.exe111⤵
-
\??\c:\9dddd.exec:\9dddd.exe112⤵
-
\??\c:\rrllrxx.exec:\rrllrxx.exe113⤵
-
\??\c:\7lfflrx.exec:\7lfflrx.exe114⤵
-
\??\c:\tnttnn.exec:\tnttnn.exe115⤵
-
\??\c:\pdvvj.exec:\pdvvj.exe116⤵
-
\??\c:\1jvvv.exec:\1jvvv.exe117⤵
-
\??\c:\9lfxrrf.exec:\9lfxrrf.exe118⤵
-
\??\c:\7btbnn.exec:\7btbnn.exe119⤵
-
\??\c:\btnnhb.exec:\btnnhb.exe120⤵
-
\??\c:\jjjdp.exec:\jjjdp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-