Analysis
-
max time kernel
150s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
08-05-2024 02:50
General
-
Target
aeebd387ddb82597cc5d8de63b776ae0_NEIKI.exe
-
Size
471KB
-
MD5
aeebd387ddb82597cc5d8de63b776ae0
-
SHA1
3287004472dd61d4fc267f70e5c4bcf19f56faba
-
SHA256
b1ad523cb637ac508fdaa5f3ae9cefdeb53d841dd3063ee04058195ab4c76aa7
-
SHA512
e0afdd3c79df40fc9eeb9a020ae482f64f29d8f550633953743178e7c7a0704bc17677b4450e0fb6718291ac90c532dcf7e6c194842fd7b096b3c60e979e4ebf
-
SSDEEP
6144:n3C9BRo7MlrWKo+lS0Le4xRSAoq78yoyfx93sY0AJq4mZAx5t:n3C9yMo+S0L9xRnoq7H9pmoV
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\aeebd387ddb82597cc5d8de63b776ae0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\aeebd387ddb82597cc5d8de63b776ae0_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rrlfxrr.exec:\rrlfxrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3btnht.exec:\3btnht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnnhh.exec:\ttnnhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3nhbbb.exec:\3nhbbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvpp.exec:\pjvpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrllll.exec:\lfrllll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7vdvp.exec:\7vdvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvddv.exec:\pvddv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjpjj.exec:\pjpjj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrrlffx.exec:\rrrlffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvppp.exec:\vvppp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxllfxr.exec:\rxllfxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhhhn.exec:\nnhhhn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjvpj.exec:\vjvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxxrrl.exec:\frxxrrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrfxfff.exec:\xrfxfff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxrrrl.exec:\xrxrrrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrxrrrl.exec:\lrxrrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nntntt.exec:\nntntt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpdvp.exec:\vpdvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpvvp.exec:\vpvvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxfxffl.exec:\lxfxffl.exe23⤵
- Executes dropped EXE
-
\??\c:\nnttnt.exec:\nnttnt.exe24⤵
- Executes dropped EXE
-
\??\c:\xrrffxx.exec:\xrrffxx.exe25⤵
- Executes dropped EXE
-
\??\c:\nnnnhb.exec:\nnnnhb.exe26⤵
- Executes dropped EXE
-
\??\c:\7ntnnn.exec:\7ntnnn.exe27⤵
- Executes dropped EXE
-
\??\c:\vdjdv.exec:\vdjdv.exe28⤵
- Executes dropped EXE
-
\??\c:\9djdj.exec:\9djdj.exe29⤵
- Executes dropped EXE
-
\??\c:\tbhbtt.exec:\tbhbtt.exe30⤵
- Executes dropped EXE
-
\??\c:\9dvdd.exec:\9dvdd.exe31⤵
- Executes dropped EXE
-
\??\c:\llflxlx.exec:\llflxlx.exe32⤵
- Executes dropped EXE
-
\??\c:\jvdvp.exec:\jvdvp.exe33⤵
- Executes dropped EXE
-
\??\c:\xlflfll.exec:\xlflfll.exe34⤵
- Executes dropped EXE
-
\??\c:\nbnhbb.exec:\nbnhbb.exe35⤵
- Executes dropped EXE
-
\??\c:\3jppj.exec:\3jppj.exe36⤵
- Executes dropped EXE
-
\??\c:\xxlfxxr.exec:\xxlfxxr.exe37⤵
- Executes dropped EXE
-
\??\c:\hnhhbb.exec:\hnhhbb.exe38⤵
- Executes dropped EXE
-
\??\c:\5dddv.exec:\5dddv.exe39⤵
- Executes dropped EXE
-
\??\c:\jdvpj.exec:\jdvpj.exe40⤵
- Executes dropped EXE
-
\??\c:\nhnhbt.exec:\nhnhbt.exe41⤵
-
\??\c:\3dvpj.exec:\3dvpj.exe42⤵
- Executes dropped EXE
-
\??\c:\1frrllr.exec:\1frrllr.exe43⤵
- Executes dropped EXE
-
\??\c:\ttbthh.exec:\ttbthh.exe44⤵
- Executes dropped EXE
-
\??\c:\7tbhbb.exec:\7tbhbb.exe45⤵
- Executes dropped EXE
-
\??\c:\jdddv.exec:\jdddv.exe46⤵
- Executes dropped EXE
-
\??\c:\fxffxxx.exec:\fxffxxx.exe47⤵
- Executes dropped EXE
-
\??\c:\htbbtt.exec:\htbbtt.exe48⤵
- Executes dropped EXE
-
\??\c:\dvppv.exec:\dvppv.exe49⤵
- Executes dropped EXE
-
\??\c:\rrxlflx.exec:\rrxlflx.exe50⤵
- Executes dropped EXE
-
\??\c:\bbbhbb.exec:\bbbhbb.exe51⤵
- Executes dropped EXE
-
\??\c:\9jpjj.exec:\9jpjj.exe52⤵
- Executes dropped EXE
-
\??\c:\rfrlflf.exec:\rfrlflf.exe53⤵
- Executes dropped EXE
-
\??\c:\xxfxxxr.exec:\xxfxxxr.exe54⤵
- Executes dropped EXE
-
\??\c:\hbhhbb.exec:\hbhhbb.exe55⤵
- Executes dropped EXE
-
\??\c:\vpvvv.exec:\vpvvv.exe56⤵
- Executes dropped EXE
-
\??\c:\djpjd.exec:\djpjd.exe57⤵
- Executes dropped EXE
-
\??\c:\lllfxrr.exec:\lllfxrr.exe58⤵
- Executes dropped EXE
-
\??\c:\9tbttt.exec:\9tbttt.exe59⤵
- Executes dropped EXE
-
\??\c:\thnhbt.exec:\thnhbt.exe60⤵
- Executes dropped EXE
-
\??\c:\vvjjv.exec:\vvjjv.exe61⤵
- Executes dropped EXE
-
\??\c:\llxrlfx.exec:\llxrlfx.exe62⤵
- Executes dropped EXE
-
\??\c:\bnnhbb.exec:\bnnhbb.exe63⤵
- Executes dropped EXE
-
\??\c:\1vvpj.exec:\1vvpj.exe64⤵
- Executes dropped EXE
-
\??\c:\fxrrlll.exec:\fxrrlll.exe65⤵
- Executes dropped EXE
-
\??\c:\xxffxxx.exec:\xxffxxx.exe66⤵
- Executes dropped EXE
-
\??\c:\nhbntb.exec:\nhbntb.exe67⤵
-
\??\c:\vpvvd.exec:\vpvvd.exe68⤵
-
\??\c:\lxfxrll.exec:\lxfxrll.exe69⤵
-
\??\c:\rlxrlrl.exec:\rlxrlrl.exe70⤵
-
\??\c:\tttnbb.exec:\tttnbb.exe71⤵
-
\??\c:\jvddv.exec:\jvddv.exe72⤵
-
\??\c:\dpvpj.exec:\dpvpj.exe73⤵
-
\??\c:\1rrllll.exec:\1rrllll.exe74⤵
-
\??\c:\1bnhbb.exec:\1bnhbb.exe75⤵
-
\??\c:\bbthbt.exec:\bbthbt.exe76⤵
-
\??\c:\pppdd.exec:\pppdd.exe77⤵
-
\??\c:\llxrllf.exec:\llxrllf.exe78⤵
-
\??\c:\tbhbtt.exec:\tbhbtt.exe79⤵
-
\??\c:\hbhtnh.exec:\hbhtnh.exe80⤵
-
\??\c:\jvvpj.exec:\jvvpj.exe81⤵
-
\??\c:\5rfrllf.exec:\5rfrllf.exe82⤵
-
\??\c:\3flxrlf.exec:\3flxrlf.exe83⤵
-
\??\c:\9nnhbt.exec:\9nnhbt.exe84⤵
-
\??\c:\3hnbnt.exec:\3hnbnt.exe85⤵
-
\??\c:\3vdpd.exec:\3vdpd.exe86⤵
-
\??\c:\3rfxlfx.exec:\3rfxlfx.exe87⤵
-
\??\c:\xllrlrl.exec:\xllrlrl.exe88⤵
-
\??\c:\tthtbb.exec:\tthtbb.exe89⤵
-
\??\c:\djpdv.exec:\djpdv.exe90⤵
-
\??\c:\7jpjv.exec:\7jpjv.exe91⤵
-
\??\c:\rlfxflf.exec:\rlfxflf.exe92⤵
-
\??\c:\7ntnnt.exec:\7ntnnt.exe93⤵
-
\??\c:\bbhtbt.exec:\bbhtbt.exe94⤵
-
\??\c:\pvjdp.exec:\pvjdp.exe95⤵
-
\??\c:\rxfxllf.exec:\rxfxllf.exe96⤵
-
\??\c:\rlrxrrl.exec:\rlrxrrl.exe97⤵
-
\??\c:\bthbnh.exec:\bthbnh.exe98⤵
-
\??\c:\9ntttt.exec:\9ntttt.exe99⤵
-
\??\c:\pdjvv.exec:\pdjvv.exe100⤵
-
\??\c:\fflfrlf.exec:\fflfrlf.exe101⤵
-
\??\c:\frxrllf.exec:\frxrllf.exe102⤵
-
\??\c:\9nhbtn.exec:\9nhbtn.exe103⤵
-
\??\c:\jppjd.exec:\jppjd.exe104⤵
-
\??\c:\3vdvv.exec:\3vdvv.exe105⤵
-
\??\c:\ffxrlff.exec:\ffxrlff.exe106⤵
-
\??\c:\hthbtt.exec:\hthbtt.exe107⤵
-
\??\c:\hhnnbt.exec:\hhnnbt.exe108⤵
-
\??\c:\vppjj.exec:\vppjj.exe109⤵
-
\??\c:\rlrlxrl.exec:\rlrlxrl.exe110⤵
-
\??\c:\lfxrfxl.exec:\lfxrfxl.exe111⤵
-
\??\c:\7ddvv.exec:\7ddvv.exe112⤵
-
\??\c:\ppddp.exec:\ppddp.exe113⤵
-
\??\c:\fxxlxxr.exec:\fxxlxxr.exe114⤵
-
\??\c:\nbbbnt.exec:\nbbbnt.exe115⤵
-
\??\c:\bbtbtt.exec:\bbtbtt.exe116⤵
-
\??\c:\9ppjj.exec:\9ppjj.exe117⤵
-
\??\c:\rlxlfxf.exec:\rlxlfxf.exe118⤵
-
\??\c:\rllrfrl.exec:\rllrfrl.exe119⤵
-
\??\c:\bnbtnn.exec:\bnbtnn.exe120⤵
-
\??\c:\3ddvp.exec:\3ddvp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-