Analysis
-
max time kernel
148s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
08/05/2024, 04:52
General
-
Target
d7565fe4f5b5d69738574f0029e66580_NEIKI.exe
-
Size
101KB
-
MD5
d7565fe4f5b5d69738574f0029e66580
-
SHA1
aca4fd9c7e8ba772c8f1aa8ed9c0be6a5543d3b1
-
SHA256
572cbd118a18df73c75b7822546f3c2bbc022241ec166f065386588e89376d0d
-
SHA512
ad2b1fa7e695558d0624b2aa7501b60d8b34bf0ad4a1e0945be6cef7f82c902649694c33f6855c13244e32802f880b682c65747ca720e478a09ad166485851fa
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73PYP1lri3KVT+buwUGu3P3CW:n3C9BRo7MlrWKVT+buBGu3Px
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d7565fe4f5b5d69738574f0029e66580_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\d7565fe4f5b5d69738574f0029e66580_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\xxffllx.exec:\xxffllx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1hhhhn.exec:\1hhhhn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3djpv.exec:\3djpv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1llrrlx.exec:\1llrrlx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1hnntb.exec:\1hnntb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdddp.exec:\jdddp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvdd.exec:\jdvdd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7fllffl.exec:\7fllffl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thnntt.exec:\thnntt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bttbhh.exec:\bttbhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdppd.exec:\pdppd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpjvv.exec:\jpjvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrfrxfr.exec:\xrfrxfr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxlrxxl.exec:\fxlrxxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbntnh.exec:\tbntnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7pdjj.exec:\7pdjj.exe17⤵
- Executes dropped EXE
-
\??\c:\pdvvj.exec:\pdvvj.exe18⤵
- Executes dropped EXE
-
\??\c:\frfflfl.exec:\frfflfl.exe19⤵
- Executes dropped EXE
-
\??\c:\lfxlrrx.exec:\lfxlrrx.exe20⤵
- Executes dropped EXE
-
\??\c:\thnthh.exec:\thnthh.exe21⤵
- Executes dropped EXE
-
\??\c:\dvjpj.exec:\dvjpj.exe22⤵
- Executes dropped EXE
-
\??\c:\1vjpv.exec:\1vjpv.exe23⤵
- Executes dropped EXE
-
\??\c:\rflrxxf.exec:\rflrxxf.exe24⤵
- Executes dropped EXE
-
\??\c:\9fxflrf.exec:\9fxflrf.exe25⤵
- Executes dropped EXE
-
\??\c:\hbhnhh.exec:\hbhnhh.exe26⤵
- Executes dropped EXE
-
\??\c:\nhthnt.exec:\nhthnt.exe27⤵
- Executes dropped EXE
-
\??\c:\vdvdj.exec:\vdvdj.exe28⤵
- Executes dropped EXE
-
\??\c:\xxlrffr.exec:\xxlrffr.exe29⤵
- Executes dropped EXE
-
\??\c:\hbhnbb.exec:\hbhnbb.exe30⤵
- Executes dropped EXE
-
\??\c:\nntnbh.exec:\nntnbh.exe31⤵
- Executes dropped EXE
-
\??\c:\9vppv.exec:\9vppv.exe32⤵
- Executes dropped EXE
-
\??\c:\lfflllf.exec:\lfflllf.exe33⤵
- Executes dropped EXE
-
\??\c:\btbhbh.exec:\btbhbh.exe34⤵
- Executes dropped EXE
-
\??\c:\9bhntt.exec:\9bhntt.exe35⤵
- Executes dropped EXE
-
\??\c:\9vjvd.exec:\9vjvd.exe36⤵
- Executes dropped EXE
-
\??\c:\pjpjd.exec:\pjpjd.exe37⤵
- Executes dropped EXE
-
\??\c:\5pjpv.exec:\5pjpv.exe38⤵
- Executes dropped EXE
-
\??\c:\fxlllff.exec:\fxlllff.exe39⤵
- Executes dropped EXE
-
\??\c:\xrllflr.exec:\xrllflr.exe40⤵
- Executes dropped EXE
-
\??\c:\tnhtbb.exec:\tnhtbb.exe41⤵
- Executes dropped EXE
-
\??\c:\dvpvp.exec:\dvpvp.exe42⤵
- Executes dropped EXE
-
\??\c:\vpppj.exec:\vpppj.exe43⤵
- Executes dropped EXE
-
\??\c:\dpddj.exec:\dpddj.exe44⤵
- Executes dropped EXE
-
\??\c:\5lfxflf.exec:\5lfxflf.exe45⤵
- Executes dropped EXE
-
\??\c:\1lrrxfl.exec:\1lrrxfl.exe46⤵
- Executes dropped EXE
-
\??\c:\thhnht.exec:\thhnht.exe47⤵
- Executes dropped EXE
-
\??\c:\nbnthh.exec:\nbnthh.exe48⤵
- Executes dropped EXE
-
\??\c:\jdjpd.exec:\jdjpd.exe49⤵
- Executes dropped EXE
-
\??\c:\vpdpd.exec:\vpdpd.exe50⤵
- Executes dropped EXE
-
\??\c:\lfxfrrl.exec:\lfxfrrl.exe51⤵
- Executes dropped EXE
-
\??\c:\3lflxxl.exec:\3lflxxl.exe52⤵
- Executes dropped EXE
-
\??\c:\bhnbbn.exec:\bhnbbn.exe53⤵
- Executes dropped EXE
-
\??\c:\nhnnbh.exec:\nhnnbh.exe54⤵
- Executes dropped EXE
-
\??\c:\djdjv.exec:\djdjv.exe55⤵
- Executes dropped EXE
-
\??\c:\vppdp.exec:\vppdp.exe56⤵
- Executes dropped EXE
-
\??\c:\rfrrrlr.exec:\rfrrrlr.exe57⤵
- Executes dropped EXE
-
\??\c:\xxllrxf.exec:\xxllrxf.exe58⤵
- Executes dropped EXE
-
\??\c:\xllxxxf.exec:\xllxxxf.exe59⤵
- Executes dropped EXE
-
\??\c:\3thhhn.exec:\3thhhn.exe60⤵
- Executes dropped EXE
-
\??\c:\jjjpj.exec:\jjjpj.exe61⤵
- Executes dropped EXE
-
\??\c:\jjvpd.exec:\jjvpd.exe62⤵
- Executes dropped EXE
-
\??\c:\rfrxrrr.exec:\rfrxrrr.exe63⤵
- Executes dropped EXE
-
\??\c:\3lxfffl.exec:\3lxfffl.exe64⤵
- Executes dropped EXE
-
\??\c:\1bhntn.exec:\1bhntn.exe65⤵
- Executes dropped EXE
-
\??\c:\nhhhtn.exec:\nhhhtn.exe66⤵
-
\??\c:\vpddd.exec:\vpddd.exe67⤵
-
\??\c:\vpdvj.exec:\vpdvj.exe68⤵
-
\??\c:\vpppj.exec:\vpppj.exe69⤵
-
\??\c:\lxxllff.exec:\lxxllff.exe70⤵
-
\??\c:\lxrrrrx.exec:\lxrrrrx.exe71⤵
-
\??\c:\hhhnnb.exec:\hhhnnb.exe72⤵
-
\??\c:\ntbbhh.exec:\ntbbhh.exe73⤵
-
\??\c:\tntnnn.exec:\tntnnn.exe74⤵
-
\??\c:\vpjvj.exec:\vpjvj.exe75⤵
-
\??\c:\jdjpv.exec:\jdjpv.exe76⤵
-
\??\c:\7rflllx.exec:\7rflllx.exe77⤵
-
\??\c:\1lrrrrl.exec:\1lrrrrl.exe78⤵
-
\??\c:\hbnnbh.exec:\hbnnbh.exe79⤵
-
\??\c:\ttthth.exec:\ttthth.exe80⤵
-
\??\c:\jddjv.exec:\jddjv.exe81⤵
-
\??\c:\dpvvj.exec:\dpvvj.exe82⤵
-
\??\c:\jvdpj.exec:\jvdpj.exe83⤵
-
\??\c:\1xfxxrx.exec:\1xfxxrx.exe84⤵
-
\??\c:\7lxfrrx.exec:\7lxfrrx.exe85⤵
-
\??\c:\nhtnnn.exec:\nhtnnn.exe86⤵
-
\??\c:\thtbbb.exec:\thtbbb.exe87⤵
-
\??\c:\vdjjp.exec:\vdjjp.exe88⤵
-
\??\c:\vpvvd.exec:\vpvvd.exe89⤵
-
\??\c:\rfffxxl.exec:\rfffxxl.exe90⤵
-
\??\c:\fxllxfx.exec:\fxllxfx.exe91⤵
-
\??\c:\3htbbt.exec:\3htbbt.exe92⤵
-
\??\c:\hbnthn.exec:\hbnthn.exe93⤵
-
\??\c:\nttttt.exec:\nttttt.exe94⤵
-
\??\c:\dpddj.exec:\dpddj.exe95⤵
-
\??\c:\3djdd.exec:\3djdd.exe96⤵
-
\??\c:\xrxffxf.exec:\xrxffxf.exe97⤵
-
\??\c:\5lfffrr.exec:\5lfffrr.exe98⤵
-
\??\c:\btnbhh.exec:\btnbhh.exe99⤵
-
\??\c:\tbhbtn.exec:\tbhbtn.exe100⤵
-
\??\c:\nhthth.exec:\nhthth.exe101⤵
-
\??\c:\pdvvv.exec:\pdvvv.exe102⤵
-
\??\c:\3jppp.exec:\3jppp.exe103⤵
-
\??\c:\rrflxxr.exec:\rrflxxr.exe104⤵
-
\??\c:\lrllxfx.exec:\lrllxfx.exe105⤵
-
\??\c:\tnbtbb.exec:\tnbtbb.exe106⤵
-
\??\c:\hbhbth.exec:\hbhbth.exe107⤵
-
\??\c:\7pdjv.exec:\7pdjv.exe108⤵
-
\??\c:\dvpvj.exec:\dvpvj.exe109⤵
-
\??\c:\3jvdj.exec:\3jvdj.exe110⤵
-
\??\c:\lfllrrf.exec:\lfllrrf.exe111⤵
-
\??\c:\fxlrrrr.exec:\fxlrrrr.exe112⤵
-
\??\c:\bhthhh.exec:\bhthhh.exe113⤵
-
\??\c:\btnthn.exec:\btnthn.exe114⤵
-
\??\c:\tnhnbb.exec:\tnhnbb.exe115⤵
-
\??\c:\vjppv.exec:\vjppv.exe116⤵
-
\??\c:\9djdd.exec:\9djdd.exe117⤵
-
\??\c:\rlrxxxf.exec:\rlrxxxf.exe118⤵
-
\??\c:\fxffllx.exec:\fxffllx.exe119⤵
-
\??\c:\nbnthb.exec:\nbnthb.exe120⤵
-
\??\c:\3hbhnt.exec:\3hbhnt.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-