Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
08/05/2024, 06:15
General
-
Target
f2c61a1f8a30f431647dfdb46d858fa0_NEIKI.exe
-
Size
61KB
-
MD5
f2c61a1f8a30f431647dfdb46d858fa0
-
SHA1
40014712723c88a334baa37960620c96b55a23d9
-
SHA256
c45cb58127c01c256110542325203e3aed84cd7c7e0f8b157f679a5b7084855d
-
SHA512
13624dfba08436d86c99da8a56f5e6755eb833335c7a8ff889ce2809b5bf31299e48dfbe198a4ce1d08e322e00652e27f3841ea6f3fea5de9406b1914ab1a419
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDII9ZvHKEn:ymb3NkkiQ3mdBjFII9ZvHKEn
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 21 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2c61a1f8a30f431647dfdb46d858fa0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\f2c61a1f8a30f431647dfdb46d858fa0_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\nhnthn.exec:\nhnthn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjppd.exec:\pjppd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9xrxrrf.exec:\9xrxrrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1bttbn.exec:\1bttbn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9pvvj.exec:\9pvvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5rlxxxx.exec:\5rlxxxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnntt.exec:\hbnntt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbnntt.exec:\nbnntt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvdv.exec:\dvvdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1frflfl.exec:\1frflfl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnbbtb.exec:\bnbbtb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3httbb.exec:\3httbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjpd.exec:\jdjpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpdvp.exec:\vpdvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrrfxf.exec:\fxrrfxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxxlll.exec:\rfxxlll.exe17⤵
- Executes dropped EXE
-
\??\c:\nhtbhh.exec:\nhtbhh.exe18⤵
- Executes dropped EXE
-
\??\c:\dvdjp.exec:\dvdjp.exe19⤵
- Executes dropped EXE
-
\??\c:\rlffllx.exec:\rlffllx.exe20⤵
- Executes dropped EXE
-
\??\c:\xrrllrx.exec:\xrrllrx.exe21⤵
- Executes dropped EXE
-
\??\c:\nhttbb.exec:\nhttbb.exe22⤵
- Executes dropped EXE
-
\??\c:\thnntt.exec:\thnntt.exe23⤵
- Executes dropped EXE
-
\??\c:\jjpdp.exec:\jjpdp.exe24⤵
- Executes dropped EXE
-
\??\c:\rlxxfxl.exec:\rlxxfxl.exe25⤵
- Executes dropped EXE
-
\??\c:\rlfflxl.exec:\rlfflxl.exe26⤵
- Executes dropped EXE
-
\??\c:\1nnnnh.exec:\1nnnnh.exe27⤵
- Executes dropped EXE
-
\??\c:\bttbhh.exec:\bttbhh.exe28⤵
- Executes dropped EXE
-
\??\c:\dvjjp.exec:\dvjjp.exe29⤵
- Executes dropped EXE
-
\??\c:\rxrrxxx.exec:\rxrrxxx.exe30⤵
- Executes dropped EXE
-
\??\c:\9rllxfr.exec:\9rllxfr.exe31⤵
- Executes dropped EXE
-
\??\c:\nhtttt.exec:\nhtttt.exe32⤵
- Executes dropped EXE
-
\??\c:\nbhhhh.exec:\nbhhhh.exe33⤵
- Executes dropped EXE
-
\??\c:\pdjjj.exec:\pdjjj.exe34⤵
- Executes dropped EXE
-
\??\c:\dpvvv.exec:\dpvvv.exe35⤵
- Executes dropped EXE
-
\??\c:\rfrxrrx.exec:\rfrxrrx.exe36⤵
- Executes dropped EXE
-
\??\c:\1hbhnn.exec:\1hbhnn.exe37⤵
- Executes dropped EXE
-
\??\c:\1pddj.exec:\1pddj.exe38⤵
- Executes dropped EXE
-
\??\c:\ppddd.exec:\ppddd.exe39⤵
- Executes dropped EXE
-
\??\c:\rlxfrxf.exec:\rlxfrxf.exe40⤵
- Executes dropped EXE
-
\??\c:\xlrlrrf.exec:\xlrlrrf.exe41⤵
- Executes dropped EXE
-
\??\c:\nhttbb.exec:\nhttbb.exe42⤵
- Executes dropped EXE
-
\??\c:\1ntbhh.exec:\1ntbhh.exe43⤵
- Executes dropped EXE
-
\??\c:\9htbbb.exec:\9htbbb.exe44⤵
- Executes dropped EXE
-
\??\c:\pjpvj.exec:\pjpvj.exe45⤵
- Executes dropped EXE
-
\??\c:\jdpvj.exec:\jdpvj.exe46⤵
- Executes dropped EXE
-
\??\c:\xrfflfx.exec:\xrfflfx.exe47⤵
- Executes dropped EXE
-
\??\c:\lxllxff.exec:\lxllxff.exe48⤵
- Executes dropped EXE
-
\??\c:\7hbbhn.exec:\7hbbhn.exe49⤵
- Executes dropped EXE
-
\??\c:\tnhntt.exec:\tnhntt.exe50⤵
- Executes dropped EXE
-
\??\c:\pddvj.exec:\pddvj.exe51⤵
- Executes dropped EXE
-
\??\c:\jdpdj.exec:\jdpdj.exe52⤵
- Executes dropped EXE
-
\??\c:\lfflrlx.exec:\lfflrlx.exe53⤵
- Executes dropped EXE
-
\??\c:\lflrrxf.exec:\lflrrxf.exe54⤵
- Executes dropped EXE
-
\??\c:\hbtbnt.exec:\hbtbnt.exe55⤵
- Executes dropped EXE
-
\??\c:\hbhthn.exec:\hbhthn.exe56⤵
- Executes dropped EXE
-
\??\c:\vjvvj.exec:\vjvvj.exe57⤵
- Executes dropped EXE
-
\??\c:\vjddp.exec:\vjddp.exe58⤵
- Executes dropped EXE
-
\??\c:\xlrflfl.exec:\xlrflfl.exe59⤵
- Executes dropped EXE
-
\??\c:\lfrxxrx.exec:\lfrxxrx.exe60⤵
- Executes dropped EXE
-
\??\c:\7nnnnn.exec:\7nnnnn.exe61⤵
- Executes dropped EXE
-
\??\c:\nbntbh.exec:\nbntbh.exe62⤵
- Executes dropped EXE
-
\??\c:\bthhtn.exec:\bthhtn.exe63⤵
- Executes dropped EXE
-
\??\c:\7jjvd.exec:\7jjvd.exe64⤵
- Executes dropped EXE
-
\??\c:\dvddd.exec:\dvddd.exe65⤵
- Executes dropped EXE
-
\??\c:\rfxxlll.exec:\rfxxlll.exe66⤵
-
\??\c:\1lllffr.exec:\1lllffr.exe67⤵
-
\??\c:\hbhntt.exec:\hbhntt.exe68⤵
-
\??\c:\hbtthb.exec:\hbtthb.exe69⤵
-
\??\c:\9pjjp.exec:\9pjjp.exe70⤵
-
\??\c:\vpjpv.exec:\vpjpv.exe71⤵
-
\??\c:\lfrxflr.exec:\lfrxflr.exe72⤵
-
\??\c:\lxrlrrx.exec:\lxrlrrx.exe73⤵
-
\??\c:\tnthnn.exec:\tnthnn.exe74⤵
-
\??\c:\nhnntt.exec:\nhnntt.exe75⤵
-
\??\c:\1dpvd.exec:\1dpvd.exe76⤵
-
\??\c:\dvddj.exec:\dvddj.exe77⤵
-
\??\c:\9lflffl.exec:\9lflffl.exe78⤵
-
\??\c:\ntbbnn.exec:\ntbbnn.exe79⤵
-
\??\c:\thtnnh.exec:\thtnnh.exe80⤵
-
\??\c:\pdpjv.exec:\pdpjv.exe81⤵
-
\??\c:\pjddp.exec:\pjddp.exe82⤵
-
\??\c:\9rrfrrx.exec:\9rrfrrx.exe83⤵
-
\??\c:\lfxlxlx.exec:\lfxlxlx.exe84⤵
-
\??\c:\hbnnbh.exec:\hbnnbh.exe85⤵
-
\??\c:\hhbhnb.exec:\hhbhnb.exe86⤵
-
\??\c:\vpjjd.exec:\vpjjd.exe87⤵
-
\??\c:\xxxfrrr.exec:\xxxfrrr.exe88⤵
-
\??\c:\llrrxfl.exec:\llrrxfl.exe89⤵
-
\??\c:\1nnhtb.exec:\1nnhtb.exe90⤵
-
\??\c:\nhtntt.exec:\nhtntt.exe91⤵
-
\??\c:\7jddp.exec:\7jddp.exe92⤵
-
\??\c:\5pjjj.exec:\5pjjj.exe93⤵
-
\??\c:\ffrxflr.exec:\ffrxflr.exe94⤵
-
\??\c:\3tntbb.exec:\3tntbb.exe95⤵
-
\??\c:\3nnhhh.exec:\3nnhhh.exe96⤵
-
\??\c:\djvvj.exec:\djvvj.exe97⤵
-
\??\c:\jvjpp.exec:\jvjpp.exe98⤵
-
\??\c:\xlxxxxf.exec:\xlxxxxf.exe99⤵
-
\??\c:\1rfxflr.exec:\1rfxflr.exe100⤵
-
\??\c:\thtbhb.exec:\thtbhb.exe101⤵
-
\??\c:\tnhhnn.exec:\tnhhnn.exe102⤵
-
\??\c:\vjjjv.exec:\vjjjv.exe103⤵
-
\??\c:\jjddd.exec:\jjddd.exe104⤵
-
\??\c:\lfxffxx.exec:\lfxffxx.exe105⤵
-
\??\c:\lfxrxfr.exec:\lfxrxfr.exe106⤵
-
\??\c:\nhbbnt.exec:\nhbbnt.exe107⤵
-
\??\c:\3bnnnn.exec:\3bnnnn.exe108⤵
-
\??\c:\pjvvd.exec:\pjvvd.exe109⤵
-
\??\c:\vpjpd.exec:\vpjpd.exe110⤵
-
\??\c:\lfflllr.exec:\lfflllr.exe111⤵
-
\??\c:\rlfxrxf.exec:\rlfxrxf.exe112⤵
-
\??\c:\hbnnbb.exec:\hbnnbb.exe113⤵
-
\??\c:\hbntbh.exec:\hbntbh.exe114⤵
-
\??\c:\vpdvd.exec:\vpdvd.exe115⤵
-
\??\c:\7pjpv.exec:\7pjpv.exe116⤵
-
\??\c:\rlxrffl.exec:\rlxrffl.exe117⤵
-
\??\c:\lflrflf.exec:\lflrflf.exe118⤵
-
\??\c:\nbnnbb.exec:\nbnnbb.exe119⤵
-
\??\c:\hthntt.exec:\hthntt.exe120⤵
-
\??\c:\vjppp.exec:\vjppp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-