Analysis
-
max time kernel
150s -
max time network
113s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
08/05/2024, 06:15
General
-
Target
f2c61a1f8a30f431647dfdb46d858fa0_NEIKI.exe
-
Size
61KB
-
MD5
f2c61a1f8a30f431647dfdb46d858fa0
-
SHA1
40014712723c88a334baa37960620c96b55a23d9
-
SHA256
c45cb58127c01c256110542325203e3aed84cd7c7e0f8b157f679a5b7084855d
-
SHA512
13624dfba08436d86c99da8a56f5e6755eb833335c7a8ff889ce2809b5bf31299e48dfbe198a4ce1d08e322e00652e27f3841ea6f3fea5de9406b1914ab1a419
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDII9ZvHKEn:ymb3NkkiQ3mdBjFII9ZvHKEn
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 27 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2c61a1f8a30f431647dfdb46d858fa0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\f2c61a1f8a30f431647dfdb46d858fa0_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rxxxrrr.exec:\rxxxrrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5lxxxxf.exec:\5lxxxxf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnhbbt.exec:\hnhbbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjpjj.exec:\jjpjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffxfxrl.exec:\ffxfxrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rllfxxr.exec:\rllfxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnbbtt.exec:\bnbbtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1pjdp.exec:\1pjdp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjdv.exec:\jjjdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5llllrl.exec:\5llllrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hthnnb.exec:\hthnnb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9ttnnh.exec:\9ttnnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpvdp.exec:\vpvdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxrlffx.exec:\xxrlffx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnnhh.exec:\tnnnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbbnn.exec:\btbbnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9vdvv.exec:\9vdvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxrlffx.exec:\lxrlffx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnhbh.exec:\btnhbh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttbttt.exec:\ttbttt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjdp.exec:\ppjdp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9dddv.exec:\9dddv.exe23⤵
- Executes dropped EXE
-
\??\c:\fxfxrlf.exec:\fxfxrlf.exe24⤵
- Executes dropped EXE
-
\??\c:\tbbbtt.exec:\tbbbtt.exe25⤵
- Executes dropped EXE
-
\??\c:\ddjvj.exec:\ddjvj.exe26⤵
- Executes dropped EXE
-
\??\c:\llxxrrl.exec:\llxxrrl.exe27⤵
- Executes dropped EXE
-
\??\c:\tthhhh.exec:\tthhhh.exe28⤵
- Executes dropped EXE
-
\??\c:\1thbhb.exec:\1thbhb.exe29⤵
- Executes dropped EXE
-
\??\c:\1vpvj.exec:\1vpvj.exe30⤵
- Executes dropped EXE
-
\??\c:\lfrlfll.exec:\lfrlfll.exe31⤵
- Executes dropped EXE
-
\??\c:\lllfrlr.exec:\lllfrlr.exe32⤵
- Executes dropped EXE
-
\??\c:\3tbttb.exec:\3tbttb.exe33⤵
- Executes dropped EXE
-
\??\c:\pdvvp.exec:\pdvvp.exe34⤵
- Executes dropped EXE
-
\??\c:\djdpj.exec:\djdpj.exe35⤵
- Executes dropped EXE
-
\??\c:\rxrlllx.exec:\rxrlllx.exe36⤵
- Executes dropped EXE
-
\??\c:\1tnnnn.exec:\1tnnnn.exe37⤵
- Executes dropped EXE
-
\??\c:\bnbtnn.exec:\bnbtnn.exe38⤵
- Executes dropped EXE
-
\??\c:\dpjdp.exec:\dpjdp.exe39⤵
- Executes dropped EXE
-
\??\c:\rfrrlfx.exec:\rfrrlfx.exe40⤵
- Executes dropped EXE
-
\??\c:\fxfxxxx.exec:\fxfxxxx.exe41⤵
- Executes dropped EXE
-
\??\c:\tnhtbt.exec:\tnhtbt.exe42⤵
- Executes dropped EXE
-
\??\c:\3hbtnh.exec:\3hbtnh.exe43⤵
- Executes dropped EXE
-
\??\c:\vjvvj.exec:\vjvvj.exe44⤵
- Executes dropped EXE
-
\??\c:\rxfxrfx.exec:\rxfxrfx.exe45⤵
- Executes dropped EXE
-
\??\c:\1rlxrlf.exec:\1rlxrlf.exe46⤵
- Executes dropped EXE
-
\??\c:\pvddd.exec:\pvddd.exe47⤵
- Executes dropped EXE
-
\??\c:\ppppd.exec:\ppppd.exe48⤵
- Executes dropped EXE
-
\??\c:\5flffll.exec:\5flffll.exe49⤵
- Executes dropped EXE
-
\??\c:\frxxfll.exec:\frxxfll.exe50⤵
- Executes dropped EXE
-
\??\c:\ntbbbb.exec:\ntbbbb.exe51⤵
- Executes dropped EXE
-
\??\c:\jjvpp.exec:\jjvpp.exe52⤵
- Executes dropped EXE
-
\??\c:\jvvpj.exec:\jvvpj.exe53⤵
- Executes dropped EXE
-
\??\c:\1lrxxxf.exec:\1lrxxxf.exe54⤵
- Executes dropped EXE
-
\??\c:\1thbtt.exec:\1thbtt.exe55⤵
- Executes dropped EXE
-
\??\c:\bbtbht.exec:\bbtbht.exe56⤵
- Executes dropped EXE
-
\??\c:\rxxxrxx.exec:\rxxxrxx.exe57⤵
- Executes dropped EXE
-
\??\c:\3frrrrx.exec:\3frrrrx.exe58⤵
- Executes dropped EXE
-
\??\c:\hntthh.exec:\hntthh.exe59⤵
- Executes dropped EXE
-
\??\c:\bhnttt.exec:\bhnttt.exe60⤵
- Executes dropped EXE
-
\??\c:\9jddp.exec:\9jddp.exe61⤵
- Executes dropped EXE
-
\??\c:\vdppv.exec:\vdppv.exe62⤵
- Executes dropped EXE
-
\??\c:\rxffflf.exec:\rxffflf.exe63⤵
- Executes dropped EXE
-
\??\c:\xrxxffx.exec:\xrxxffx.exe64⤵
- Executes dropped EXE
-
\??\c:\1flffrl.exec:\1flffrl.exe65⤵
- Executes dropped EXE
-
\??\c:\nbhnhh.exec:\nbhnhh.exe66⤵
-
\??\c:\hbbtnt.exec:\hbbtnt.exe67⤵
-
\??\c:\jjddp.exec:\jjddp.exe68⤵
-
\??\c:\dpvvp.exec:\dpvvp.exe69⤵
-
\??\c:\lrxrllf.exec:\lrxrllf.exe70⤵
-
\??\c:\5xlfrlf.exec:\5xlfrlf.exe71⤵
-
\??\c:\btttbb.exec:\btttbb.exe72⤵
-
\??\c:\bhhhbh.exec:\bhhhbh.exe73⤵
-
\??\c:\5dpjv.exec:\5dpjv.exe74⤵
-
\??\c:\rllffff.exec:\rllffff.exe75⤵
-
\??\c:\htnthh.exec:\htnthh.exe76⤵
-
\??\c:\3nnnbb.exec:\3nnnbb.exe77⤵
-
\??\c:\djvvp.exec:\djvvp.exe78⤵
-
\??\c:\frflxlr.exec:\frflxlr.exe79⤵
-
\??\c:\nhnhhb.exec:\nhnhhb.exe80⤵
-
\??\c:\pdjdv.exec:\pdjdv.exe81⤵
-
\??\c:\lllfxxr.exec:\lllfxxr.exe82⤵
-
\??\c:\vvvvp.exec:\vvvvp.exe83⤵
-
\??\c:\lrflxlx.exec:\lrflxlx.exe84⤵
-
\??\c:\rrrlffr.exec:\rrrlffr.exe85⤵
-
\??\c:\nbtnnb.exec:\nbtnnb.exe86⤵
-
\??\c:\jvvvp.exec:\jvvvp.exe87⤵
-
\??\c:\9dppd.exec:\9dppd.exe88⤵
-
\??\c:\dpjvj.exec:\dpjvj.exe89⤵
-
\??\c:\3rrlffx.exec:\3rrlffx.exe90⤵
-
\??\c:\bttnhh.exec:\bttnhh.exe91⤵
-
\??\c:\dppjv.exec:\dppjv.exe92⤵
-
\??\c:\djpjv.exec:\djpjv.exe93⤵
-
\??\c:\5jjjv.exec:\5jjjv.exe94⤵
-
\??\c:\1xxlffx.exec:\1xxlffx.exe95⤵
-
\??\c:\thhtnh.exec:\thhtnh.exe96⤵
-
\??\c:\nhhbnb.exec:\nhhbnb.exe97⤵
-
\??\c:\pvvjd.exec:\pvvjd.exe98⤵
-
\??\c:\jjjjd.exec:\jjjjd.exe99⤵
-
\??\c:\pvvvv.exec:\pvvvv.exe100⤵
-
\??\c:\rrlxrrx.exec:\rrlxrrx.exe101⤵
-
\??\c:\nhnntt.exec:\nhnntt.exe102⤵
-
\??\c:\bnbbbb.exec:\bnbbbb.exe103⤵
-
\??\c:\7djdv.exec:\7djdv.exe104⤵
-
\??\c:\ddvvj.exec:\ddvvj.exe105⤵
-
\??\c:\lxfxfxf.exec:\lxfxfxf.exe106⤵
-
\??\c:\xxrrrrr.exec:\xxrrrrr.exe107⤵
-
\??\c:\bnnbtt.exec:\bnnbtt.exe108⤵
-
\??\c:\nttnhb.exec:\nttnhb.exe109⤵
-
\??\c:\djppd.exec:\djppd.exe110⤵
-
\??\c:\fxfffff.exec:\fxfffff.exe111⤵
-
\??\c:\lflfxrr.exec:\lflfxrr.exe112⤵
-
\??\c:\nttnhb.exec:\nttnhb.exe113⤵
-
\??\c:\3hhbnn.exec:\3hhbnn.exe114⤵
-
\??\c:\jjjjv.exec:\jjjjv.exe115⤵
-
\??\c:\jvdvp.exec:\jvdvp.exe116⤵
-
\??\c:\rxlfrrl.exec:\rxlfrrl.exe117⤵
-
\??\c:\bntttb.exec:\bntttb.exe118⤵
-
\??\c:\djppp.exec:\djppp.exe119⤵
-
\??\c:\jjvpp.exec:\jjvpp.exe120⤵
-
\??\c:\1lllfff.exec:\1lllfff.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-