Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
08-05-2024 09:17
General
-
Target
4171835f7db51b82965ac2fb82fb8d60_NEIKI.exe
-
Size
135KB
-
MD5
4171835f7db51b82965ac2fb82fb8d60
-
SHA1
1b0a7345f56eb710d7d4ac5fb0c88e0ce4fd3885
-
SHA256
49a5d99c281d4b1bb4a32f00ce36fe31fe3d417b49ccfe9fb2fea3915ccc6ae8
-
SHA512
62bd3ff663622d35349af16cdfc8a9cfe68ce4634c4b451b50c398306dc8924482971070f8b78adbac6678ea3d18be142ebf77a2dfafaae3b3e150ca944f91fd
-
SSDEEP
3072:ymb3NkkiQ3mdBjFWXkj7afoHVpx+dGoEjZeiV:n3C9BRW0j/1px+dG3FV
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 21 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4171835f7db51b82965ac2fb82fb8d60_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\4171835f7db51b82965ac2fb82fb8d60_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\fxllrlr.exec:\fxllrlr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhnttn.exec:\nhnttn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7jvpj.exec:\7jvpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxrlxx.exec:\xlxrlxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thhbnt.exec:\thhbnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1pdjp.exec:\1pdjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3jddj.exec:\3jddj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlrxffx.exec:\xlrxffx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htnhnn.exec:\htnhnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhnbh.exec:\hbhnbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjddp.exec:\pjddp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvvp.exec:\pdvvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrxfff.exec:\rfrxfff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbnntb.exec:\bbnntb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhtthb.exec:\nhtthb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdpvj.exec:\jdpvj.exe17⤵
- Executes dropped EXE
-
\??\c:\5lxrfrr.exec:\5lxrfrr.exe18⤵
- Executes dropped EXE
-
\??\c:\bthbhb.exec:\bthbhb.exe19⤵
- Executes dropped EXE
-
\??\c:\nnthbt.exec:\nnthbt.exe20⤵
- Executes dropped EXE
-
\??\c:\1dvjv.exec:\1dvjv.exe21⤵
- Executes dropped EXE
-
\??\c:\fxrrffl.exec:\fxrrffl.exe22⤵
- Executes dropped EXE
-
\??\c:\fxrrffr.exec:\fxrrffr.exe23⤵
- Executes dropped EXE
-
\??\c:\hbnttn.exec:\hbnttn.exe24⤵
- Executes dropped EXE
-
\??\c:\7pdpp.exec:\7pdpp.exe25⤵
- Executes dropped EXE
-
\??\c:\fllrxrf.exec:\fllrxrf.exe26⤵
- Executes dropped EXE
-
\??\c:\fxxfrfl.exec:\fxxfrfl.exe27⤵
- Executes dropped EXE
-
\??\c:\vjvpv.exec:\vjvpv.exe28⤵
- Executes dropped EXE
-
\??\c:\1pjvj.exec:\1pjvj.exe29⤵
- Executes dropped EXE
-
\??\c:\rrlrrll.exec:\rrlrrll.exe30⤵
- Executes dropped EXE
-
\??\c:\hbtbnn.exec:\hbtbnn.exe31⤵
- Executes dropped EXE
-
\??\c:\nhnhnn.exec:\nhnhnn.exe32⤵
- Executes dropped EXE
-
\??\c:\pjvjp.exec:\pjvjp.exe33⤵
- Executes dropped EXE
-
\??\c:\jdjdj.exec:\jdjdj.exe34⤵
- Executes dropped EXE
-
\??\c:\5rrflrl.exec:\5rrflrl.exe35⤵
- Executes dropped EXE
-
\??\c:\frfrfrl.exec:\frfrfrl.exe36⤵
- Executes dropped EXE
-
\??\c:\hntbhb.exec:\hntbhb.exe37⤵
- Executes dropped EXE
-
\??\c:\jdpjp.exec:\jdpjp.exe38⤵
- Executes dropped EXE
-
\??\c:\ddddv.exec:\ddddv.exe39⤵
- Executes dropped EXE
-
\??\c:\1jvdj.exec:\1jvdj.exe40⤵
- Executes dropped EXE
-
\??\c:\frxrxll.exec:\frxrxll.exe41⤵
- Executes dropped EXE
-
\??\c:\xrfllrf.exec:\xrfllrf.exe42⤵
- Executes dropped EXE
-
\??\c:\tnntbb.exec:\tnntbb.exe43⤵
- Executes dropped EXE
-
\??\c:\hbtttt.exec:\hbtttt.exe44⤵
- Executes dropped EXE
-
\??\c:\dpdvd.exec:\dpdvd.exe45⤵
- Executes dropped EXE
-
\??\c:\dpppv.exec:\dpppv.exe46⤵
- Executes dropped EXE
-
\??\c:\vvvvj.exec:\vvvvj.exe47⤵
- Executes dropped EXE
-
\??\c:\lflfllr.exec:\lflfllr.exe48⤵
- Executes dropped EXE
-
\??\c:\llrxrfl.exec:\llrxrfl.exe49⤵
- Executes dropped EXE
-
\??\c:\nhhhhh.exec:\nhhhhh.exe50⤵
- Executes dropped EXE
-
\??\c:\tnnhbb.exec:\tnnhbb.exe51⤵
- Executes dropped EXE
-
\??\c:\bnnnnn.exec:\bnnnnn.exe52⤵
- Executes dropped EXE
-
\??\c:\vpdvd.exec:\vpdvd.exe53⤵
- Executes dropped EXE
-
\??\c:\vjppp.exec:\vjppp.exe54⤵
- Executes dropped EXE
-
\??\c:\5xxxllx.exec:\5xxxllx.exe55⤵
- Executes dropped EXE
-
\??\c:\3fxlrrx.exec:\3fxlrrx.exe56⤵
- Executes dropped EXE
-
\??\c:\fxlxflr.exec:\fxlxflr.exe57⤵
- Executes dropped EXE
-
\??\c:\3tnbhn.exec:\3tnbhn.exe58⤵
- Executes dropped EXE
-
\??\c:\nhhntb.exec:\nhhntb.exe59⤵
- Executes dropped EXE
-
\??\c:\nhthbh.exec:\nhthbh.exe60⤵
- Executes dropped EXE
-
\??\c:\jdvdp.exec:\jdvdp.exe61⤵
- Executes dropped EXE
-
\??\c:\dvddj.exec:\dvddj.exe62⤵
- Executes dropped EXE
-
\??\c:\dvpvv.exec:\dvpvv.exe63⤵
- Executes dropped EXE
-
\??\c:\fxllrrx.exec:\fxllrrx.exe64⤵
- Executes dropped EXE
-
\??\c:\hbhnnt.exec:\hbhnnt.exe65⤵
- Executes dropped EXE
-
\??\c:\tnbhnn.exec:\tnbhnn.exe66⤵
-
\??\c:\bnhhtt.exec:\bnhhtt.exe67⤵
-
\??\c:\jjvdd.exec:\jjvdd.exe68⤵
-
\??\c:\vjvpv.exec:\vjvpv.exe69⤵
-
\??\c:\fxxrrrf.exec:\fxxrrrf.exe70⤵
-
\??\c:\llrflrx.exec:\llrflrx.exe71⤵
-
\??\c:\fxllrxf.exec:\fxllrxf.exe72⤵
-
\??\c:\nbbbhn.exec:\nbbbhn.exe73⤵
-
\??\c:\btbttb.exec:\btbttb.exe74⤵
-
\??\c:\bnntbh.exec:\bnntbh.exe75⤵
-
\??\c:\ppddd.exec:\ppddd.exe76⤵
-
\??\c:\dvpvp.exec:\dvpvp.exe77⤵
-
\??\c:\pjvvv.exec:\pjvvv.exe78⤵
-
\??\c:\1xrlrlr.exec:\1xrlrlr.exe79⤵
-
\??\c:\rlxlxfl.exec:\rlxlxfl.exe80⤵
-
\??\c:\rlffrrf.exec:\rlffrrf.exe81⤵
-
\??\c:\bhnhnt.exec:\bhnhnt.exe82⤵
-
\??\c:\5vppd.exec:\5vppd.exe83⤵
-
\??\c:\jjdpd.exec:\jjdpd.exe84⤵
-
\??\c:\vpvvv.exec:\vpvvv.exe85⤵
-
\??\c:\xrxfllr.exec:\xrxfllr.exe86⤵
-
\??\c:\fxrflrf.exec:\fxrflrf.exe87⤵
-
\??\c:\fxllffl.exec:\fxllffl.exe88⤵
-
\??\c:\bthbbn.exec:\bthbbn.exe89⤵
-
\??\c:\ttntth.exec:\ttntth.exe90⤵
-
\??\c:\bhhntt.exec:\bhhntt.exe91⤵
-
\??\c:\jddpd.exec:\jddpd.exe92⤵
-
\??\c:\pjpjp.exec:\pjpjp.exe93⤵
-
\??\c:\dppvv.exec:\dppvv.exe94⤵
-
\??\c:\1xxxlrx.exec:\1xxxlrx.exe95⤵
-
\??\c:\rlfxflf.exec:\rlfxflf.exe96⤵
-
\??\c:\rlxxlfr.exec:\rlxxlfr.exe97⤵
-
\??\c:\bthhnn.exec:\bthhnn.exe98⤵
-
\??\c:\9ntnhn.exec:\9ntnhn.exe99⤵
-
\??\c:\pjvvj.exec:\pjvvj.exe100⤵
-
\??\c:\jdvdj.exec:\jdvdj.exe101⤵
-
\??\c:\vvppv.exec:\vvppv.exe102⤵
-
\??\c:\xrffrrf.exec:\xrffrrf.exe103⤵
-
\??\c:\rlxfllf.exec:\rlxfllf.exe104⤵
-
\??\c:\fxrrflx.exec:\fxrrflx.exe105⤵
-
\??\c:\5nhthh.exec:\5nhthh.exe106⤵
-
\??\c:\hthnnt.exec:\hthnnt.exe107⤵
-
\??\c:\5vjdj.exec:\5vjdj.exe108⤵
-
\??\c:\vvppd.exec:\vvppd.exe109⤵
-
\??\c:\1pvdj.exec:\1pvdj.exe110⤵
-
\??\c:\9xrxxfr.exec:\9xrxxfr.exe111⤵
-
\??\c:\rxffffl.exec:\rxffffl.exe112⤵
-
\??\c:\nbtbhn.exec:\nbtbhn.exe113⤵
-
\??\c:\btthbb.exec:\btthbb.exe114⤵
-
\??\c:\thtnnt.exec:\thtnnt.exe115⤵
-
\??\c:\pjppd.exec:\pjppd.exe116⤵
-
\??\c:\dvpvp.exec:\dvpvp.exe117⤵
-
\??\c:\xlxxxfl.exec:\xlxxxfl.exe118⤵
-
\??\c:\fxlllrf.exec:\fxlllrf.exe119⤵
-
\??\c:\tnnntt.exec:\tnnntt.exe120⤵
-
\??\c:\nhhttb.exec:\nhhttb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-