Analysis
-
max time kernel
150s -
max time network
115s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
08-05-2024 09:17
General
-
Target
4171835f7db51b82965ac2fb82fb8d60_NEIKI.exe
-
Size
135KB
-
MD5
4171835f7db51b82965ac2fb82fb8d60
-
SHA1
1b0a7345f56eb710d7d4ac5fb0c88e0ce4fd3885
-
SHA256
49a5d99c281d4b1bb4a32f00ce36fe31fe3d417b49ccfe9fb2fea3915ccc6ae8
-
SHA512
62bd3ff663622d35349af16cdfc8a9cfe68ce4634c4b451b50c398306dc8924482971070f8b78adbac6678ea3d18be142ebf77a2dfafaae3b3e150ca944f91fd
-
SSDEEP
3072:ymb3NkkiQ3mdBjFWXkj7afoHVpx+dGoEjZeiV:n3C9BRW0j/1px+dG3FV
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 27 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4171835f7db51b82965ac2fb82fb8d60_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\4171835f7db51b82965ac2fb82fb8d60_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\5vppj.exec:\5vppj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flrlfff.exec:\flrlfff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\httnnn.exec:\httnnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhnhtt.exec:\hhnhtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpddd.exec:\vpddd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbnhth.exec:\bbnhth.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpjvj.exec:\dpjvj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlffflf.exec:\rlffflf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhttbb.exec:\nhttbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhthtb.exec:\bhthtb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvpv.exec:\dvvpv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jddpd.exec:\jddpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hthbbb.exec:\hthbbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jddvp.exec:\jddvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxlfllx.exec:\lxlfllx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llxrllf.exec:\llxrllf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dddjj.exec:\dddjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrllfr.exec:\rfrllfr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thhbtt.exec:\thhbtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjjd.exec:\pjjjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpvpp.exec:\jpvpp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfffxxr.exec:\lfffxxr.exe23⤵
- Executes dropped EXE
-
\??\c:\7pddv.exec:\7pddv.exe24⤵
- Executes dropped EXE
-
\??\c:\7xllrrx.exec:\7xllrrx.exe25⤵
- Executes dropped EXE
-
\??\c:\bhnbhn.exec:\bhnbhn.exe26⤵
- Executes dropped EXE
-
\??\c:\3thbhb.exec:\3thbhb.exe27⤵
- Executes dropped EXE
-
\??\c:\7bhhnt.exec:\7bhhnt.exe28⤵
- Executes dropped EXE
-
\??\c:\xrrffxr.exec:\xrrffxr.exe29⤵
- Executes dropped EXE
-
\??\c:\thnnnn.exec:\thnnnn.exe30⤵
- Executes dropped EXE
-
\??\c:\vdjpj.exec:\vdjpj.exe31⤵
- Executes dropped EXE
-
\??\c:\5jjdp.exec:\5jjdp.exe32⤵
- Executes dropped EXE
-
\??\c:\3lfxllr.exec:\3lfxllr.exe33⤵
- Executes dropped EXE
-
\??\c:\bnhnhb.exec:\bnhnhb.exe34⤵
- Executes dropped EXE
-
\??\c:\3bhbbh.exec:\3bhbbh.exe35⤵
- Executes dropped EXE
-
\??\c:\7pvvj.exec:\7pvvj.exe36⤵
- Executes dropped EXE
-
\??\c:\vjddd.exec:\vjddd.exe37⤵
- Executes dropped EXE
-
\??\c:\xlxxfxl.exec:\xlxxfxl.exe38⤵
- Executes dropped EXE
-
\??\c:\btnttb.exec:\btnttb.exe39⤵
- Executes dropped EXE
-
\??\c:\ddvpp.exec:\ddvpp.exe40⤵
- Executes dropped EXE
-
\??\c:\jjppj.exec:\jjppj.exe41⤵
- Executes dropped EXE
-
\??\c:\1jvdd.exec:\1jvdd.exe42⤵
- Executes dropped EXE
-
\??\c:\fllfxrf.exec:\fllfxrf.exe43⤵
- Executes dropped EXE
-
\??\c:\btnttb.exec:\btnttb.exe44⤵
- Executes dropped EXE
-
\??\c:\nttnbt.exec:\nttnbt.exe45⤵
- Executes dropped EXE
-
\??\c:\djdvp.exec:\djdvp.exe46⤵
- Executes dropped EXE
-
\??\c:\dvpjd.exec:\dvpjd.exe47⤵
- Executes dropped EXE
-
\??\c:\fxfxrrr.exec:\fxfxrrr.exe48⤵
- Executes dropped EXE
-
\??\c:\xlrlxrr.exec:\xlrlxrr.exe49⤵
- Executes dropped EXE
-
\??\c:\bbbhhn.exec:\bbbhhn.exe50⤵
- Executes dropped EXE
-
\??\c:\bbttbb.exec:\bbttbb.exe51⤵
- Executes dropped EXE
-
\??\c:\pdjpp.exec:\pdjpp.exe52⤵
- Executes dropped EXE
-
\??\c:\vpjjd.exec:\vpjjd.exe53⤵
- Executes dropped EXE
-
\??\c:\5lxrlll.exec:\5lxrlll.exe54⤵
- Executes dropped EXE
-
\??\c:\xflrxff.exec:\xflrxff.exe55⤵
- Executes dropped EXE
-
\??\c:\bhbbbb.exec:\bhbbbb.exe56⤵
- Executes dropped EXE
-
\??\c:\nhhhbb.exec:\nhhhbb.exe57⤵
- Executes dropped EXE
-
\??\c:\9pjjp.exec:\9pjjp.exe58⤵
- Executes dropped EXE
-
\??\c:\lrrxrrr.exec:\lrrxrrr.exe59⤵
- Executes dropped EXE
-
\??\c:\3lxlrff.exec:\3lxlrff.exe60⤵
- Executes dropped EXE
-
\??\c:\nnhbbb.exec:\nnhbbb.exe61⤵
- Executes dropped EXE
-
\??\c:\bnbnbh.exec:\bnbnbh.exe62⤵
- Executes dropped EXE
-
\??\c:\jvvdv.exec:\jvvdv.exe63⤵
- Executes dropped EXE
-
\??\c:\ppdjj.exec:\ppdjj.exe64⤵
- Executes dropped EXE
-
\??\c:\fxlrrxx.exec:\fxlrrxx.exe65⤵
- Executes dropped EXE
-
\??\c:\btnhbb.exec:\btnhbb.exe66⤵
-
\??\c:\bbtbhh.exec:\bbtbhh.exe67⤵
-
\??\c:\pdjjd.exec:\pdjjd.exe68⤵
-
\??\c:\pdppj.exec:\pdppj.exe69⤵
-
\??\c:\1frfffx.exec:\1frfffx.exe70⤵
-
\??\c:\nbnhht.exec:\nbnhht.exe71⤵
-
\??\c:\djddv.exec:\djddv.exe72⤵
-
\??\c:\vpvvd.exec:\vpvvd.exe73⤵
-
\??\c:\rlxrxxf.exec:\rlxrxxf.exe74⤵
-
\??\c:\lffxrxx.exec:\lffxrxx.exe75⤵
-
\??\c:\nntnbt.exec:\nntnbt.exe76⤵
-
\??\c:\1bbttt.exec:\1bbttt.exe77⤵
-
\??\c:\pdjvv.exec:\pdjvv.exe78⤵
-
\??\c:\rrxrxxl.exec:\rrxrxxl.exe79⤵
-
\??\c:\fflrrxr.exec:\fflrrxr.exe80⤵
-
\??\c:\tntnnt.exec:\tntnnt.exe81⤵
-
\??\c:\ddpdd.exec:\ddpdd.exe82⤵
-
\??\c:\pjppp.exec:\pjppp.exe83⤵
-
\??\c:\lrxrllf.exec:\lrxrllf.exe84⤵
-
\??\c:\3lffxxr.exec:\3lffxxr.exe85⤵
-
\??\c:\bnhhtt.exec:\bnhhtt.exe86⤵
-
\??\c:\pjjdp.exec:\pjjdp.exe87⤵
-
\??\c:\3pddv.exec:\3pddv.exe88⤵
-
\??\c:\flllxxl.exec:\flllxxl.exe89⤵
-
\??\c:\5bhbhh.exec:\5bhbhh.exe90⤵
-
\??\c:\hnthbh.exec:\hnthbh.exe91⤵
-
\??\c:\pjvpp.exec:\pjvpp.exe92⤵
-
\??\c:\vjjjd.exec:\vjjjd.exe93⤵
-
\??\c:\rxfxrlx.exec:\rxfxrlx.exe94⤵
-
\??\c:\tntbbb.exec:\tntbbb.exe95⤵
-
\??\c:\5vddp.exec:\5vddp.exe96⤵
-
\??\c:\ppvvd.exec:\ppvvd.exe97⤵
-
\??\c:\7lffxxl.exec:\7lffxxl.exe98⤵
-
\??\c:\htbbbb.exec:\htbbbb.exe99⤵
-
\??\c:\ddvpv.exec:\ddvpv.exe100⤵
-
\??\c:\5jppj.exec:\5jppj.exe101⤵
-
\??\c:\llllfff.exec:\llllfff.exe102⤵
-
\??\c:\9httnn.exec:\9httnn.exe103⤵
-
\??\c:\ppppd.exec:\ppppd.exe104⤵
-
\??\c:\9ppjj.exec:\9ppjj.exe105⤵
-
\??\c:\rflfrll.exec:\rflfrll.exe106⤵
-
\??\c:\tbbbbh.exec:\tbbbbh.exe107⤵
-
\??\c:\9djdv.exec:\9djdv.exe108⤵
-
\??\c:\1jjdv.exec:\1jjdv.exe109⤵
-
\??\c:\frxrxxr.exec:\frxrxxr.exe110⤵
-
\??\c:\hhtnhh.exec:\hhtnhh.exe111⤵
-
\??\c:\hnbbbb.exec:\hnbbbb.exe112⤵
-
\??\c:\vdddv.exec:\vdddv.exe113⤵
-
\??\c:\7ffxllf.exec:\7ffxllf.exe114⤵
-
\??\c:\xxxxrrr.exec:\xxxxrrr.exe115⤵
-
\??\c:\5nhbbb.exec:\5nhbbb.exe116⤵
-
\??\c:\djpjj.exec:\djpjj.exe117⤵
-
\??\c:\lxlrrfr.exec:\lxlrrfr.exe118⤵
-
\??\c:\frfxfxr.exec:\frfxfxr.exe119⤵
-
\??\c:\9fxrrrx.exec:\9fxrrrx.exe120⤵
-
\??\c:\nttntt.exec:\nttntt.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-