Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
08/05/2024, 08:57
General
-
Target
384412d1306fc12c2d1c6daeaf279a20_NEIKI.exe
-
Size
198KB
-
MD5
384412d1306fc12c2d1c6daeaf279a20
-
SHA1
4fc230c0f99104dc81b72d118606b3ccdd9aa310
-
SHA256
147982ff10394285870cea869884d8f389b091348d1f1933414f50fc5ec8359c
-
SHA512
ad3c5cf71389714734fd05d5a62020123cdf498fd5d0b97de863a835e51d53f96c05c3f8cb0455e68c9982f4219eb84d5b98e5cbb9b171da13926f6988f0af0f
-
SSDEEP
3072:ZhOmTsF93UYfwC6GIoutFza6BhOmTsUm82xpi8rY9AABa1JePQKN1hJCm:Zcm4FmowdHoSha6Bcm4JddW7Y6XJCm
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 64 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\384412d1306fc12c2d1c6daeaf279a20_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\384412d1306fc12c2d1c6daeaf279a20_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\hnhnnb.exec:\hnhnnb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9lffrrl.exec:\9lffrrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9pddv.exec:\9pddv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdpjp.exec:\pdpjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrfrffl.exec:\rrfrffl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhntnt.exec:\nhntnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1vjjj.exec:\1vjjj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrrxxx.exec:\rlrrxxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbntb.exec:\htbntb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjpv.exec:\ddjpv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rflrxll.exec:\rflrxll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnnnh.exec:\tnnnnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffxxlfr.exec:\ffxxlfr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lllxfff.exec:\lllxfff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhttbn.exec:\nhttbn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjjv.exec:\jdjjv.exe17⤵
- Executes dropped EXE
-
\??\c:\xrfxlrx.exec:\xrfxlrx.exe18⤵
- Executes dropped EXE
-
\??\c:\7xflrrf.exec:\7xflrrf.exe19⤵
- Executes dropped EXE
-
\??\c:\3jdpd.exec:\3jdpd.exe20⤵
- Executes dropped EXE
-
\??\c:\rlxfllr.exec:\rlxfllr.exe21⤵
- Executes dropped EXE
-
\??\c:\hhttbh.exec:\hhttbh.exe22⤵
- Executes dropped EXE
-
\??\c:\pddjj.exec:\pddjj.exe23⤵
- Executes dropped EXE
-
\??\c:\rfxffxf.exec:\rfxffxf.exe24⤵
- Executes dropped EXE
-
\??\c:\tnbbbb.exec:\tnbbbb.exe25⤵
- Executes dropped EXE
-
\??\c:\5pdvv.exec:\5pdvv.exe26⤵
- Executes dropped EXE
-
\??\c:\rrxxffl.exec:\rrxxffl.exe27⤵
- Executes dropped EXE
-
\??\c:\nhtthh.exec:\nhtthh.exe28⤵
- Executes dropped EXE
-
\??\c:\jjppd.exec:\jjppd.exe29⤵
- Executes dropped EXE
-
\??\c:\fxrflrf.exec:\fxrflrf.exe30⤵
- Executes dropped EXE
-
\??\c:\5jvdd.exec:\5jvdd.exe31⤵
- Executes dropped EXE
-
\??\c:\rlffrxf.exec:\rlffrxf.exe32⤵
- Executes dropped EXE
-
\??\c:\hbhbtt.exec:\hbhbtt.exe33⤵
- Executes dropped EXE
-
\??\c:\9tbbhn.exec:\9tbbhn.exe34⤵
- Executes dropped EXE
-
\??\c:\dvjvj.exec:\dvjvj.exe35⤵
- Executes dropped EXE
-
\??\c:\3lxxxxl.exec:\3lxxxxl.exe36⤵
- Executes dropped EXE
-
\??\c:\5ntthh.exec:\5ntthh.exe37⤵
- Executes dropped EXE
-
\??\c:\5vdjj.exec:\5vdjj.exe38⤵
- Executes dropped EXE
-
\??\c:\frxrlfr.exec:\frxrlfr.exe39⤵
- Executes dropped EXE
-
\??\c:\7bbhtt.exec:\7bbhtt.exe40⤵
- Executes dropped EXE
-
\??\c:\1jppp.exec:\1jppp.exe41⤵
- Executes dropped EXE
-
\??\c:\rfrlrrl.exec:\rfrlrrl.exe42⤵
- Executes dropped EXE
-
\??\c:\frlxxxf.exec:\frlxxxf.exe43⤵
- Executes dropped EXE
-
\??\c:\pjvjp.exec:\pjvjp.exe44⤵
- Executes dropped EXE
-
\??\c:\pjpjp.exec:\pjpjp.exe45⤵
- Executes dropped EXE
-
\??\c:\5xlxrxr.exec:\5xlxrxr.exe46⤵
- Executes dropped EXE
-
\??\c:\9hnbnt.exec:\9hnbnt.exe47⤵
- Executes dropped EXE
-
\??\c:\vpjvd.exec:\vpjvd.exe48⤵
- Executes dropped EXE
-
\??\c:\pjppv.exec:\pjppv.exe49⤵
- Executes dropped EXE
-
\??\c:\xrfflrf.exec:\xrfflrf.exe50⤵
- Executes dropped EXE
-
\??\c:\3llrxxl.exec:\3llrxxl.exe51⤵
- Executes dropped EXE
-
\??\c:\hthnhb.exec:\hthnhb.exe52⤵
- Executes dropped EXE
-
\??\c:\bnbbhh.exec:\bnbbhh.exe53⤵
- Executes dropped EXE
-
\??\c:\dvddd.exec:\dvddd.exe54⤵
- Executes dropped EXE
-
\??\c:\dppdd.exec:\dppdd.exe55⤵
- Executes dropped EXE
-
\??\c:\9lfxlll.exec:\9lfxlll.exe56⤵
- Executes dropped EXE
-
\??\c:\rrxffxl.exec:\rrxffxl.exe57⤵
- Executes dropped EXE
-
\??\c:\bnhbhh.exec:\bnhbhh.exe58⤵
- Executes dropped EXE
-
\??\c:\dvppd.exec:\dvppd.exe59⤵
- Executes dropped EXE
-
\??\c:\rlxflrx.exec:\rlxflrx.exe60⤵
- Executes dropped EXE
-
\??\c:\fxlfllr.exec:\fxlfllr.exe61⤵
- Executes dropped EXE
-
\??\c:\5bnbnn.exec:\5bnbnn.exe62⤵
- Executes dropped EXE
-
\??\c:\1hbhht.exec:\1hbhht.exe63⤵
- Executes dropped EXE
-
\??\c:\7pjvd.exec:\7pjvd.exe64⤵
- Executes dropped EXE
-
\??\c:\xrfffll.exec:\xrfffll.exe65⤵
- Executes dropped EXE
-
\??\c:\5ttbbh.exec:\5ttbbh.exe66⤵
-
\??\c:\btnnbb.exec:\btnnbb.exe67⤵
-
\??\c:\dpdvj.exec:\dpdvj.exe68⤵
-
\??\c:\5jdjp.exec:\5jdjp.exe69⤵
-
\??\c:\1xllrrr.exec:\1xllrrr.exe70⤵
-
\??\c:\bttthb.exec:\bttthb.exe71⤵
-
\??\c:\hbnbbh.exec:\hbnbbh.exe72⤵
-
\??\c:\vpdjp.exec:\vpdjp.exe73⤵
-
\??\c:\jvdpd.exec:\jvdpd.exe74⤵
-
\??\c:\flxxllr.exec:\flxxllr.exe75⤵
-
\??\c:\lxxllfl.exec:\lxxllfl.exe76⤵
-
\??\c:\nhtbhn.exec:\nhtbhn.exe77⤵
-
\??\c:\hbtbnn.exec:\hbtbnn.exe78⤵
-
\??\c:\jvvvv.exec:\jvvvv.exe79⤵
-
\??\c:\rfffrlx.exec:\rfffrlx.exe80⤵
-
\??\c:\rlffrrf.exec:\rlffrrf.exe81⤵
-
\??\c:\bnhbbb.exec:\bnhbbb.exe82⤵
-
\??\c:\tnbthh.exec:\tnbthh.exe83⤵
-
\??\c:\7vjpp.exec:\7vjpp.exe84⤵
-
\??\c:\ddjdp.exec:\ddjdp.exe85⤵
-
\??\c:\7fxlxlr.exec:\7fxlxlr.exe86⤵
-
\??\c:\fxflxfl.exec:\fxflxfl.exe87⤵
-
\??\c:\nbnbhn.exec:\nbnbhn.exe88⤵
-
\??\c:\9bnnhn.exec:\9bnnhn.exe89⤵
-
\??\c:\7pjdd.exec:\7pjdd.exe90⤵
-
\??\c:\1jvvj.exec:\1jvvj.exe91⤵
-
\??\c:\1xlrrxf.exec:\1xlrrxf.exe92⤵
-
\??\c:\1xrrrll.exec:\1xrrrll.exe93⤵
-
\??\c:\bnhhnn.exec:\bnhhnn.exe94⤵
-
\??\c:\ppdjp.exec:\ppdjp.exe95⤵
-
\??\c:\vjvpp.exec:\vjvpp.exe96⤵
-
\??\c:\lxlfrlr.exec:\lxlfrlr.exe97⤵
-
\??\c:\lfxfffr.exec:\lfxfffr.exe98⤵
-
\??\c:\thbntb.exec:\thbntb.exe99⤵
-
\??\c:\bthbhh.exec:\bthbhh.exe100⤵
-
\??\c:\vjpdj.exec:\vjpdj.exe101⤵
-
\??\c:\pdpvp.exec:\pdpvp.exe102⤵
-
\??\c:\3xxxllf.exec:\3xxxllf.exe103⤵
-
\??\c:\frfffff.exec:\frfffff.exe104⤵
-
\??\c:\1nbhnt.exec:\1nbhnt.exe105⤵
-
\??\c:\nthhbb.exec:\nthhbb.exe106⤵
-
\??\c:\dpdvv.exec:\dpdvv.exe107⤵
-
\??\c:\pjvvd.exec:\pjvvd.exe108⤵
-
\??\c:\xrlrflx.exec:\xrlrflx.exe109⤵
-
\??\c:\9llffff.exec:\9llffff.exe110⤵
-
\??\c:\nhttbh.exec:\nhttbh.exe111⤵
-
\??\c:\3nttnn.exec:\3nttnn.exe112⤵
-
\??\c:\pjpjp.exec:\pjpjp.exe113⤵
-
\??\c:\xlrxlfl.exec:\xlrxlfl.exe114⤵
-
\??\c:\fxlrffr.exec:\fxlrffr.exe115⤵
-
\??\c:\1hthnn.exec:\1hthnn.exe116⤵
-
\??\c:\hbnttn.exec:\hbnttn.exe117⤵
-
\??\c:\7jpjv.exec:\7jpjv.exe118⤵
-
\??\c:\vpvdd.exec:\vpvdd.exe119⤵
-
\??\c:\frxrlfx.exec:\frxrlfx.exe120⤵
-
\??\c:\lxfflrx.exec:\lxfflrx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-