Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
08/05/2024, 10:53 UTC
General
-
Target
6fdb54431bd0213071e72f9c5d879b90_NEIKI.exe
-
Size
70KB
-
MD5
6fdb54431bd0213071e72f9c5d879b90
-
SHA1
033914eb0fcab854ac9798acc33066af65133cf5
-
SHA256
bd6d2a318f19b6e573bd5ff7597ba7b1abc991da1819c12b24d2a64ee7372687
-
SHA512
b52ed78bf0ba0b93da7acbbc1e70ad91ca9083cfda438d43fcbc25069c2c647b401ba544d3e7db6da35f8e650c6853b8294e20c4ef6c92035c246fe561652d39
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIgUVyiAn7:ymb3NkkiQ3mdBjFIgUE5
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6fdb54431bd0213071e72f9c5d879b90_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\6fdb54431bd0213071e72f9c5d879b90_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\bbhhth.exec:\bbhhth.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdpvj.exec:\vdpvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrlfllx.exec:\xrlfllx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9hbhbn.exec:\9hbhbn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvvp.exec:\vvvvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffffrxl.exec:\ffffrxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnbnb.exec:\hbnbnb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttbbbn.exec:\ttbbbn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvddv.exec:\jvddv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjddj.exec:\pjddj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llrxfxf.exec:\llrxfxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5ttbnb.exec:\5ttbnb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btthtn.exec:\btthtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1pjdj.exec:\1pjdj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdvj.exec:\pjdvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxxlxx.exec:\xlxxlxx.exe17⤵
- Executes dropped EXE
-
\??\c:\nnhnbh.exec:\nnhnbh.exe18⤵
- Executes dropped EXE
-
\??\c:\7nhbnn.exec:\7nhbnn.exe19⤵
- Executes dropped EXE
-
\??\c:\jdpvp.exec:\jdpvp.exe20⤵
- Executes dropped EXE
-
\??\c:\fxxxlxf.exec:\fxxxlxf.exe21⤵
- Executes dropped EXE
-
\??\c:\hhhnth.exec:\hhhnth.exe22⤵
- Executes dropped EXE
-
\??\c:\tbbhtn.exec:\tbbhtn.exe23⤵
- Executes dropped EXE
-
\??\c:\vpjvv.exec:\vpjvv.exe24⤵
- Executes dropped EXE
-
\??\c:\7rfxllx.exec:\7rfxllx.exe25⤵
- Executes dropped EXE
-
\??\c:\1rrxlrf.exec:\1rrxlrf.exe26⤵
- Executes dropped EXE
-
\??\c:\bhbntn.exec:\bhbntn.exe27⤵
- Executes dropped EXE
-
\??\c:\pppvj.exec:\pppvj.exe28⤵
- Executes dropped EXE
-
\??\c:\rrlfxxl.exec:\rrlfxxl.exe29⤵
- Executes dropped EXE
-
\??\c:\ffrfrxl.exec:\ffrfrxl.exe30⤵
- Executes dropped EXE
-
\??\c:\tttbth.exec:\tttbth.exe31⤵
- Executes dropped EXE
-
\??\c:\dddjv.exec:\dddjv.exe32⤵
- Executes dropped EXE
-
\??\c:\jdjvd.exec:\jdjvd.exe33⤵
- Executes dropped EXE
-
\??\c:\rrlxlrl.exec:\rrlxlrl.exe34⤵
- Executes dropped EXE
-
\??\c:\ffxflrf.exec:\ffxflrf.exe35⤵
- Executes dropped EXE
-
\??\c:\nhbhhn.exec:\nhbhhn.exe36⤵
- Executes dropped EXE
-
\??\c:\bbbbnb.exec:\bbbbnb.exe37⤵
- Executes dropped EXE
-
\??\c:\vpdjj.exec:\vpdjj.exe38⤵
- Executes dropped EXE
-
\??\c:\9ffrfrl.exec:\9ffrfrl.exe39⤵
- Executes dropped EXE
-
\??\c:\xfxlffx.exec:\xfxlffx.exe40⤵
- Executes dropped EXE
-
\??\c:\ttnbtb.exec:\ttnbtb.exe41⤵
- Executes dropped EXE
-
\??\c:\nnhnbh.exec:\nnhnbh.exe42⤵
- Executes dropped EXE
-
\??\c:\jjpdp.exec:\jjpdp.exe43⤵
- Executes dropped EXE
-
\??\c:\1dpvd.exec:\1dpvd.exe44⤵
- Executes dropped EXE
-
\??\c:\3fxllrx.exec:\3fxllrx.exe45⤵
- Executes dropped EXE
-
\??\c:\xxrlrfx.exec:\xxrlrfx.exe46⤵
- Executes dropped EXE
-
\??\c:\btnnnb.exec:\btnnnb.exe47⤵
- Executes dropped EXE
-
\??\c:\bbthbh.exec:\bbthbh.exe48⤵
- Executes dropped EXE
-
\??\c:\ppjpv.exec:\ppjpv.exe49⤵
- Executes dropped EXE
-
\??\c:\jdvvv.exec:\jdvvv.exe50⤵
- Executes dropped EXE
-
\??\c:\jddpd.exec:\jddpd.exe51⤵
- Executes dropped EXE
-
\??\c:\xrfrrfl.exec:\xrfrrfl.exe52⤵
- Executes dropped EXE
-
\??\c:\btbhth.exec:\btbhth.exe53⤵
- Executes dropped EXE
-
\??\c:\bnhttt.exec:\bnhttt.exe54⤵
- Executes dropped EXE
-
\??\c:\jdvvj.exec:\jdvvj.exe55⤵
- Executes dropped EXE
-
\??\c:\vvvjv.exec:\vvvjv.exe56⤵
- Executes dropped EXE
-
\??\c:\fffxffr.exec:\fffxffr.exe57⤵
- Executes dropped EXE
-
\??\c:\xfllrll.exec:\xfllrll.exe58⤵
- Executes dropped EXE
-
\??\c:\1nnnhb.exec:\1nnnhb.exe59⤵
- Executes dropped EXE
-
\??\c:\bbbbht.exec:\bbbbht.exe60⤵
- Executes dropped EXE
-
\??\c:\5vpdd.exec:\5vpdd.exe61⤵
- Executes dropped EXE
-
\??\c:\dvjdj.exec:\dvjdj.exe62⤵
- Executes dropped EXE
-
\??\c:\ffllrrf.exec:\ffllrrf.exe63⤵
- Executes dropped EXE
-
\??\c:\rlxxxrx.exec:\rlxxxrx.exe64⤵
- Executes dropped EXE
-
\??\c:\nhhthb.exec:\nhhthb.exe65⤵
- Executes dropped EXE
-
\??\c:\ttntbb.exec:\ttntbb.exe66⤵
-
\??\c:\dvdjd.exec:\dvdjd.exe67⤵
-
\??\c:\jjdjj.exec:\jjdjj.exe68⤵
-
\??\c:\5rfxflr.exec:\5rfxflr.exe69⤵
-
\??\c:\xlfrrxl.exec:\xlfrrxl.exe70⤵
-
\??\c:\nbbhbn.exec:\nbbhbn.exe71⤵
-
\??\c:\hbnnbb.exec:\hbnnbb.exe72⤵
-
\??\c:\ppdjp.exec:\ppdjp.exe73⤵
-
\??\c:\fxrrxxf.exec:\fxrrxxf.exe74⤵
-
\??\c:\rxlrxfl.exec:\rxlrxfl.exe75⤵
-
\??\c:\9rfxlfr.exec:\9rfxlfr.exe76⤵
-
\??\c:\9btbnb.exec:\9btbnb.exe77⤵
-
\??\c:\nthbnb.exec:\nthbnb.exe78⤵
-
\??\c:\ddvjj.exec:\ddvjj.exe79⤵
-
\??\c:\vpddj.exec:\vpddj.exe80⤵
-
\??\c:\xxrrrxf.exec:\xxrrrxf.exe81⤵
-
\??\c:\rrrxlxl.exec:\rrrxlxl.exe82⤵
-
\??\c:\lfxlxrf.exec:\lfxlxrf.exe83⤵
-
\??\c:\nnhtnh.exec:\nnhtnh.exe84⤵
-
\??\c:\nbhbnn.exec:\nbhbnn.exe85⤵
-
\??\c:\ddvpd.exec:\ddvpd.exe86⤵
-
\??\c:\ppvdp.exec:\ppvdp.exe87⤵
-
\??\c:\1xlxflr.exec:\1xlxflr.exe88⤵
-
\??\c:\lllxllx.exec:\lllxllx.exe89⤵
-
\??\c:\nthbnb.exec:\nthbnb.exe90⤵
-
\??\c:\9btbhn.exec:\9btbhn.exe91⤵
-
\??\c:\3hbnth.exec:\3hbnth.exe92⤵
-
\??\c:\ppdpv.exec:\ppdpv.exe93⤵
-
\??\c:\pppdp.exec:\pppdp.exe94⤵
-
\??\c:\5flxrfr.exec:\5flxrfr.exe95⤵
-
\??\c:\lrfrlrx.exec:\lrfrlrx.exe96⤵
-
\??\c:\hbbhbh.exec:\hbbhbh.exe97⤵
-
\??\c:\hhnbnb.exec:\hhnbnb.exe98⤵
-
\??\c:\hhtbbb.exec:\hhtbbb.exe99⤵
-
\??\c:\jjjvd.exec:\jjjvd.exe100⤵
-
\??\c:\dpdvj.exec:\dpdvj.exe101⤵
-
\??\c:\3fffxrl.exec:\3fffxrl.exe102⤵
-
\??\c:\lxfrfrf.exec:\lxfrfrf.exe103⤵
-
\??\c:\bhbbtt.exec:\bhbbtt.exe104⤵
-
\??\c:\hbttbb.exec:\hbttbb.exe105⤵
-
\??\c:\nhtntb.exec:\nhtntb.exe106⤵
-
\??\c:\dddjv.exec:\dddjv.exe107⤵
-
\??\c:\vppdj.exec:\vppdj.exe108⤵
-
\??\c:\lllfrxl.exec:\lllfrxl.exe109⤵
-
\??\c:\7rrxlxl.exec:\7rrxlxl.exe110⤵
-
\??\c:\fxxlxfx.exec:\fxxlxfx.exe111⤵
-
\??\c:\5bbntb.exec:\5bbntb.exe112⤵
-
\??\c:\htntnn.exec:\htntnn.exe113⤵
-
\??\c:\pjdjp.exec:\pjdjp.exe114⤵
-
\??\c:\3vdvv.exec:\3vdvv.exe115⤵
-
\??\c:\fxrrxfx.exec:\fxrrxfx.exe116⤵
-
\??\c:\lllfllx.exec:\lllfllx.exe117⤵
-
\??\c:\btnhhh.exec:\btnhhh.exe118⤵
-
\??\c:\bbhtth.exec:\bbhtth.exe119⤵
-
\??\c:\7jpdd.exec:\7jpdd.exe120⤵
-
\??\c:\jvddd.exec:\jvddd.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-