Analysis
-
max time kernel
150s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
08/05/2024, 10:53
General
-
Target
6fdb54431bd0213071e72f9c5d879b90_NEIKI.exe
-
Size
70KB
-
MD5
6fdb54431bd0213071e72f9c5d879b90
-
SHA1
033914eb0fcab854ac9798acc33066af65133cf5
-
SHA256
bd6d2a318f19b6e573bd5ff7597ba7b1abc991da1819c12b24d2a64ee7372687
-
SHA512
b52ed78bf0ba0b93da7acbbc1e70ad91ca9083cfda438d43fcbc25069c2c647b401ba544d3e7db6da35f8e650c6853b8294e20c4ef6c92035c246fe561652d39
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIgUVyiAn7:ymb3NkkiQ3mdBjFIgUE5
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6fdb54431bd0213071e72f9c5d879b90_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\6fdb54431bd0213071e72f9c5d879b90_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxxfrx.exec:\rfxxfrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xllfxxr.exec:\xllfxxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7nnhhh.exec:\7nnhhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnhbtt.exec:\tnhbtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhbtnn.exec:\bhbtnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpjdp.exec:\vpjdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxrxxx.exec:\rlxrxxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llxrrxl.exec:\llxrrxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhhbnn.exec:\hhhbnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dppjd.exec:\dppjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjvpv.exec:\vjvpv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xllfrrl.exec:\xllfrrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\httbtb.exec:\httbtb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1pjjd.exec:\1pjjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7vdvp.exec:\7vdvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxlffx.exec:\fxxlffx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnhhbn.exec:\bnhhbn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhbbt.exec:\nbhbbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdpdp.exec:\pdpdp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvvp.exec:\pjvvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxfxrrx.exec:\xxfxrrx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthnhb.exec:\bthnhb.exe23⤵
- Executes dropped EXE
-
\??\c:\nhnnbb.exec:\nhnnbb.exe24⤵
- Executes dropped EXE
-
\??\c:\7dddv.exec:\7dddv.exe25⤵
- Executes dropped EXE
-
\??\c:\xlrfxxr.exec:\xlrfxxr.exe26⤵
- Executes dropped EXE
-
\??\c:\1xfxffx.exec:\1xfxffx.exe27⤵
- Executes dropped EXE
-
\??\c:\bbnbht.exec:\bbnbht.exe28⤵
- Executes dropped EXE
-
\??\c:\jdvdv.exec:\jdvdv.exe29⤵
- Executes dropped EXE
-
\??\c:\jdddd.exec:\jdddd.exe30⤵
- Executes dropped EXE
-
\??\c:\jppjd.exec:\jppjd.exe31⤵
- Executes dropped EXE
-
\??\c:\vppjj.exec:\vppjj.exe32⤵
- Executes dropped EXE
-
\??\c:\fffxllf.exec:\fffxllf.exe33⤵
- Executes dropped EXE
-
\??\c:\xrllfff.exec:\xrllfff.exe34⤵
- Executes dropped EXE
-
\??\c:\hbthhb.exec:\hbthhb.exe35⤵
- Executes dropped EXE
-
\??\c:\bhnhhh.exec:\bhnhhh.exe36⤵
- Executes dropped EXE
-
\??\c:\vdpjv.exec:\vdpjv.exe37⤵
- Executes dropped EXE
-
\??\c:\pvvpd.exec:\pvvpd.exe38⤵
- Executes dropped EXE
-
\??\c:\lffffff.exec:\lffffff.exe39⤵
- Executes dropped EXE
-
\??\c:\9lrrrrr.exec:\9lrrrrr.exe40⤵
- Executes dropped EXE
-
\??\c:\tnhbtt.exec:\tnhbtt.exe41⤵
- Executes dropped EXE
-
\??\c:\pdpdp.exec:\pdpdp.exe42⤵
- Executes dropped EXE
-
\??\c:\xxxrlrl.exec:\xxxrlrl.exe43⤵
- Executes dropped EXE
-
\??\c:\lxrlllf.exec:\lxrlllf.exe44⤵
- Executes dropped EXE
-
\??\c:\tnnntt.exec:\tnnntt.exe45⤵
- Executes dropped EXE
-
\??\c:\3ttnhh.exec:\3ttnhh.exe46⤵
- Executes dropped EXE
-
\??\c:\jvddp.exec:\jvddp.exe47⤵
- Executes dropped EXE
-
\??\c:\dvddd.exec:\dvddd.exe48⤵
- Executes dropped EXE
-
\??\c:\1ffxrlf.exec:\1ffxrlf.exe49⤵
- Executes dropped EXE
-
\??\c:\nttttt.exec:\nttttt.exe50⤵
- Executes dropped EXE
-
\??\c:\bhhbtt.exec:\bhhbtt.exe51⤵
- Executes dropped EXE
-
\??\c:\vpjjd.exec:\vpjjd.exe52⤵
- Executes dropped EXE
-
\??\c:\rlrlllr.exec:\rlrlllr.exe53⤵
- Executes dropped EXE
-
\??\c:\rfxfrrr.exec:\rfxfrrr.exe54⤵
- Executes dropped EXE
-
\??\c:\hhbbhn.exec:\hhbbhn.exe55⤵
- Executes dropped EXE
-
\??\c:\hhbthh.exec:\hhbthh.exe56⤵
- Executes dropped EXE
-
\??\c:\1dddv.exec:\1dddv.exe57⤵
- Executes dropped EXE
-
\??\c:\vpjdp.exec:\vpjdp.exe58⤵
- Executes dropped EXE
-
\??\c:\jdvpj.exec:\jdvpj.exe59⤵
- Executes dropped EXE
-
\??\c:\frrllrl.exec:\frrllrl.exe60⤵
- Executes dropped EXE
-
\??\c:\xllrxrx.exec:\xllrxrx.exe61⤵
- Executes dropped EXE
-
\??\c:\hbnthh.exec:\hbnthh.exe62⤵
- Executes dropped EXE
-
\??\c:\hbtnbb.exec:\hbtnbb.exe63⤵
- Executes dropped EXE
-
\??\c:\jpvpp.exec:\jpvpp.exe64⤵
- Executes dropped EXE
-
\??\c:\llxrrxx.exec:\llxrrxx.exe65⤵
- Executes dropped EXE
-
\??\c:\xlfffxx.exec:\xlfffxx.exe66⤵
-
\??\c:\rxrxrlf.exec:\rxrxrlf.exe67⤵
-
\??\c:\9tbbtt.exec:\9tbbtt.exe68⤵
-
\??\c:\htbttt.exec:\htbttt.exe69⤵
-
\??\c:\jdpjj.exec:\jdpjj.exe70⤵
-
\??\c:\pddvj.exec:\pddvj.exe71⤵
-
\??\c:\xflfxrr.exec:\xflfxrr.exe72⤵
-
\??\c:\lrrxrfr.exec:\lrrxrfr.exe73⤵
-
\??\c:\tbbbbb.exec:\tbbbbb.exe74⤵
-
\??\c:\3tbtnn.exec:\3tbtnn.exe75⤵
-
\??\c:\jvjdd.exec:\jvjdd.exe76⤵
-
\??\c:\9jppd.exec:\9jppd.exe77⤵
-
\??\c:\rxffxfl.exec:\rxffxfl.exe78⤵
-
\??\c:\7rrrllf.exec:\7rrrllf.exe79⤵
-
\??\c:\nbthnb.exec:\nbthnb.exe80⤵
-
\??\c:\httnhh.exec:\httnhh.exe81⤵
-
\??\c:\bhtnbb.exec:\bhtnbb.exe82⤵
-
\??\c:\vpddv.exec:\vpddv.exe83⤵
-
\??\c:\vjjvp.exec:\vjjvp.exe84⤵
-
\??\c:\frrrllf.exec:\frrrllf.exe85⤵
-
\??\c:\rxffffl.exec:\rxffffl.exe86⤵
-
\??\c:\thnhnn.exec:\thnhnn.exe87⤵
-
\??\c:\9thbnn.exec:\9thbnn.exe88⤵
-
\??\c:\hhbbnn.exec:\hhbbnn.exe89⤵
-
\??\c:\vvddp.exec:\vvddp.exe90⤵
-
\??\c:\dpddv.exec:\dpddv.exe91⤵
-
\??\c:\pjpjj.exec:\pjpjj.exe92⤵
-
\??\c:\xrlfrrl.exec:\xrlfrrl.exe93⤵
-
\??\c:\lrrlffx.exec:\lrrlffx.exe94⤵
-
\??\c:\nbhbbt.exec:\nbhbbt.exe95⤵
-
\??\c:\5nnhbn.exec:\5nnhbn.exe96⤵
-
\??\c:\dvvpv.exec:\dvvpv.exe97⤵
-
\??\c:\djdvv.exec:\djdvv.exe98⤵
-
\??\c:\1lfxllf.exec:\1lfxllf.exe99⤵
-
\??\c:\rfxxrfx.exec:\rfxxrfx.exe100⤵
-
\??\c:\hntttb.exec:\hntttb.exe101⤵
-
\??\c:\bbttnb.exec:\bbttnb.exe102⤵
-
\??\c:\vppjj.exec:\vppjj.exe103⤵
-
\??\c:\vppjd.exec:\vppjd.exe104⤵
-
\??\c:\dpjdv.exec:\dpjdv.exe105⤵
-
\??\c:\rfffrrl.exec:\rfffrrl.exe106⤵
-
\??\c:\lffxxxr.exec:\lffxxxr.exe107⤵
-
\??\c:\bhbtbt.exec:\bhbtbt.exe108⤵
-
\??\c:\tnhbtn.exec:\tnhbtn.exe109⤵
-
\??\c:\jvpjd.exec:\jvpjd.exe110⤵
-
\??\c:\ppvvj.exec:\ppvvj.exe111⤵
-
\??\c:\lffxlll.exec:\lffxlll.exe112⤵
-
\??\c:\xlrrllr.exec:\xlrrllr.exe113⤵
-
\??\c:\ntttnh.exec:\ntttnh.exe114⤵
-
\??\c:\nnhnhb.exec:\nnhnhb.exe115⤵
-
\??\c:\jjdvd.exec:\jjdvd.exe116⤵
-
\??\c:\fllfxxf.exec:\fllfxxf.exe117⤵
-
\??\c:\tnbhbt.exec:\tnbhbt.exe118⤵
-
\??\c:\9nnnbn.exec:\9nnnbn.exe119⤵
-
\??\c:\jdddp.exec:\jdddp.exe120⤵
-
\??\c:\jjpjv.exec:\jjpjv.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-