Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
08/05/2024, 17:35
General
-
Target
03e0db243fa680ddfe34ed8b34b4b700_NEIKI.exe
-
Size
201KB
-
MD5
03e0db243fa680ddfe34ed8b34b4b700
-
SHA1
7e3f34846e3a172610824f9b26085d19f9fc96f3
-
SHA256
748483fe1c50aa3764113a9ba6354dff35559bb2e402e9f8457c43ae303ed400
-
SHA512
5100ed252df440050f81773d975a54217ca0e79f8989cb9abe6f5da6c48a6a3af9f4917a9e0c383d52c29bb29c9e14cf38e4bdb514efb619e505b4a7fdae8fbe
-
SSDEEP
3072:ymb3NkkiQ3mdBjFIi/0RU6QeYQsm71vPmc51+GqekBJCvr6zJBUmv:n3C9BRIG0asYFm71m8+GdkB9D
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 27 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\03e0db243fa680ddfe34ed8b34b4b700_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\03e0db243fa680ddfe34ed8b34b4b700_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rxfxxfx.exec:\rxfxxfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnnntn.exec:\bnnntn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5vppv.exec:\5vppv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5bnnbh.exec:\5bnnbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbbbnn.exec:\bbbbnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdjjv.exec:\pdjjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1tbbbb.exec:\1tbbbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdddv.exec:\jdddv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llffrrx.exec:\llffrrx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hthhhb.exec:\hthhhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvpj.exec:\dvvpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxrrll.exec:\xrxrrll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrlxxrr.exec:\rrlxxrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntthbh.exec:\ntthbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1jjjd.exec:\1jjjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxlxrlf.exec:\rxlxrlf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhbbb.exec:\nbhbbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxrrllf.exec:\lxrrllf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbtntt.exec:\hbtntt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbbbtn.exec:\nbbbtn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvdvp.exec:\dvdvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5tnnnt.exec:\5tnnnt.exe23⤵
- Executes dropped EXE
-
\??\c:\djvvd.exec:\djvvd.exe24⤵
- Executes dropped EXE
-
\??\c:\lfrlfxx.exec:\lfrlfxx.exe25⤵
- Executes dropped EXE
-
\??\c:\xxflfxx.exec:\xxflfxx.exe26⤵
- Executes dropped EXE
-
\??\c:\bbbbtb.exec:\bbbbtb.exe27⤵
- Executes dropped EXE
-
\??\c:\ppjdv.exec:\ppjdv.exe28⤵
- Executes dropped EXE
-
\??\c:\rlfffff.exec:\rlfffff.exe29⤵
- Executes dropped EXE
-
\??\c:\3thnhh.exec:\3thnhh.exe30⤵
- Executes dropped EXE
-
\??\c:\3nhhht.exec:\3nhhht.exe31⤵
- Executes dropped EXE
-
\??\c:\djpjj.exec:\djpjj.exe32⤵
- Executes dropped EXE
-
\??\c:\lrxxrrl.exec:\lrxxrrl.exe33⤵
- Executes dropped EXE
-
\??\c:\bnttnb.exec:\bnttnb.exe34⤵
- Executes dropped EXE
-
\??\c:\bthbtt.exec:\bthbtt.exe35⤵
- Executes dropped EXE
-
\??\c:\pjjdp.exec:\pjjdp.exe36⤵
- Executes dropped EXE
-
\??\c:\rlrllrr.exec:\rlrllrr.exe37⤵
- Executes dropped EXE
-
\??\c:\5xffllr.exec:\5xffllr.exe38⤵
- Executes dropped EXE
-
\??\c:\httbbt.exec:\httbbt.exe39⤵
- Executes dropped EXE
-
\??\c:\tthhtt.exec:\tthhtt.exe40⤵
- Executes dropped EXE
-
\??\c:\3dppd.exec:\3dppd.exe41⤵
- Executes dropped EXE
-
\??\c:\xrffllr.exec:\xrffllr.exe42⤵
- Executes dropped EXE
-
\??\c:\frfllxr.exec:\frfllxr.exe43⤵
- Executes dropped EXE
-
\??\c:\httnhn.exec:\httnhn.exe44⤵
- Executes dropped EXE
-
\??\c:\pjpvv.exec:\pjpvv.exe45⤵
- Executes dropped EXE
-
\??\c:\7xlllrf.exec:\7xlllrf.exe46⤵
- Executes dropped EXE
-
\??\c:\rrxxlrx.exec:\rrxxlrx.exe47⤵
- Executes dropped EXE
-
\??\c:\hbhhhh.exec:\hbhhhh.exe48⤵
- Executes dropped EXE
-
\??\c:\5vjjj.exec:\5vjjj.exe49⤵
- Executes dropped EXE
-
\??\c:\1lfffll.exec:\1lfffll.exe50⤵
- Executes dropped EXE
-
\??\c:\7xxxrrr.exec:\7xxxrrr.exe51⤵
- Executes dropped EXE
-
\??\c:\nhnnnn.exec:\nhnnnn.exe52⤵
- Executes dropped EXE
-
\??\c:\dvppp.exec:\dvppp.exe53⤵
- Executes dropped EXE
-
\??\c:\lrfxxll.exec:\lrfxxll.exe54⤵
- Executes dropped EXE
-
\??\c:\fxlrrxf.exec:\fxlrrxf.exe55⤵
- Executes dropped EXE
-
\??\c:\jpjdv.exec:\jpjdv.exe56⤵
- Executes dropped EXE
-
\??\c:\xrxrlrr.exec:\xrxrlrr.exe57⤵
- Executes dropped EXE
-
\??\c:\dvpvp.exec:\dvpvp.exe58⤵
- Executes dropped EXE
-
\??\c:\lflxxfr.exec:\lflxxfr.exe59⤵
- Executes dropped EXE
-
\??\c:\rlffxxr.exec:\rlffxxr.exe60⤵
- Executes dropped EXE
-
\??\c:\bnbbtb.exec:\bnbbtb.exe61⤵
- Executes dropped EXE
-
\??\c:\jvjjj.exec:\jvjjj.exe62⤵
- Executes dropped EXE
-
\??\c:\nnhhhh.exec:\nnhhhh.exe63⤵
- Executes dropped EXE
-
\??\c:\3vppp.exec:\3vppp.exe64⤵
- Executes dropped EXE
-
\??\c:\1rrfxfx.exec:\1rrfxfx.exe65⤵
- Executes dropped EXE
-
\??\c:\dpdjj.exec:\dpdjj.exe66⤵
-
\??\c:\7hbbbh.exec:\7hbbbh.exe67⤵
-
\??\c:\djjjv.exec:\djjjv.exe68⤵
-
\??\c:\jpjvp.exec:\jpjvp.exe69⤵
-
\??\c:\1xlfffx.exec:\1xlfffx.exe70⤵
-
\??\c:\tnttnn.exec:\tnttnn.exe71⤵
-
\??\c:\3bhbtt.exec:\3bhbtt.exe72⤵
-
\??\c:\pjppp.exec:\pjppp.exe73⤵
-
\??\c:\xllfflf.exec:\xllfflf.exe74⤵
-
\??\c:\hhbtnn.exec:\hhbtnn.exe75⤵
-
\??\c:\jpvdd.exec:\jpvdd.exe76⤵
-
\??\c:\3dppj.exec:\3dppj.exe77⤵
-
\??\c:\rfrrfrr.exec:\rfrrfrr.exe78⤵
-
\??\c:\hhtbhb.exec:\hhtbhb.exe79⤵
-
\??\c:\tbbbth.exec:\tbbbth.exe80⤵
-
\??\c:\djppj.exec:\djppj.exe81⤵
-
\??\c:\flrlrlf.exec:\flrlrlf.exe82⤵
-
\??\c:\ttnhbb.exec:\ttnhbb.exe83⤵
-
\??\c:\htbbtt.exec:\htbbtt.exe84⤵
-
\??\c:\7dppj.exec:\7dppj.exe85⤵
-
\??\c:\xffxxll.exec:\xffxxll.exe86⤵
-
\??\c:\9rrxrxl.exec:\9rrxrxl.exe87⤵
-
\??\c:\tbttnn.exec:\tbttnn.exe88⤵
-
\??\c:\3ddvp.exec:\3ddvp.exe89⤵
-
\??\c:\3vvjj.exec:\3vvjj.exe90⤵
-
\??\c:\xlrrlxx.exec:\xlrrlxx.exe91⤵
-
\??\c:\1htbbh.exec:\1htbbh.exe92⤵
-
\??\c:\ppvpj.exec:\ppvpj.exe93⤵
-
\??\c:\lllrrxf.exec:\lllrrxf.exe94⤵
-
\??\c:\lxlrrrr.exec:\lxlrrrr.exe95⤵
-
\??\c:\ththtn.exec:\ththtn.exe96⤵
-
\??\c:\nnnnnt.exec:\nnnnnt.exe97⤵
-
\??\c:\jjjjj.exec:\jjjjj.exe98⤵
-
\??\c:\xxllfff.exec:\xxllfff.exe99⤵
-
\??\c:\rxfxrxx.exec:\rxfxrxx.exe100⤵
-
\??\c:\hnbbbb.exec:\hnbbbb.exe101⤵
-
\??\c:\vdvvd.exec:\vdvvd.exe102⤵
-
\??\c:\dvpjp.exec:\dvpjp.exe103⤵
-
\??\c:\3flfffx.exec:\3flfffx.exe104⤵
-
\??\c:\bhnnhh.exec:\bhnnhh.exe105⤵
-
\??\c:\tbnnbh.exec:\tbnnbh.exe106⤵
-
\??\c:\dvpjp.exec:\dvpjp.exe107⤵
-
\??\c:\1pjjd.exec:\1pjjd.exe108⤵
-
\??\c:\fxlllll.exec:\fxlllll.exe109⤵
-
\??\c:\bbtttn.exec:\bbtttn.exe110⤵
-
\??\c:\pjppv.exec:\pjppv.exe111⤵
-
\??\c:\rlfxxff.exec:\rlfxxff.exe112⤵
-
\??\c:\rxxxxxx.exec:\rxxxxxx.exe113⤵
-
\??\c:\5ttttt.exec:\5ttttt.exe114⤵
-
\??\c:\7dvvp.exec:\7dvvp.exe115⤵
-
\??\c:\5frrrfx.exec:\5frrrfx.exe116⤵
-
\??\c:\lfrrrxx.exec:\lfrrrxx.exe117⤵
-
\??\c:\1nnhhh.exec:\1nnhhh.exe118⤵
-
\??\c:\hhbtnh.exec:\hhbtnh.exe119⤵
-
\??\c:\jdjjj.exec:\jdjjj.exe120⤵
-
\??\c:\lxflfff.exec:\lxflfff.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-