Analysis
-
max time kernel
150s -
max time network
112s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
08/05/2024, 21:04
General
-
Target
52165ccb36a7ea9eb447d5afa6401040_NEIKI.exe
-
Size
63KB
-
MD5
52165ccb36a7ea9eb447d5afa6401040
-
SHA1
c2882c50fbf45e59cc38a04b13ef0bc863ffa858
-
SHA256
a1bfa1a37223786a8d651980d578fdf5fef0cc7595f5832687c4cc442c00a96a
-
SHA512
2e008bcdf55d48b2d81022c5203fd5018214f89014d56b53ff31a9af2bd9f48948fe18ead953e691022d0323d8bc2ba75c88415289a01684284e43f03fc7b0fc
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIsIpWCz+FR4ReSI:ymb3NkkiQ3mdBjFIsIpZ+R4ReSI
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\52165ccb36a7ea9eb447d5afa6401040_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\52165ccb36a7ea9eb447d5afa6401040_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\nhtnhh.exec:\nhtnhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbbbb.exec:\hhbbbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjjp.exec:\ddjjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdjjj.exec:\pdjjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffxlfxl.exec:\ffxlfxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhnnnn.exec:\hhnnnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhhhn.exec:\nnhhhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvdvp.exec:\jvdvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpdvv.exec:\jpdvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrrrlf.exec:\xrrrrlf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\httntt.exec:\httntt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnnnhh.exec:\nnnnhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpppp.exec:\dpppp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvdvp.exec:\jvdvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rffxlfx.exec:\rffxlfx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7bhhht.exec:\7bhhht.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bttbtt.exec:\bttbtt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9dvvp.exec:\9dvvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvppp.exec:\vvppp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3fxxffl.exec:\3fxxffl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thbthh.exec:\thbthh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnbtt.exec:\btnbtt.exe23⤵
- Executes dropped EXE
-
\??\c:\tnhbnh.exec:\tnhbnh.exe24⤵
- Executes dropped EXE
-
\??\c:\vjpjp.exec:\vjpjp.exe25⤵
- Executes dropped EXE
-
\??\c:\1jjjv.exec:\1jjjv.exe26⤵
- Executes dropped EXE
-
\??\c:\xxlrrrr.exec:\xxlrrrr.exe27⤵
- Executes dropped EXE
-
\??\c:\xrflfrl.exec:\xrflfrl.exe28⤵
- Executes dropped EXE
-
\??\c:\tnnbbt.exec:\tnnbbt.exe29⤵
- Executes dropped EXE
-
\??\c:\pjvvv.exec:\pjvvv.exe30⤵
- Executes dropped EXE
-
\??\c:\pvpjj.exec:\pvpjj.exe31⤵
- Executes dropped EXE
-
\??\c:\fxxrlfx.exec:\fxxrlfx.exe32⤵
- Executes dropped EXE
-
\??\c:\fxxffrx.exec:\fxxffrx.exe33⤵
- Executes dropped EXE
-
\??\c:\xlflxrr.exec:\xlflxrr.exe34⤵
- Executes dropped EXE
-
\??\c:\bththn.exec:\bththn.exe35⤵
- Executes dropped EXE
-
\??\c:\1ttbnb.exec:\1ttbnb.exe36⤵
- Executes dropped EXE
-
\??\c:\vppjv.exec:\vppjv.exe37⤵
- Executes dropped EXE
-
\??\c:\3ppjv.exec:\3ppjv.exe38⤵
- Executes dropped EXE
-
\??\c:\5xxrllr.exec:\5xxrllr.exe39⤵
- Executes dropped EXE
-
\??\c:\rlffrll.exec:\rlffrll.exe40⤵
- Executes dropped EXE
-
\??\c:\bhhhth.exec:\bhhhth.exe41⤵
- Executes dropped EXE
-
\??\c:\nhnbnt.exec:\nhnbnt.exe42⤵
- Executes dropped EXE
-
\??\c:\pddvj.exec:\pddvj.exe43⤵
- Executes dropped EXE
-
\??\c:\pdddp.exec:\pdddp.exe44⤵
- Executes dropped EXE
-
\??\c:\rrxrxll.exec:\rrxrxll.exe45⤵
- Executes dropped EXE
-
\??\c:\5rfxlfx.exec:\5rfxlfx.exe46⤵
- Executes dropped EXE
-
\??\c:\nbtnbb.exec:\nbtnbb.exe47⤵
- Executes dropped EXE
-
\??\c:\bhbnbt.exec:\bhbnbt.exe48⤵
- Executes dropped EXE
-
\??\c:\pvjvj.exec:\pvjvj.exe49⤵
- Executes dropped EXE
-
\??\c:\jvjvd.exec:\jvjvd.exe50⤵
- Executes dropped EXE
-
\??\c:\lllxfxf.exec:\lllxfxf.exe51⤵
- Executes dropped EXE
-
\??\c:\rllfxxl.exec:\rllfxxl.exe52⤵
- Executes dropped EXE
-
\??\c:\3ntnhn.exec:\3ntnhn.exe53⤵
- Executes dropped EXE
-
\??\c:\5nhbnh.exec:\5nhbnh.exe54⤵
- Executes dropped EXE
-
\??\c:\vdjdp.exec:\vdjdp.exe55⤵
- Executes dropped EXE
-
\??\c:\pjjvd.exec:\pjjvd.exe56⤵
- Executes dropped EXE
-
\??\c:\lfrlxrl.exec:\lfrlxrl.exe57⤵
- Executes dropped EXE
-
\??\c:\3xfxlff.exec:\3xfxlff.exe58⤵
- Executes dropped EXE
-
\??\c:\1ttbtn.exec:\1ttbtn.exe59⤵
- Executes dropped EXE
-
\??\c:\ntbnbb.exec:\ntbnbb.exe60⤵
- Executes dropped EXE
-
\??\c:\ttnbht.exec:\ttnbht.exe61⤵
- Executes dropped EXE
-
\??\c:\pdvjv.exec:\pdvjv.exe62⤵
- Executes dropped EXE
-
\??\c:\pppjd.exec:\pppjd.exe63⤵
- Executes dropped EXE
-
\??\c:\fxlflxf.exec:\fxlflxf.exe64⤵
- Executes dropped EXE
-
\??\c:\frlfxrl.exec:\frlfxrl.exe65⤵
- Executes dropped EXE
-
\??\c:\3hnhnn.exec:\3hnhnn.exe66⤵
-
\??\c:\hthhnb.exec:\hthhnb.exe67⤵
-
\??\c:\pdjjv.exec:\pdjjv.exe68⤵
-
\??\c:\dppvj.exec:\dppvj.exe69⤵
-
\??\c:\xrlrfxr.exec:\xrlrfxr.exe70⤵
-
\??\c:\xxrlffx.exec:\xxrlffx.exe71⤵
-
\??\c:\bbtntn.exec:\bbtntn.exe72⤵
-
\??\c:\hbntbn.exec:\hbntbn.exe73⤵
-
\??\c:\nnthbb.exec:\nnthbb.exe74⤵
-
\??\c:\9dvvj.exec:\9dvvj.exe75⤵
-
\??\c:\pvpdj.exec:\pvpdj.exe76⤵
-
\??\c:\llfxlfr.exec:\llfxlfr.exe77⤵
-
\??\c:\llfrlfr.exec:\llfrlfr.exe78⤵
-
\??\c:\lflxrlf.exec:\lflxrlf.exe79⤵
-
\??\c:\httnhb.exec:\httnhb.exe80⤵
-
\??\c:\hhbhnb.exec:\hhbhnb.exe81⤵
-
\??\c:\9pjdp.exec:\9pjdp.exe82⤵
-
\??\c:\vppdv.exec:\vppdv.exe83⤵
-
\??\c:\jppjp.exec:\jppjp.exe84⤵
-
\??\c:\7fflffx.exec:\7fflffx.exe85⤵
-
\??\c:\rfxxrrl.exec:\rfxxrrl.exe86⤵
-
\??\c:\btnhbb.exec:\btnhbb.exe87⤵
-
\??\c:\hhthtb.exec:\hhthtb.exe88⤵
-
\??\c:\ddjvj.exec:\ddjvj.exe89⤵
-
\??\c:\7dpvp.exec:\7dpvp.exe90⤵
-
\??\c:\ppjdp.exec:\ppjdp.exe91⤵
-
\??\c:\xrrrrlr.exec:\xrrrrlr.exe92⤵
-
\??\c:\rflllll.exec:\rflllll.exe93⤵
-
\??\c:\bbhbbh.exec:\bbhbbh.exe94⤵
-
\??\c:\7nbnbh.exec:\7nbnbh.exe95⤵
-
\??\c:\9ddpd.exec:\9ddpd.exe96⤵
-
\??\c:\dpdjp.exec:\dpdjp.exe97⤵
-
\??\c:\xflxrlf.exec:\xflxrlf.exe98⤵
-
\??\c:\7lrxfxr.exec:\7lrxfxr.exe99⤵
-
\??\c:\rfrlxfx.exec:\rfrlxfx.exe100⤵
-
\??\c:\thnhbn.exec:\thnhbn.exe101⤵
-
\??\c:\vpdvv.exec:\vpdvv.exe102⤵
-
\??\c:\vpvvv.exec:\vpvvv.exe103⤵
-
\??\c:\7jddp.exec:\7jddp.exe104⤵
-
\??\c:\1llffrx.exec:\1llffrx.exe105⤵
-
\??\c:\lxrrllf.exec:\lxrrllf.exe106⤵
-
\??\c:\ntntnh.exec:\ntntnh.exe107⤵
-
\??\c:\ffflllx.exec:\ffflllx.exe108⤵
-
\??\c:\nbnbtn.exec:\nbnbtn.exe109⤵
-
\??\c:\thnnbb.exec:\thnnbb.exe110⤵
-
\??\c:\hhnbnh.exec:\hhnbnh.exe111⤵
-
\??\c:\pdpdj.exec:\pdpdj.exe112⤵
-
\??\c:\pdpjp.exec:\pdpjp.exe113⤵
-
\??\c:\xrlxlrx.exec:\xrlxlrx.exe114⤵
-
\??\c:\lffxfff.exec:\lffxfff.exe115⤵
-
\??\c:\tnbthb.exec:\tnbthb.exe116⤵
-
\??\c:\bnhbnn.exec:\bnhbnn.exe117⤵
-
\??\c:\9ppdv.exec:\9ppdv.exe118⤵
-
\??\c:\dppjv.exec:\dppjv.exe119⤵
-
\??\c:\dpdpj.exec:\dpdpj.exe120⤵
-
\??\c:\7llxlfx.exec:\7llxlfx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-