Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
09-05-2024 22:29
General
-
Target
10fb5aa4a1fd0af47205251dcaa919d0_NeikiAnalytics.exe
-
Size
91KB
-
MD5
10fb5aa4a1fd0af47205251dcaa919d0
-
SHA1
895f89235478f31eca8c434a5dd39401c31948a9
-
SHA256
349fdae109278a8dc86464df309b7fce2fcfb8d0ba0b4c01dc0e409daffced02
-
SHA512
a280af0a7ea60db915ec2c19ab1daec058cf5070198d5ec6dfa8d1b82e8f9b0526afdc199e6a6b65e7cf427c585993a88ed8479841b1b080ad5089d3506f020f
-
SSDEEP
1536:8vQBeOGtrYS3srx93UBWfwC6Ggnouy80fg3Cip8iXAsG5M0u5YoWp3:8hOmTsF93UYfwC6GIout0fmCiiiXA6m5
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 64 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\10fb5aa4a1fd0af47205251dcaa919d0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\10fb5aa4a1fd0af47205251dcaa919d0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\flllllr.exec:\flllllr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nntbtn.exec:\nntbtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpdpv.exec:\dpdpv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdvpp.exec:\vdvpp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1llfxfx.exec:\1llfxfx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhhtnn.exec:\hhhtnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjpjd.exec:\jjpjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpppd.exec:\dpppd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxxrlf.exec:\rfxxrlf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrxffx.exec:\lfrxffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhbnh.exec:\nnhbnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djvdj.exec:\djvdj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxxxxx.exec:\fxxxxxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthbtn.exec:\bthbtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdpjd.exec:\pdpjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxfxrlf.exec:\rxfxrlf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hntnhb.exec:\hntnhb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpvvp.exec:\jpvvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxrfxr.exec:\frxrfxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbttt.exec:\nhbttt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5nnhbb.exec:\5nnhbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdjp.exec:\pjdjp.exe23⤵
- Executes dropped EXE
-
\??\c:\frxrlfx.exec:\frxrlfx.exe24⤵
- Executes dropped EXE
-
\??\c:\ttbtbb.exec:\ttbtbb.exe25⤵
- Executes dropped EXE
-
\??\c:\ppvpj.exec:\ppvpj.exe26⤵
- Executes dropped EXE
-
\??\c:\xllxrfx.exec:\xllxrfx.exe27⤵
- Executes dropped EXE
-
\??\c:\fxxrllf.exec:\fxxrllf.exe28⤵
- Executes dropped EXE
-
\??\c:\nhtnbb.exec:\nhtnbb.exe29⤵
- Executes dropped EXE
-
\??\c:\jvdjj.exec:\jvdjj.exe30⤵
- Executes dropped EXE
-
\??\c:\lfrfxrl.exec:\lfrfxrl.exe31⤵
- Executes dropped EXE
-
\??\c:\nhbbbb.exec:\nhbbbb.exe32⤵
- Executes dropped EXE
-
\??\c:\pvvjv.exec:\pvvjv.exe33⤵
- Executes dropped EXE
-
\??\c:\xlllfxx.exec:\xlllfxx.exe34⤵
- Executes dropped EXE
-
\??\c:\xfxfxlx.exec:\xfxfxlx.exe35⤵
- Executes dropped EXE
-
\??\c:\hbbbtt.exec:\hbbbtt.exe36⤵
- Executes dropped EXE
-
\??\c:\ddvpv.exec:\ddvpv.exe37⤵
- Executes dropped EXE
-
\??\c:\5jpdv.exec:\5jpdv.exe38⤵
- Executes dropped EXE
-
\??\c:\llllflf.exec:\llllflf.exe39⤵
- Executes dropped EXE
-
\??\c:\hbhbtn.exec:\hbhbtn.exe40⤵
- Executes dropped EXE
-
\??\c:\hhthth.exec:\hhthth.exe41⤵
- Executes dropped EXE
-
\??\c:\xrxrrrx.exec:\xrxrrrx.exe42⤵
- Executes dropped EXE
-
\??\c:\rlxrllr.exec:\rlxrllr.exe43⤵
- Executes dropped EXE
-
\??\c:\nnhnbh.exec:\nnhnbh.exe44⤵
- Executes dropped EXE
-
\??\c:\jjvvp.exec:\jjvvp.exe45⤵
- Executes dropped EXE
-
\??\c:\tthbtb.exec:\tthbtb.exe46⤵
- Executes dropped EXE
-
\??\c:\hhhbth.exec:\hhhbth.exe47⤵
- Executes dropped EXE
-
\??\c:\dvvpj.exec:\dvvpj.exe48⤵
- Executes dropped EXE
-
\??\c:\lxrlllf.exec:\lxrlllf.exe49⤵
- Executes dropped EXE
-
\??\c:\thnhth.exec:\thnhth.exe50⤵
- Executes dropped EXE
-
\??\c:\pjjdp.exec:\pjjdp.exe51⤵
- Executes dropped EXE
-
\??\c:\3pvpp.exec:\3pvpp.exe52⤵
- Executes dropped EXE
-
\??\c:\xflfxrl.exec:\xflfxrl.exe53⤵
- Executes dropped EXE
-
\??\c:\htbbtt.exec:\htbbtt.exe54⤵
- Executes dropped EXE
-
\??\c:\htbtnb.exec:\htbtnb.exe55⤵
- Executes dropped EXE
-
\??\c:\dvdvp.exec:\dvdvp.exe56⤵
- Executes dropped EXE
-
\??\c:\7ffxrrl.exec:\7ffxrrl.exe57⤵
- Executes dropped EXE
-
\??\c:\1rxrfxf.exec:\1rxrfxf.exe58⤵
- Executes dropped EXE
-
\??\c:\hnhnnh.exec:\hnhnnh.exe59⤵
- Executes dropped EXE
-
\??\c:\jdvvp.exec:\jdvvp.exe60⤵
- Executes dropped EXE
-
\??\c:\rrxlfxr.exec:\rrxlfxr.exe61⤵
- Executes dropped EXE
-
\??\c:\5lrrffl.exec:\5lrrffl.exe62⤵
- Executes dropped EXE
-
\??\c:\9tbbbb.exec:\9tbbbb.exe63⤵
- Executes dropped EXE
-
\??\c:\vdpjv.exec:\vdpjv.exe64⤵
- Executes dropped EXE
-
\??\c:\jjvvj.exec:\jjvvj.exe65⤵
- Executes dropped EXE
-
\??\c:\llrlffx.exec:\llrlffx.exe66⤵
-
\??\c:\tbbbbb.exec:\tbbbbb.exe67⤵
-
\??\c:\vppdv.exec:\vppdv.exe68⤵
-
\??\c:\dpjdv.exec:\dpjdv.exe69⤵
-
\??\c:\rffrlfx.exec:\rffrlfx.exe70⤵
-
\??\c:\nnhtnn.exec:\nnhtnn.exe71⤵
-
\??\c:\pvvpv.exec:\pvvpv.exe72⤵
-
\??\c:\5pjdp.exec:\5pjdp.exe73⤵
-
\??\c:\3bhnhn.exec:\3bhnhn.exe74⤵
-
\??\c:\bnhbtt.exec:\bnhbtt.exe75⤵
-
\??\c:\pdvvv.exec:\pdvvv.exe76⤵
-
\??\c:\rllfrrr.exec:\rllfrrr.exe77⤵
-
\??\c:\nhbbtt.exec:\nhbbtt.exe78⤵
-
\??\c:\5nhbnn.exec:\5nhbnn.exe79⤵
-
\??\c:\dvvvp.exec:\dvvvp.exe80⤵
-
\??\c:\xrffllr.exec:\xrffllr.exe81⤵
-
\??\c:\bhhhnh.exec:\bhhhnh.exe82⤵
-
\??\c:\jvvpp.exec:\jvvpp.exe83⤵
-
\??\c:\dvpjv.exec:\dvpjv.exe84⤵
-
\??\c:\rlrxrlf.exec:\rlrxrlf.exe85⤵
-
\??\c:\rlrxffr.exec:\rlrxffr.exe86⤵
-
\??\c:\9bbtbh.exec:\9bbtbh.exe87⤵
-
\??\c:\vdvpj.exec:\vdvpj.exe88⤵
-
\??\c:\ddpjd.exec:\ddpjd.exe89⤵
-
\??\c:\rlrxrrl.exec:\rlrxrrl.exe90⤵
-
\??\c:\hhtntb.exec:\hhtntb.exe91⤵
-
\??\c:\7pvvp.exec:\7pvvp.exe92⤵
-
\??\c:\lfllffr.exec:\lfllffr.exe93⤵
-
\??\c:\btthbt.exec:\btthbt.exe94⤵
-
\??\c:\pvvvp.exec:\pvvvp.exe95⤵
-
\??\c:\xlfrxxr.exec:\xlfrxxr.exe96⤵
-
\??\c:\hbnhbb.exec:\hbnhbb.exe97⤵
-
\??\c:\xfrrlfx.exec:\xfrrlfx.exe98⤵
-
\??\c:\lxxlfxr.exec:\lxxlfxr.exe99⤵
-
\??\c:\hbntbb.exec:\hbntbb.exe100⤵
-
\??\c:\pvjdd.exec:\pvjdd.exe101⤵
-
\??\c:\rllfxxl.exec:\rllfxxl.exe102⤵
-
\??\c:\9tnhtn.exec:\9tnhtn.exe103⤵
-
\??\c:\jvdpj.exec:\jvdpj.exe104⤵
-
\??\c:\fxxrllf.exec:\fxxrllf.exe105⤵
-
\??\c:\1bhbtt.exec:\1bhbtt.exe106⤵
-
\??\c:\nbhbtb.exec:\nbhbtb.exe107⤵
-
\??\c:\jddvj.exec:\jddvj.exe108⤵
-
\??\c:\xxlrlrr.exec:\xxlrlrr.exe109⤵
-
\??\c:\htbbbb.exec:\htbbbb.exe110⤵
-
\??\c:\nhhtnb.exec:\nhhtnb.exe111⤵
-
\??\c:\pjjdv.exec:\pjjdv.exe112⤵
-
\??\c:\rfffrrr.exec:\rfffrrr.exe113⤵
-
\??\c:\9lfxrrl.exec:\9lfxrrl.exe114⤵
-
\??\c:\nbhhhh.exec:\nbhhhh.exe115⤵
-
\??\c:\hnbtnn.exec:\hnbtnn.exe116⤵
-
\??\c:\jddvv.exec:\jddvv.exe117⤵
-
\??\c:\9lxlrfr.exec:\9lxlrfr.exe118⤵
-
\??\c:\hbhbnn.exec:\hbhbnn.exe119⤵
-
\??\c:\nbhhnn.exec:\nbhhnn.exe120⤵
-
\??\c:\dpjjd.exec:\dpjjd.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-