Analysis
-
max time kernel
26s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
09/05/2024, 00:15
General
-
Target
a9003ddb718372ea09a5419ffa788170_NEIKI.exe
-
Size
67KB
-
MD5
a9003ddb718372ea09a5419ffa788170
-
SHA1
0a15e1ff9e3dfcdacea507b5cce75f54a36d0ba7
-
SHA256
63a2b182d7a57f96cee0819447e322318382e738e8ca1133e02d0744c126f1c5
-
SHA512
168c00bf6eb54472ce94a5ca03923127ac8e3277d2b404f0248686212c86000f60a1ca48198539eb0904bde8a8b7f07012eebe384d0fd0326375d4ee643e7b0b
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIrmCeRMKB:ymb3NkkiQ3mdBjFIjeL
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 28 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 35 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4156190539\zmstage.exeC:\Users\Admin\AppData\Local\Temp\4156190539\zmstage.exe1⤵
-
C:\Windows\system32\usoclient.exeC:\Windows\system32\usoclient.exe StartScan1⤵
-
C:\Windows\system32\MusNotification.exeC:\Windows\system32\MusNotification.exe1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Users\Admin\AppData\Local\Temp\a9003ddb718372ea09a5419ffa788170_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\a9003ddb718372ea09a5419ffa788170_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\ttttnn.exec:\ttttnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3jjdp.exec:\3jjdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxrrxx.exec:\fxxrrxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xflffxr.exec:\xflffxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhbhh.exec:\hbhbhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddppj.exec:\ddppj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djjdv.exec:\djjdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flrlxxx.exec:\flrlxxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3bbtht.exec:\3bbtht.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnttnb.exec:\tnttnb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpvj.exec:\dvpvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffxrfff.exec:\ffxrfff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrrrxf.exec:\lfrrrxf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnhhbb.exec:\bnhhbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbbtnh.exec:\tbbtnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvjd.exec:\pjvjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvpjd.exec:\jvpjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvdvp.exec:\jvdvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxrllf.exec:\xrxrllf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnnnhb.exec:\hnnnhb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntnhbh.exec:\ntnhbh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjjjd.exec:\vjjjd.exe23⤵
- Executes dropped EXE
-
\??\c:\7llfxxr.exec:\7llfxxr.exe24⤵
- Executes dropped EXE
-
\??\c:\xrffxlf.exec:\xrffxlf.exe25⤵
- Executes dropped EXE
-
\??\c:\ntbtnn.exec:\ntbtnn.exe26⤵
- Executes dropped EXE
-
\??\c:\hhbthb.exec:\hhbthb.exe27⤵
- Executes dropped EXE
-
\??\c:\jdjdj.exec:\jdjdj.exe28⤵
- Executes dropped EXE
-
\??\c:\jdpjv.exec:\jdpjv.exe29⤵
- Executes dropped EXE
-
\??\c:\xlfrllf.exec:\xlfrllf.exe30⤵
- Executes dropped EXE
-
\??\c:\rfrfffl.exec:\rfrfffl.exe31⤵
- Executes dropped EXE
-
\??\c:\ntnnhh.exec:\ntnnhh.exe32⤵
- Executes dropped EXE
-
\??\c:\bnnhbb.exec:\bnnhbb.exe33⤵
- Executes dropped EXE
-
\??\c:\pvpjj.exec:\pvpjj.exe34⤵
- Executes dropped EXE
-
\??\c:\djdpd.exec:\djdpd.exe35⤵
- Executes dropped EXE
-
\??\c:\xrrlfxx.exec:\xrrlfxx.exe36⤵
- Executes dropped EXE
-
\??\c:\rrxrlll.exec:\rrxrlll.exe37⤵
- Executes dropped EXE
-
\??\c:\hbbbbb.exec:\hbbbbb.exe38⤵
- Executes dropped EXE
-
\??\c:\bnnnbh.exec:\bnnnbh.exe39⤵
- Executes dropped EXE
-
\??\c:\7djdp.exec:\7djdp.exe40⤵
- Executes dropped EXE
-
\??\c:\jvdvp.exec:\jvdvp.exe41⤵
- Executes dropped EXE
-
\??\c:\pdjvp.exec:\pdjvp.exe42⤵
- Executes dropped EXE
-
\??\c:\llrrrxx.exec:\llrrrxx.exe43⤵
- Executes dropped EXE
-
\??\c:\xxrfxxr.exec:\xxrfxxr.exe44⤵
- Executes dropped EXE
-
\??\c:\9nnbth.exec:\9nnbth.exe45⤵
- Executes dropped EXE
-
\??\c:\bnnbtt.exec:\bnnbtt.exe46⤵
- Executes dropped EXE
-
\??\c:\7jjjd.exec:\7jjjd.exe47⤵
- Executes dropped EXE
-
\??\c:\pjdvp.exec:\pjdvp.exe48⤵
- Executes dropped EXE
-
\??\c:\vjvpj.exec:\vjvpj.exe49⤵
- Executes dropped EXE
-
\??\c:\xlllfff.exec:\xlllfff.exe50⤵
- Executes dropped EXE
-
\??\c:\xrffxxr.exec:\xrffxxr.exe51⤵
- Executes dropped EXE
-
\??\c:\bnnnhn.exec:\bnnnhn.exe52⤵
- Executes dropped EXE
-
\??\c:\5nhbnh.exec:\5nhbnh.exe53⤵
- Executes dropped EXE
-
\??\c:\bnhnth.exec:\bnhnth.exe54⤵
- Executes dropped EXE
-
\??\c:\5dvpd.exec:\5dvpd.exe55⤵
- Executes dropped EXE
-
\??\c:\jjpjd.exec:\jjpjd.exe56⤵
- Executes dropped EXE
-
\??\c:\xflflxl.exec:\xflflxl.exe57⤵
- Executes dropped EXE
-
\??\c:\lflfrlx.exec:\lflfrlx.exe58⤵
- Executes dropped EXE
-
\??\c:\frrlxxr.exec:\frrlxxr.exe59⤵
- Executes dropped EXE
-
\??\c:\5hnhbh.exec:\5hnhbh.exe60⤵
- Executes dropped EXE
-
\??\c:\bttnhb.exec:\bttnhb.exe61⤵
- Executes dropped EXE
-
\??\c:\ttttnt.exec:\ttttnt.exe62⤵
- Executes dropped EXE
-
\??\c:\dvjdv.exec:\dvjdv.exe63⤵
- Executes dropped EXE
-
\??\c:\djjdv.exec:\djjdv.exe64⤵
- Executes dropped EXE
-
\??\c:\xxrxxxx.exec:\xxrxxxx.exe65⤵
- Executes dropped EXE
-
\??\c:\lflfffx.exec:\lflfffx.exe66⤵
-
\??\c:\rlllfxx.exec:\rlllfxx.exe67⤵
-
\??\c:\btttnn.exec:\btttnn.exe68⤵
-
\??\c:\hbbtbb.exec:\hbbtbb.exe69⤵
-
\??\c:\tnnhhh.exec:\tnnhhh.exe70⤵
-
\??\c:\vdpdv.exec:\vdpdv.exe71⤵
-
\??\c:\vddvp.exec:\vddvp.exe72⤵
-
\??\c:\djjdv.exec:\djjdv.exe73⤵
-
\??\c:\fxxrxxx.exec:\fxxrxxx.exe74⤵
-
\??\c:\lffxrrl.exec:\lffxrrl.exe75⤵
-
\??\c:\rffxxxr.exec:\rffxxxr.exe76⤵
-
\??\c:\hnttnn.exec:\hnttnn.exe77⤵
-
\??\c:\nbtnnh.exec:\nbtnnh.exe78⤵
-
\??\c:\hbbbbb.exec:\hbbbbb.exe79⤵
-
\??\c:\ddjvp.exec:\ddjvp.exe80⤵
-
\??\c:\jppvp.exec:\jppvp.exe81⤵
-
\??\c:\5pppj.exec:\5pppj.exe82⤵
-
\??\c:\fxfxxrf.exec:\fxfxxrf.exe83⤵
-
\??\c:\fxxrxxr.exec:\fxxrxxr.exe84⤵
-
\??\c:\htnhbb.exec:\htnhbb.exe85⤵
-
\??\c:\nhbtnn.exec:\nhbtnn.exe86⤵
-
\??\c:\bttnbh.exec:\bttnbh.exe87⤵
-
\??\c:\pvvjd.exec:\pvvjd.exe88⤵
-
\??\c:\vdvvj.exec:\vdvvj.exe89⤵
-
\??\c:\rxfxfxr.exec:\rxfxfxr.exe90⤵
-
\??\c:\5fffrxx.exec:\5fffrxx.exe91⤵
-
\??\c:\rxffffx.exec:\rxffffx.exe92⤵
-
\??\c:\tthhtt.exec:\tthhtt.exe93⤵
-
\??\c:\ththnh.exec:\ththnh.exe94⤵
-
\??\c:\jjjdd.exec:\jjjdd.exe95⤵
-
\??\c:\1dvpj.exec:\1dvpj.exe96⤵
-
\??\c:\xxllrxf.exec:\xxllrxf.exe97⤵
-
\??\c:\lrxxxrf.exec:\lrxxxrf.exe98⤵
-
\??\c:\frlfxrr.exec:\frlfxrr.exe99⤵
-
\??\c:\7hhbtb.exec:\7hhbtb.exe100⤵
-
\??\c:\nhhttn.exec:\nhhttn.exe101⤵
-
\??\c:\vpjdv.exec:\vpjdv.exe102⤵
-
\??\c:\dvdvj.exec:\dvdvj.exe103⤵
-
\??\c:\rlfxxxr.exec:\rlfxxxr.exe104⤵
-
\??\c:\ffffxfx.exec:\ffffxfx.exe105⤵
-
\??\c:\frllflf.exec:\frllflf.exe106⤵
-
\??\c:\5tbtnn.exec:\5tbtnn.exe107⤵
-
\??\c:\nhbtnh.exec:\nhbtnh.exe108⤵
-
\??\c:\pddvj.exec:\pddvj.exe109⤵
-
\??\c:\jvjpj.exec:\jvjpj.exe110⤵
-
\??\c:\pppjv.exec:\pppjv.exe111⤵
-
\??\c:\rlxrxrx.exec:\rlxrxrx.exe112⤵
-
\??\c:\rfxxllf.exec:\rfxxllf.exe113⤵
-
\??\c:\nntnhh.exec:\nntnhh.exe114⤵
-
\??\c:\tbbtnn.exec:\tbbtnn.exe115⤵
-
\??\c:\nhbtnn.exec:\nhbtnn.exe116⤵
-
\??\c:\ddjdv.exec:\ddjdv.exe117⤵
-
\??\c:\vpjpj.exec:\vpjpj.exe118⤵
-
\??\c:\vdpdp.exec:\vdpdp.exe119⤵
-
\??\c:\frxlfxx.exec:\frxlfxx.exe120⤵
-
\??\c:\fxrrllf.exec:\fxrrllf.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-