Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
09/05/2024, 04:10
General
-
Target
ea2c66a10180b08d0d45a46cea1919a0_NEIKI.exe
-
Size
86KB
-
MD5
ea2c66a10180b08d0d45a46cea1919a0
-
SHA1
c1cb5b936c46556408177dbd06277d497622df75
-
SHA256
ac67b343d1222556336ac1ee1f57052cebc131ca9ea860df005e8b57b4098757
-
SHA512
ecb76bf0854405fd605035d7883dc620052a65edd4e374f1af40e0ad20b4dadc3e6bd79a852d1180ae449fa0087c7e44cd4be4f738afd10256064aa90563c7d7
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDodtzac0Hobv0byLufTJD:ymb3NkkiQ3mdBjFodt27HobvcyLufND
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 21 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ea2c66a10180b08d0d45a46cea1919a0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\ea2c66a10180b08d0d45a46cea1919a0_NEIKI.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rrfrllx.exec:\rrfrllx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnntb.exec:\btnntb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1llxlfr.exec:\1llxlfr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tthhnn.exec:\tthhnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvjvd.exec:\pvjvd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdddj.exec:\jdddj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3btbhh.exec:\3btbhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppvdv.exec:\ppvdv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvpdv.exec:\vvpdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxfrxff.exec:\lxfrxff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhntbh.exec:\bhntbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htnbnn.exec:\htnbnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvdj.exec:\ddvdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5flrxrx.exec:\5flrxrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnbnb.exec:\hbnbnb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thhnnn.exec:\thhnnn.exe17⤵
- Executes dropped EXE
-
\??\c:\vpdvj.exec:\vpdvj.exe18⤵
- Executes dropped EXE
-
\??\c:\jjdpp.exec:\jjdpp.exe19⤵
- Executes dropped EXE
-
\??\c:\1ffxrfr.exec:\1ffxrfr.exe20⤵
- Executes dropped EXE
-
\??\c:\1nbbhh.exec:\1nbbhh.exe21⤵
- Executes dropped EXE
-
\??\c:\nnhntb.exec:\nnhntb.exe22⤵
- Executes dropped EXE
-
\??\c:\pdpvd.exec:\pdpvd.exe23⤵
- Executes dropped EXE
-
\??\c:\fxllxfl.exec:\fxllxfl.exe24⤵
- Executes dropped EXE
-
\??\c:\3ffxlrl.exec:\3ffxlrl.exe25⤵
- Executes dropped EXE
-
\??\c:\nnnbbh.exec:\nnnbbh.exe26⤵
- Executes dropped EXE
-
\??\c:\vvjdj.exec:\vvjdj.exe27⤵
- Executes dropped EXE
-
\??\c:\xrlflrf.exec:\xrlflrf.exe28⤵
- Executes dropped EXE
-
\??\c:\3hbhnn.exec:\3hbhnn.exe29⤵
- Executes dropped EXE
-
\??\c:\hbhhnn.exec:\hbhhnn.exe30⤵
- Executes dropped EXE
-
\??\c:\7pjvd.exec:\7pjvd.exe31⤵
- Executes dropped EXE
-
\??\c:\ffxxrrl.exec:\ffxxrrl.exe32⤵
- Executes dropped EXE
-
\??\c:\bbtbhh.exec:\bbtbhh.exe33⤵
- Executes dropped EXE
-
\??\c:\bbnthh.exec:\bbnthh.exe34⤵
- Executes dropped EXE
-
\??\c:\vpdpv.exec:\vpdpv.exe35⤵
- Executes dropped EXE
-
\??\c:\9xrrxfl.exec:\9xrrxfl.exe36⤵
- Executes dropped EXE
-
\??\c:\3rrxlrx.exec:\3rrxlrx.exe37⤵
- Executes dropped EXE
-
\??\c:\tnhntb.exec:\tnhntb.exe38⤵
- Executes dropped EXE
-
\??\c:\btnthn.exec:\btnthn.exe39⤵
- Executes dropped EXE
-
\??\c:\5jjvd.exec:\5jjvd.exe40⤵
- Executes dropped EXE
-
\??\c:\pjdvj.exec:\pjdvj.exe41⤵
- Executes dropped EXE
-
\??\c:\llfrflx.exec:\llfrflx.exe42⤵
- Executes dropped EXE
-
\??\c:\rrrfxlf.exec:\rrrfxlf.exe43⤵
- Executes dropped EXE
-
\??\c:\tthbnn.exec:\tthbnn.exe44⤵
- Executes dropped EXE
-
\??\c:\3bnnbb.exec:\3bnnbb.exe45⤵
- Executes dropped EXE
-
\??\c:\jjvvd.exec:\jjvvd.exe46⤵
- Executes dropped EXE
-
\??\c:\ddjjp.exec:\ddjjp.exe47⤵
- Executes dropped EXE
-
\??\c:\rlxxfff.exec:\rlxxfff.exe48⤵
- Executes dropped EXE
-
\??\c:\xrfrxrr.exec:\xrfrxrr.exe49⤵
- Executes dropped EXE
-
\??\c:\1llxllr.exec:\1llxllr.exe50⤵
- Executes dropped EXE
-
\??\c:\tthbnt.exec:\tthbnt.exe51⤵
- Executes dropped EXE
-
\??\c:\nhnbnt.exec:\nhnbnt.exe52⤵
- Executes dropped EXE
-
\??\c:\jjpvj.exec:\jjpvj.exe53⤵
- Executes dropped EXE
-
\??\c:\1ppjp.exec:\1ppjp.exe54⤵
- Executes dropped EXE
-
\??\c:\7xrxlxl.exec:\7xrxlxl.exe55⤵
- Executes dropped EXE
-
\??\c:\xrlrxfl.exec:\xrlrxfl.exe56⤵
- Executes dropped EXE
-
\??\c:\9hhbnt.exec:\9hhbnt.exe57⤵
- Executes dropped EXE
-
\??\c:\thtnth.exec:\thtnth.exe58⤵
- Executes dropped EXE
-
\??\c:\vjvvv.exec:\vjvvv.exe59⤵
- Executes dropped EXE
-
\??\c:\dpdvv.exec:\dpdvv.exe60⤵
- Executes dropped EXE
-
\??\c:\ffffxfx.exec:\ffffxfx.exe61⤵
- Executes dropped EXE
-
\??\c:\vvpdj.exec:\vvpdj.exe62⤵
- Executes dropped EXE
-
\??\c:\jdpjj.exec:\jdpjj.exe63⤵
- Executes dropped EXE
-
\??\c:\7rxflrx.exec:\7rxflrx.exe64⤵
- Executes dropped EXE
-
\??\c:\3lfflrf.exec:\3lfflrf.exe65⤵
- Executes dropped EXE
-
\??\c:\3nnntt.exec:\3nnntt.exe66⤵
-
\??\c:\3hbttt.exec:\3hbttt.exe67⤵
-
\??\c:\5pjjj.exec:\5pjjj.exe68⤵
-
\??\c:\9jdvv.exec:\9jdvv.exe69⤵
-
\??\c:\rlfrflr.exec:\rlfrflr.exe70⤵
-
\??\c:\xrlrxxf.exec:\xrlrxxf.exe71⤵
-
\??\c:\3hhhht.exec:\3hhhht.exe72⤵
-
\??\c:\hhbhbb.exec:\hhbhbb.exe73⤵
-
\??\c:\jpvpv.exec:\jpvpv.exe74⤵
-
\??\c:\rlxlllx.exec:\rlxlllx.exe75⤵
-
\??\c:\7lfrlxl.exec:\7lfrlxl.exe76⤵
-
\??\c:\tnhtbh.exec:\tnhtbh.exe77⤵
-
\??\c:\hbntbb.exec:\hbntbb.exe78⤵
-
\??\c:\dvddp.exec:\dvddp.exe79⤵
-
\??\c:\dvddd.exec:\dvddd.exe80⤵
-
\??\c:\xrllrrr.exec:\xrllrrr.exe81⤵
-
\??\c:\7frlrfr.exec:\7frlrfr.exe82⤵
-
\??\c:\1hbntt.exec:\1hbntt.exe83⤵
-
\??\c:\bthntb.exec:\bthntb.exe84⤵
-
\??\c:\jjdpj.exec:\jjdpj.exe85⤵
-
\??\c:\jjjjv.exec:\jjjjv.exe86⤵
-
\??\c:\fxffrrx.exec:\fxffrrx.exe87⤵
-
\??\c:\rfrrllr.exec:\rfrrllr.exe88⤵
-
\??\c:\bntthh.exec:\bntthh.exe89⤵
-
\??\c:\nbnhtt.exec:\nbnhtt.exe90⤵
-
\??\c:\7vpdj.exec:\7vpdj.exe91⤵
-
\??\c:\7vdvv.exec:\7vdvv.exe92⤵
-
\??\c:\lfxllrf.exec:\lfxllrf.exe93⤵
-
\??\c:\rlrlxxl.exec:\rlrlxxl.exe94⤵
-
\??\c:\nbnhnn.exec:\nbnhnn.exe95⤵
-
\??\c:\hbhnnn.exec:\hbhnnn.exe96⤵
-
\??\c:\pdpjd.exec:\pdpjd.exe97⤵
-
\??\c:\vpddp.exec:\vpddp.exe98⤵
-
\??\c:\xrllxxl.exec:\xrllxxl.exe99⤵
-
\??\c:\fxrxllx.exec:\fxrxllx.exe100⤵
-
\??\c:\thttbt.exec:\thttbt.exe101⤵
-
\??\c:\hthhtt.exec:\hthhtt.exe102⤵
-
\??\c:\vpddp.exec:\vpddp.exe103⤵
-
\??\c:\ppjvj.exec:\ppjvj.exe104⤵
-
\??\c:\rlxxffl.exec:\rlxxffl.exe105⤵
-
\??\c:\hbhhnn.exec:\hbhhnn.exe106⤵
-
\??\c:\tnbthn.exec:\tnbthn.exe107⤵
-
\??\c:\jdppd.exec:\jdppd.exe108⤵
-
\??\c:\jjdjp.exec:\jjdjp.exe109⤵
-
\??\c:\rfrxrrf.exec:\rfrxrrf.exe110⤵
-
\??\c:\fxrxllr.exec:\fxrxllr.exe111⤵
-
\??\c:\1nbhtt.exec:\1nbhtt.exe112⤵
-
\??\c:\hthntt.exec:\hthntt.exe113⤵
-
\??\c:\vpdjp.exec:\vpdjp.exe114⤵
-
\??\c:\jdvdd.exec:\jdvdd.exe115⤵
-
\??\c:\lfxllrx.exec:\lfxllrx.exe116⤵
-
\??\c:\frflxrx.exec:\frflxrx.exe117⤵
-
\??\c:\bttbnt.exec:\bttbnt.exe118⤵
-
\??\c:\1jppv.exec:\1jppv.exe119⤵
-
\??\c:\5dppd.exec:\5dppd.exe120⤵
-
\??\c:\frxxxfl.exec:\frxxxfl.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-