Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
09/05/2024, 19:52
General
-
Target
e0b072d0ca534f136dc4ec68852a72c0_NeikiAnalytics.exe
-
Size
71KB
-
MD5
e0b072d0ca534f136dc4ec68852a72c0
-
SHA1
826d31ed1580b5692d7ffd97d4e37c8031d967e3
-
SHA256
cf61cb5003dee77a3bd17e571ea804deed4e7611c11f52721f38cd852cffe0c2
-
SHA512
ebdeb32934f6ba781d01432be37ee28e90fe7f4feb867e758d94287529d325d250f5cc7b0ce82d6ec1a457a9484e223f70f71a718a648129f78e66aa9e992a03
-
SSDEEP
1536:NvQBeOGtrYS3srx93UBWfwC6Ggnouy8KlAXmAXIBG/+WIFuTKLXvCB5yAXNlIQkz:NhOmTsF93UYfwC6GIoutOP/WWGKL/SYx
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 59 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0b072d0ca534f136dc4ec68852a72c0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\e0b072d0ca534f136dc4ec68852a72c0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\npvnbph.exec:\npvnbph.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\njddlv.exec:\njddlv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjfvff.exec:\vjfvff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hdtlxdl.exec:\hdtlxdl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpjphfl.exec:\jpjphfl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ndvtb.exec:\ndvtb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnjpr.exec:\hnjpr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnrjv.exec:\tnrjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbpvh.exec:\nbpvh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pbftlt.exec:\pbftlt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dhtdlb.exec:\dhtdlb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djnnv.exec:\djnnv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhhpnt.exec:\nhhpnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvnljr.exec:\dvnljr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jxjvll.exec:\jxjvll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rjppxrt.exec:\rjppxrt.exe17⤵
- Executes dropped EXE
-
\??\c:\tbfhf.exec:\tbfhf.exe18⤵
- Executes dropped EXE
-
\??\c:\frfhxvp.exec:\frfhxvp.exe19⤵
- Executes dropped EXE
-
\??\c:\rtdphp.exec:\rtdphp.exe20⤵
- Executes dropped EXE
-
\??\c:\dpbfv.exec:\dpbfv.exe21⤵
- Executes dropped EXE
-
\??\c:\nxtnv.exec:\nxtnv.exe22⤵
- Executes dropped EXE
-
\??\c:\dpplrrj.exec:\dpplrrj.exe23⤵
- Executes dropped EXE
-
\??\c:\rhhlhh.exec:\rhhlhh.exe24⤵
- Executes dropped EXE
-
\??\c:\tjlfb.exec:\tjlfb.exe25⤵
- Executes dropped EXE
-
\??\c:\brjbnl.exec:\brjbnl.exe26⤵
- Executes dropped EXE
-
\??\c:\rjttj.exec:\rjttj.exe27⤵
- Executes dropped EXE
-
\??\c:\jjjlfj.exec:\jjjlfj.exe28⤵
- Executes dropped EXE
-
\??\c:\ffddvf.exec:\ffddvf.exe29⤵
- Executes dropped EXE
-
\??\c:\tjtvp.exec:\tjtvp.exe30⤵
- Executes dropped EXE
-
\??\c:\jnxrd.exec:\jnxrd.exe31⤵
- Executes dropped EXE
-
\??\c:\bjjrfxp.exec:\bjjrfxp.exe32⤵
- Executes dropped EXE
-
\??\c:\htxfxh.exec:\htxfxh.exe33⤵
- Executes dropped EXE
-
\??\c:\xjnrht.exec:\xjnrht.exe34⤵
- Executes dropped EXE
-
\??\c:\dtfhpbv.exec:\dtfhpbv.exe35⤵
- Executes dropped EXE
-
\??\c:\brbjf.exec:\brbjf.exe36⤵
- Executes dropped EXE
-
\??\c:\lnnflvh.exec:\lnnflvh.exe37⤵
- Executes dropped EXE
-
\??\c:\jhthvvf.exec:\jhthvvf.exe38⤵
- Executes dropped EXE
-
\??\c:\htltd.exec:\htltd.exe39⤵
- Executes dropped EXE
-
\??\c:\bnpbbdl.exec:\bnpbbdl.exe40⤵
- Executes dropped EXE
-
\??\c:\jrpfhv.exec:\jrpfhv.exe41⤵
- Executes dropped EXE
-
\??\c:\tjrdl.exec:\tjrdl.exe42⤵
- Executes dropped EXE
-
\??\c:\fjnrthh.exec:\fjnrthh.exe43⤵
- Executes dropped EXE
-
\??\c:\bbrpftv.exec:\bbrpftv.exe44⤵
- Executes dropped EXE
-
\??\c:\jttvx.exec:\jttvx.exe45⤵
- Executes dropped EXE
-
\??\c:\lvpptl.exec:\lvpptl.exe46⤵
- Executes dropped EXE
-
\??\c:\nfbjdjr.exec:\nfbjdjr.exe47⤵
- Executes dropped EXE
-
\??\c:\rnntl.exec:\rnntl.exe48⤵
- Executes dropped EXE
-
\??\c:\tvpdxph.exec:\tvpdxph.exe49⤵
- Executes dropped EXE
-
\??\c:\jfvdpr.exec:\jfvdpr.exe50⤵
- Executes dropped EXE
-
\??\c:\nbvpl.exec:\nbvpl.exe51⤵
- Executes dropped EXE
-
\??\c:\lxvjlj.exec:\lxvjlj.exe52⤵
- Executes dropped EXE
-
\??\c:\jdjjtjh.exec:\jdjjtjh.exe53⤵
- Executes dropped EXE
-
\??\c:\xprdxpn.exec:\xprdxpn.exe54⤵
- Executes dropped EXE
-
\??\c:\rjpphrd.exec:\rjpphrd.exe55⤵
- Executes dropped EXE
-
\??\c:\pxhdpjt.exec:\pxhdpjt.exe56⤵
- Executes dropped EXE
-
\??\c:\ptlhrd.exec:\ptlhrd.exe57⤵
- Executes dropped EXE
-
\??\c:\ljvldd.exec:\ljvldd.exe58⤵
- Executes dropped EXE
-
\??\c:\ddjvlrx.exec:\ddjvlrx.exe59⤵
- Executes dropped EXE
-
\??\c:\jrdpxdj.exec:\jrdpxdj.exe60⤵
- Executes dropped EXE
-
\??\c:\jjlrrlv.exec:\jjlrrlv.exe61⤵
- Executes dropped EXE
-
\??\c:\xrxtvfx.exec:\xrxtvfx.exe62⤵
- Executes dropped EXE
-
\??\c:\hvxjv.exec:\hvxjv.exe63⤵
- Executes dropped EXE
-
\??\c:\lnhdxh.exec:\lnhdxh.exe64⤵
- Executes dropped EXE
-
\??\c:\brpllxl.exec:\brpllxl.exe65⤵
- Executes dropped EXE
-
\??\c:\vjbtxjn.exec:\vjbtxjn.exe66⤵
-
\??\c:\prtphl.exec:\prtphl.exe67⤵
-
\??\c:\fpvrxdr.exec:\fpvrxdr.exe68⤵
-
\??\c:\nhbjthj.exec:\nhbjthj.exe69⤵
-
\??\c:\dntltfv.exec:\dntltfv.exe70⤵
-
\??\c:\hfrtlh.exec:\hfrtlh.exe71⤵
-
\??\c:\vrvxdft.exec:\vrvxdft.exe72⤵
-
\??\c:\prnjjj.exec:\prnjjj.exe73⤵
-
\??\c:\vnxxvpf.exec:\vnxxvpf.exe74⤵
-
\??\c:\rvbhjhn.exec:\rvbhjhn.exe75⤵
-
\??\c:\pxnfvvx.exec:\pxnfvvx.exe76⤵
-
\??\c:\lbnbpvl.exec:\lbnbpvl.exe77⤵
-
\??\c:\xndrh.exec:\xndrh.exe78⤵
-
\??\c:\nnhlt.exec:\nnhlt.exe79⤵
-
\??\c:\htdvbx.exec:\htdvbx.exe80⤵
-
\??\c:\jbtnp.exec:\jbtnp.exe81⤵
-
\??\c:\jtbtll.exec:\jtbtll.exe82⤵
-
\??\c:\jtrpjv.exec:\jtrpjv.exe83⤵
-
\??\c:\dllnb.exec:\dllnb.exe84⤵
-
\??\c:\pdxplx.exec:\pdxplx.exe85⤵
-
\??\c:\bpffnx.exec:\bpffnx.exe86⤵
-
\??\c:\thvht.exec:\thvht.exe87⤵
-
\??\c:\nnvxxd.exec:\nnvxxd.exe88⤵
-
\??\c:\vbljvt.exec:\vbljvt.exe89⤵
-
\??\c:\pvbthd.exec:\pvbthd.exe90⤵
-
\??\c:\xtpfh.exec:\xtpfh.exe91⤵
-
\??\c:\bdjvd.exec:\bdjvd.exe92⤵
-
\??\c:\rltdb.exec:\rltdb.exe93⤵
-
\??\c:\hdlbjd.exec:\hdlbjd.exe94⤵
-
\??\c:\vxxfrnr.exec:\vxxfrnr.exe95⤵
-
\??\c:\btrjjjt.exec:\btrjjjt.exe96⤵
-
\??\c:\vpdxnt.exec:\vpdxnt.exe97⤵
-
\??\c:\blxbvp.exec:\blxbvp.exe98⤵
-
\??\c:\nvlxl.exec:\nvlxl.exe99⤵
-
\??\c:\ljflhtd.exec:\ljflhtd.exe100⤵
-
\??\c:\vfrftbv.exec:\vfrftbv.exe101⤵
-
\??\c:\nfbhlt.exec:\nfbhlt.exe102⤵
-
\??\c:\pjrhl.exec:\pjrhl.exe103⤵
-
\??\c:\prjdr.exec:\prjdr.exe104⤵
-
\??\c:\jpptdl.exec:\jpptdl.exe105⤵
-
\??\c:\xbndhd.exec:\xbndhd.exe106⤵
-
\??\c:\jfjdvlv.exec:\jfjdvlv.exe107⤵
-
\??\c:\dltxpvd.exec:\dltxpvd.exe108⤵
-
\??\c:\dfnrp.exec:\dfnrp.exe109⤵
-
\??\c:\lpvdpl.exec:\lpvdpl.exe110⤵
-
\??\c:\rljdn.exec:\rljdn.exe111⤵
-
\??\c:\tblxl.exec:\tblxl.exe112⤵
-
\??\c:\hppvx.exec:\hppvx.exe113⤵
-
\??\c:\tfvhdt.exec:\tfvhdt.exe114⤵
-
\??\c:\rvdtpx.exec:\rvdtpx.exe115⤵
-
\??\c:\dpxtjp.exec:\dpxtjp.exe116⤵
-
\??\c:\nfnft.exec:\nfnft.exe117⤵
-
\??\c:\fllrdrn.exec:\fllrdrn.exe118⤵
-
\??\c:\tnbdn.exec:\tnbdn.exe119⤵
-
\??\c:\tjpxxrf.exec:\tjpxxrf.exe120⤵
-
\??\c:\pxbhhvt.exec:\pxbhhvt.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-