Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
11-05-2024 00:57
General
-
Target
438c2c204bd3f478410246581267f670_NeikiAnalytics.exe
-
Size
392KB
-
MD5
438c2c204bd3f478410246581267f670
-
SHA1
e2b3127f3943ce753ca784376a528a7b254e2ae7
-
SHA256
2f3d907b14c46a0531a6f82dd56768aeb78fc86e8960a451981be95d0d9b7c82
-
SHA512
75eefc596cbd27a84e5e376d37fdaf40e6c21d69cb2bf838260327f9ed117e5d367e4086d3d5da61a391745b88ae61e80ac9289315cd058aa1d6c3126ffd2a44
-
SSDEEP
6144:n3C9BRIG0asYFm71mPfkVB8dKwaO5CVwOV:n3C9uYA7okVqdKwaO5CV3
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 27 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\438c2c204bd3f478410246581267f670_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\438c2c204bd3f478410246581267f670_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\20482.exec:\20482.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\44226.exec:\44226.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbtnt.exec:\tnbtnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\686020.exec:\686020.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\82488.exec:\82488.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4060400.exec:\4060400.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrffffl.exec:\xrffffl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rflfxrl.exec:\rflfxrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6868882.exec:\6868882.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhbtt.exec:\nnhbtt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvjd.exec:\jjvjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\e24088.exec:\e24088.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6622868.exec:\6622868.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1hhhbh.exec:\1hhhbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\042804.exec:\042804.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbthb.exec:\htbthb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\244626.exec:\244626.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhhhbn.exec:\bhhhbn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thbbtn.exec:\thbbtn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\606448.exec:\606448.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\c404882.exec:\c404882.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8002222.exec:\8002222.exe23⤵
- Executes dropped EXE
-
\??\c:\lflfxxx.exec:\lflfxxx.exe24⤵
- Executes dropped EXE
-
\??\c:\4042424.exec:\4042424.exe25⤵
- Executes dropped EXE
-
\??\c:\8062604.exec:\8062604.exe26⤵
- Executes dropped EXE
-
\??\c:\i648882.exec:\i648882.exe27⤵
- Executes dropped EXE
-
\??\c:\2260448.exec:\2260448.exe28⤵
- Executes dropped EXE
-
\??\c:\hntnbh.exec:\hntnbh.exe29⤵
- Executes dropped EXE
-
\??\c:\5xffxxx.exec:\5xffxxx.exe30⤵
- Executes dropped EXE
-
\??\c:\7jvpv.exec:\7jvpv.exe31⤵
- Executes dropped EXE
-
\??\c:\9ppjd.exec:\9ppjd.exe32⤵
- Executes dropped EXE
-
\??\c:\i248822.exec:\i248822.exe33⤵
- Executes dropped EXE
-
\??\c:\8488626.exec:\8488626.exe34⤵
- Executes dropped EXE
-
\??\c:\k42266.exec:\k42266.exe35⤵
- Executes dropped EXE
-
\??\c:\w08662.exec:\w08662.exe36⤵
- Executes dropped EXE
-
\??\c:\64048.exec:\64048.exe37⤵
- Executes dropped EXE
-
\??\c:\42260.exec:\42260.exe38⤵
- Executes dropped EXE
-
\??\c:\thhbtt.exec:\thhbtt.exe39⤵
- Executes dropped EXE
-
\??\c:\262688.exec:\262688.exe40⤵
- Executes dropped EXE
-
\??\c:\6660006.exec:\6660006.exe41⤵
- Executes dropped EXE
-
\??\c:\8462666.exec:\8462666.exe42⤵
- Executes dropped EXE
-
\??\c:\rrrlllf.exec:\rrrlllf.exe43⤵
- Executes dropped EXE
-
\??\c:\bhbbbt.exec:\bhbbbt.exe44⤵
- Executes dropped EXE
-
\??\c:\0228488.exec:\0228488.exe45⤵
- Executes dropped EXE
-
\??\c:\xxxxrxx.exec:\xxxxrxx.exe46⤵
- Executes dropped EXE
-
\??\c:\4684888.exec:\4684888.exe47⤵
- Executes dropped EXE
-
\??\c:\0468680.exec:\0468680.exe48⤵
- Executes dropped EXE
-
\??\c:\bhnhnb.exec:\bhnhnb.exe49⤵
- Executes dropped EXE
-
\??\c:\2060444.exec:\2060444.exe50⤵
- Executes dropped EXE
-
\??\c:\264248.exec:\264248.exe51⤵
- Executes dropped EXE
-
\??\c:\w06268.exec:\w06268.exe52⤵
- Executes dropped EXE
-
\??\c:\8666600.exec:\8666600.exe53⤵
- Executes dropped EXE
-
\??\c:\04024.exec:\04024.exe54⤵
- Executes dropped EXE
-
\??\c:\nnhhhb.exec:\nnhhhb.exe55⤵
- Executes dropped EXE
-
\??\c:\rlrlffx.exec:\rlrlffx.exe56⤵
- Executes dropped EXE
-
\??\c:\tbtbhh.exec:\tbtbhh.exe57⤵
- Executes dropped EXE
-
\??\c:\42660.exec:\42660.exe58⤵
- Executes dropped EXE
-
\??\c:\thtbbb.exec:\thtbbb.exe59⤵
- Executes dropped EXE
-
\??\c:\2804606.exec:\2804606.exe60⤵
- Executes dropped EXE
-
\??\c:\vvdvp.exec:\vvdvp.exe61⤵
- Executes dropped EXE
-
\??\c:\824462.exec:\824462.exe62⤵
- Executes dropped EXE
-
\??\c:\tbbhhn.exec:\tbbhhn.exe63⤵
- Executes dropped EXE
-
\??\c:\s2428.exec:\s2428.exe64⤵
- Executes dropped EXE
-
\??\c:\4060482.exec:\4060482.exe65⤵
- Executes dropped EXE
-
\??\c:\a8426.exec:\a8426.exe66⤵
-
\??\c:\lffxffx.exec:\lffxffx.exe67⤵
-
\??\c:\4468224.exec:\4468224.exe68⤵
-
\??\c:\6026224.exec:\6026224.exe69⤵
-
\??\c:\7tnbtt.exec:\7tnbtt.exe70⤵
-
\??\c:\20882.exec:\20882.exe71⤵
-
\??\c:\822604.exec:\822604.exe72⤵
-
\??\c:\06604.exec:\06604.exe73⤵
-
\??\c:\hbnhhn.exec:\hbnhhn.exe74⤵
-
\??\c:\o060022.exec:\o060022.exe75⤵
-
\??\c:\c686666.exec:\c686666.exe76⤵
-
\??\c:\hnnbtn.exec:\hnnbtn.exe77⤵
-
\??\c:\tnntbh.exec:\tnntbh.exe78⤵
-
\??\c:\hnhnnb.exec:\hnhnnb.exe79⤵
-
\??\c:\2260448.exec:\2260448.exe80⤵
-
\??\c:\tbbnht.exec:\tbbnht.exe81⤵
-
\??\c:\tnntbh.exec:\tnntbh.exe82⤵
-
\??\c:\8848664.exec:\8848664.exe83⤵
-
\??\c:\bthhbn.exec:\bthhbn.exe84⤵
-
\??\c:\rfrllrx.exec:\rfrllrx.exe85⤵
-
\??\c:\8226246.exec:\8226246.exe86⤵
-
\??\c:\2400226.exec:\2400226.exe87⤵
-
\??\c:\468084.exec:\468084.exe88⤵
-
\??\c:\864880.exec:\864880.exe89⤵
-
\??\c:\vpvdd.exec:\vpvdd.exe90⤵
-
\??\c:\nthhbt.exec:\nthhbt.exe91⤵
-
\??\c:\ttbbbb.exec:\ttbbbb.exe92⤵
-
\??\c:\vdvvp.exec:\vdvvp.exe93⤵
-
\??\c:\2600604.exec:\2600604.exe94⤵
-
\??\c:\hnthnt.exec:\hnthnt.exe95⤵
-
\??\c:\hhnnnn.exec:\hhnnnn.exe96⤵
-
\??\c:\04000.exec:\04000.exe97⤵
-
\??\c:\pjvdp.exec:\pjvdp.exe98⤵
-
\??\c:\pdvpj.exec:\pdvpj.exe99⤵
-
\??\c:\0044846.exec:\0044846.exe100⤵
-
\??\c:\hhnnnn.exec:\hhnnnn.exe101⤵
-
\??\c:\w66260.exec:\w66260.exe102⤵
-
\??\c:\xlfrllx.exec:\xlfrllx.exe103⤵
-
\??\c:\pvdpj.exec:\pvdpj.exe104⤵
-
\??\c:\2246000.exec:\2246000.exe105⤵
-
\??\c:\rrxxlrf.exec:\rrxxlrf.exe106⤵
-
\??\c:\624486.exec:\624486.exe107⤵
-
\??\c:\288822.exec:\288822.exe108⤵
-
\??\c:\ttnhth.exec:\ttnhth.exe109⤵
-
\??\c:\nhtnht.exec:\nhtnht.exe110⤵
-
\??\c:\rlxlrlr.exec:\rlxlrlr.exe111⤵
-
\??\c:\a6822.exec:\a6822.exe112⤵
-
\??\c:\6448260.exec:\6448260.exe113⤵
-
\??\c:\rlfxrrl.exec:\rlfxrrl.exe114⤵
-
\??\c:\8646824.exec:\8646824.exe115⤵
-
\??\c:\lrxxrrl.exec:\lrxxrrl.exe116⤵
-
\??\c:\jdjdd.exec:\jdjdd.exe117⤵
-
\??\c:\xrxrrll.exec:\xrxrrll.exe118⤵
-
\??\c:\xrrllfx.exec:\xrrllfx.exe119⤵
-
\??\c:\604484.exec:\604484.exe120⤵
-
\??\c:\pjdvp.exec:\pjdvp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-