Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
14/05/2024, 16:42
General
-
Target
cdc6c67f2a54696c9e6c4b3379bf32a0_NeikiAnalytics.exe
-
Size
74KB
-
MD5
cdc6c67f2a54696c9e6c4b3379bf32a0
-
SHA1
1c245b8ff35ba7543dc060d8f2e3c92bc632520e
-
SHA256
457c9c1cb696ca7bb5667f34c3536a53c1c4989f05e709c083a6d7cffd76f0e7
-
SHA512
cfc748278243343f453747b1fbf802bc373ff7c44b68ca015a240ad572c4e5c5ab466b70507dfcc05d16c5c7e9623ccefea065e0e35047741aa02204eb21650a
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIrmCeRMKeWqNSd:ymb3NkkiQ3mdBjFIjek5A
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 23 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cdc6c67f2a54696c9e6c4b3379bf32a0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\cdc6c67f2a54696c9e6c4b3379bf32a0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\3fffffl.exec:\3fffffl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnhbhh.exec:\bnhbhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1dddp.exec:\1dddp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdjjj.exec:\vdjjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxrlrlf.exec:\lxrlrlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbthb.exec:\htbthb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hntthb.exec:\hntthb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5pjjj.exec:\5pjjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrlfrrl.exec:\xrlfrrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthbtn.exec:\bthbtn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjddj.exec:\vjddj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frlxlfx.exec:\frlxlfx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnhhh.exec:\tnnhhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbthnt.exec:\hbthnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvdd.exec:\dvvdd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flrxflx.exec:\flrxflx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbhbb.exec:\btbhbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thhbtn.exec:\thhbtn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvpj.exec:\vvvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7rrlxrl.exec:\7rrlxrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfflxll.exec:\rfflxll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhttnn.exec:\bhttnn.exe23⤵
- Executes dropped EXE
-
\??\c:\bntntn.exec:\bntntn.exe24⤵
- Executes dropped EXE
-
\??\c:\ddjdj.exec:\ddjdj.exe25⤵
- Executes dropped EXE
-
\??\c:\vddjd.exec:\vddjd.exe26⤵
- Executes dropped EXE
-
\??\c:\7lrlllf.exec:\7lrlllf.exe27⤵
- Executes dropped EXE
-
\??\c:\flrxxfl.exec:\flrxxfl.exe28⤵
- Executes dropped EXE
-
\??\c:\bbhtbn.exec:\bbhtbn.exe29⤵
- Executes dropped EXE
-
\??\c:\dvjjd.exec:\dvjjd.exe30⤵
- Executes dropped EXE
-
\??\c:\fxlffxr.exec:\fxlffxr.exe31⤵
- Executes dropped EXE
-
\??\c:\rxrrxxr.exec:\rxrrxxr.exe32⤵
- Executes dropped EXE
-
\??\c:\bnbttt.exec:\bnbttt.exe33⤵
- Executes dropped EXE
-
\??\c:\nbbhbb.exec:\nbbhbb.exe34⤵
- Executes dropped EXE
-
\??\c:\vpvvp.exec:\vpvvp.exe35⤵
- Executes dropped EXE
-
\??\c:\7djpd.exec:\7djpd.exe36⤵
- Executes dropped EXE
-
\??\c:\5fllfff.exec:\5fllfff.exe37⤵
- Executes dropped EXE
-
\??\c:\hbnhbb.exec:\hbnhbb.exe38⤵
- Executes dropped EXE
-
\??\c:\hbhbtn.exec:\hbhbtn.exe39⤵
- Executes dropped EXE
-
\??\c:\jjdvv.exec:\jjdvv.exe40⤵
- Executes dropped EXE
-
\??\c:\frxrxxx.exec:\frxrxxx.exe41⤵
- Executes dropped EXE
-
\??\c:\hnhbhb.exec:\hnhbhb.exe42⤵
- Executes dropped EXE
-
\??\c:\hntttb.exec:\hntttb.exe43⤵
- Executes dropped EXE
-
\??\c:\pvdjp.exec:\pvdjp.exe44⤵
- Executes dropped EXE
-
\??\c:\rxrxrxx.exec:\rxrxrxx.exe45⤵
- Executes dropped EXE
-
\??\c:\fxxrllf.exec:\fxxrllf.exe46⤵
- Executes dropped EXE
-
\??\c:\hbhntb.exec:\hbhntb.exe47⤵
- Executes dropped EXE
-
\??\c:\jdjjp.exec:\jdjjp.exe48⤵
- Executes dropped EXE
-
\??\c:\pjddj.exec:\pjddj.exe49⤵
- Executes dropped EXE
-
\??\c:\fffxlfr.exec:\fffxlfr.exe50⤵
- Executes dropped EXE
-
\??\c:\5fxrllf.exec:\5fxrllf.exe51⤵
- Executes dropped EXE
-
\??\c:\tbhhhh.exec:\tbhhhh.exe52⤵
- Executes dropped EXE
-
\??\c:\bbhttb.exec:\bbhttb.exe53⤵
- Executes dropped EXE
-
\??\c:\vjvpd.exec:\vjvpd.exe54⤵
- Executes dropped EXE
-
\??\c:\7ffrffr.exec:\7ffrffr.exe55⤵
- Executes dropped EXE
-
\??\c:\lfffffx.exec:\lfffffx.exe56⤵
- Executes dropped EXE
-
\??\c:\nnnnnn.exec:\nnnnnn.exe57⤵
- Executes dropped EXE
-
\??\c:\jddvp.exec:\jddvp.exe58⤵
- Executes dropped EXE
-
\??\c:\vjddv.exec:\vjddv.exe59⤵
- Executes dropped EXE
-
\??\c:\rffxllf.exec:\rffxllf.exe60⤵
- Executes dropped EXE
-
\??\c:\lfflllf.exec:\lfflllf.exe61⤵
- Executes dropped EXE
-
\??\c:\nnhthb.exec:\nnhthb.exe62⤵
- Executes dropped EXE
-
\??\c:\3btttb.exec:\3btttb.exe63⤵
- Executes dropped EXE
-
\??\c:\7vdpd.exec:\7vdpd.exe64⤵
- Executes dropped EXE
-
\??\c:\pppjp.exec:\pppjp.exe65⤵
- Executes dropped EXE
-
\??\c:\frlfffx.exec:\frlfffx.exe66⤵
-
\??\c:\3xfxrrl.exec:\3xfxrrl.exe67⤵
-
\??\c:\bnbtnt.exec:\bnbtnt.exe68⤵
-
\??\c:\1ttnhh.exec:\1ttnhh.exe69⤵
-
\??\c:\jdjdj.exec:\jdjdj.exe70⤵
-
\??\c:\pjppj.exec:\pjppj.exe71⤵
-
\??\c:\xrrfxxr.exec:\xrrfxxr.exe72⤵
-
\??\c:\rfxrlll.exec:\rfxrlll.exe73⤵
-
\??\c:\1bthbb.exec:\1bthbb.exe74⤵
-
\??\c:\hnhbnn.exec:\hnhbnn.exe75⤵
-
\??\c:\nbbthh.exec:\nbbthh.exe76⤵
-
\??\c:\dpvvv.exec:\dpvvv.exe77⤵
-
\??\c:\djpvp.exec:\djpvp.exe78⤵
-
\??\c:\rxlfrrl.exec:\rxlfrrl.exe79⤵
-
\??\c:\nbtbnn.exec:\nbtbnn.exe80⤵
-
\??\c:\thhbth.exec:\thhbth.exe81⤵
-
\??\c:\jppjd.exec:\jppjd.exe82⤵
-
\??\c:\pvvvp.exec:\pvvvp.exe83⤵
-
\??\c:\lfrfxxr.exec:\lfrfxxr.exe84⤵
-
\??\c:\frxrlrr.exec:\frxrlrr.exe85⤵
-
\??\c:\nnbtnn.exec:\nnbtnn.exe86⤵
-
\??\c:\jpvpj.exec:\jpvpj.exe87⤵
-
\??\c:\pdvjd.exec:\pdvjd.exe88⤵
-
\??\c:\lxfxxxf.exec:\lxfxxxf.exe89⤵
-
\??\c:\lfxrrll.exec:\lfxrrll.exe90⤵
-
\??\c:\llflllx.exec:\llflllx.exe91⤵
-
\??\c:\bthhhh.exec:\bthhhh.exe92⤵
-
\??\c:\dddpj.exec:\dddpj.exe93⤵
-
\??\c:\rfxrrrl.exec:\rfxrrrl.exe94⤵
-
\??\c:\httnhh.exec:\httnhh.exe95⤵
-
\??\c:\nnbbtb.exec:\nnbbtb.exe96⤵
-
\??\c:\jdpvp.exec:\jdpvp.exe97⤵
-
\??\c:\jvvpp.exec:\jvvpp.exe98⤵
-
\??\c:\xlxlllr.exec:\xlxlllr.exe99⤵
-
\??\c:\nbbtnn.exec:\nbbtnn.exe100⤵
-
\??\c:\djpvp.exec:\djpvp.exe101⤵
-
\??\c:\5jdvv.exec:\5jdvv.exe102⤵
-
\??\c:\lrlrrlf.exec:\lrlrrlf.exe103⤵
-
\??\c:\1nnnnn.exec:\1nnnnn.exe104⤵
-
\??\c:\nhbthh.exec:\nhbthh.exe105⤵
-
\??\c:\pddvp.exec:\pddvp.exe106⤵
-
\??\c:\llffxxx.exec:\llffxxx.exe107⤵
-
\??\c:\rffxrrr.exec:\rffxrrr.exe108⤵
-
\??\c:\nbhnhh.exec:\nbhnhh.exe109⤵
-
\??\c:\btttnt.exec:\btttnt.exe110⤵
-
\??\c:\pvpvp.exec:\pvpvp.exe111⤵
-
\??\c:\1jvpj.exec:\1jvpj.exe112⤵
-
\??\c:\lxfffll.exec:\lxfffll.exe113⤵
-
\??\c:\ffrrlll.exec:\ffrrlll.exe114⤵
-
\??\c:\vvdvv.exec:\vvdvv.exe115⤵
-
\??\c:\ddjjj.exec:\ddjjj.exe116⤵
-
\??\c:\xlrlllf.exec:\xlrlllf.exe117⤵
-
\??\c:\xlxxlrx.exec:\xlxxlrx.exe118⤵
-
\??\c:\hbbtnh.exec:\hbbtnh.exe119⤵
-
\??\c:\nhhtnh.exec:\nhhtnh.exe120⤵
-
\??\c:\dvppj.exec:\dvppj.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-