Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
16-05-2024 08:12
General
-
Target
c580da6ec82171b892137234ef2d2280_NeikiAnalytics.exe
-
Size
537KB
-
MD5
c580da6ec82171b892137234ef2d2280
-
SHA1
ee265d8c6504e4566e1e38ee8413740a5f24539a
-
SHA256
aada36086bc7822fbb827e231175390923f3227c32785402037d6bec5329f03f
-
SHA512
11faee45de96c41a0656047854d69ad5a7e6464475fd2ae632b0fc04e961f320e6e72e41be281ae9ec5cb230ae90ec09153324d4ec1569b2bf03b8cde25df70d
-
SSDEEP
12288:y4wFHoS3eFp3IDvSbh5nP+UbGTHoSouKs8N0u/D6vIZ6:HFp3lzZbGa5so6
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 64 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c580da6ec82171b892137234ef2d2280_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\c580da6ec82171b892137234ef2d2280_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\frxllfl.exec:\frxllfl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhhbtn.exec:\bhhbtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbntn.exec:\btbntn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjvj.exec:\jdjvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rllxrfx.exec:\rllxrfx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxrfxlx.exec:\lxrfxlx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnhbnh.exec:\bnhbnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjvj.exec:\jdjvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpppd.exec:\vpppd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlfrllx.exec:\rlfrllx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbtnh.exec:\tnbtnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbnbb.exec:\btbnbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvpd.exec:\vvvpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrfrrxl.exec:\lrfrrxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnnnhh.exec:\hnnnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbbtnh.exec:\nbbtnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjpdd.exec:\vjpdd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxlfxrl.exec:\rxlfxrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxrlxr.exec:\lfxrlxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbtnbn.exec:\hbtnbn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjdd.exec:\ddjdd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lflfxlf.exec:\lflfxlf.exe23⤵
- Executes dropped EXE
-
\??\c:\5xlfxrl.exec:\5xlfxrl.exe24⤵
- Executes dropped EXE
-
\??\c:\tnnbth.exec:\tnnbth.exe25⤵
- Executes dropped EXE
-
\??\c:\ppvpd.exec:\ppvpd.exe26⤵
- Executes dropped EXE
-
\??\c:\rflfxrr.exec:\rflfxrr.exe27⤵
- Executes dropped EXE
-
\??\c:\lxxxllf.exec:\lxxxllf.exe28⤵
- Executes dropped EXE
-
\??\c:\ntnhbt.exec:\ntnhbt.exe29⤵
- Executes dropped EXE
-
\??\c:\dpjdv.exec:\dpjdv.exe30⤵
- Executes dropped EXE
-
\??\c:\jvpjv.exec:\jvpjv.exe31⤵
- Executes dropped EXE
-
\??\c:\rxfxlfx.exec:\rxfxlfx.exe32⤵
- Executes dropped EXE
-
\??\c:\tnbttn.exec:\tnbttn.exe33⤵
- Executes dropped EXE
-
\??\c:\nnbtbb.exec:\nnbtbb.exe34⤵
- Executes dropped EXE
-
\??\c:\jpdvp.exec:\jpdvp.exe35⤵
- Executes dropped EXE
-
\??\c:\xlrfxrl.exec:\xlrfxrl.exe36⤵
- Executes dropped EXE
-
\??\c:\lffxrrl.exec:\lffxrrl.exe37⤵
- Executes dropped EXE
-
\??\c:\btnbtn.exec:\btnbtn.exe38⤵
- Executes dropped EXE
-
\??\c:\vppdv.exec:\vppdv.exe39⤵
- Executes dropped EXE
-
\??\c:\vdddv.exec:\vdddv.exe40⤵
- Executes dropped EXE
-
\??\c:\rrfxrxl.exec:\rrfxrxl.exe41⤵
- Executes dropped EXE
-
\??\c:\bhnbhh.exec:\bhnbhh.exe42⤵
- Executes dropped EXE
-
\??\c:\hhthtt.exec:\hhthtt.exe43⤵
- Executes dropped EXE
-
\??\c:\1pjdp.exec:\1pjdp.exe44⤵
- Executes dropped EXE
-
\??\c:\5rlflrl.exec:\5rlflrl.exe45⤵
- Executes dropped EXE
-
\??\c:\lxxrxrl.exec:\lxxrxrl.exe46⤵
- Executes dropped EXE
-
\??\c:\hbbnhb.exec:\hbbnhb.exe47⤵
- Executes dropped EXE
-
\??\c:\vppjd.exec:\vppjd.exe48⤵
- Executes dropped EXE
-
\??\c:\7jpdd.exec:\7jpdd.exe49⤵
- Executes dropped EXE
-
\??\c:\3lrfrlx.exec:\3lrfrlx.exe50⤵
- Executes dropped EXE
-
\??\c:\tntttn.exec:\tntttn.exe51⤵
- Executes dropped EXE
-
\??\c:\jjvpv.exec:\jjvpv.exe52⤵
- Executes dropped EXE
-
\??\c:\9vdpj.exec:\9vdpj.exe53⤵
- Executes dropped EXE
-
\??\c:\xxxlfrl.exec:\xxxlfrl.exe54⤵
- Executes dropped EXE
-
\??\c:\1hnnhb.exec:\1hnnhb.exe55⤵
- Executes dropped EXE
-
\??\c:\hnhtnh.exec:\hnhtnh.exe56⤵
- Executes dropped EXE
-
\??\c:\9rlffxr.exec:\9rlffxr.exe57⤵
- Executes dropped EXE
-
\??\c:\hnttnt.exec:\hnttnt.exe58⤵
- Executes dropped EXE
-
\??\c:\hnntnb.exec:\hnntnb.exe59⤵
- Executes dropped EXE
-
\??\c:\jdvjd.exec:\jdvjd.exe60⤵
- Executes dropped EXE
-
\??\c:\5fxrxxf.exec:\5fxrxxf.exe61⤵
- Executes dropped EXE
-
\??\c:\nbhbbb.exec:\nbhbbb.exe62⤵
- Executes dropped EXE
-
\??\c:\vdvvp.exec:\vdvvp.exe63⤵
- Executes dropped EXE
-
\??\c:\rxfrxfx.exec:\rxfrxfx.exe64⤵
- Executes dropped EXE
-
\??\c:\lfrfxlf.exec:\lfrfxlf.exe65⤵
- Executes dropped EXE
-
\??\c:\nbhbnn.exec:\nbhbnn.exe66⤵
-
\??\c:\lrrfrlx.exec:\lrrfrlx.exe67⤵
-
\??\c:\9hhbtn.exec:\9hhbtn.exe68⤵
-
\??\c:\vjdjd.exec:\vjdjd.exe69⤵
-
\??\c:\3rxrfxl.exec:\3rxrfxl.exe70⤵
-
\??\c:\1bnbnb.exec:\1bnbnb.exe71⤵
-
\??\c:\bthttt.exec:\bthttt.exe72⤵
-
\??\c:\jpvpj.exec:\jpvpj.exe73⤵
-
\??\c:\rlfxlfx.exec:\rlfxlfx.exe74⤵
-
\??\c:\5nbtbb.exec:\5nbtbb.exe75⤵
-
\??\c:\5tbtbb.exec:\5tbtbb.exe76⤵
-
\??\c:\jddvv.exec:\jddvv.exe77⤵
-
\??\c:\llxrrfl.exec:\llxrrfl.exe78⤵
-
\??\c:\9bnthb.exec:\9bnthb.exe79⤵
-
\??\c:\vjdpp.exec:\vjdpp.exe80⤵
-
\??\c:\jvdpj.exec:\jvdpj.exe81⤵
-
\??\c:\fxrrlxl.exec:\fxrrlxl.exe82⤵
-
\??\c:\hnbtth.exec:\hnbtth.exe83⤵
-
\??\c:\vdpjv.exec:\vdpjv.exe84⤵
-
\??\c:\rfflfff.exec:\rfflfff.exe85⤵
-
\??\c:\nnthbt.exec:\nnthbt.exe86⤵
-
\??\c:\hntnhh.exec:\hntnhh.exe87⤵
-
\??\c:\7vpjv.exec:\7vpjv.exe88⤵
-
\??\c:\dpjpd.exec:\dpjpd.exe89⤵
-
\??\c:\fllffxl.exec:\fllffxl.exe90⤵
-
\??\c:\tbbthh.exec:\tbbthh.exe91⤵
-
\??\c:\jvpjd.exec:\jvpjd.exe92⤵
-
\??\c:\xlxlflx.exec:\xlxlflx.exe93⤵
-
\??\c:\thhtnb.exec:\thhtnb.exe94⤵
-
\??\c:\9hhtnb.exec:\9hhtnb.exe95⤵
-
\??\c:\jvdpj.exec:\jvdpj.exe96⤵
-
\??\c:\llxlxrf.exec:\llxlxrf.exe97⤵
-
\??\c:\9thtnh.exec:\9thtnh.exe98⤵
-
\??\c:\pdvpd.exec:\pdvpd.exe99⤵
-
\??\c:\rrxxllr.exec:\rrxxllr.exe100⤵
-
\??\c:\nntttt.exec:\nntttt.exe101⤵
-
\??\c:\ddvvv.exec:\ddvvv.exe102⤵
-
\??\c:\rlrrlxx.exec:\rlrrlxx.exe103⤵
-
\??\c:\rxxlllf.exec:\rxxlllf.exe104⤵
-
\??\c:\tnbttt.exec:\tnbttt.exe105⤵
-
\??\c:\vpvvv.exec:\vpvvv.exe106⤵
-
\??\c:\1xrrlxr.exec:\1xrrlxr.exe107⤵
-
\??\c:\tnttnn.exec:\tnttnn.exe108⤵
-
\??\c:\dppvv.exec:\dppvv.exe109⤵
-
\??\c:\pjpjj.exec:\pjpjj.exe110⤵
-
\??\c:\rrrllll.exec:\rrrllll.exe111⤵
-
\??\c:\nhnnnn.exec:\nhnnnn.exe112⤵
-
\??\c:\btbtnn.exec:\btbtnn.exe113⤵
-
\??\c:\vjjdj.exec:\vjjdj.exe114⤵
-
\??\c:\lrxrrrl.exec:\lrxrrrl.exe115⤵
-
\??\c:\hbttnn.exec:\hbttnn.exe116⤵
-
\??\c:\jdjdd.exec:\jdjdd.exe117⤵
-
\??\c:\rfrfrfx.exec:\rfrfrfx.exe118⤵
-
\??\c:\thnnnb.exec:\thnnnb.exe119⤵
-
\??\c:\djjjj.exec:\djjjj.exe120⤵
-
\??\c:\vvddv.exec:\vvddv.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-