Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
17-05-2024 05:24
General
-
Target
b378a13d22be8750c033fb01e84f50c0_NeikiAnalytics.exe
-
Size
385KB
-
MD5
b378a13d22be8750c033fb01e84f50c0
-
SHA1
2ebe767ee584ddd7ceab99920526ebf445084342
-
SHA256
5cdf7c4d6f89c719f9fbc65de79fd75d67cb741db6feefb9531d6aee884042af
-
SHA512
4a969542af19c538c36b3f4c71b4bb9ab208bc6b36b4fb67fac23b390af7d6b6301c9f8975a17b6410ab93715908485523d867cc786844321da46f76b56c1266
-
SSDEEP
12288:n3C9uMPh2kkkkK4kXkkkkkkkkl8888888888888888882:ShPh2kkkkK4kXkkkkkkkkU
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b378a13d22be8750c033fb01e84f50c0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\b378a13d22be8750c033fb01e84f50c0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\nbthbn.exec:\nbthbn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnhbt.exec:\tnnhbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djpjv.exec:\djpjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxlrxrf.exec:\rxlrxrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7rflxrf.exec:\7rflxrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btttnn.exec:\btttnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbtnn.exec:\htbtnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjjp.exec:\jdjjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnhnht.exec:\nnhnht.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5jpjd.exec:\5jpjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frrrrlf.exec:\frrrrlf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrllll.exec:\rlrllll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbbthn.exec:\bbbthn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxlfxrl.exec:\rxlfxrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vppdj.exec:\vppdj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5rrlfxr.exec:\5rrlfxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjjdv.exec:\vjjdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrrrlxx.exec:\lrrrlxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvdpd.exec:\jvdpd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djjdv.exec:\djjdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bntnnh.exec:\bntnnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvjdv.exec:\jvjdv.exe23⤵
- Executes dropped EXE
-
\??\c:\xffxrll.exec:\xffxrll.exe24⤵
- Executes dropped EXE
-
\??\c:\5dpjj.exec:\5dpjj.exe25⤵
- Executes dropped EXE
-
\??\c:\5dvvj.exec:\5dvvj.exe26⤵
- Executes dropped EXE
-
\??\c:\3nbtnt.exec:\3nbtnt.exe27⤵
- Executes dropped EXE
-
\??\c:\jjvvv.exec:\jjvvv.exe28⤵
- Executes dropped EXE
-
\??\c:\vjjjp.exec:\vjjjp.exe29⤵
- Executes dropped EXE
-
\??\c:\frffflr.exec:\frffflr.exe30⤵
- Executes dropped EXE
-
\??\c:\tnbtnn.exec:\tnbtnn.exe31⤵
- Executes dropped EXE
-
\??\c:\rrrllfx.exec:\rrrllfx.exe32⤵
- Executes dropped EXE
-
\??\c:\pdvvv.exec:\pdvvv.exe33⤵
- Executes dropped EXE
-
\??\c:\xxlrxrr.exec:\xxlrxrr.exe34⤵
- Executes dropped EXE
-
\??\c:\jpvvd.exec:\jpvvd.exe35⤵
- Executes dropped EXE
-
\??\c:\3ddvp.exec:\3ddvp.exe36⤵
- Executes dropped EXE
-
\??\c:\3tbtnn.exec:\3tbtnn.exe37⤵
- Executes dropped EXE
-
\??\c:\pvjjj.exec:\pvjjj.exe38⤵
- Executes dropped EXE
-
\??\c:\rflffxx.exec:\rflffxx.exe39⤵
- Executes dropped EXE
-
\??\c:\btnnnn.exec:\btnnnn.exe40⤵
- Executes dropped EXE
-
\??\c:\ppjjv.exec:\ppjjv.exe41⤵
- Executes dropped EXE
-
\??\c:\jppjj.exec:\jppjj.exe42⤵
- Executes dropped EXE
-
\??\c:\flllrrl.exec:\flllrrl.exe43⤵
- Executes dropped EXE
-
\??\c:\bthbbn.exec:\bthbbn.exe44⤵
- Executes dropped EXE
-
\??\c:\ppdvv.exec:\ppdvv.exe45⤵
- Executes dropped EXE
-
\??\c:\nhhntt.exec:\nhhntt.exe46⤵
- Executes dropped EXE
-
\??\c:\vjppp.exec:\vjppp.exe47⤵
- Executes dropped EXE
-
\??\c:\ddjdj.exec:\ddjdj.exe48⤵
- Executes dropped EXE
-
\??\c:\fxffxff.exec:\fxffxff.exe49⤵
- Executes dropped EXE
-
\??\c:\bbbhbh.exec:\bbbhbh.exe50⤵
- Executes dropped EXE
-
\??\c:\pvppp.exec:\pvppp.exe51⤵
- Executes dropped EXE
-
\??\c:\ffllffr.exec:\ffllffr.exe52⤵
- Executes dropped EXE
-
\??\c:\btnhnn.exec:\btnhnn.exe53⤵
- Executes dropped EXE
-
\??\c:\ppddd.exec:\ppddd.exe54⤵
- Executes dropped EXE
-
\??\c:\jjvvv.exec:\jjvvv.exe55⤵
- Executes dropped EXE
-
\??\c:\5lrlffl.exec:\5lrlffl.exe56⤵
- Executes dropped EXE
-
\??\c:\nhhnht.exec:\nhhnht.exe57⤵
- Executes dropped EXE
-
\??\c:\djppp.exec:\djppp.exe58⤵
- Executes dropped EXE
-
\??\c:\3vddp.exec:\3vddp.exe59⤵
- Executes dropped EXE
-
\??\c:\lrlrrrl.exec:\lrlrrrl.exe60⤵
- Executes dropped EXE
-
\??\c:\flrrrxx.exec:\flrrrxx.exe61⤵
- Executes dropped EXE
-
\??\c:\hhhbtt.exec:\hhhbtt.exe62⤵
- Executes dropped EXE
-
\??\c:\ppvvv.exec:\ppvvv.exe63⤵
- Executes dropped EXE
-
\??\c:\xlxxfrx.exec:\xlxxfrx.exe64⤵
- Executes dropped EXE
-
\??\c:\lfxxxfl.exec:\lfxxxfl.exe65⤵
- Executes dropped EXE
-
\??\c:\tthhbb.exec:\tthhbb.exe66⤵
-
\??\c:\1pppp.exec:\1pppp.exe67⤵
-
\??\c:\vpdvp.exec:\vpdvp.exe68⤵
-
\??\c:\llrrllf.exec:\llrrllf.exe69⤵
-
\??\c:\3hbtnn.exec:\3hbtnn.exe70⤵
-
\??\c:\ppvvv.exec:\ppvvv.exe71⤵
-
\??\c:\9pvvv.exec:\9pvvv.exe72⤵
-
\??\c:\lxlrflf.exec:\lxlrflf.exe73⤵
-
\??\c:\btbtbh.exec:\btbtbh.exe74⤵
-
\??\c:\rfffrlr.exec:\rfffrlr.exe75⤵
-
\??\c:\xxflllr.exec:\xxflllr.exe76⤵
-
\??\c:\tthhtt.exec:\tthhtt.exe77⤵
-
\??\c:\9pppp.exec:\9pppp.exe78⤵
-
\??\c:\ddvvj.exec:\ddvvj.exe79⤵
-
\??\c:\xrfxfff.exec:\xrfxfff.exe80⤵
-
\??\c:\hbbttb.exec:\hbbttb.exe81⤵
-
\??\c:\pdjjp.exec:\pdjjp.exe82⤵
-
\??\c:\vpvpj.exec:\vpvpj.exe83⤵
-
\??\c:\7lrrxfl.exec:\7lrrxfl.exe84⤵
-
\??\c:\nbhhht.exec:\nbhhht.exe85⤵
-
\??\c:\tbtnnn.exec:\tbtnnn.exe86⤵
-
\??\c:\jpddd.exec:\jpddd.exe87⤵
-
\??\c:\rlxrrxr.exec:\rlxrrxr.exe88⤵
-
\??\c:\htnnnt.exec:\htnnnt.exe89⤵
-
\??\c:\bbtnbh.exec:\bbtnbh.exe90⤵
-
\??\c:\vdpvj.exec:\vdpvj.exe91⤵
-
\??\c:\fffxxxx.exec:\fffxxxx.exe92⤵
-
\??\c:\vjjpv.exec:\vjjpv.exe93⤵
-
\??\c:\jppjp.exec:\jppjp.exe94⤵
-
\??\c:\xrrrlll.exec:\xrrrlll.exe95⤵
-
\??\c:\bnbtnb.exec:\bnbtnb.exe96⤵
-
\??\c:\9nhhhh.exec:\9nhhhh.exe97⤵
-
\??\c:\5dpvp.exec:\5dpvp.exe98⤵
-
\??\c:\xlflflf.exec:\xlflflf.exe99⤵
-
\??\c:\hbhbbh.exec:\hbhbbh.exe100⤵
-
\??\c:\vjvpv.exec:\vjvpv.exe101⤵
-
\??\c:\rrxxxxf.exec:\rrxxxxf.exe102⤵
-
\??\c:\xrrrrrl.exec:\xrrrrrl.exe103⤵
-
\??\c:\hbnhhn.exec:\hbnhhn.exe104⤵
-
\??\c:\vjvpp.exec:\vjvpp.exe105⤵
-
\??\c:\7rxxlrf.exec:\7rxxlrf.exe106⤵
-
\??\c:\bnnnnt.exec:\bnnnnt.exe107⤵
-
\??\c:\htbbhh.exec:\htbbhh.exe108⤵
-
\??\c:\lrlffll.exec:\lrlffll.exe109⤵
-
\??\c:\nbtnnn.exec:\nbtnnn.exe110⤵
-
\??\c:\1htttb.exec:\1htttb.exe111⤵
-
\??\c:\jjjjj.exec:\jjjjj.exe112⤵
-
\??\c:\lfrflll.exec:\lfrflll.exe113⤵
-
\??\c:\lrffxff.exec:\lrffxff.exe114⤵
-
\??\c:\hhttnn.exec:\hhttnn.exe115⤵
-
\??\c:\jppjj.exec:\jppjj.exe116⤵
-
\??\c:\xflllrl.exec:\xflllrl.exe117⤵
-
\??\c:\fffffll.exec:\fffffll.exe118⤵
-
\??\c:\nnnntt.exec:\nnnntt.exe119⤵
-
\??\c:\ppddd.exec:\ppddd.exe120⤵
-
\??\c:\jjjdv.exec:\jjjdv.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-