Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
17/05/2024, 16:03
General
-
Target
ef08ab8fa9b6c767f1a1f8006c42f110_NeikiAnalytics.exe
-
Size
492KB
-
MD5
ef08ab8fa9b6c767f1a1f8006c42f110
-
SHA1
430558510a4ed473e1b52572e52ae2beaaac8de0
-
SHA256
7efc8c5773b8996353453ab9cb02746dd3a4300fb0f897623c7fc50453f7ff0c
-
SHA512
801c0b09a031d06f83b2e7a5b09c27718e3929b9ff1e2f6295c413439b7531d7c6c31fc1f7dcf286c1aaa2102cfeadd8706f0d5a57c04aa75c3d1634e2038a00
-
SSDEEP
6144:n3C9BRo7MlrWKo+lS0Le4xRSAoq78yoyfx93svqTbWL5wEpOQ9DRRv:n3C9yMo+S0L9xRnoq7H9QYcmeN9DX
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef08ab8fa9b6c767f1a1f8006c42f110_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\ef08ab8fa9b6c767f1a1f8006c42f110_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvvv.exec:\ddvvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnhhbh.exec:\bnhhbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7jvdp.exec:\7jvdp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrfrlrf.exec:\rrfrlrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrlrlrf.exec:\lrlrlrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7xffrrx.exec:\7xffrrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnttbh.exec:\nnttbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjddj.exec:\pjddj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1vvvd.exec:\1vvvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9llfrlf.exec:\9llfrlf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1vjpd.exec:\1vjpd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flfxxrx.exec:\flfxxrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5rllrfr.exec:\5rllrfr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjjp.exec:\ppjjp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrlxlrf.exec:\lrlxlrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1nhbhh.exec:\1nhbhh.exe17⤵
- Executes dropped EXE
-
\??\c:\vvppd.exec:\vvppd.exe18⤵
- Executes dropped EXE
-
\??\c:\rxxlfrx.exec:\rxxlfrx.exe19⤵
- Executes dropped EXE
-
\??\c:\1tbhnt.exec:\1tbhnt.exe20⤵
- Executes dropped EXE
-
\??\c:\5jvvd.exec:\5jvvd.exe21⤵
- Executes dropped EXE
-
\??\c:\llxrrrf.exec:\llxrrrf.exe22⤵
- Executes dropped EXE
-
\??\c:\nnttnb.exec:\nnttnb.exe23⤵
- Executes dropped EXE
-
\??\c:\pjvvd.exec:\pjvvd.exe24⤵
- Executes dropped EXE
-
\??\c:\7flfrxx.exec:\7flfrxx.exe25⤵
- Executes dropped EXE
-
\??\c:\lffxffx.exec:\lffxffx.exe26⤵
- Executes dropped EXE
-
\??\c:\bnnhhn.exec:\bnnhhn.exe27⤵
- Executes dropped EXE
-
\??\c:\rffrlll.exec:\rffrlll.exe28⤵
- Executes dropped EXE
-
\??\c:\ntnthn.exec:\ntnthn.exe29⤵
- Executes dropped EXE
-
\??\c:\vdjpd.exec:\vdjpd.exe30⤵
- Executes dropped EXE
-
\??\c:\xrrfllf.exec:\xrrfllf.exe31⤵
- Executes dropped EXE
-
\??\c:\1bntbh.exec:\1bntbh.exe32⤵
- Executes dropped EXE
-
\??\c:\pdppd.exec:\pdppd.exe33⤵
- Executes dropped EXE
-
\??\c:\1lxfffl.exec:\1lxfffl.exe34⤵
- Executes dropped EXE
-
\??\c:\hhbhbn.exec:\hhbhbn.exe35⤵
- Executes dropped EXE
-
\??\c:\jdpvd.exec:\jdpvd.exe36⤵
- Executes dropped EXE
-
\??\c:\llxlxfr.exec:\llxlxfr.exe37⤵
- Executes dropped EXE
-
\??\c:\tnbhnt.exec:\tnbhnt.exe38⤵
- Executes dropped EXE
-
\??\c:\pjvdj.exec:\pjvdj.exe39⤵
- Executes dropped EXE
-
\??\c:\dvppv.exec:\dvppv.exe40⤵
- Executes dropped EXE
-
\??\c:\ffxlfxr.exec:\ffxlfxr.exe41⤵
- Executes dropped EXE
-
\??\c:\btnbht.exec:\btnbht.exe42⤵
- Executes dropped EXE
-
\??\c:\djjpj.exec:\djjpj.exe43⤵
- Executes dropped EXE
-
\??\c:\ddvdp.exec:\ddvdp.exe44⤵
- Executes dropped EXE
-
\??\c:\3xfllrf.exec:\3xfllrf.exe45⤵
- Executes dropped EXE
-
\??\c:\xrrrffr.exec:\xrrrffr.exe46⤵
- Executes dropped EXE
-
\??\c:\5hbthh.exec:\5hbthh.exe47⤵
- Executes dropped EXE
-
\??\c:\jppvj.exec:\jppvj.exe48⤵
- Executes dropped EXE
-
\??\c:\lfrlxxl.exec:\lfrlxxl.exe49⤵
- Executes dropped EXE
-
\??\c:\xfrrxfr.exec:\xfrrxfr.exe50⤵
- Executes dropped EXE
-
\??\c:\tnttbt.exec:\tnttbt.exe51⤵
- Executes dropped EXE
-
\??\c:\nnhthh.exec:\nnhthh.exe52⤵
- Executes dropped EXE
-
\??\c:\ddppv.exec:\ddppv.exe53⤵
- Executes dropped EXE
-
\??\c:\rfrllff.exec:\rfrllff.exe54⤵
- Executes dropped EXE
-
\??\c:\fxrrxrf.exec:\fxrrxrf.exe55⤵
- Executes dropped EXE
-
\??\c:\9thtnn.exec:\9thtnn.exe56⤵
- Executes dropped EXE
-
\??\c:\7pjpd.exec:\7pjpd.exe57⤵
- Executes dropped EXE
-
\??\c:\9xrrffr.exec:\9xrrffr.exe58⤵
- Executes dropped EXE
-
\??\c:\xxxfrxr.exec:\xxxfrxr.exe59⤵
- Executes dropped EXE
-
\??\c:\ttnbhn.exec:\ttnbhn.exe60⤵
- Executes dropped EXE
-
\??\c:\1vvjv.exec:\1vvjv.exe61⤵
- Executes dropped EXE
-
\??\c:\jjjpd.exec:\jjjpd.exe62⤵
- Executes dropped EXE
-
\??\c:\fxflrxf.exec:\fxflrxf.exe63⤵
- Executes dropped EXE
-
\??\c:\hntttn.exec:\hntttn.exe64⤵
- Executes dropped EXE
-
\??\c:\5nbbtt.exec:\5nbbtt.exe65⤵
- Executes dropped EXE
-
\??\c:\vvpdp.exec:\vvpdp.exe66⤵
-
\??\c:\jdjjj.exec:\jdjjj.exe67⤵
-
\??\c:\lfrfrrl.exec:\lfrfrrl.exe68⤵
-
\??\c:\nbbnhh.exec:\nbbnhh.exe69⤵
-
\??\c:\hhtbhb.exec:\hhtbhb.exe70⤵
-
\??\c:\9vpvd.exec:\9vpvd.exe71⤵
-
\??\c:\xlffllx.exec:\xlffllx.exe72⤵
-
\??\c:\lxllxxf.exec:\lxllxxf.exe73⤵
-
\??\c:\nhhhtt.exec:\nhhhtt.exe74⤵
-
\??\c:\jjpvj.exec:\jjpvj.exe75⤵
-
\??\c:\jjvjj.exec:\jjvjj.exe76⤵
-
\??\c:\rlxrffl.exec:\rlxrffl.exe77⤵
-
\??\c:\9tnthn.exec:\9tnthn.exe78⤵
-
\??\c:\tnnbhh.exec:\tnnbhh.exe79⤵
-
\??\c:\jvvdv.exec:\jvvdv.exe80⤵
-
\??\c:\pjvdp.exec:\pjvdp.exe81⤵
-
\??\c:\rlllrlr.exec:\rlllrlr.exe82⤵
-
\??\c:\fxrxllx.exec:\fxrxllx.exe83⤵
-
\??\c:\nhbhnt.exec:\nhbhnt.exe84⤵
-
\??\c:\jjdpd.exec:\jjdpd.exe85⤵
-
\??\c:\jdvdj.exec:\jdvdj.exe86⤵
-
\??\c:\xrfflrx.exec:\xrfflrx.exe87⤵
-
\??\c:\nnhtbb.exec:\nnhtbb.exe88⤵
-
\??\c:\htnhnh.exec:\htnhnh.exe89⤵
-
\??\c:\vvvdj.exec:\vvvdj.exe90⤵
-
\??\c:\3ddpd.exec:\3ddpd.exe91⤵
-
\??\c:\xrrllfl.exec:\xrrllfl.exe92⤵
-
\??\c:\bhtnnh.exec:\bhtnnh.exe93⤵
-
\??\c:\9nnthn.exec:\9nnthn.exe94⤵
-
\??\c:\jjdjp.exec:\jjdjp.exe95⤵
-
\??\c:\fxrrxxl.exec:\fxrrxxl.exe96⤵
-
\??\c:\fxlrxxl.exec:\fxlrxxl.exe97⤵
-
\??\c:\hhhthn.exec:\hhhthn.exe98⤵
-
\??\c:\ppjjp.exec:\ppjjp.exe99⤵
-
\??\c:\dvjjj.exec:\dvjjj.exe100⤵
-
\??\c:\fxlrflx.exec:\fxlrflx.exe101⤵
-
\??\c:\ffrxfxf.exec:\ffrxfxf.exe102⤵
-
\??\c:\bthttb.exec:\bthttb.exe103⤵
-
\??\c:\9pddj.exec:\9pddj.exe104⤵
-
\??\c:\frfxflr.exec:\frfxflr.exe105⤵
-
\??\c:\lxllllr.exec:\lxllllr.exe106⤵
-
\??\c:\ttttnt.exec:\ttttnt.exe107⤵
-
\??\c:\bbtbnn.exec:\bbtbnn.exe108⤵
-
\??\c:\dpjpv.exec:\dpjpv.exe109⤵
-
\??\c:\pppdj.exec:\pppdj.exe110⤵
-
\??\c:\xxrfxfx.exec:\xxrfxfx.exe111⤵
-
\??\c:\5bbhtt.exec:\5bbhtt.exe112⤵
-
\??\c:\nhtbht.exec:\nhtbht.exe113⤵
-
\??\c:\ppjpv.exec:\ppjpv.exe114⤵
-
\??\c:\vpddd.exec:\vpddd.exe115⤵
-
\??\c:\xrffllx.exec:\xrffllx.exe116⤵
-
\??\c:\7hbhnb.exec:\7hbhnb.exe117⤵
-
\??\c:\7vddj.exec:\7vddj.exe118⤵
-
\??\c:\lfrlxxx.exec:\lfrlxxx.exe119⤵
-
\??\c:\9tnthn.exec:\9tnthn.exe120⤵
-
\??\c:\5pjpv.exec:\5pjpv.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-