Analysis
-
max time kernel
140s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
18-05-2024 22:39
General
-
Target
162dd95e1a00653dcebaf8613d39c6e0_NeikiAnalytics.exe
-
Size
87KB
-
MD5
162dd95e1a00653dcebaf8613d39c6e0
-
SHA1
301b523e943c9c42f41a3d2658ccfef35cf13307
-
SHA256
5775e276c321c39710cc5fc9b16678b99fb62aa7f382b3c3c3d23dedc5869447
-
SHA512
f5c97c667ea65d68c6c42157f294fea5a9880131a59a651ff4a19900db3492bcd8ebdb50fcb1e9570782f0d7e2675fb0b61f6310455207faf16dcdf5edd14239
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND+3T4+C2wV3jaCJ5jH3en:ymb3NkkiQ3mdBjF+3TU2K3bJZX6
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\187829366\zmstage.exeC:\Users\Admin\AppData\Local\Temp\187829366\zmstage.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\162dd95e1a00653dcebaf8613d39c6e0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\162dd95e1a00653dcebaf8613d39c6e0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\9djpv.exec:\9djpv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxlffrx.exec:\lxlffrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrlflx.exec:\xrrlflx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhhnn.exec:\hbhhnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btntnb.exec:\btntnb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbtbbb.exec:\nbtbbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjpj.exec:\ppjpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjvp.exec:\pjjvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9xrxlrx.exec:\9xrxlrx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbnht.exec:\btbnht.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3hbbhn.exec:\3hbbhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvppd.exec:\vvppd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvvj.exec:\pdvvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flfxlxl.exec:\flfxlxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fffxlfx.exec:\fffxlfx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9htbnh.exec:\9htbnh.exe17⤵
- Executes dropped EXE
-
\??\c:\nbnnbb.exec:\nbnnbb.exe18⤵
- Executes dropped EXE
-
\??\c:\vjjjv.exec:\vjjjv.exe19⤵
- Executes dropped EXE
-
\??\c:\9jdjj.exec:\9jdjj.exe20⤵
- Executes dropped EXE
-
\??\c:\7rrrxxf.exec:\7rrrxxf.exe21⤵
- Executes dropped EXE
-
\??\c:\9xlrlrf.exec:\9xlrlrf.exe22⤵
- Executes dropped EXE
-
\??\c:\7lflfxf.exec:\7lflfxf.exe23⤵
- Executes dropped EXE
-
\??\c:\nnbhtt.exec:\nnbhtt.exe24⤵
- Executes dropped EXE
-
\??\c:\hhbnnt.exec:\hhbnnt.exe25⤵
- Executes dropped EXE
-
\??\c:\vjjvj.exec:\vjjvj.exe26⤵
- Executes dropped EXE
-
\??\c:\rxffffr.exec:\rxffffr.exe27⤵
- Executes dropped EXE
-
\??\c:\llxlrfl.exec:\llxlrfl.exe28⤵
- Executes dropped EXE
-
\??\c:\5xlrxxx.exec:\5xlrxxx.exe29⤵
- Executes dropped EXE
-
\??\c:\hbhthn.exec:\hbhthn.exe30⤵
- Executes dropped EXE
-
\??\c:\tnbnth.exec:\tnbnth.exe31⤵
- Executes dropped EXE
-
\??\c:\jjpvd.exec:\jjpvd.exe32⤵
- Executes dropped EXE
-
\??\c:\dvdvd.exec:\dvdvd.exe33⤵
- Executes dropped EXE
-
\??\c:\7frrrxf.exec:\7frrrxf.exe34⤵
- Executes dropped EXE
-
\??\c:\xrlrxlx.exec:\xrlrxlx.exe35⤵
- Executes dropped EXE
-
\??\c:\5nbtbb.exec:\5nbtbb.exe36⤵
- Executes dropped EXE
-
\??\c:\thhtbh.exec:\thhtbh.exe37⤵
- Executes dropped EXE
-
\??\c:\vpdjp.exec:\vpdjp.exe38⤵
- Executes dropped EXE
-
\??\c:\dpjjj.exec:\dpjjj.exe39⤵
- Executes dropped EXE
-
\??\c:\pdpvv.exec:\pdpvv.exe40⤵
- Executes dropped EXE
-
\??\c:\lflxfll.exec:\lflxfll.exe41⤵
- Executes dropped EXE
-
\??\c:\rlxfflr.exec:\rlxfflr.exe42⤵
- Executes dropped EXE
-
\??\c:\fflflll.exec:\fflflll.exe43⤵
- Executes dropped EXE
-
\??\c:\nbhbhn.exec:\nbhbhn.exe44⤵
- Executes dropped EXE
-
\??\c:\rlrlxlx.exec:\rlrlxlx.exe45⤵
- Executes dropped EXE
-
\??\c:\xrlfxxf.exec:\xrlfxxf.exe46⤵
- Executes dropped EXE
-
\??\c:\llflxlx.exec:\llflxlx.exe47⤵
- Executes dropped EXE
-
\??\c:\ntthbn.exec:\ntthbn.exe48⤵
- Executes dropped EXE
-
\??\c:\ntntnb.exec:\ntntnb.exe49⤵
- Executes dropped EXE
-
\??\c:\3dvdv.exec:\3dvdv.exe50⤵
- Executes dropped EXE
-
\??\c:\pppdv.exec:\pppdv.exe51⤵
- Executes dropped EXE
-
\??\c:\9rrxflx.exec:\9rrxflx.exe52⤵
- Executes dropped EXE
-
\??\c:\lfllllr.exec:\lfllllr.exe53⤵
- Executes dropped EXE
-
\??\c:\hhhnbh.exec:\hhhnbh.exe54⤵
- Executes dropped EXE
-
\??\c:\hbhtbb.exec:\hbhtbb.exe55⤵
- Executes dropped EXE
-
\??\c:\1vjvj.exec:\1vjvj.exe56⤵
- Executes dropped EXE
-
\??\c:\djjpj.exec:\djjpj.exe57⤵
- Executes dropped EXE
-
\??\c:\5xflfrl.exec:\5xflfrl.exe58⤵
- Executes dropped EXE
-
\??\c:\1xxfxlx.exec:\1xxfxlx.exe59⤵
- Executes dropped EXE
-
\??\c:\lxffrlx.exec:\lxffrlx.exe60⤵
- Executes dropped EXE
-
\??\c:\nbhhtt.exec:\nbhhtt.exe61⤵
- Executes dropped EXE
-
\??\c:\vddvp.exec:\vddvp.exe62⤵
- Executes dropped EXE
-
\??\c:\pjvpd.exec:\pjvpd.exe63⤵
- Executes dropped EXE
-
\??\c:\rxxrrfx.exec:\rxxrrfx.exe64⤵
- Executes dropped EXE
-
\??\c:\xxfxxfx.exec:\xxfxxfx.exe65⤵
- Executes dropped EXE
-
\??\c:\frflrff.exec:\frflrff.exe66⤵
-
\??\c:\ttbbth.exec:\ttbbth.exe67⤵
-
\??\c:\tbhntb.exec:\tbhntb.exe68⤵
-
\??\c:\9vpvj.exec:\9vpvj.exe69⤵
-
\??\c:\9pjvd.exec:\9pjvd.exe70⤵
-
\??\c:\5frxllx.exec:\5frxllx.exe71⤵
-
\??\c:\llxxlxl.exec:\llxxlxl.exe72⤵
-
\??\c:\thtntn.exec:\thtntn.exe73⤵
-
\??\c:\tnhhtt.exec:\tnhhtt.exe74⤵
-
\??\c:\tnthbh.exec:\tnthbh.exe75⤵
-
\??\c:\jdjpd.exec:\jdjpd.exe76⤵
-
\??\c:\pjddd.exec:\pjddd.exe77⤵
-
\??\c:\ffrfllr.exec:\ffrfllr.exe78⤵
-
\??\c:\llxlxfx.exec:\llxlxfx.exe79⤵
-
\??\c:\fflxlll.exec:\fflxlll.exe80⤵
-
\??\c:\tnbntb.exec:\tnbntb.exe81⤵
-
\??\c:\hbnttb.exec:\hbnttb.exe82⤵
-
\??\c:\7pjpv.exec:\7pjpv.exe83⤵
-
\??\c:\dvvpp.exec:\dvvpp.exe84⤵
-
\??\c:\nnbtbb.exec:\nnbtbb.exe85⤵
-
\??\c:\ppjvj.exec:\ppjvj.exe86⤵
-
\??\c:\fxrrxrl.exec:\fxrrxrl.exe87⤵
-
\??\c:\xrxlxfr.exec:\xrxlxfr.exe88⤵
-
\??\c:\3xrxlrx.exec:\3xrxlrx.exe89⤵
-
\??\c:\nbtthh.exec:\nbtthh.exe90⤵
-
\??\c:\bnthnh.exec:\bnthnh.exe91⤵
-
\??\c:\htbhhh.exec:\htbhhh.exe92⤵
-
\??\c:\5pddp.exec:\5pddp.exe93⤵
-
\??\c:\vjppj.exec:\vjppj.exe94⤵
-
\??\c:\pjddp.exec:\pjddp.exe95⤵
-
\??\c:\fxrfrxl.exec:\fxrfrxl.exe96⤵
-
\??\c:\rlfrxlr.exec:\rlfrxlr.exe97⤵
-
\??\c:\hbhntb.exec:\hbhntb.exe98⤵
-
\??\c:\3tbhtt.exec:\3tbhtt.exe99⤵
-
\??\c:\hbbbbb.exec:\hbbbbb.exe100⤵
-
\??\c:\dpvdd.exec:\dpvdd.exe101⤵
-
\??\c:\1vpjd.exec:\1vpjd.exe102⤵
-
\??\c:\jvdjp.exec:\jvdjp.exe103⤵
-
\??\c:\flfffxf.exec:\flfffxf.exe104⤵
-
\??\c:\btnbnh.exec:\btnbnh.exe105⤵
-
\??\c:\nhthtn.exec:\nhthtn.exe106⤵
-
\??\c:\dpvdj.exec:\dpvdj.exe107⤵
-
\??\c:\pjvvd.exec:\pjvvd.exe108⤵
-
\??\c:\pvpdp.exec:\pvpdp.exe109⤵
-
\??\c:\xxxlflr.exec:\xxxlflr.exe110⤵
-
\??\c:\lffllll.exec:\lffllll.exe111⤵
-
\??\c:\tttttt.exec:\tttttt.exe112⤵
-
\??\c:\tnnnbn.exec:\tnnnbn.exe113⤵
-
\??\c:\thtttt.exec:\thtttt.exe114⤵
-
\??\c:\vjvdp.exec:\vjvdp.exe115⤵
-
\??\c:\9jjdp.exec:\9jjdp.exe116⤵
-
\??\c:\1lffrll.exec:\1lffrll.exe117⤵
-
\??\c:\lffrlrl.exec:\lffrlrl.exe118⤵
-
\??\c:\ttbnht.exec:\ttbnht.exe119⤵
-
\??\c:\bhbttn.exec:\bhbttn.exe120⤵
-
\??\c:\nhhthh.exec:\nhhthh.exe121⤵
-
\??\c:\ppvdp.exec:\ppvdp.exe122⤵
-
\??\c:\pppvv.exec:\pppvv.exe123⤵
-
\??\c:\5frrlxf.exec:\5frrlxf.exe124⤵
-
\??\c:\9lflxfx.exec:\9lflxfx.exe125⤵
-
\??\c:\ffrxllx.exec:\ffrxllx.exe126⤵
-
\??\c:\nnbhbn.exec:\nnbhbn.exe127⤵
-
\??\c:\bbnhht.exec:\bbnhht.exe128⤵
-
\??\c:\vddpj.exec:\vddpj.exe129⤵
-
\??\c:\dvjjv.exec:\dvjjv.exe130⤵
-
\??\c:\9xxfrlx.exec:\9xxfrlx.exe131⤵
-
\??\c:\llfrlxx.exec:\llfrlxx.exe132⤵
-
\??\c:\thtntt.exec:\thtntt.exe133⤵
-
\??\c:\tnbntb.exec:\tnbntb.exe134⤵
-
\??\c:\hhtbhh.exec:\hhtbhh.exe135⤵
-
\??\c:\7jddp.exec:\7jddp.exe136⤵
-
\??\c:\ppdpd.exec:\ppdpd.exe137⤵
-
\??\c:\vpjdv.exec:\vpjdv.exe138⤵
-
\??\c:\7rrfxfx.exec:\7rrfxfx.exe139⤵
-
\??\c:\5llflff.exec:\5llflff.exe140⤵
-
\??\c:\nbbbbb.exec:\nbbbbb.exe141⤵
-
\??\c:\hbntnt.exec:\hbntnt.exe142⤵
-
\??\c:\5bttnb.exec:\5bttnb.exe143⤵
-
\??\c:\vjvdv.exec:\vjvdv.exe144⤵
-
\??\c:\lxlfllr.exec:\lxlfllr.exe145⤵
-
\??\c:\ffxfrrf.exec:\ffxfrrf.exe146⤵
-
\??\c:\xxffrxl.exec:\xxffrxl.exe147⤵
-
\??\c:\hhhnnb.exec:\hhhnnb.exe148⤵
-
\??\c:\1vvjd.exec:\1vvjd.exe149⤵
-
\??\c:\9pvpv.exec:\9pvpv.exe150⤵
-
\??\c:\1dvvd.exec:\1dvvd.exe151⤵
-
\??\c:\xlxrrrf.exec:\xlxrrrf.exe152⤵
-
\??\c:\lrxrrlf.exec:\lrxrrlf.exe153⤵
-
\??\c:\5httbh.exec:\5httbh.exe154⤵
-
\??\c:\htnhtt.exec:\htnhtt.exe155⤵
-
\??\c:\1vdvv.exec:\1vdvv.exe156⤵
-
\??\c:\dvppd.exec:\dvppd.exe157⤵
-
\??\c:\fxffrrl.exec:\fxffrrl.exe158⤵
-
\??\c:\lfllrrx.exec:\lfllrrx.exe159⤵
-
\??\c:\lxxrrff.exec:\lxxrrff.exe160⤵
-
\??\c:\5nnthn.exec:\5nnthn.exe161⤵
-
\??\c:\tbntbh.exec:\tbntbh.exe162⤵
-
\??\c:\ppppj.exec:\ppppj.exe163⤵
-
\??\c:\5vjjd.exec:\5vjjd.exe164⤵
-
\??\c:\jpdpj.exec:\jpdpj.exe165⤵
-
\??\c:\9lfxxfx.exec:\9lfxxfx.exe166⤵
-
\??\c:\fxffxxf.exec:\fxffxxf.exe167⤵
-
\??\c:\7hbhhh.exec:\7hbhhh.exe168⤵
-
\??\c:\nnbntb.exec:\nnbntb.exe169⤵
-
\??\c:\jjdjd.exec:\jjdjd.exe170⤵
-
\??\c:\ppvdj.exec:\ppvdj.exe171⤵
-
\??\c:\3xlrxxf.exec:\3xlrxxf.exe172⤵
-
\??\c:\llxlxlx.exec:\llxlxlx.exe173⤵
-
\??\c:\xfrfxfx.exec:\xfrfxfx.exe174⤵
-
\??\c:\ttthbn.exec:\ttthbn.exe175⤵
-
\??\c:\3bthhb.exec:\3bthhb.exe176⤵
-
\??\c:\dvpjv.exec:\dvpjv.exe177⤵
-
\??\c:\vvdjd.exec:\vvdjd.exe178⤵
-
\??\c:\9fxffxx.exec:\9fxffxx.exe179⤵
-
\??\c:\xlrrxxl.exec:\xlrrxxl.exe180⤵
-
\??\c:\rlrrrxf.exec:\rlrrrxf.exe181⤵
-
\??\c:\tnbnhb.exec:\tnbnhb.exe182⤵
-
\??\c:\tntbhn.exec:\tntbhn.exe183⤵
-
\??\c:\pdppv.exec:\pdppv.exe184⤵
-
\??\c:\3pjjj.exec:\3pjjj.exe185⤵
-
\??\c:\1dpdv.exec:\1dpdv.exe186⤵
-
\??\c:\xrxxffr.exec:\xrxxffr.exe187⤵
-
\??\c:\hbhbhh.exec:\hbhbhh.exe188⤵
-
\??\c:\htbtbb.exec:\htbtbb.exe189⤵
-
\??\c:\bttbtb.exec:\bttbtb.exe190⤵
-
\??\c:\7pjjv.exec:\7pjjv.exe191⤵
-
\??\c:\vvpvd.exec:\vvpvd.exe192⤵
-
\??\c:\dvppj.exec:\dvppj.exe193⤵
-
\??\c:\7lrxflx.exec:\7lrxflx.exe194⤵
-
\??\c:\ffrfflf.exec:\ffrfflf.exe195⤵
-
\??\c:\tnhnht.exec:\tnhnht.exe196⤵
-
\??\c:\bbtbtn.exec:\bbtbtn.exe197⤵
-
\??\c:\thbbth.exec:\thbbth.exe198⤵
-
\??\c:\jpjdp.exec:\jpjdp.exe199⤵
-
\??\c:\jppjd.exec:\jppjd.exe200⤵
-
\??\c:\flrrfxf.exec:\flrrfxf.exe201⤵
-
\??\c:\lxxrfrx.exec:\lxxrfrx.exe202⤵
-
\??\c:\xfrlfrf.exec:\xfrlfrf.exe203⤵
-
\??\c:\nhhhtb.exec:\nhhhtb.exe204⤵
-
\??\c:\thbbnt.exec:\thbbnt.exe205⤵
-
\??\c:\jdppp.exec:\jdppp.exe206⤵
-
\??\c:\pdvdj.exec:\pdvdj.exe207⤵
-
\??\c:\ppvvd.exec:\ppvvd.exe208⤵
-
\??\c:\lrflfrf.exec:\lrflfrf.exe209⤵
-
\??\c:\lrrrfxf.exec:\lrrrfxf.exe210⤵
-
\??\c:\hbnnhb.exec:\hbnnhb.exe211⤵
-
\??\c:\nnbbht.exec:\nnbbht.exe212⤵
-
\??\c:\djdjp.exec:\djdjp.exe213⤵
-
\??\c:\jjddj.exec:\jjddj.exe214⤵
-
\??\c:\1vppp.exec:\1vppp.exe215⤵
-
\??\c:\fxfflrx.exec:\fxfflrx.exe216⤵
-
\??\c:\7xrrxfl.exec:\7xrrxfl.exe217⤵
-
\??\c:\3hhbhn.exec:\3hhbhn.exe218⤵
-
\??\c:\tbhbbb.exec:\tbhbbb.exe219⤵
-
\??\c:\1djvj.exec:\1djvj.exe220⤵
-
\??\c:\9ddjv.exec:\9ddjv.exe221⤵
-
\??\c:\7jppp.exec:\7jppp.exe222⤵
-
\??\c:\5rrrfrx.exec:\5rrrfrx.exe223⤵
-
\??\c:\rlflrlx.exec:\rlflrlx.exe224⤵
-
\??\c:\7rffffl.exec:\7rffffl.exe225⤵
-
\??\c:\7bbbbb.exec:\7bbbbb.exe226⤵
-
\??\c:\bbbhbn.exec:\bbbhbn.exe227⤵
-
\??\c:\3vvdp.exec:\3vvdp.exe228⤵
-
\??\c:\vdpjp.exec:\vdpjp.exe229⤵
-
\??\c:\jjdjv.exec:\jjdjv.exe230⤵
-
\??\c:\3xrfrxr.exec:\3xrfrxr.exe231⤵
-
\??\c:\xxrxfll.exec:\xxrxfll.exe232⤵
-
\??\c:\7xllrrl.exec:\7xllrrl.exe233⤵
-
\??\c:\bhnbhb.exec:\bhnbhb.exe234⤵
-
\??\c:\tttnnh.exec:\tttnnh.exe235⤵
-
\??\c:\vjvpd.exec:\vjvpd.exe236⤵
-
\??\c:\ddvjv.exec:\ddvjv.exe237⤵
-
\??\c:\ddvpp.exec:\ddvpp.exe238⤵
-
\??\c:\xrlfffl.exec:\xrlfffl.exe239⤵
-
\??\c:\fxrrxxr.exec:\fxrrxxr.exe240⤵
-
\??\c:\tnnttt.exec:\tnnttt.exe241⤵