Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
19-05-2024 01:51
General
-
Target
4b94ba8aa80f0d2f319098dc0a3ec970_NeikiAnalytics.exe
-
Size
277KB
-
MD5
4b94ba8aa80f0d2f319098dc0a3ec970
-
SHA1
cc387a62374c6aa9bf42869b9934662b917720ad
-
SHA256
ced3f7480324116317b57e0ab8dc0db3836a69a6227932fa6693836c49c2ac0e
-
SHA512
6304617db62a78e2d50e966c916b057b2733dccefec9991b5caf72840f8169ed502f699725e0a9d20cc2239be52d1b0787c4940ff0dd10aadd3d3f8057a799d0
-
SSDEEP
6144:n3C9BRIG0asYFm71m8+GdkB9yMu7VvemN:n3C9uYA71kSMuP
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\MusNotification.exeC:\Windows\system32\MusNotification.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\4b94ba8aa80f0d2f319098dc0a3ec970_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\4b94ba8aa80f0d2f319098dc0a3ec970_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\xxffllr.exec:\xxffllr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\08624.exec:\08624.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nntnnt.exec:\nntnnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppppp.exec:\ppppp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\80000.exec:\80000.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvdvp.exec:\dvdvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhbbtt.exec:\bhbbtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1rrlffr.exec:\1rrlffr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnthbn.exec:\tnthbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flffllr.exec:\flffllr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrxfffr.exec:\lrxfffr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\868600.exec:\868600.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1dpjj.exec:\1dpjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\662600.exec:\662600.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrlrrl.exec:\rlrlrrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\m2082.exec:\m2082.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\24060.exec:\24060.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrfrfr.exec:\xrrfrfr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4068228.exec:\4068228.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\42660.exec:\42660.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhtntt.exec:\bhtntt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddpjd.exec:\ddpjd.exe23⤵
- Executes dropped EXE
-
\??\c:\s2864.exec:\s2864.exe24⤵
- Executes dropped EXE
-
\??\c:\dpvpv.exec:\dpvpv.exe25⤵
- Executes dropped EXE
-
\??\c:\e80206.exec:\e80206.exe26⤵
- Executes dropped EXE
-
\??\c:\7nhhhn.exec:\7nhhhn.exe27⤵
- Executes dropped EXE
-
\??\c:\62886.exec:\62886.exe28⤵
- Executes dropped EXE
-
\??\c:\rfrxxrr.exec:\rfrxxrr.exe29⤵
- Executes dropped EXE
-
\??\c:\vjdjp.exec:\vjdjp.exe30⤵
- Executes dropped EXE
-
\??\c:\u086000.exec:\u086000.exe31⤵
- Executes dropped EXE
-
\??\c:\ttbthn.exec:\ttbthn.exe32⤵
- Executes dropped EXE
-
\??\c:\4404866.exec:\4404866.exe33⤵
- Executes dropped EXE
-
\??\c:\062266.exec:\062266.exe34⤵
- Executes dropped EXE
-
\??\c:\7xxrxxr.exec:\7xxrxxr.exe35⤵
- Executes dropped EXE
-
\??\c:\hbhhbb.exec:\hbhhbb.exe36⤵
- Executes dropped EXE
-
\??\c:\fflfffr.exec:\fflfffr.exe37⤵
- Executes dropped EXE
-
\??\c:\006000.exec:\006000.exe38⤵
- Executes dropped EXE
-
\??\c:\6248840.exec:\6248840.exe39⤵
- Executes dropped EXE
-
\??\c:\bthbnn.exec:\bthbnn.exe40⤵
- Executes dropped EXE
-
\??\c:\ddpjp.exec:\ddpjp.exe41⤵
- Executes dropped EXE
-
\??\c:\9vjjp.exec:\9vjjp.exe42⤵
- Executes dropped EXE
-
\??\c:\thtbhh.exec:\thtbhh.exe43⤵
- Executes dropped EXE
-
\??\c:\062680.exec:\062680.exe44⤵
- Executes dropped EXE
-
\??\c:\6624844.exec:\6624844.exe45⤵
- Executes dropped EXE
-
\??\c:\1rxlllx.exec:\1rxlllx.exe46⤵
- Executes dropped EXE
-
\??\c:\xflfxrl.exec:\xflfxrl.exe47⤵
- Executes dropped EXE
-
\??\c:\9xlrrff.exec:\9xlrrff.exe48⤵
- Executes dropped EXE
-
\??\c:\024884.exec:\024884.exe49⤵
- Executes dropped EXE
-
\??\c:\6624684.exec:\6624684.exe50⤵
- Executes dropped EXE
-
\??\c:\xfrrfxf.exec:\xfrrfxf.exe51⤵
- Executes dropped EXE
-
\??\c:\bnhhbt.exec:\bnhhbt.exe52⤵
- Executes dropped EXE
-
\??\c:\208626.exec:\208626.exe53⤵
- Executes dropped EXE
-
\??\c:\bhhhbt.exec:\bhhhbt.exe54⤵
- Executes dropped EXE
-
\??\c:\640040.exec:\640040.exe55⤵
- Executes dropped EXE
-
\??\c:\80222.exec:\80222.exe56⤵
- Executes dropped EXE
-
\??\c:\9tbbhh.exec:\9tbbhh.exe57⤵
- Executes dropped EXE
-
\??\c:\fxxxxxr.exec:\fxxxxxr.exe58⤵
- Executes dropped EXE
-
\??\c:\bbnhtn.exec:\bbnhtn.exe59⤵
- Executes dropped EXE
-
\??\c:\4402288.exec:\4402288.exe60⤵
- Executes dropped EXE
-
\??\c:\1lffxxr.exec:\1lffxxr.exe61⤵
- Executes dropped EXE
-
\??\c:\xrlfffl.exec:\xrlfffl.exe62⤵
- Executes dropped EXE
-
\??\c:\xrxfffx.exec:\xrxfffx.exe63⤵
- Executes dropped EXE
-
\??\c:\44666.exec:\44666.exe64⤵
- Executes dropped EXE
-
\??\c:\9vdpj.exec:\9vdpj.exe65⤵
- Executes dropped EXE
-
\??\c:\ppvjd.exec:\ppvjd.exe66⤵
-
\??\c:\bhttbn.exec:\bhttbn.exe67⤵
-
\??\c:\c808226.exec:\c808226.exe68⤵
-
\??\c:\084848.exec:\084848.exe69⤵
-
\??\c:\06644.exec:\06644.exe70⤵
-
\??\c:\02226.exec:\02226.exe71⤵
-
\??\c:\llxlxfx.exec:\llxlxfx.exe72⤵
-
\??\c:\6660264.exec:\6660264.exe73⤵
-
\??\c:\u026040.exec:\u026040.exe74⤵
-
\??\c:\xrxrrrr.exec:\xrxrrrr.exe75⤵
-
\??\c:\vpddv.exec:\vpddv.exe76⤵
-
\??\c:\08088.exec:\08088.exe77⤵
-
\??\c:\s6200.exec:\s6200.exe78⤵
-
\??\c:\7flfxlr.exec:\7flfxlr.exe79⤵
-
\??\c:\06004.exec:\06004.exe80⤵
-
\??\c:\820400.exec:\820400.exe81⤵
-
\??\c:\nnttbt.exec:\nnttbt.exe82⤵
-
\??\c:\2266004.exec:\2266004.exe83⤵
-
\??\c:\pjvpj.exec:\pjvpj.exe84⤵
-
\??\c:\nthhhh.exec:\nthhhh.exe85⤵
-
\??\c:\3dppj.exec:\3dppj.exe86⤵
-
\??\c:\rxfllff.exec:\rxfllff.exe87⤵
-
\??\c:\20082.exec:\20082.exe88⤵
-
\??\c:\606088.exec:\606088.exe89⤵
-
\??\c:\2822602.exec:\2822602.exe90⤵
-
\??\c:\jjddv.exec:\jjddv.exe91⤵
-
\??\c:\lflfxxr.exec:\lflfxxr.exe92⤵
-
\??\c:\jpppd.exec:\jpppd.exe93⤵
-
\??\c:\826482.exec:\826482.exe94⤵
-
\??\c:\844284.exec:\844284.exe95⤵
-
\??\c:\8840646.exec:\8840646.exe96⤵
-
\??\c:\jvvjp.exec:\jvvjp.exe97⤵
-
\??\c:\84602.exec:\84602.exe98⤵
-
\??\c:\jjppj.exec:\jjppj.exe99⤵
-
\??\c:\40260.exec:\40260.exe100⤵
-
\??\c:\020248.exec:\020248.exe101⤵
-
\??\c:\86626.exec:\86626.exe102⤵
-
\??\c:\dpdjj.exec:\dpdjj.exe103⤵
-
\??\c:\2280244.exec:\2280244.exe104⤵
-
\??\c:\422026.exec:\422026.exe105⤵
-
\??\c:\rrrffxr.exec:\rrrffxr.exe106⤵
-
\??\c:\k02022.exec:\k02022.exe107⤵
-
\??\c:\bnnbhb.exec:\bnnbhb.exe108⤵
-
\??\c:\86444.exec:\86444.exe109⤵
-
\??\c:\jdjpj.exec:\jdjpj.exe110⤵
-
\??\c:\628000.exec:\628000.exe111⤵
-
\??\c:\3lfxxrl.exec:\3lfxxrl.exe112⤵
-
\??\c:\24628.exec:\24628.exe113⤵
-
\??\c:\frxrxxx.exec:\frxrxxx.exe114⤵
-
\??\c:\6800444.exec:\6800444.exe115⤵
-
\??\c:\66226.exec:\66226.exe116⤵
-
\??\c:\864024.exec:\864024.exe117⤵
-
\??\c:\rfrfxxr.exec:\rfrfxxr.exe118⤵
-
\??\c:\82040.exec:\82040.exe119⤵
-
\??\c:\2684008.exec:\2684008.exe120⤵
-
\??\c:\88480.exec:\88480.exe121⤵
-
\??\c:\htbnnh.exec:\htbnnh.exe122⤵
-
\??\c:\g0804.exec:\g0804.exe123⤵
-
\??\c:\9llfffr.exec:\9llfffr.exe124⤵
-
\??\c:\vvpvd.exec:\vvpvd.exe125⤵
-
\??\c:\228440.exec:\228440.exe126⤵
-
\??\c:\4006482.exec:\4006482.exe127⤵
-
\??\c:\8266024.exec:\8266024.exe128⤵
-
\??\c:\flllffx.exec:\flllffx.exe129⤵
-
\??\c:\2848284.exec:\2848284.exe130⤵
-
\??\c:\a6486.exec:\a6486.exe131⤵
-
\??\c:\006480.exec:\006480.exe132⤵
-
\??\c:\xrrrllf.exec:\xrrrllf.exe133⤵
-
\??\c:\lfrlrlf.exec:\lfrlrlf.exe134⤵
-
\??\c:\hhnbnh.exec:\hhnbnh.exe135⤵
-
\??\c:\484288.exec:\484288.exe136⤵
-
\??\c:\frfffrr.exec:\frfffrr.exe137⤵
-
\??\c:\4488682.exec:\4488682.exe138⤵
-
\??\c:\llrllrx.exec:\llrllrx.exe139⤵
-
\??\c:\jjpdv.exec:\jjpdv.exe140⤵
-
\??\c:\28822.exec:\28822.exe141⤵
-
\??\c:\hnttnt.exec:\hnttnt.exe142⤵
-
\??\c:\2206266.exec:\2206266.exe143⤵
-
\??\c:\7xxxrrl.exec:\7xxxrrl.exe144⤵
-
\??\c:\jdpjp.exec:\jdpjp.exe145⤵
-
\??\c:\jdddp.exec:\jdddp.exe146⤵
-
\??\c:\djjdd.exec:\djjdd.exe147⤵
-
\??\c:\c808484.exec:\c808484.exe148⤵
-
\??\c:\0620482.exec:\0620482.exe149⤵
-
\??\c:\88668.exec:\88668.exe150⤵
-
\??\c:\9lfxffl.exec:\9lfxffl.exe151⤵
-
\??\c:\nbttbt.exec:\nbttbt.exe152⤵
-
\??\c:\fxlfrff.exec:\fxlfrff.exe153⤵
-
\??\c:\lflfxff.exec:\lflfxff.exe154⤵
-
\??\c:\xfllflr.exec:\xfllflr.exe155⤵
-
\??\c:\628260.exec:\628260.exe156⤵
-
\??\c:\64482.exec:\64482.exe157⤵
-
\??\c:\28482.exec:\28482.exe158⤵
-
\??\c:\dvpjd.exec:\dvpjd.exe159⤵
-
\??\c:\w02600.exec:\w02600.exe160⤵
-
\??\c:\2262284.exec:\2262284.exe161⤵
-
\??\c:\tbnhbn.exec:\tbnhbn.exe162⤵
-
\??\c:\0660660.exec:\0660660.exe163⤵
-
\??\c:\86822.exec:\86822.exe164⤵
-
\??\c:\xlxxxrx.exec:\xlxxxrx.exe165⤵
-
\??\c:\7lflfxf.exec:\7lflfxf.exe166⤵
-
\??\c:\lxllfxl.exec:\lxllfxl.exe167⤵
-
\??\c:\fllxlfr.exec:\fllxlfr.exe168⤵
-
\??\c:\jjjdv.exec:\jjjdv.exe169⤵
-
\??\c:\80886.exec:\80886.exe170⤵
-
\??\c:\668682.exec:\668682.exe171⤵
-
\??\c:\ntbhbt.exec:\ntbhbt.exe172⤵
-
\??\c:\040060.exec:\040060.exe173⤵
-
\??\c:\5vdvj.exec:\5vdvj.exe174⤵
-
\??\c:\0884080.exec:\0884080.exe175⤵
-
\??\c:\htthnt.exec:\htthnt.exe176⤵
-
\??\c:\662666.exec:\662666.exe177⤵
-
\??\c:\5dvpj.exec:\5dvpj.exe178⤵
-
\??\c:\nhhtbb.exec:\nhhtbb.exe179⤵
-
\??\c:\284888.exec:\284888.exe180⤵
-
\??\c:\240088.exec:\240088.exe181⤵
-
\??\c:\9flfrrl.exec:\9flfrrl.exe182⤵
-
\??\c:\440042.exec:\440042.exe183⤵
-
\??\c:\lllfxxr.exec:\lllfxxr.exe184⤵
-
\??\c:\4004826.exec:\4004826.exe185⤵
-
\??\c:\pdjvj.exec:\pdjvj.exe186⤵
-
\??\c:\pjvjd.exec:\pjvjd.exe187⤵
-
\??\c:\w84262.exec:\w84262.exe188⤵
-
\??\c:\402608.exec:\402608.exe189⤵
-
\??\c:\vvppv.exec:\vvppv.exe190⤵
-
\??\c:\pvpdv.exec:\pvpdv.exe191⤵
-
\??\c:\9fflflx.exec:\9fflflx.exe192⤵
-
\??\c:\7ffxrrf.exec:\7ffxrrf.exe193⤵
-
\??\c:\3hnnht.exec:\3hnnht.exe194⤵
-
\??\c:\44620.exec:\44620.exe195⤵
-
\??\c:\5jjvj.exec:\5jjvj.exe196⤵
-
\??\c:\3ddpj.exec:\3ddpj.exe197⤵
-
\??\c:\a4604.exec:\a4604.exe198⤵
-
\??\c:\lllxxxr.exec:\lllxxxr.exe199⤵
-
\??\c:\jvjvp.exec:\jvjvp.exe200⤵
-
\??\c:\660048.exec:\660048.exe201⤵
-
\??\c:\bbhbnn.exec:\bbhbnn.exe202⤵
-
\??\c:\22826.exec:\22826.exe203⤵
-
\??\c:\288428.exec:\288428.exe204⤵
-
\??\c:\tthhtb.exec:\tthhtb.exe205⤵
-
\??\c:\a4626.exec:\a4626.exe206⤵
-
\??\c:\4268226.exec:\4268226.exe207⤵
-
\??\c:\8422600.exec:\8422600.exe208⤵
-
\??\c:\bthnhb.exec:\bthnhb.exe209⤵
-
\??\c:\3lrrllf.exec:\3lrrllf.exe210⤵
-
\??\c:\q60840.exec:\q60840.exe211⤵
-
\??\c:\082644.exec:\082644.exe212⤵
-
\??\c:\1jjdj.exec:\1jjdj.exe213⤵
-
\??\c:\xffrllf.exec:\xffrllf.exe214⤵
-
\??\c:\880600.exec:\880600.exe215⤵
-
\??\c:\1pppv.exec:\1pppv.exe216⤵
-
\??\c:\448622.exec:\448622.exe217⤵
-
\??\c:\llrlfxr.exec:\llrlfxr.exe218⤵
-
\??\c:\pvppp.exec:\pvppp.exe219⤵
-
\??\c:\6668242.exec:\6668242.exe220⤵
-
\??\c:\m0600.exec:\m0600.exe221⤵
-
\??\c:\062482.exec:\062482.exe222⤵
-
\??\c:\lrfxfxr.exec:\lrfxfxr.exe223⤵
-
\??\c:\c640046.exec:\c640046.exe224⤵
-
\??\c:\28622.exec:\28622.exe225⤵
-
\??\c:\g4082.exec:\g4082.exe226⤵
-
\??\c:\480288.exec:\480288.exe227⤵
-
\??\c:\bbbnbt.exec:\bbbnbt.exe228⤵
-
\??\c:\frrfxrf.exec:\frrfxrf.exe229⤵
-
\??\c:\i682048.exec:\i682048.exe230⤵
-
\??\c:\244824.exec:\244824.exe231⤵
-
\??\c:\62846.exec:\62846.exe232⤵
-
\??\c:\804246.exec:\804246.exe233⤵
-
\??\c:\2840628.exec:\2840628.exe234⤵
-
\??\c:\tthhnn.exec:\tthhnn.exe235⤵
-
\??\c:\fxxxxff.exec:\fxxxxff.exe236⤵
-
\??\c:\8288662.exec:\8288662.exe237⤵
-
\??\c:\k20840.exec:\k20840.exe238⤵
-
\??\c:\0462600.exec:\0462600.exe239⤵
-
\??\c:\rxxxxfx.exec:\rxxxxfx.exe240⤵
-
\??\c:\btbbtn.exec:\btbbtn.exe241⤵