Analysis
-
max time kernel
150s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
19-05-2024 17:09
General
-
Target
fcbc119198856c71d92e740275e28890_NeikiAnalytics.exe
-
Size
343KB
-
MD5
fcbc119198856c71d92e740275e28890
-
SHA1
65055439ff939d23028daad1238486dd613b38aa
-
SHA256
8ee894f4eb1997e4ed2b3500053ac2aee7de380c39ec1d34d827044bd967ab9c
-
SHA512
d94f887fcab6a9a8bb2ee116f9a25948da7cb8726ea2f59bb1dcf99e8b467f52840f871a3315f2df548c060d49128dd08346b51dcf06d3d1a32af284c4fce1a5
-
SSDEEP
6144:n3C9BRo/AIX2MUXownfWQkyCpxwJz9e0pQowLh3EhToK9cT085mnFhXjmnwJQyII:n3C9uDnUXoSWlnwJv90aKToFqwfIBm
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 27 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3844809093\zmstage.exeC:\Users\Admin\AppData\Local\Temp\3844809093\zmstage.exe1⤵
-
C:\Windows\system32\MusNotification.exeC:\Windows\system32\MusNotification.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\fcbc119198856c71d92e740275e28890_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\fcbc119198856c71d92e740275e28890_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\dddjv.exec:\dddjv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpjdp.exec:\jpjdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlrllll.exec:\xlrllll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nthbbh.exec:\nthbbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdjdd.exec:\vdjdd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffllxxx.exec:\ffllxxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbbbb.exec:\htbbbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpjd.exec:\dvpjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flfrlfl.exec:\flfrlfl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbbbbh.exec:\tbbbbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvvvp.exec:\pvvvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfrrrrl.exec:\lfrrrrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnnnn.exec:\btnnnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvddv.exec:\pvddv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrrrrr.exec:\rfrrrrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbnntt.exec:\bbnntt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvpp.exec:\pdvpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlfxffr.exec:\xlfxffr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7vvvp.exec:\7vvvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppvpp.exec:\ppvpp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffffxfx.exec:\ffffxfx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnttbb.exec:\nnttbb.exe23⤵
- Executes dropped EXE
-
\??\c:\5lfxxfl.exec:\5lfxxfl.exe24⤵
- Executes dropped EXE
-
\??\c:\hhnbtt.exec:\hhnbtt.exe25⤵
- Executes dropped EXE
-
\??\c:\dvppd.exec:\dvppd.exe26⤵
- Executes dropped EXE
-
\??\c:\rrfxlll.exec:\rrfxlll.exe27⤵
- Executes dropped EXE
-
\??\c:\lrrxxxf.exec:\lrrxxxf.exe28⤵
- Executes dropped EXE
-
\??\c:\9ttnhh.exec:\9ttnhh.exe29⤵
- Executes dropped EXE
-
\??\c:\djdjj.exec:\djdjj.exe30⤵
- Executes dropped EXE
-
\??\c:\rflxxxf.exec:\rflxxxf.exe31⤵
- Executes dropped EXE
-
\??\c:\5bhnnb.exec:\5bhnnb.exe32⤵
- Executes dropped EXE
-
\??\c:\jvdjj.exec:\jvdjj.exe33⤵
- Executes dropped EXE
-
\??\c:\fllflfl.exec:\fllflfl.exe34⤵
- Executes dropped EXE
-
\??\c:\5hhhhn.exec:\5hhhhn.exe35⤵
- Executes dropped EXE
-
\??\c:\ttnnth.exec:\ttnnth.exe36⤵
- Executes dropped EXE
-
\??\c:\ppvvv.exec:\ppvvv.exe37⤵
- Executes dropped EXE
-
\??\c:\rrlllrr.exec:\rrlllrr.exe38⤵
- Executes dropped EXE
-
\??\c:\xlrxrrf.exec:\xlrxrrf.exe39⤵
- Executes dropped EXE
-
\??\c:\9htbnt.exec:\9htbnt.exe40⤵
- Executes dropped EXE
-
\??\c:\3jvpv.exec:\3jvpv.exe41⤵
- Executes dropped EXE
-
\??\c:\xffxxxf.exec:\xffxxxf.exe42⤵
- Executes dropped EXE
-
\??\c:\llrrllx.exec:\llrrllx.exe43⤵
- Executes dropped EXE
-
\??\c:\hnbbtt.exec:\hnbbtt.exe44⤵
- Executes dropped EXE
-
\??\c:\jpppp.exec:\jpppp.exe45⤵
- Executes dropped EXE
-
\??\c:\jdjpp.exec:\jdjpp.exe46⤵
- Executes dropped EXE
-
\??\c:\lxlxlrf.exec:\lxlxlrf.exe47⤵
- Executes dropped EXE
-
\??\c:\1bbbtb.exec:\1bbbtb.exe48⤵
- Executes dropped EXE
-
\??\c:\tttntt.exec:\tttntt.exe49⤵
- Executes dropped EXE
-
\??\c:\dvvvv.exec:\dvvvv.exe50⤵
- Executes dropped EXE
-
\??\c:\flfxxxr.exec:\flfxxxr.exe51⤵
- Executes dropped EXE
-
\??\c:\rrlllff.exec:\rrlllff.exe52⤵
- Executes dropped EXE
-
\??\c:\nbtnhh.exec:\nbtnhh.exe53⤵
- Executes dropped EXE
-
\??\c:\ppdvv.exec:\ppdvv.exe54⤵
- Executes dropped EXE
-
\??\c:\vdjjv.exec:\vdjjv.exe55⤵
- Executes dropped EXE
-
\??\c:\frrrxrx.exec:\frrrxrx.exe56⤵
- Executes dropped EXE
-
\??\c:\hbttnn.exec:\hbttnn.exe57⤵
- Executes dropped EXE
-
\??\c:\vdvvv.exec:\vdvvv.exe58⤵
- Executes dropped EXE
-
\??\c:\fxffxll.exec:\fxffxll.exe59⤵
- Executes dropped EXE
-
\??\c:\9fffrrl.exec:\9fffrrl.exe60⤵
- Executes dropped EXE
-
\??\c:\hnbbtb.exec:\hnbbtb.exe61⤵
- Executes dropped EXE
-
\??\c:\nbhbbn.exec:\nbhbbn.exe62⤵
- Executes dropped EXE
-
\??\c:\jvjdd.exec:\jvjdd.exe63⤵
- Executes dropped EXE
-
\??\c:\xrxrlrl.exec:\xrxrlrl.exe64⤵
- Executes dropped EXE
-
\??\c:\xxfflrf.exec:\xxfflrf.exe65⤵
- Executes dropped EXE
-
\??\c:\5tttnn.exec:\5tttnn.exe66⤵
-
\??\c:\jpdvv.exec:\jpdvv.exe67⤵
-
\??\c:\dvppj.exec:\dvppj.exe68⤵
-
\??\c:\ffrflll.exec:\ffrflll.exe69⤵
-
\??\c:\5thhhn.exec:\5thhhn.exe70⤵
-
\??\c:\bhbttb.exec:\bhbttb.exe71⤵
-
\??\c:\1jjdd.exec:\1jjdd.exe72⤵
-
\??\c:\fxrllxr.exec:\fxrllxr.exe73⤵
-
\??\c:\frrrxlr.exec:\frrrxlr.exe74⤵
-
\??\c:\nhhbbh.exec:\nhhbbh.exe75⤵
-
\??\c:\ddvpv.exec:\ddvpv.exe76⤵
-
\??\c:\ppvdd.exec:\ppvdd.exe77⤵
-
\??\c:\fxffffx.exec:\fxffffx.exe78⤵
-
\??\c:\xlrrrrr.exec:\xlrrrrr.exe79⤵
-
\??\c:\htbnhb.exec:\htbnhb.exe80⤵
-
\??\c:\tttnnt.exec:\tttnnt.exe81⤵
-
\??\c:\jdddv.exec:\jdddv.exe82⤵
-
\??\c:\rlrxxfl.exec:\rlrxxfl.exe83⤵
-
\??\c:\llxrllr.exec:\llxrllr.exe84⤵
-
\??\c:\bhbttt.exec:\bhbttt.exe85⤵
-
\??\c:\jppjd.exec:\jppjd.exe86⤵
-
\??\c:\lflfrrf.exec:\lflfrrf.exe87⤵
-
\??\c:\flxrxrf.exec:\flxrxrf.exe88⤵
-
\??\c:\bnhntt.exec:\bnhntt.exe89⤵
-
\??\c:\nhhhbb.exec:\nhhhbb.exe90⤵
-
\??\c:\5jjdv.exec:\5jjdv.exe91⤵
-
\??\c:\flrffxr.exec:\flrffxr.exe92⤵
-
\??\c:\frxxfff.exec:\frxxfff.exe93⤵
-
\??\c:\bbhnnh.exec:\bbhnnh.exe94⤵
-
\??\c:\hnnttt.exec:\hnnttt.exe95⤵
-
\??\c:\vvvpv.exec:\vvvpv.exe96⤵
-
\??\c:\xxlrflx.exec:\xxlrflx.exe97⤵
-
\??\c:\xxllllr.exec:\xxllllr.exe98⤵
-
\??\c:\nbhbhn.exec:\nbhbhn.exe99⤵
-
\??\c:\tbtnbn.exec:\tbtnbn.exe100⤵
-
\??\c:\3vdvp.exec:\3vdvp.exe101⤵
-
\??\c:\rxllffx.exec:\rxllffx.exe102⤵
-
\??\c:\hhnhhn.exec:\hhnhhn.exe103⤵
-
\??\c:\bbbthh.exec:\bbbthh.exe104⤵
-
\??\c:\nhhhbb.exec:\nhhhbb.exe105⤵
-
\??\c:\vpvpp.exec:\vpvpp.exe106⤵
-
\??\c:\rffrllf.exec:\rffrllf.exe107⤵
-
\??\c:\tthnth.exec:\tthnth.exe108⤵
-
\??\c:\nnbthh.exec:\nnbthh.exe109⤵
-
\??\c:\pjjdv.exec:\pjjdv.exe110⤵
-
\??\c:\vvvpp.exec:\vvvpp.exe111⤵
-
\??\c:\frxrlfl.exec:\frxrlfl.exe112⤵
-
\??\c:\hntttt.exec:\hntttt.exe113⤵
-
\??\c:\bbhhbt.exec:\bbhhbt.exe114⤵
-
\??\c:\jvvpj.exec:\jvvpj.exe115⤵
-
\??\c:\ddppj.exec:\ddppj.exe116⤵
-
\??\c:\lfrlfxl.exec:\lfrlfxl.exe117⤵
-
\??\c:\tntnhb.exec:\tntnhb.exe118⤵
-
\??\c:\hbhtbt.exec:\hbhtbt.exe119⤵
-
\??\c:\jvpdp.exec:\jvpdp.exe120⤵
-
\??\c:\rflfxrx.exec:\rflfxrx.exe121⤵
-
\??\c:\lxxxxrl.exec:\lxxxxrl.exe122⤵
-
\??\c:\bnhhnb.exec:\bnhhnb.exe123⤵
-
\??\c:\vpvpj.exec:\vpvpj.exe124⤵
-
\??\c:\jpjdp.exec:\jpjdp.exe125⤵
-
\??\c:\flxllxx.exec:\flxllxx.exe126⤵
-
\??\c:\btttnh.exec:\btttnh.exe127⤵
-
\??\c:\dpjdp.exec:\dpjdp.exe128⤵
-
\??\c:\jjvvp.exec:\jjvvp.exe129⤵
-
\??\c:\fffxlfx.exec:\fffxlfx.exe130⤵
-
\??\c:\xffxxrl.exec:\xffxxrl.exe131⤵
-
\??\c:\hnhnth.exec:\hnhnth.exe132⤵
-
\??\c:\jdpjj.exec:\jdpjj.exe133⤵
-
\??\c:\dvpjv.exec:\dvpjv.exe134⤵
-
\??\c:\9fflxlx.exec:\9fflxlx.exe135⤵
-
\??\c:\bnbnhh.exec:\bnbnhh.exe136⤵
-
\??\c:\btnbtn.exec:\btnbtn.exe137⤵
-
\??\c:\dvpdp.exec:\dvpdp.exe138⤵
-
\??\c:\vjjdv.exec:\vjjdv.exe139⤵
-
\??\c:\rxlfffx.exec:\rxlfffx.exe140⤵
-
\??\c:\lxffrrl.exec:\lxffrrl.exe141⤵
-
\??\c:\nnbttt.exec:\nnbttt.exe142⤵
-
\??\c:\ddpdv.exec:\ddpdv.exe143⤵
-
\??\c:\llffllx.exec:\llffllx.exe144⤵
-
\??\c:\xxfrrxr.exec:\xxfrrxr.exe145⤵
-
\??\c:\bbthnn.exec:\bbthnn.exe146⤵
-
\??\c:\djpjv.exec:\djpjv.exe147⤵
-
\??\c:\vvjdv.exec:\vvjdv.exe148⤵
-
\??\c:\rrfrfxf.exec:\rrfrfxf.exe149⤵
-
\??\c:\rrxrxxf.exec:\rrxrxxf.exe150⤵
-
\??\c:\ttbbhh.exec:\ttbbhh.exe151⤵
-
\??\c:\hhnbtn.exec:\hhnbtn.exe152⤵
-
\??\c:\jvjvp.exec:\jvjvp.exe153⤵
-
\??\c:\frxrxrr.exec:\frxrxrr.exe154⤵
-
\??\c:\5rfxrrr.exec:\5rfxrrr.exe155⤵
-
\??\c:\bnhbbn.exec:\bnhbbn.exe156⤵
-
\??\c:\nhhhbb.exec:\nhhhbb.exe157⤵
-
\??\c:\pppjd.exec:\pppjd.exe158⤵
-
\??\c:\xlfrfrf.exec:\xlfrfrf.exe159⤵
-
\??\c:\xrxrfxx.exec:\xrxrfxx.exe160⤵
-
\??\c:\7hhbnt.exec:\7hhbnt.exe161⤵
-
\??\c:\jpjdd.exec:\jpjdd.exe162⤵
-
\??\c:\jpjjj.exec:\jpjjj.exe163⤵
-
\??\c:\rlxrxrx.exec:\rlxrxrx.exe164⤵
-
\??\c:\hhbbhn.exec:\hhbbhn.exe165⤵
-
\??\c:\hnbbnn.exec:\hnbbnn.exe166⤵
-
\??\c:\vjjdv.exec:\vjjdv.exe167⤵
-
\??\c:\7ppjd.exec:\7ppjd.exe168⤵
-
\??\c:\lfxxffr.exec:\lfxxffr.exe169⤵
-
\??\c:\ttbbth.exec:\ttbbth.exe170⤵
-
\??\c:\bhtttb.exec:\bhtttb.exe171⤵
-
\??\c:\vdddv.exec:\vdddv.exe172⤵
-
\??\c:\dvpdj.exec:\dvpdj.exe173⤵
-
\??\c:\fffrffx.exec:\fffrffx.exe174⤵
-
\??\c:\hbtntt.exec:\hbtntt.exe175⤵
-
\??\c:\bntbtt.exec:\bntbtt.exe176⤵
-
\??\c:\pvjjj.exec:\pvjjj.exe177⤵
-
\??\c:\frlxlrx.exec:\frlxlrx.exe178⤵
-
\??\c:\rlrllrx.exec:\rlrllrx.exe179⤵
-
\??\c:\hhhhhh.exec:\hhhhhh.exe180⤵
-
\??\c:\vjppj.exec:\vjppj.exe181⤵
-
\??\c:\ddvvj.exec:\ddvvj.exe182⤵
-
\??\c:\lllrllr.exec:\lllrllr.exe183⤵
-
\??\c:\btnhht.exec:\btnhht.exe184⤵
-
\??\c:\pddvv.exec:\pddvv.exe185⤵
-
\??\c:\jvjjj.exec:\jvjjj.exe186⤵
-
\??\c:\xlrlxxr.exec:\xlrlxxr.exe187⤵
-
\??\c:\htbtth.exec:\htbtth.exe188⤵
-
\??\c:\bnthbt.exec:\bnthbt.exe189⤵
-
\??\c:\dvvpj.exec:\dvvpj.exe190⤵
-
\??\c:\vpdjp.exec:\vpdjp.exe191⤵
-
\??\c:\fxfrlrl.exec:\fxfrlrl.exe192⤵
-
\??\c:\tthhhn.exec:\tthhhn.exe193⤵
-
\??\c:\nnhthb.exec:\nnhthb.exe194⤵
-
\??\c:\pjddd.exec:\pjddd.exe195⤵
-
\??\c:\lrlflxl.exec:\lrlflxl.exe196⤵
-
\??\c:\frfrfxl.exec:\frfrfxl.exe197⤵
-
\??\c:\tnnhbt.exec:\tnnhbt.exe198⤵
-
\??\c:\vpdvj.exec:\vpdvj.exe199⤵
-
\??\c:\vvvpv.exec:\vvvpv.exe200⤵
-
\??\c:\rlrlfxr.exec:\rlrlfxr.exe201⤵
-
\??\c:\xxllffx.exec:\xxllffx.exe202⤵
-
\??\c:\7hbttt.exec:\7hbttt.exe203⤵
-
\??\c:\vvpjj.exec:\vvpjj.exe204⤵
-
\??\c:\pddpj.exec:\pddpj.exe205⤵
-
\??\c:\flrxrxr.exec:\flrxrxr.exe206⤵
-
\??\c:\lxfxllf.exec:\lxfxllf.exe207⤵
-
\??\c:\1bbtnt.exec:\1bbtnt.exe208⤵
-
\??\c:\pjjdv.exec:\pjjdv.exe209⤵
-
\??\c:\5vddv.exec:\5vddv.exe210⤵
-
\??\c:\lxrlxxx.exec:\lxrlxxx.exe211⤵
-
\??\c:\nhnthh.exec:\nhnthh.exe212⤵
-
\??\c:\9bbthh.exec:\9bbthh.exe213⤵
-
\??\c:\ddppj.exec:\ddppj.exe214⤵
-
\??\c:\vpvjj.exec:\vpvjj.exe215⤵
-
\??\c:\fxlrllf.exec:\fxlrllf.exe216⤵
-
\??\c:\thhbtn.exec:\thhbtn.exe217⤵
-
\??\c:\nttnhh.exec:\nttnhh.exe218⤵
-
\??\c:\9jjvd.exec:\9jjvd.exe219⤵
-
\??\c:\jvdpj.exec:\jvdpj.exe220⤵
-
\??\c:\xlrflfr.exec:\xlrflfr.exe221⤵
-
\??\c:\hhtnnh.exec:\hhtnnh.exe222⤵
-
\??\c:\hnbhbb.exec:\hnbhbb.exe223⤵
-
\??\c:\jjvpj.exec:\jjvpj.exe224⤵
-
\??\c:\xxlxfrx.exec:\xxlxfrx.exe225⤵
-
\??\c:\xlxrrxx.exec:\xlxrrxx.exe226⤵
-
\??\c:\hnhbtn.exec:\hnhbtn.exe227⤵
-
\??\c:\ddvpv.exec:\ddvpv.exe228⤵
-
\??\c:\vjpjd.exec:\vjpjd.exe229⤵
-
\??\c:\fffxxrr.exec:\fffxxrr.exe230⤵
-
\??\c:\ntnttn.exec:\ntnttn.exe231⤵
-
\??\c:\nntnhb.exec:\nntnhb.exe232⤵
-
\??\c:\1vddp.exec:\1vddp.exe233⤵
-
\??\c:\7djdv.exec:\7djdv.exe234⤵
-
\??\c:\fxlrlrf.exec:\fxlrlrf.exe235⤵
-
\??\c:\9hbtnh.exec:\9hbtnh.exe236⤵
-
\??\c:\httttn.exec:\httttn.exe237⤵
-
\??\c:\jpdvp.exec:\jpdvp.exe238⤵
-
\??\c:\lfffxrr.exec:\lfffxrr.exe239⤵
-
\??\c:\xllllrx.exec:\xllllrx.exe240⤵
-
\??\c:\nbnbbn.exec:\nbnbbn.exe241⤵