Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
20-05-2024 10:15
General
-
Target
e5f84a35e927bed93650998a0f6493b0_NeikiAnalytics.exe
-
Size
367KB
-
MD5
e5f84a35e927bed93650998a0f6493b0
-
SHA1
a0cdcff698e00f3648f386227c2d0dfbd933bcf3
-
SHA256
579f2d15b42b6f08fa0464da4ba705eb1415701fefd83f4ef4ab6eb5bb257d98
-
SHA512
085066558b8b0c5e5c120f8daabd932e29758484d9d2d6a1f49ddd86a9dac05521dacda352dcbe248eeec8a86bf853ce54a10cbb3db8a25fdb65a656e521954b
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73tvn+Yp9FrHSwh/c/hdTWGIaxJ8TN005pWmjVwdSsyL:n3C9BRo7tvnJ9Fywhk/T7xyTpShZ6
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e5f84a35e927bed93650998a0f6493b0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\e5f84a35e927bed93650998a0f6493b0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\dpjdj.exec:\dpjdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\040608.exec:\040608.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\i266828.exec:\i266828.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\486800.exec:\486800.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnntt.exec:\ttnntt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrfxlxl.exec:\xrfxlxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\40402.exec:\40402.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhtntt.exec:\nhtntt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\u802840.exec:\u802840.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2602846.exec:\2602846.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\k26006.exec:\k26006.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\820684.exec:\820684.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\a0406.exec:\a0406.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxrrflr.exec:\lxrrflr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\q22822.exec:\q22822.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\28880.exec:\28880.exe17⤵
- Executes dropped EXE
-
\??\c:\400066.exec:\400066.exe18⤵
- Executes dropped EXE
-
\??\c:\4428402.exec:\4428402.exe19⤵
- Executes dropped EXE
-
\??\c:\xrlrflf.exec:\xrlrflf.exe20⤵
- Executes dropped EXE
-
\??\c:\22600.exec:\22600.exe21⤵
- Executes dropped EXE
-
\??\c:\xxxfxfx.exec:\xxxfxfx.exe22⤵
- Executes dropped EXE
-
\??\c:\6224022.exec:\6224022.exe23⤵
- Executes dropped EXE
-
\??\c:\vpdjv.exec:\vpdjv.exe24⤵
- Executes dropped EXE
-
\??\c:\g6286.exec:\g6286.exe25⤵
- Executes dropped EXE
-
\??\c:\1vddj.exec:\1vddj.exe26⤵
- Executes dropped EXE
-
\??\c:\lxrrfll.exec:\lxrrfll.exe27⤵
- Executes dropped EXE
-
\??\c:\8068620.exec:\8068620.exe28⤵
- Executes dropped EXE
-
\??\c:\6088402.exec:\6088402.exe29⤵
- Executes dropped EXE
-
\??\c:\hhthnb.exec:\hhthnb.exe30⤵
- Executes dropped EXE
-
\??\c:\ntbnnb.exec:\ntbnnb.exe31⤵
- Executes dropped EXE
-
\??\c:\7lfxxxx.exec:\7lfxxxx.exe32⤵
- Executes dropped EXE
-
\??\c:\rrxfxrf.exec:\rrxfxrf.exe33⤵
- Executes dropped EXE
-
\??\c:\k68640.exec:\k68640.exe34⤵
- Executes dropped EXE
-
\??\c:\5nbbtn.exec:\5nbbtn.exe35⤵
- Executes dropped EXE
-
\??\c:\nntbhh.exec:\nntbhh.exe36⤵
-
\??\c:\486802.exec:\486802.exe37⤵
- Executes dropped EXE
-
\??\c:\2844486.exec:\2844486.exe38⤵
- Executes dropped EXE
-
\??\c:\hhbnbn.exec:\hhbnbn.exe39⤵
- Executes dropped EXE
-
\??\c:\262284.exec:\262284.exe40⤵
- Executes dropped EXE
-
\??\c:\06008.exec:\06008.exe41⤵
- Executes dropped EXE
-
\??\c:\htnhbb.exec:\htnhbb.exe42⤵
- Executes dropped EXE
-
\??\c:\vjjdj.exec:\vjjdj.exe43⤵
- Executes dropped EXE
-
\??\c:\g6680.exec:\g6680.exe44⤵
- Executes dropped EXE
-
\??\c:\c802248.exec:\c802248.exe45⤵
- Executes dropped EXE
-
\??\c:\dvpvd.exec:\dvpvd.exe46⤵
- Executes dropped EXE
-
\??\c:\xxlffxx.exec:\xxlffxx.exe47⤵
- Executes dropped EXE
-
\??\c:\628266.exec:\628266.exe48⤵
- Executes dropped EXE
-
\??\c:\vvjjd.exec:\vvjjd.exe49⤵
- Executes dropped EXE
-
\??\c:\826640.exec:\826640.exe50⤵
- Executes dropped EXE
-
\??\c:\o640668.exec:\o640668.exe51⤵
- Executes dropped EXE
-
\??\c:\k60684.exec:\k60684.exe52⤵
- Executes dropped EXE
-
\??\c:\fxlrflf.exec:\fxlrflf.exe53⤵
- Executes dropped EXE
-
\??\c:\ntthnb.exec:\ntthnb.exe54⤵
- Executes dropped EXE
-
\??\c:\88248.exec:\88248.exe55⤵
- Executes dropped EXE
-
\??\c:\rrfflrl.exec:\rrfflrl.exe56⤵
- Executes dropped EXE
-
\??\c:\80224.exec:\80224.exe57⤵
- Executes dropped EXE
-
\??\c:\fxrxrrr.exec:\fxrxrrr.exe58⤵
- Executes dropped EXE
-
\??\c:\3rrffrx.exec:\3rrffrx.exe59⤵
- Executes dropped EXE
-
\??\c:\5tnhbn.exec:\5tnhbn.exe60⤵
- Executes dropped EXE
-
\??\c:\s2626.exec:\s2626.exe61⤵
- Executes dropped EXE
-
\??\c:\g8006.exec:\g8006.exe62⤵
- Executes dropped EXE
-
\??\c:\9htntt.exec:\9htntt.exe63⤵
- Executes dropped EXE
-
\??\c:\886264.exec:\886264.exe64⤵
- Executes dropped EXE
-
\??\c:\480240.exec:\480240.exe65⤵
- Executes dropped EXE
-
\??\c:\7xlfflr.exec:\7xlfflr.exe66⤵
- Executes dropped EXE
-
\??\c:\08068.exec:\08068.exe67⤵
-
\??\c:\044406.exec:\044406.exe68⤵
-
\??\c:\1rrfllr.exec:\1rrfllr.exe69⤵
-
\??\c:\tbtthh.exec:\tbtthh.exe70⤵
-
\??\c:\a6424.exec:\a6424.exe71⤵
-
\??\c:\2424620.exec:\2424620.exe72⤵
-
\??\c:\a2242.exec:\a2242.exe73⤵
-
\??\c:\frrfrfl.exec:\frrfrfl.exe74⤵
-
\??\c:\nhbnbn.exec:\nhbnbn.exe75⤵
-
\??\c:\e64684.exec:\e64684.exe76⤵
-
\??\c:\602862.exec:\602862.exe77⤵
-
\??\c:\66666.exec:\66666.exe78⤵
-
\??\c:\0044006.exec:\0044006.exe79⤵
-
\??\c:\ffxfrrf.exec:\ffxfrrf.exe80⤵
-
\??\c:\q82062.exec:\q82062.exe81⤵
-
\??\c:\5pdjj.exec:\5pdjj.exe82⤵
-
\??\c:\1fxfxxf.exec:\1fxfxxf.exe83⤵
-
\??\c:\446424.exec:\446424.exe84⤵
-
\??\c:\5pvpp.exec:\5pvpp.exe85⤵
-
\??\c:\7xxxffl.exec:\7xxxffl.exe86⤵
-
\??\c:\8684662.exec:\8684662.exe87⤵
-
\??\c:\4800842.exec:\4800842.exe88⤵
-
\??\c:\2040620.exec:\2040620.exe89⤵
-
\??\c:\jpjjv.exec:\jpjjv.exe90⤵
-
\??\c:\lfrfxlr.exec:\lfrfxlr.exe91⤵
-
\??\c:\5ffflrf.exec:\5ffflrf.exe92⤵
-
\??\c:\dddvp.exec:\dddvp.exe93⤵
-
\??\c:\20402.exec:\20402.exe94⤵
-
\??\c:\xfrfxfx.exec:\xfrfxfx.exe95⤵
-
\??\c:\3vvvp.exec:\3vvvp.exe96⤵
-
\??\c:\20286.exec:\20286.exe97⤵
-
\??\c:\2606284.exec:\2606284.exe98⤵
-
\??\c:\tbtbht.exec:\tbtbht.exe99⤵
-
\??\c:\66446.exec:\66446.exe100⤵
-
\??\c:\tnhntb.exec:\tnhntb.exe101⤵
-
\??\c:\8880228.exec:\8880228.exe102⤵
-
\??\c:\2028446.exec:\2028446.exe103⤵
-
\??\c:\hnnbhh.exec:\hnnbhh.exe104⤵
-
\??\c:\nnbnth.exec:\nnbnth.exe105⤵
-
\??\c:\88868.exec:\88868.exe106⤵
-
\??\c:\60280.exec:\60280.exe107⤵
-
\??\c:\4804600.exec:\4804600.exe108⤵
-
\??\c:\4206880.exec:\4206880.exe109⤵
-
\??\c:\fxxrrrr.exec:\fxxrrrr.exe110⤵
-
\??\c:\2628000.exec:\2628000.exe111⤵
-
\??\c:\866644.exec:\866644.exe112⤵
-
\??\c:\lfxfrfl.exec:\lfxfrfl.exe113⤵
-
\??\c:\i680662.exec:\i680662.exe114⤵
-
\??\c:\08202.exec:\08202.exe115⤵
-
\??\c:\6468840.exec:\6468840.exe116⤵
-
\??\c:\2208220.exec:\2208220.exe117⤵
-
\??\c:\5jddd.exec:\5jddd.exe118⤵
-
\??\c:\e02802.exec:\e02802.exe119⤵
-
\??\c:\028282.exec:\028282.exe120⤵
-
\??\c:\hnhnbh.exec:\hnhnbh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-