Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
22-05-2024 21:37
General
-
Target
41cf6d3d5ae3f3911c585899d83c11a0_NeikiAnalytics.exe
-
Size
95KB
-
MD5
41cf6d3d5ae3f3911c585899d83c11a0
-
SHA1
3bb81b588658334f4946e1ee7379171f18af1ed8
-
SHA256
d48b612702ea376f482c86d9bf9929074298d3accf5e9ae493f084ea52e169aa
-
SHA512
d58d848f6ade83620ab5b1de3e013eb1f0ec1caed9421251896f2b000b251cf4b8e631a2a0b193e46c6d36de07fd7a442bb912ce14c8f7dd38c14b91f900c188
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIS7/b9EUeWpEC3alBlwtn8BLnna:ymb3NkkiQ3mdBjFIi/REUZnKlbnvy
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 27 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\41cf6d3d5ae3f3911c585899d83c11a0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\41cf6d3d5ae3f3911c585899d83c11a0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\40868.exec:\40868.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\424866.exec:\424866.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7vvpd.exec:\7vvpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppvvv.exec:\ppvvv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\480622.exec:\480622.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\m4280.exec:\m4280.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\24068.exec:\24068.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djvdd.exec:\djvdd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\24664.exec:\24664.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrlfxfx.exec:\lrlfxfx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\46666.exec:\46666.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdvpj.exec:\vdvpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjjjv.exec:\vjjjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxlfxfx.exec:\lxlfxfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\826600.exec:\826600.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\20042.exec:\20042.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\684822.exec:\684822.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\g0448.exec:\g0448.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpjd.exec:\dvpjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhtbbh.exec:\nhtbbh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\k04868.exec:\k04868.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6200000.exec:\6200000.exe23⤵
- Executes dropped EXE
-
\??\c:\rfffffx.exec:\rfffffx.exe24⤵
- Executes dropped EXE
-
\??\c:\rxfffrx.exec:\rxfffrx.exe25⤵
- Executes dropped EXE
-
\??\c:\bhntnn.exec:\bhntnn.exe26⤵
- Executes dropped EXE
-
\??\c:\84888.exec:\84888.exe27⤵
- Executes dropped EXE
-
\??\c:\vpjdd.exec:\vpjdd.exe28⤵
- Executes dropped EXE
-
\??\c:\028260.exec:\028260.exe29⤵
- Executes dropped EXE
-
\??\c:\xxrlfxr.exec:\xxrlfxr.exe30⤵
- Executes dropped EXE
-
\??\c:\thtnth.exec:\thtnth.exe31⤵
- Executes dropped EXE
-
\??\c:\028422.exec:\028422.exe32⤵
- Executes dropped EXE
-
\??\c:\2600488.exec:\2600488.exe33⤵
- Executes dropped EXE
-
\??\c:\lllfxrl.exec:\lllfxrl.exe34⤵
- Executes dropped EXE
-
\??\c:\nnnbth.exec:\nnnbth.exe35⤵
- Executes dropped EXE
-
\??\c:\llrrrff.exec:\llrrrff.exe36⤵
- Executes dropped EXE
-
\??\c:\a0600.exec:\a0600.exe37⤵
- Executes dropped EXE
-
\??\c:\jddvp.exec:\jddvp.exe38⤵
- Executes dropped EXE
-
\??\c:\4288844.exec:\4288844.exe39⤵
- Executes dropped EXE
-
\??\c:\vdvvp.exec:\vdvvp.exe40⤵
- Executes dropped EXE
-
\??\c:\s2888.exec:\s2888.exe41⤵
- Executes dropped EXE
-
\??\c:\642882.exec:\642882.exe42⤵
- Executes dropped EXE
-
\??\c:\444628.exec:\444628.exe43⤵
- Executes dropped EXE
-
\??\c:\pjpvv.exec:\pjpvv.exe44⤵
- Executes dropped EXE
-
\??\c:\0684444.exec:\0684444.exe45⤵
- Executes dropped EXE
-
\??\c:\4028882.exec:\4028882.exe46⤵
- Executes dropped EXE
-
\??\c:\ppvvd.exec:\ppvvd.exe47⤵
- Executes dropped EXE
-
\??\c:\llxxrrr.exec:\llxxrrr.exe48⤵
- Executes dropped EXE
-
\??\c:\828880.exec:\828880.exe49⤵
- Executes dropped EXE
-
\??\c:\u628666.exec:\u628666.exe50⤵
- Executes dropped EXE
-
\??\c:\88440.exec:\88440.exe51⤵
- Executes dropped EXE
-
\??\c:\c066444.exec:\c066444.exe52⤵
- Executes dropped EXE
-
\??\c:\xrrlfff.exec:\xrrlfff.exe53⤵
- Executes dropped EXE
-
\??\c:\2662288.exec:\2662288.exe54⤵
- Executes dropped EXE
-
\??\c:\0444888.exec:\0444888.exe55⤵
- Executes dropped EXE
-
\??\c:\jdjpp.exec:\jdjpp.exe56⤵
- Executes dropped EXE
-
\??\c:\8404440.exec:\8404440.exe57⤵
- Executes dropped EXE
-
\??\c:\frlfrfx.exec:\frlfrfx.exe58⤵
- Executes dropped EXE
-
\??\c:\thhhhb.exec:\thhhhb.exe59⤵
- Executes dropped EXE
-
\??\c:\lxxrllf.exec:\lxxrllf.exe60⤵
- Executes dropped EXE
-
\??\c:\bnthbt.exec:\bnthbt.exe61⤵
- Executes dropped EXE
-
\??\c:\4000488.exec:\4000488.exe62⤵
- Executes dropped EXE
-
\??\c:\vvjvp.exec:\vvjvp.exe63⤵
- Executes dropped EXE
-
\??\c:\lllfxrr.exec:\lllfxrr.exe64⤵
- Executes dropped EXE
-
\??\c:\86826.exec:\86826.exe65⤵
- Executes dropped EXE
-
\??\c:\pdpjp.exec:\pdpjp.exe66⤵
-
\??\c:\k44266.exec:\k44266.exe67⤵
-
\??\c:\1jpjj.exec:\1jpjj.exe68⤵
-
\??\c:\bnnhnh.exec:\bnnhnh.exe69⤵
-
\??\c:\284804.exec:\284804.exe70⤵
-
\??\c:\88260.exec:\88260.exe71⤵
-
\??\c:\vjdvv.exec:\vjdvv.exe72⤵
-
\??\c:\006040.exec:\006040.exe73⤵
-
\??\c:\40048.exec:\40048.exe74⤵
-
\??\c:\26420.exec:\26420.exe75⤵
-
\??\c:\u288222.exec:\u288222.exe76⤵
-
\??\c:\8048262.exec:\8048262.exe77⤵
-
\??\c:\62444.exec:\62444.exe78⤵
-
\??\c:\pjddj.exec:\pjddj.exe79⤵
-
\??\c:\46204.exec:\46204.exe80⤵
-
\??\c:\86608.exec:\86608.exe81⤵
-
\??\c:\0404820.exec:\0404820.exe82⤵
-
\??\c:\lxrxlxx.exec:\lxrxlxx.exe83⤵
-
\??\c:\bnnnhn.exec:\bnnnhn.exe84⤵
-
\??\c:\3djdj.exec:\3djdj.exe85⤵
-
\??\c:\fxlflfx.exec:\fxlflfx.exe86⤵
-
\??\c:\04008.exec:\04008.exe87⤵
-
\??\c:\vvvvj.exec:\vvvvj.exe88⤵
-
\??\c:\hthbbt.exec:\hthbbt.exe89⤵
-
\??\c:\g8482.exec:\g8482.exe90⤵
-
\??\c:\9pvpv.exec:\9pvpv.exe91⤵
-
\??\c:\6066482.exec:\6066482.exe92⤵
-
\??\c:\4066660.exec:\4066660.exe93⤵
-
\??\c:\0622268.exec:\0622268.exe94⤵
-
\??\c:\60220.exec:\60220.exe95⤵
-
\??\c:\a2866.exec:\a2866.exe96⤵
-
\??\c:\84044.exec:\84044.exe97⤵
-
\??\c:\0006024.exec:\0006024.exe98⤵
-
\??\c:\jjdvp.exec:\jjdvp.exe99⤵
-
\??\c:\02288.exec:\02288.exe100⤵
-
\??\c:\2682600.exec:\2682600.exe101⤵
-
\??\c:\llllflf.exec:\llllflf.exe102⤵
-
\??\c:\e04666.exec:\e04666.exe103⤵
-
\??\c:\i248226.exec:\i248226.exe104⤵
-
\??\c:\22228.exec:\22228.exe105⤵
-
\??\c:\3ttnbb.exec:\3ttnbb.exe106⤵
-
\??\c:\ffffrlr.exec:\ffffrlr.exe107⤵
-
\??\c:\006420.exec:\006420.exe108⤵
-
\??\c:\jdvjd.exec:\jdvjd.exe109⤵
-
\??\c:\fffrlrx.exec:\fffrlrx.exe110⤵
-
\??\c:\bhtnbh.exec:\bhtnbh.exe111⤵
-
\??\c:\606448.exec:\606448.exe112⤵
-
\??\c:\vdjdd.exec:\vdjdd.exe113⤵
-
\??\c:\lrxrrrl.exec:\lrxrrrl.exe114⤵
-
\??\c:\vpjpp.exec:\vpjpp.exe115⤵
-
\??\c:\vpjdp.exec:\vpjdp.exe116⤵
-
\??\c:\44086.exec:\44086.exe117⤵
-
\??\c:\jpdvv.exec:\jpdvv.exe118⤵
-
\??\c:\8268202.exec:\8268202.exe119⤵
-
\??\c:\jdddv.exec:\jdddv.exe120⤵
-
\??\c:\0028222.exec:\0028222.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-