Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
22-05-2024 22:48
General
-
Target
50554607449ff34b4b86f175e7957b10_NeikiAnalytics.exe
-
Size
75KB
-
MD5
50554607449ff34b4b86f175e7957b10
-
SHA1
ebb2421c8ce837557d339506f176ddf7bea63b42
-
SHA256
cfbea9a7a4248531844fdfd45a341220d3dc942f40f901469d8b53d59066e8b5
-
SHA512
0b24048161cf685d37144060a294a449352a9b109926014e205bb5db230b4ce8c2237e1fa5c06c5c20ce74c13d759588de12879141a2890b1889829a63759c47
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIsIpWCz+FR4RzWqC5Mf:ymb3NkkiQ3mdBjFIsIpZ+R4RzWqCa
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\50554607449ff34b4b86f175e7957b10_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\50554607449ff34b4b86f175e7957b10_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvvp.exec:\pjvvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\480280.exec:\480280.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrlxlrf.exec:\xrlxlrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhnbh.exec:\nbhnbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbttth.exec:\nbttth.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\608224.exec:\608224.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pppvv.exec:\pppvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2484044.exec:\2484044.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3lxxffl.exec:\3lxxffl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6648480.exec:\6648480.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdppd.exec:\jdppd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\42264.exec:\42264.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3jvvd.exec:\3jvvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5dpvj.exec:\5dpvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7jvvd.exec:\7jvvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvvvd.exec:\pvvvd.exe17⤵
- Executes dropped EXE
-
\??\c:\4266880.exec:\4266880.exe18⤵
- Executes dropped EXE
-
\??\c:\5xllrxf.exec:\5xllrxf.exe19⤵
- Executes dropped EXE
-
\??\c:\202866.exec:\202866.exe20⤵
- Executes dropped EXE
-
\??\c:\vpdjd.exec:\vpdjd.exe21⤵
- Executes dropped EXE
-
\??\c:\424628.exec:\424628.exe22⤵
- Executes dropped EXE
-
\??\c:\6084680.exec:\6084680.exe23⤵
- Executes dropped EXE
-
\??\c:\22024.exec:\22024.exe24⤵
- Executes dropped EXE
-
\??\c:\404882.exec:\404882.exe25⤵
- Executes dropped EXE
-
\??\c:\c800840.exec:\c800840.exe26⤵
- Executes dropped EXE
-
\??\c:\vpddd.exec:\vpddd.exe27⤵
- Executes dropped EXE
-
\??\c:\bnntht.exec:\bnntht.exe28⤵
- Executes dropped EXE
-
\??\c:\fxrrxfx.exec:\fxrrxfx.exe29⤵
- Executes dropped EXE
-
\??\c:\0446220.exec:\0446220.exe30⤵
- Executes dropped EXE
-
\??\c:\vvppj.exec:\vvppj.exe31⤵
- Executes dropped EXE
-
\??\c:\xrlfxll.exec:\xrlfxll.exe32⤵
- Executes dropped EXE
-
\??\c:\200640.exec:\200640.exe33⤵
- Executes dropped EXE
-
\??\c:\1nhhtt.exec:\1nhhtt.exe34⤵
- Executes dropped EXE
-
\??\c:\xfffllr.exec:\xfffllr.exe35⤵
- Executes dropped EXE
-
\??\c:\802424.exec:\802424.exe36⤵
- Executes dropped EXE
-
\??\c:\dvjjd.exec:\dvjjd.exe37⤵
- Executes dropped EXE
-
\??\c:\64684.exec:\64684.exe38⤵
- Executes dropped EXE
-
\??\c:\s0884.exec:\s0884.exe39⤵
- Executes dropped EXE
-
\??\c:\pjvjp.exec:\pjvjp.exe40⤵
- Executes dropped EXE
-
\??\c:\0868224.exec:\0868224.exe41⤵
- Executes dropped EXE
-
\??\c:\04240.exec:\04240.exe42⤵
- Executes dropped EXE
-
\??\c:\08268.exec:\08268.exe43⤵
- Executes dropped EXE
-
\??\c:\5btbnt.exec:\5btbnt.exe44⤵
- Executes dropped EXE
-
\??\c:\vpvdv.exec:\vpvdv.exe45⤵
- Executes dropped EXE
-
\??\c:\vvvdd.exec:\vvvdd.exe46⤵
- Executes dropped EXE
-
\??\c:\6248408.exec:\6248408.exe47⤵
- Executes dropped EXE
-
\??\c:\q24462.exec:\q24462.exe48⤵
- Executes dropped EXE
-
\??\c:\1frrxfl.exec:\1frrxfl.exe49⤵
- Executes dropped EXE
-
\??\c:\ddvdj.exec:\ddvdj.exe50⤵
- Executes dropped EXE
-
\??\c:\82002.exec:\82002.exe51⤵
- Executes dropped EXE
-
\??\c:\3xfrllx.exec:\3xfrllx.exe52⤵
- Executes dropped EXE
-
\??\c:\m2068.exec:\m2068.exe53⤵
- Executes dropped EXE
-
\??\c:\bnnhbt.exec:\bnnhbt.exe54⤵
- Executes dropped EXE
-
\??\c:\22204.exec:\22204.exe55⤵
- Executes dropped EXE
-
\??\c:\0628442.exec:\0628442.exe56⤵
- Executes dropped EXE
-
\??\c:\hthnnn.exec:\hthnnn.exe57⤵
- Executes dropped EXE
-
\??\c:\0884040.exec:\0884040.exe58⤵
- Executes dropped EXE
-
\??\c:\0664826.exec:\0664826.exe59⤵
- Executes dropped EXE
-
\??\c:\nnnnnn.exec:\nnnnnn.exe60⤵
- Executes dropped EXE
-
\??\c:\jdppp.exec:\jdppp.exe61⤵
- Executes dropped EXE
-
\??\c:\264022.exec:\264022.exe62⤵
- Executes dropped EXE
-
\??\c:\3hbnhn.exec:\3hbnhn.exe63⤵
- Executes dropped EXE
-
\??\c:\xlrrrxr.exec:\xlrrrxr.exe64⤵
- Executes dropped EXE
-
\??\c:\fxflrrx.exec:\fxflrrx.exe65⤵
- Executes dropped EXE
-
\??\c:\xlxlxxx.exec:\xlxlxxx.exe66⤵
-
\??\c:\hbhtbh.exec:\hbhtbh.exe67⤵
-
\??\c:\86246.exec:\86246.exe68⤵
-
\??\c:\04224.exec:\04224.exe69⤵
-
\??\c:\3tnttb.exec:\3tnttb.exe70⤵
-
\??\c:\u806884.exec:\u806884.exe71⤵
-
\??\c:\3rlrxxf.exec:\3rlrxxf.exe72⤵
-
\??\c:\htbhnn.exec:\htbhnn.exe73⤵
-
\??\c:\7xrlrxl.exec:\7xrlrxl.exe74⤵
-
\??\c:\c640280.exec:\c640280.exe75⤵
-
\??\c:\7tntnn.exec:\7tntnn.exe76⤵
-
\??\c:\rrlxllr.exec:\rrlxllr.exe77⤵
-
\??\c:\2640460.exec:\2640460.exe78⤵
-
\??\c:\4802666.exec:\4802666.exe79⤵
-
\??\c:\86402.exec:\86402.exe80⤵
-
\??\c:\442806.exec:\442806.exe81⤵
-
\??\c:\vvpvp.exec:\vvpvp.exe82⤵
-
\??\c:\6848288.exec:\6848288.exe83⤵
-
\??\c:\82002.exec:\82002.exe84⤵
-
\??\c:\thtnnh.exec:\thtnnh.exe85⤵
-
\??\c:\888844.exec:\888844.exe86⤵
-
\??\c:\e08860.exec:\e08860.exe87⤵
-
\??\c:\tnhnhh.exec:\tnhnhh.exe88⤵
-
\??\c:\7dvdp.exec:\7dvdp.exe89⤵
-
\??\c:\xlxxfxx.exec:\xlxxfxx.exe90⤵
-
\??\c:\8264268.exec:\8264268.exe91⤵
-
\??\c:\0022684.exec:\0022684.exe92⤵
-
\??\c:\w64684.exec:\w64684.exe93⤵
-
\??\c:\8684446.exec:\8684446.exe94⤵
-
\??\c:\2808822.exec:\2808822.exe95⤵
-
\??\c:\480644.exec:\480644.exe96⤵
-
\??\c:\5lflxxf.exec:\5lflxxf.exe97⤵
-
\??\c:\m4880.exec:\m4880.exe98⤵
-
\??\c:\jdjjp.exec:\jdjjp.exe99⤵
-
\??\c:\dvdpv.exec:\dvdpv.exe100⤵
-
\??\c:\nnbhnh.exec:\nnbhnh.exe101⤵
-
\??\c:\3btbhn.exec:\3btbhn.exe102⤵
-
\??\c:\rxllfrf.exec:\rxllfrf.exe103⤵
-
\??\c:\7jdpd.exec:\7jdpd.exe104⤵
-
\??\c:\bttnnt.exec:\bttnnt.exe105⤵
-
\??\c:\tttbhn.exec:\tttbhn.exe106⤵
-
\??\c:\7hbhnt.exec:\7hbhnt.exe107⤵
-
\??\c:\o642226.exec:\o642226.exe108⤵
-
\??\c:\0606800.exec:\0606800.exe109⤵
-
\??\c:\4802028.exec:\4802028.exe110⤵
-
\??\c:\82682.exec:\82682.exe111⤵
-
\??\c:\pvdvj.exec:\pvdvj.exe112⤵
-
\??\c:\604468.exec:\604468.exe113⤵
-
\??\c:\ddvvj.exec:\ddvvj.exe114⤵
-
\??\c:\nthbhh.exec:\nthbhh.exe115⤵
-
\??\c:\djvjp.exec:\djvjp.exe116⤵
-
\??\c:\9hbhnt.exec:\9hbhnt.exe117⤵
-
\??\c:\28688.exec:\28688.exe118⤵
-
\??\c:\rfrlxlr.exec:\rfrlxlr.exe119⤵
-
\??\c:\66680.exec:\66680.exe120⤵
-
\??\c:\ppjpj.exec:\ppjpj.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-