Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
22-05-2024 05:44
General
-
Target
2084f48c2d61d255ce33045398a41ed0_NeikiAnalytics.exe
-
Size
80KB
-
MD5
2084f48c2d61d255ce33045398a41ed0
-
SHA1
2a3ddda528d04d9630a6e2f576e03a18623ba184
-
SHA256
ba2c5e4ddeecd8c6c7aed2488c3068fc953cbaa3a33d2bddf02e3364fc22d637
-
SHA512
e1e42c1f7cccc7385bbaf552d3d94a20135177074f7bb7dfcf258e895b63b3eae4bdea9212b9a1da4e75f949283fc587a7698fcc52e7a05492a67205a70f176f
-
SSDEEP
1536:zvQBeOGtrYS3srx93UBWfwC6Ggnouy8iT4+C2HVM1p6TVqMJ89v:zhOmTsF93UYfwC6GIoutiTU2HVS6cMJC
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 63 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2840231261\zmstage.exeC:\Users\Admin\AppData\Local\Temp\2840231261\zmstage.exe1⤵
-
C:\Windows\system32\MusNotification.exeC:\Windows\system32\MusNotification.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\2084f48c2d61d255ce33045398a41ed0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\2084f48c2d61d255ce33045398a41ed0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\vjpdd.exec:\vjpdd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\00664.exec:\00664.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\04606.exec:\04606.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxxlllx.exec:\rxxlllx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvpj.exec:\vvvpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4026266.exec:\4026266.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\284400.exec:\284400.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhbnbb.exec:\bhbnbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\046022.exec:\046022.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxxfff.exec:\xrxxfff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0040000.exec:\0040000.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddddd.exec:\ddddd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8044444.exec:\8044444.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lffxxrl.exec:\lffxxrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxrlfxl.exec:\lxrlfxl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\684040.exec:\684040.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\o800006.exec:\o800006.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5djdv.exec:\5djdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\608888.exec:\608888.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8022408.exec:\8022408.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrrlfff.exec:\rrrlfff.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3xrrrrl.exec:\3xrrrrl.exe23⤵
- Executes dropped EXE
-
\??\c:\ttbttn.exec:\ttbttn.exe24⤵
- Executes dropped EXE
-
\??\c:\042644.exec:\042644.exe25⤵
- Executes dropped EXE
-
\??\c:\28088.exec:\28088.exe26⤵
- Executes dropped EXE
-
\??\c:\ppjdj.exec:\ppjdj.exe27⤵
- Executes dropped EXE
-
\??\c:\vjddd.exec:\vjddd.exe28⤵
- Executes dropped EXE
-
\??\c:\lfrrrxx.exec:\lfrrrxx.exe29⤵
- Executes dropped EXE
-
\??\c:\frffffl.exec:\frffffl.exe30⤵
- Executes dropped EXE
-
\??\c:\dvjpd.exec:\dvjpd.exe31⤵
- Executes dropped EXE
-
\??\c:\828044.exec:\828044.exe32⤵
- Executes dropped EXE
-
\??\c:\2644662.exec:\2644662.exe33⤵
- Executes dropped EXE
-
\??\c:\hbbttt.exec:\hbbttt.exe34⤵
- Executes dropped EXE
-
\??\c:\00466.exec:\00466.exe35⤵
- Executes dropped EXE
-
\??\c:\802226.exec:\802226.exe36⤵
- Executes dropped EXE
-
\??\c:\htbttn.exec:\htbttn.exe37⤵
- Executes dropped EXE
-
\??\c:\pppvd.exec:\pppvd.exe38⤵
- Executes dropped EXE
-
\??\c:\1hnhhh.exec:\1hnhhh.exe39⤵
- Executes dropped EXE
-
\??\c:\djdjd.exec:\djdjd.exe40⤵
- Executes dropped EXE
-
\??\c:\3lffrrr.exec:\3lffrrr.exe41⤵
- Executes dropped EXE
-
\??\c:\040666.exec:\040666.exe42⤵
- Executes dropped EXE
-
\??\c:\jdjvd.exec:\jdjvd.exe43⤵
- Executes dropped EXE
-
\??\c:\488866.exec:\488866.exe44⤵
- Executes dropped EXE
-
\??\c:\00220.exec:\00220.exe45⤵
- Executes dropped EXE
-
\??\c:\82888.exec:\82888.exe46⤵
- Executes dropped EXE
-
\??\c:\nbhhhh.exec:\nbhhhh.exe47⤵
- Executes dropped EXE
-
\??\c:\9ppdv.exec:\9ppdv.exe48⤵
- Executes dropped EXE
-
\??\c:\dpvvv.exec:\dpvvv.exe49⤵
- Executes dropped EXE
-
\??\c:\6060000.exec:\6060000.exe50⤵
- Executes dropped EXE
-
\??\c:\htbtnn.exec:\htbtnn.exe51⤵
- Executes dropped EXE
-
\??\c:\8200440.exec:\8200440.exe52⤵
- Executes dropped EXE
-
\??\c:\24484.exec:\24484.exe53⤵
- Executes dropped EXE
-
\??\c:\62840.exec:\62840.exe54⤵
- Executes dropped EXE
-
\??\c:\824444.exec:\824444.exe55⤵
- Executes dropped EXE
-
\??\c:\lfxrllf.exec:\lfxrllf.exe56⤵
- Executes dropped EXE
-
\??\c:\4088822.exec:\4088822.exe57⤵
- Executes dropped EXE
-
\??\c:\vjpjj.exec:\vjpjj.exe58⤵
- Executes dropped EXE
-
\??\c:\hnnhbt.exec:\hnnhbt.exe59⤵
- Executes dropped EXE
-
\??\c:\6406840.exec:\6406840.exe60⤵
- Executes dropped EXE
-
\??\c:\lfflxxf.exec:\lfflxxf.exe61⤵
- Executes dropped EXE
-
\??\c:\3bhhbb.exec:\3bhhbb.exe62⤵
- Executes dropped EXE
-
\??\c:\a2482.exec:\a2482.exe63⤵
- Executes dropped EXE
-
\??\c:\rflfrrr.exec:\rflfrrr.exe64⤵
- Executes dropped EXE
-
\??\c:\2006626.exec:\2006626.exe65⤵
- Executes dropped EXE
-
\??\c:\3hhbhh.exec:\3hhbhh.exe66⤵
-
\??\c:\xffxxxr.exec:\xffxxxr.exe67⤵
-
\??\c:\hbhbhh.exec:\hbhbhh.exe68⤵
-
\??\c:\i064826.exec:\i064826.exe69⤵
-
\??\c:\26224.exec:\26224.exe70⤵
-
\??\c:\xflrrlf.exec:\xflrrlf.exe71⤵
-
\??\c:\o848488.exec:\o848488.exe72⤵
-
\??\c:\btnhhn.exec:\btnhhn.exe73⤵
-
\??\c:\8866060.exec:\8866060.exe74⤵
-
\??\c:\088284.exec:\088284.exe75⤵
-
\??\c:\jvddd.exec:\jvddd.exe76⤵
-
\??\c:\vvppj.exec:\vvppj.exe77⤵
-
\??\c:\22604.exec:\22604.exe78⤵
-
\??\c:\48040.exec:\48040.exe79⤵
-
\??\c:\640082.exec:\640082.exe80⤵
-
\??\c:\dvvpd.exec:\dvvpd.exe81⤵
-
\??\c:\rllffrr.exec:\rllffrr.exe82⤵
-
\??\c:\000048.exec:\000048.exe83⤵
-
\??\c:\1bbtnh.exec:\1bbtnh.exe84⤵
-
\??\c:\rfrlrll.exec:\rfrlrll.exe85⤵
-
\??\c:\60660.exec:\60660.exe86⤵
-
\??\c:\44048.exec:\44048.exe87⤵
-
\??\c:\064084.exec:\064084.exe88⤵
-
\??\c:\bnhtth.exec:\bnhtth.exe89⤵
-
\??\c:\tnbbtt.exec:\tnbbtt.exe90⤵
-
\??\c:\26882.exec:\26882.exe91⤵
-
\??\c:\062666.exec:\062666.exe92⤵
-
\??\c:\62000.exec:\62000.exe93⤵
-
\??\c:\hnbnhh.exec:\hnbnhh.exe94⤵
-
\??\c:\8066004.exec:\8066004.exe95⤵
-
\??\c:\rfrlfrr.exec:\rfrlfrr.exe96⤵
-
\??\c:\06222.exec:\06222.exe97⤵
-
\??\c:\pjpvv.exec:\pjpvv.exe98⤵
-
\??\c:\60226.exec:\60226.exe99⤵
-
\??\c:\lxxrlfx.exec:\lxxrlfx.exe100⤵
-
\??\c:\ppvvj.exec:\ppvvj.exe101⤵
-
\??\c:\5lllrll.exec:\5lllrll.exe102⤵
-
\??\c:\0244884.exec:\0244884.exe103⤵
-
\??\c:\88004.exec:\88004.exe104⤵
-
\??\c:\9lxrxrr.exec:\9lxrxrr.exe105⤵
-
\??\c:\btttnn.exec:\btttnn.exe106⤵
-
\??\c:\vddvj.exec:\vddvj.exe107⤵
-
\??\c:\nbnhtn.exec:\nbnhtn.exe108⤵
-
\??\c:\s8848.exec:\s8848.exe109⤵
-
\??\c:\26682.exec:\26682.exe110⤵
-
\??\c:\64282.exec:\64282.exe111⤵
-
\??\c:\480460.exec:\480460.exe112⤵
-
\??\c:\bbbbbb.exec:\bbbbbb.exe113⤵
-
\??\c:\9tbbbb.exec:\9tbbbb.exe114⤵
-
\??\c:\042600.exec:\042600.exe115⤵
-
\??\c:\frxrfff.exec:\frxrfff.exe116⤵
-
\??\c:\04228.exec:\04228.exe117⤵
-
\??\c:\e22600.exec:\e22600.exe118⤵
-
\??\c:\8000044.exec:\8000044.exe119⤵
-
\??\c:\468282.exec:\468282.exe120⤵
-
\??\c:\dpjdv.exec:\dpjdv.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-