Analysis
-
max time kernel
150s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
22-05-2024 20:43
General
-
Target
370f737a254c94fdb1a72175e0a36610_NeikiAnalytics.exe
-
Size
169KB
-
MD5
370f737a254c94fdb1a72175e0a36610
-
SHA1
f0f3abc88d55243d4f335d099cffbd86fe62386f
-
SHA256
51a6a8ed7a57f71d1578876e4d3451eff9d3dfe9e283a2843ea836ae46b7acd4
-
SHA512
effb3194f60ef932c4f7af82ed7f71ac8ec67ff63ee931db867525468fc741787fad174a91f6b913fb00e0e39cfc545ca931e724afa43cbc500d28ae42d13c36
-
SSDEEP
1536:HvQBeOGtrYS3srx93UBWfwC6Ggnouy8CUYj7FK4O8A1o4XEc3YtxD8/Ai2R:HhOmTsF93UYfwC6GIoutX8Ki3c3YT8Vc
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 43 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\370f737a254c94fdb1a72175e0a36610_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\370f737a254c94fdb1a72175e0a36610_NeikiAnalytics.exe"2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\370f737a254c94fdb1a72175e0a36610_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\370f737a254c94fdb1a72175e0a36610_NeikiAnalytics.exe"3⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\vvpvv.exec:\vvpvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxxrfr.exec:\frxxrfr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxfrxxf.exec:\xxfrxxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbnhnn.exec:\nbnhnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9dpvj.exec:\9dpvj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxllxxx.exec:\xxllxxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbnthn.exec:\bbnthn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjpvv.exec:\vjpvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvppd.exec:\dvppd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llxlrfx.exec:\llxlrfx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5bhtbh.exec:\5bhtbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btntbn.exec:\btntbn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vppvp.exec:\vppvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlflrrx.exec:\rlflrrx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tttnbh.exec:\tttnbh.exe18⤵
- Executes dropped EXE
-
\??\c:\jjpdj.exec:\jjpdj.exe19⤵
- Executes dropped EXE
-
\??\c:\pjpjp.exec:\pjpjp.exe20⤵
- Executes dropped EXE
-
\??\c:\llrxxxf.exec:\llrxxxf.exe21⤵
- Executes dropped EXE
-
\??\c:\tnbnhn.exec:\tnbnhn.exe22⤵
- Executes dropped EXE
-
\??\c:\3jvdd.exec:\3jvdd.exe23⤵
- Executes dropped EXE
-
\??\c:\jvdpv.exec:\jvdpv.exe24⤵
- Executes dropped EXE
-
\??\c:\lxllrxf.exec:\lxllrxf.exe25⤵
- Executes dropped EXE
-
\??\c:\lflrlrl.exec:\lflrlrl.exe26⤵
- Executes dropped EXE
-
\??\c:\dpddj.exec:\dpddj.exe27⤵
- Executes dropped EXE
-
\??\c:\xlrxxff.exec:\xlrxxff.exe28⤵
- Executes dropped EXE
-
\??\c:\lxxxxxf.exec:\lxxxxxf.exe29⤵
- Executes dropped EXE
-
\??\c:\btthbh.exec:\btthbh.exe30⤵
- Executes dropped EXE
-
\??\c:\5dvvv.exec:\5dvvv.exe31⤵
- Executes dropped EXE
-
\??\c:\fxrxlrf.exec:\fxrxlrf.exe32⤵
- Executes dropped EXE
-
\??\c:\hbtbnt.exec:\hbtbnt.exe33⤵
- Executes dropped EXE
-
\??\c:\bbthth.exec:\bbthth.exe34⤵
- Executes dropped EXE
-
\??\c:\llrfxrx.exec:\llrfxrx.exe35⤵
- Executes dropped EXE
-
\??\c:\rrflrlx.exec:\rrflrlx.exe36⤵
- Executes dropped EXE
-
\??\c:\nnhntb.exec:\nnhntb.exe37⤵
- Executes dropped EXE
-
\??\c:\tnhtnn.exec:\tnhtnn.exe38⤵
- Executes dropped EXE
-
\??\c:\djdpj.exec:\djdpj.exe39⤵
- Executes dropped EXE
-
\??\c:\lxrrfxl.exec:\lxrrfxl.exe40⤵
- Executes dropped EXE
-
\??\c:\xrlrflx.exec:\xrlrflx.exe41⤵
- Executes dropped EXE
-
\??\c:\tnttnn.exec:\tnttnn.exe42⤵
- Executes dropped EXE
-
\??\c:\vvdvj.exec:\vvdvj.exe43⤵
- Executes dropped EXE
-
\??\c:\vpjvd.exec:\vpjvd.exe44⤵
- Executes dropped EXE
-
\??\c:\1rffrrf.exec:\1rffrrf.exe45⤵
- Executes dropped EXE
-
\??\c:\xxrxflr.exec:\xxrxflr.exe46⤵
- Executes dropped EXE
-
\??\c:\bthhhh.exec:\bthhhh.exe47⤵
- Executes dropped EXE
-
\??\c:\nhbnbb.exec:\nhbnbb.exe48⤵
- Executes dropped EXE
-
\??\c:\ppdjp.exec:\ppdjp.exe49⤵
- Executes dropped EXE
-
\??\c:\rrflffr.exec:\rrflffr.exe50⤵
- Executes dropped EXE
-
\??\c:\9bnbht.exec:\9bnbht.exe51⤵
- Executes dropped EXE
-
\??\c:\vpdvp.exec:\vpdvp.exe52⤵
- Executes dropped EXE
-
\??\c:\vvpdj.exec:\vvpdj.exe53⤵
- Executes dropped EXE
-
\??\c:\5xrfxxl.exec:\5xrfxxl.exe54⤵
- Executes dropped EXE
-
\??\c:\hhntbh.exec:\hhntbh.exe55⤵
- Executes dropped EXE
-
\??\c:\tbnbbt.exec:\tbnbbt.exe56⤵
- Executes dropped EXE
-
\??\c:\vjjpd.exec:\vjjpd.exe57⤵
- Executes dropped EXE
-
\??\c:\5dppv.exec:\5dppv.exe58⤵
- Executes dropped EXE
-
\??\c:\5lfrflx.exec:\5lfrflx.exe59⤵
- Executes dropped EXE
-
\??\c:\bnnnnn.exec:\bnnnnn.exe60⤵
- Executes dropped EXE
-
\??\c:\thnhnh.exec:\thnhnh.exe61⤵
- Executes dropped EXE
-
\??\c:\pdpvj.exec:\pdpvj.exe62⤵
- Executes dropped EXE
-
\??\c:\7pdjp.exec:\7pdjp.exe63⤵
- Executes dropped EXE
-
\??\c:\fxxxlfl.exec:\fxxxlfl.exe64⤵
- Executes dropped EXE
-
\??\c:\9tntbb.exec:\9tntbb.exe65⤵
- Executes dropped EXE
-
\??\c:\7nhbnt.exec:\7nhbnt.exe66⤵
- Executes dropped EXE
-
\??\c:\vjdvd.exec:\vjdvd.exe67⤵
- Executes dropped EXE
-
\??\c:\7vvdp.exec:\7vvdp.exe68⤵
-
\??\c:\xlxfrlf.exec:\xlxfrlf.exe69⤵
-
\??\c:\rflrxff.exec:\rflrxff.exe70⤵
-
\??\c:\bnhhtt.exec:\bnhhtt.exe71⤵
-
\??\c:\pvddj.exec:\pvddj.exe72⤵
-
\??\c:\pjvvp.exec:\pjvvp.exe73⤵
-
\??\c:\xrflxrx.exec:\xrflxrx.exe74⤵
-
\??\c:\xxrlflx.exec:\xxrlflx.exe75⤵
-
\??\c:\btbbnn.exec:\btbbnn.exe76⤵
-
\??\c:\dpvpv.exec:\dpvpv.exe77⤵
-
\??\c:\jddjp.exec:\jddjp.exe78⤵
-
\??\c:\rlrxfll.exec:\rlrxfll.exe79⤵
-
\??\c:\nnnnnt.exec:\nnnnnt.exe80⤵
-
\??\c:\9djjj.exec:\9djjj.exe81⤵
-
\??\c:\7pjdv.exec:\7pjdv.exe82⤵
-
\??\c:\lflflfl.exec:\lflflfl.exe83⤵
-
\??\c:\rfxlxlr.exec:\rfxlxlr.exe84⤵
-
\??\c:\tnhnbn.exec:\tnhnbn.exe85⤵
-
\??\c:\vpjvj.exec:\vpjvj.exe86⤵
-
\??\c:\llfrxfl.exec:\llfrxfl.exe87⤵
-
\??\c:\7xxfxxl.exec:\7xxfxxl.exe88⤵
-
\??\c:\hbnthh.exec:\hbnthh.exe89⤵
-
\??\c:\ddvpj.exec:\ddvpj.exe90⤵
-
\??\c:\xrfflrx.exec:\xrfflrx.exe91⤵
-
\??\c:\lfxfflx.exec:\lfxfflx.exe92⤵
-
\??\c:\thnhbb.exec:\thnhbb.exe93⤵
-
\??\c:\5vvjv.exec:\5vvjv.exe94⤵
-
\??\c:\vjvvp.exec:\vjvvp.exe95⤵
-
\??\c:\xrxfllr.exec:\xrxfllr.exe96⤵
-
\??\c:\rxflxxl.exec:\rxflxxl.exe97⤵
-
\??\c:\hbtbtb.exec:\hbtbtb.exe98⤵
-
\??\c:\jpvvv.exec:\jpvvv.exe99⤵
-
\??\c:\jjvdv.exec:\jjvdv.exe100⤵
-
\??\c:\vvvjp.exec:\vvvjp.exe101⤵
-
\??\c:\xxxxlrl.exec:\xxxxlrl.exe102⤵
-
\??\c:\tnbnth.exec:\tnbnth.exe103⤵
-
\??\c:\9bnhht.exec:\9bnhht.exe104⤵
-
\??\c:\1pdpp.exec:\1pdpp.exe105⤵
-
\??\c:\ddppf.exec:\ddppf.exe106⤵
-
\??\c:\9hthnt.exec:\9hthnt.exe107⤵
-
\??\c:\1xxflfl.exec:\1xxflfl.exe108⤵
-
\??\c:\bnbhtt.exec:\bnbhtt.exe109⤵
-
\??\c:\5vjjp.exec:\5vjjp.exe110⤵
-
\??\c:\vjddj.exec:\vjddj.exe111⤵
-
\??\c:\rflfllf.exec:\rflfllf.exe112⤵
-
\??\c:\bhnnbb.exec:\bhnnbb.exe113⤵
-
\??\c:\vdppv.exec:\vdppv.exe114⤵
-
\??\c:\rxrlrrx.exec:\rxrlrrx.exe115⤵
-
\??\c:\5jvvj.exec:\5jvvj.exe116⤵
-
\??\c:\dppvd.exec:\dppvd.exe117⤵
-
\??\c:\3xflrxf.exec:\3xflrxf.exe118⤵
-
\??\c:\btnthh.exec:\btnthh.exe119⤵
-
\??\c:\vjvvd.exec:\vjvvd.exe120⤵
-
\??\c:\rfrxfff.exec:\rfrxfff.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-