Analysis
-
max time kernel
150s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
25/05/2024, 20:14
General
-
Target
190a1474af89729a306e773f782feb00_NeikiAnalytics.exe
-
Size
655KB
-
MD5
190a1474af89729a306e773f782feb00
-
SHA1
1a82d81c38809ada2ea36862fd503084d1494c68
-
SHA256
398c30e69449cd9ce77be84dddf3842977789d0eb06a41c4e4258f992be54bf9
-
SHA512
fbb12b630f35ba37eb70be66107df02b8aae0149e96719173fc1bc8711af00ce64ebf73df0c8108b19861c6732be5ed6060811025c202a9a6881bd7afd0533fb
-
SSDEEP
12288:n3C9yMo+S0L9xRnoq7H9xqYL5oeEF5rna9sUxg7udOxPJVSjYg8lcmJ1MZxEkTsU:SgD4bhoqLDqYLS7wv
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 23 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\190a1474af89729a306e773f782feb00_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\190a1474af89729a306e773f782feb00_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\frrrxxx.exec:\frrrxxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hntbhb.exec:\hntbhb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpdvp.exec:\dpdvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fllrlrr.exec:\fllrlrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ththbh.exec:\ththbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvjdd.exec:\pvjdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdpjj.exec:\vdpjj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhhbtb.exec:\bhhbtb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lflfxxr.exec:\lflfxxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3dpjd.exec:\3dpjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxrlffx.exec:\xxrlffx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbhhhn.exec:\bbhhhn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvvp.exec:\jdvvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxlrll.exec:\rlxlrll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvvvp.exec:\pvvvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxxxxx.exec:\lxxxxxx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnhhn.exec:\tnnhhn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvvvp.exec:\pvvvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvvp.exec:\dvvvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthhhh.exec:\bthhhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1flllff.exec:\1flllff.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbtthh.exec:\bbtthh.exe23⤵
- Executes dropped EXE
-
\??\c:\5jppj.exec:\5jppj.exe24⤵
- Executes dropped EXE
-
\??\c:\lfxxfff.exec:\lfxxfff.exe25⤵
- Executes dropped EXE
-
\??\c:\htbtbb.exec:\htbtbb.exe26⤵
- Executes dropped EXE
-
\??\c:\3dvpj.exec:\3dvpj.exe27⤵
- Executes dropped EXE
-
\??\c:\tnhbtt.exec:\tnhbtt.exe28⤵
- Executes dropped EXE
-
\??\c:\jpppv.exec:\jpppv.exe29⤵
- Executes dropped EXE
-
\??\c:\lrxlllf.exec:\lrxlllf.exe30⤵
- Executes dropped EXE
-
\??\c:\hthhnh.exec:\hthhnh.exe31⤵
- Executes dropped EXE
-
\??\c:\9xxxrrr.exec:\9xxxrrr.exe32⤵
- Executes dropped EXE
-
\??\c:\ntnhbb.exec:\ntnhbb.exe33⤵
- Executes dropped EXE
-
\??\c:\7pjjp.exec:\7pjjp.exe34⤵
- Executes dropped EXE
-
\??\c:\3ntnhh.exec:\3ntnhh.exe35⤵
- Executes dropped EXE
-
\??\c:\7jjjj.exec:\7jjjj.exe36⤵
- Executes dropped EXE
-
\??\c:\vvvpj.exec:\vvvpj.exe37⤵
- Executes dropped EXE
-
\??\c:\lrllxxr.exec:\lrllxxr.exe38⤵
- Executes dropped EXE
-
\??\c:\3bhhtt.exec:\3bhhtt.exe39⤵
- Executes dropped EXE
-
\??\c:\xrffllr.exec:\xrffllr.exe40⤵
- Executes dropped EXE
-
\??\c:\hbbthb.exec:\hbbthb.exe41⤵
- Executes dropped EXE
-
\??\c:\jjvjj.exec:\jjvjj.exe42⤵
- Executes dropped EXE
-
\??\c:\vjjpj.exec:\vjjpj.exe43⤵
- Executes dropped EXE
-
\??\c:\7llfxrx.exec:\7llfxrx.exe44⤵
- Executes dropped EXE
-
\??\c:\hthtnh.exec:\hthtnh.exe45⤵
- Executes dropped EXE
-
\??\c:\pvjdd.exec:\pvjdd.exe46⤵
- Executes dropped EXE
-
\??\c:\xxfxllf.exec:\xxfxllf.exe47⤵
- Executes dropped EXE
-
\??\c:\5ttnhb.exec:\5ttnhb.exe48⤵
- Executes dropped EXE
-
\??\c:\ppvpv.exec:\ppvpv.exe49⤵
- Executes dropped EXE
-
\??\c:\xrxxfff.exec:\xrxxfff.exe50⤵
- Executes dropped EXE
-
\??\c:\thnhhh.exec:\thnhhh.exe51⤵
- Executes dropped EXE
-
\??\c:\jdjjj.exec:\jdjjj.exe52⤵
- Executes dropped EXE
-
\??\c:\lxrxxxx.exec:\lxrxxxx.exe53⤵
- Executes dropped EXE
-
\??\c:\nnntnn.exec:\nnntnn.exe54⤵
- Executes dropped EXE
-
\??\c:\xlrrlxl.exec:\xlrrlxl.exe55⤵
- Executes dropped EXE
-
\??\c:\rrxxrfx.exec:\rrxxrfx.exe56⤵
- Executes dropped EXE
-
\??\c:\5jdvd.exec:\5jdvd.exe57⤵
- Executes dropped EXE
-
\??\c:\rrxrrlf.exec:\rrxrrlf.exe58⤵
- Executes dropped EXE
-
\??\c:\1tnnbb.exec:\1tnnbb.exe59⤵
- Executes dropped EXE
-
\??\c:\ddppp.exec:\ddppp.exe60⤵
- Executes dropped EXE
-
\??\c:\fxrlllx.exec:\fxrlllx.exe61⤵
- Executes dropped EXE
-
\??\c:\ttbbtb.exec:\ttbbtb.exe62⤵
- Executes dropped EXE
-
\??\c:\7pjdv.exec:\7pjdv.exe63⤵
- Executes dropped EXE
-
\??\c:\jddvp.exec:\jddvp.exe64⤵
- Executes dropped EXE
-
\??\c:\hhbbtt.exec:\hhbbtt.exe65⤵
- Executes dropped EXE
-
\??\c:\jdddj.exec:\jdddj.exe66⤵
-
\??\c:\9pjvp.exec:\9pjvp.exe67⤵
-
\??\c:\lflfllr.exec:\lflfllr.exe68⤵
-
\??\c:\hhnhbh.exec:\hhnhbh.exe69⤵
-
\??\c:\dpvjv.exec:\dpvjv.exe70⤵
-
\??\c:\5rlfxxf.exec:\5rlfxxf.exe71⤵
-
\??\c:\hthbnt.exec:\hthbnt.exe72⤵
-
\??\c:\ppdvv.exec:\ppdvv.exe73⤵
-
\??\c:\9lrrlrr.exec:\9lrrlrr.exe74⤵
-
\??\c:\nbnnhh.exec:\nbnnhh.exe75⤵
-
\??\c:\pdpjp.exec:\pdpjp.exe76⤵
-
\??\c:\ppvpp.exec:\ppvpp.exe77⤵
-
\??\c:\ffxrllf.exec:\ffxrllf.exe78⤵
-
\??\c:\hhttnn.exec:\hhttnn.exe79⤵
-
\??\c:\jdvvv.exec:\jdvvv.exe80⤵
-
\??\c:\lxrllrx.exec:\lxrllrx.exe81⤵
-
\??\c:\rrrlflf.exec:\rrrlflf.exe82⤵
-
\??\c:\thtntt.exec:\thtntt.exe83⤵
-
\??\c:\pjvvp.exec:\pjvvp.exe84⤵
-
\??\c:\fxxlxfx.exec:\fxxlxfx.exe85⤵
-
\??\c:\pvvpv.exec:\pvvpv.exe86⤵
-
\??\c:\rfrrrrx.exec:\rfrrrrx.exe87⤵
-
\??\c:\xrrlffx.exec:\xrrlffx.exe88⤵
-
\??\c:\bbbbtn.exec:\bbbbtn.exe89⤵
-
\??\c:\pdvvv.exec:\pdvvv.exe90⤵
-
\??\c:\xfxrfxr.exec:\xfxrfxr.exe91⤵
-
\??\c:\3pvpp.exec:\3pvpp.exe92⤵
-
\??\c:\xflfrrl.exec:\xflfrrl.exe93⤵
-
\??\c:\fffllrr.exec:\fffllrr.exe94⤵
-
\??\c:\bntnnt.exec:\bntnnt.exe95⤵
-
\??\c:\djdjd.exec:\djdjd.exe96⤵
-
\??\c:\fxfxrrl.exec:\fxfxrrl.exe97⤵
-
\??\c:\hnbhnt.exec:\hnbhnt.exe98⤵
-
\??\c:\vjppj.exec:\vjppj.exe99⤵
-
\??\c:\5rxrrxx.exec:\5rxrrxx.exe100⤵
-
\??\c:\xfllfff.exec:\xfllfff.exe101⤵
-
\??\c:\bttnhh.exec:\bttnhh.exe102⤵
-
\??\c:\flrlfxr.exec:\flrlfxr.exe103⤵
-
\??\c:\rxflflf.exec:\rxflflf.exe104⤵
-
\??\c:\bthbhh.exec:\bthbhh.exe105⤵
-
\??\c:\dvdvp.exec:\dvdvp.exe106⤵
-
\??\c:\xxrrllf.exec:\xxrrllf.exe107⤵
-
\??\c:\1bnhhh.exec:\1bnhhh.exe108⤵
-
\??\c:\5jppp.exec:\5jppp.exe109⤵
-
\??\c:\frrlllf.exec:\frrlllf.exe110⤵
-
\??\c:\nttnnn.exec:\nttnnn.exe111⤵
-
\??\c:\dvdvp.exec:\dvdvp.exe112⤵
-
\??\c:\pjpvp.exec:\pjpvp.exe113⤵
-
\??\c:\lfffllr.exec:\lfffllr.exe114⤵
-
\??\c:\hhhhbb.exec:\hhhhbb.exe115⤵
-
\??\c:\vpjjj.exec:\vpjjj.exe116⤵
-
\??\c:\fxfxrrl.exec:\fxfxrrl.exe117⤵
-
\??\c:\bbhhhh.exec:\bbhhhh.exe118⤵
-
\??\c:\bbhbtt.exec:\bbhbtt.exe119⤵
-
\??\c:\jdjdd.exec:\jdjdd.exe120⤵
-
\??\c:\7rrlffx.exec:\7rrlffx.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-