Analysis
-
max time kernel
150s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
28/05/2024, 02:03
General
-
Target
2ced4349ede0a5881688ceb1ff3c1d80_NeikiAnalytics.exe
-
Size
76KB
-
MD5
2ced4349ede0a5881688ceb1ff3c1d80
-
SHA1
f093ab03f40bf9ade4e91e2c6bd7eac55a1ef845
-
SHA256
d390b731bea6a550236ef1c365a3e68a6dd08acbb68259ff2918e9e94f2b2e08
-
SHA512
4c079eceeab8304c46d5b8823f3eef001d1e8a4b12bb540f0074d427aae9754d9e4fdb5c5f2fd9718c73b069fd72157657f392914621ce38c9e78c7fbf2ed721
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIIpIo60L9QrrAY:ymb3NkkiQ3mdBjFIIp9L9QrrAY
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 33 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2ced4349ede0a5881688ceb1ff3c1d80_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\2ced4349ede0a5881688ceb1ff3c1d80_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\xrllfff.exec:\xrllfff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7bnbbb.exec:\7bnbbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjdjj.exec:\vjdjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlllffx.exec:\xlllffx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frlrfrr.exec:\frlrfrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3nnnhh.exec:\3nnnhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrllffx.exec:\xrllffx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lffxrlf.exec:\lffxrlf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dppjj.exec:\dppjj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjjp.exec:\jjjjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfffxfx.exec:\xfffxfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3tbnnt.exec:\3tbnnt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnhhb.exec:\ttnhhb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpdvv.exec:\dpdvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrxrlll.exec:\lrxrlll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhhbt.exec:\nbhhbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthhhn.exec:\bthhhn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppppp.exec:\ppppp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvpp.exec:\pdvpp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flffrxx.exec:\flffrxx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thnhnn.exec:\thnhnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbbtt.exec:\htbbtt.exe23⤵
- Executes dropped EXE
-
\??\c:\5ppjd.exec:\5ppjd.exe24⤵
- Executes dropped EXE
-
\??\c:\rlllffx.exec:\rlllffx.exe25⤵
- Executes dropped EXE
-
\??\c:\lrlrrxx.exec:\lrlrrxx.exe26⤵
- Executes dropped EXE
-
\??\c:\tbhthb.exec:\tbhthb.exe27⤵
- Executes dropped EXE
-
\??\c:\jdvvj.exec:\jdvvj.exe28⤵
- Executes dropped EXE
-
\??\c:\jdjvj.exec:\jdjvj.exe29⤵
- Executes dropped EXE
-
\??\c:\lfllllr.exec:\lfllllr.exe30⤵
- Executes dropped EXE
-
\??\c:\hhthbn.exec:\hhthbn.exe31⤵
- Executes dropped EXE
-
\??\c:\5pjjd.exec:\5pjjd.exe32⤵
- Executes dropped EXE
-
\??\c:\fxrlxxf.exec:\fxrlxxf.exe33⤵
- Executes dropped EXE
-
\??\c:\bnhbbt.exec:\bnhbbt.exe34⤵
- Executes dropped EXE
-
\??\c:\pjvpd.exec:\pjvpd.exe35⤵
- Executes dropped EXE
-
\??\c:\jddvp.exec:\jddvp.exe36⤵
- Executes dropped EXE
-
\??\c:\ffxfxxx.exec:\ffxfxxx.exe37⤵
- Executes dropped EXE
-
\??\c:\hntnhb.exec:\hntnhb.exe38⤵
- Executes dropped EXE
-
\??\c:\djpdv.exec:\djpdv.exe39⤵
- Executes dropped EXE
-
\??\c:\xrxrllr.exec:\xrxrllr.exe40⤵
- Executes dropped EXE
-
\??\c:\fxrlfff.exec:\fxrlfff.exe41⤵
- Executes dropped EXE
-
\??\c:\btnnnb.exec:\btnnnb.exe42⤵
- Executes dropped EXE
-
\??\c:\pjjdd.exec:\pjjdd.exe43⤵
- Executes dropped EXE
-
\??\c:\1jvvv.exec:\1jvvv.exe44⤵
- Executes dropped EXE
-
\??\c:\rxflxxr.exec:\rxflxxr.exe45⤵
- Executes dropped EXE
-
\??\c:\fxxxrrx.exec:\fxxxrrx.exe46⤵
- Executes dropped EXE
-
\??\c:\nhttnh.exec:\nhttnh.exe47⤵
- Executes dropped EXE
-
\??\c:\3nhthb.exec:\3nhthb.exe48⤵
- Executes dropped EXE
-
\??\c:\pjdvj.exec:\pjdvj.exe49⤵
- Executes dropped EXE
-
\??\c:\lffxrlf.exec:\lffxrlf.exe50⤵
- Executes dropped EXE
-
\??\c:\rrrlfxr.exec:\rrrlfxr.exe51⤵
- Executes dropped EXE
-
\??\c:\9bthbt.exec:\9bthbt.exe52⤵
- Executes dropped EXE
-
\??\c:\btnhtn.exec:\btnhtn.exe53⤵
- Executes dropped EXE
-
\??\c:\djdvj.exec:\djdvj.exe54⤵
- Executes dropped EXE
-
\??\c:\lfrlrrf.exec:\lfrlrrf.exe55⤵
- Executes dropped EXE
-
\??\c:\rflflfx.exec:\rflflfx.exe56⤵
- Executes dropped EXE
-
\??\c:\tnbbtn.exec:\tnbbtn.exe57⤵
- Executes dropped EXE
-
\??\c:\bnnhtb.exec:\bnnhtb.exe58⤵
- Executes dropped EXE
-
\??\c:\5pjjv.exec:\5pjjv.exe59⤵
- Executes dropped EXE
-
\??\c:\vpjdv.exec:\vpjdv.exe60⤵
- Executes dropped EXE
-
\??\c:\lrfxfxr.exec:\lrfxfxr.exe61⤵
- Executes dropped EXE
-
\??\c:\xrlfrrl.exec:\xrlfrrl.exe62⤵
- Executes dropped EXE
-
\??\c:\nthnbh.exec:\nthnbh.exe63⤵
- Executes dropped EXE
-
\??\c:\jjjjv.exec:\jjjjv.exe64⤵
- Executes dropped EXE
-
\??\c:\dvpjv.exec:\dvpjv.exe65⤵
- Executes dropped EXE
-
\??\c:\llfrllf.exec:\llfrllf.exe66⤵
-
\??\c:\lffxfll.exec:\lffxfll.exe67⤵
-
\??\c:\9ttbtn.exec:\9ttbtn.exe68⤵
-
\??\c:\hbnhtn.exec:\hbnhtn.exe69⤵
-
\??\c:\vpdvj.exec:\vpdvj.exe70⤵
-
\??\c:\7ffrxxx.exec:\7ffrxxx.exe71⤵
-
\??\c:\1hnbbt.exec:\1hnbbt.exe72⤵
-
\??\c:\vpvjv.exec:\vpvjv.exe73⤵
-
\??\c:\lllfrlf.exec:\lllfrlf.exe74⤵
-
\??\c:\9nnbnh.exec:\9nnbnh.exe75⤵
-
\??\c:\ttttth.exec:\ttttth.exe76⤵
-
\??\c:\rrffffl.exec:\rrffffl.exe77⤵
-
\??\c:\xxfxllr.exec:\xxfxllr.exe78⤵
-
\??\c:\nttbbn.exec:\nttbbn.exe79⤵
-
\??\c:\htbhnb.exec:\htbhnb.exe80⤵
-
\??\c:\lllfrrl.exec:\lllfrrl.exe81⤵
-
\??\c:\xlrrfrf.exec:\xlrrfrf.exe82⤵
-
\??\c:\nhntnh.exec:\nhntnh.exe83⤵
-
\??\c:\nhtntn.exec:\nhtntn.exe84⤵
-
\??\c:\jdvvj.exec:\jdvvj.exe85⤵
-
\??\c:\dddvd.exec:\dddvd.exe86⤵
-
\??\c:\frlxlfr.exec:\frlxlfr.exe87⤵
-
\??\c:\hhbtth.exec:\hhbtth.exe88⤵
-
\??\c:\9jjdp.exec:\9jjdp.exe89⤵
-
\??\c:\frlxxrr.exec:\frlxxrr.exe90⤵
-
\??\c:\5flfffx.exec:\5flfffx.exe91⤵
-
\??\c:\hbbthb.exec:\hbbthb.exe92⤵
-
\??\c:\jvpjd.exec:\jvpjd.exe93⤵
-
\??\c:\pjvpp.exec:\pjvpp.exe94⤵
-
\??\c:\fxffxrr.exec:\fxffxrr.exe95⤵
-
\??\c:\fxrlffr.exec:\fxrlffr.exe96⤵
-
\??\c:\btnbtt.exec:\btnbtt.exe97⤵
-
\??\c:\hhnbnh.exec:\hhnbnh.exe98⤵
-
\??\c:\djjdp.exec:\djjdp.exe99⤵
-
\??\c:\djddp.exec:\djddp.exe100⤵
-
\??\c:\fflxfxf.exec:\fflxfxf.exe101⤵
-
\??\c:\9xrrrlr.exec:\9xrrrlr.exe102⤵
-
\??\c:\1hbbbb.exec:\1hbbbb.exe103⤵
-
\??\c:\1nhthb.exec:\1nhthb.exe104⤵
-
\??\c:\1jdpd.exec:\1jdpd.exe105⤵
-
\??\c:\jdddd.exec:\jdddd.exe106⤵
-
\??\c:\1lfxffx.exec:\1lfxffx.exe107⤵
-
\??\c:\fxxfxff.exec:\fxxfxff.exe108⤵
-
\??\c:\bntntt.exec:\bntntt.exe109⤵
-
\??\c:\nhhbtb.exec:\nhhbtb.exe110⤵
-
\??\c:\jddpj.exec:\jddpj.exe111⤵
-
\??\c:\3pjdv.exec:\3pjdv.exe112⤵
-
\??\c:\lflrfrx.exec:\lflrfrx.exe113⤵
-
\??\c:\ffrffff.exec:\ffrffff.exe114⤵
-
\??\c:\nntbnb.exec:\nntbnb.exe115⤵
-
\??\c:\7bbbnn.exec:\7bbbnn.exe116⤵
-
\??\c:\jpdvd.exec:\jpdvd.exe117⤵
-
\??\c:\1vpdp.exec:\1vpdp.exe118⤵
-
\??\c:\fxfxxrl.exec:\fxfxxrl.exe119⤵
-
\??\c:\9xrlrlr.exec:\9xrlrlr.exe120⤵
-
\??\c:\bbnhbt.exec:\bbnhbt.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-