Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
28/05/2024, 06:45
General
-
Target
373ed25d65526bbe332b74369ec52940_NeikiAnalytics.exe
-
Size
313KB
-
MD5
373ed25d65526bbe332b74369ec52940
-
SHA1
38afa388712e1fa8c322856525add9b3367e70f3
-
SHA256
b74316955e4d9e73a364fc0d2779573a2831dc935895206e1fcf243346b930a2
-
SHA512
c58177fd9835fe46c4d52d8fc51b2eb81f17bb755abe13ce1058e02ad500627bc0b467075202d9307eb1208ca074212a535ca1113edb014dc9883205dc26b859
-
SSDEEP
6144:n3C9BRo/AIX2h97aUzpbBj3+b2ziJC39QS8hDJd+Q7ZLbjwmm:n3C9uDC97aUFbZ42ziM39QS8hDJd+Q7y
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 31 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\373ed25d65526bbe332b74369ec52940_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\373ed25d65526bbe332b74369ec52940_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\3lrfxxr.exec:\3lrfxxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxlxxl.exec:\frxlxxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnhbb.exec:\btnhbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vppjd.exec:\vppjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjpjd.exec:\pjpjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3ffxrlf.exec:\3ffxrlf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thnhbb.exec:\thnhbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bntnbb.exec:\bntnbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjjjd.exec:\vjjjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fflfrrl.exec:\fflfrrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfllxxl.exec:\xfllxxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttnnnn.exec:\ttnnnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jddvv.exec:\jddvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjpjj.exec:\vjpjj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlffxff.exec:\rlffxff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9xxrffx.exec:\9xxrffx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhnnnn.exec:\bhnnnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttbttn.exec:\ttbttn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvpj.exec:\pdvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrxfff.exec:\rfrxfff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9lrrlll.exec:\9lrrlll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntbtnh.exec:\ntbtnh.exe23⤵
- Executes dropped EXE
-
\??\c:\btnnhn.exec:\btnnhn.exe24⤵
- Executes dropped EXE
-
\??\c:\ppjdv.exec:\ppjdv.exe25⤵
- Executes dropped EXE
-
\??\c:\fxxrfll.exec:\fxxrfll.exe26⤵
- Executes dropped EXE
-
\??\c:\fxfxrlf.exec:\fxfxrlf.exe27⤵
- Executes dropped EXE
-
\??\c:\1hhbtt.exec:\1hhbtt.exe28⤵
- Executes dropped EXE
-
\??\c:\bnnhnh.exec:\bnnhnh.exe29⤵
- Executes dropped EXE
-
\??\c:\pvdvj.exec:\pvdvj.exe30⤵
- Executes dropped EXE
-
\??\c:\vjdvp.exec:\vjdvp.exe31⤵
- Executes dropped EXE
-
\??\c:\lrxrxxr.exec:\lrxrxxr.exe32⤵
- Executes dropped EXE
-
\??\c:\hhnbth.exec:\hhnbth.exe33⤵
- Executes dropped EXE
-
\??\c:\jpjdv.exec:\jpjdv.exe34⤵
- Executes dropped EXE
-
\??\c:\xlxffff.exec:\xlxffff.exe35⤵
- Executes dropped EXE
-
\??\c:\xxrrfff.exec:\xxrrfff.exe36⤵
- Executes dropped EXE
-
\??\c:\thnhbb.exec:\thnhbb.exe37⤵
- Executes dropped EXE
-
\??\c:\jdjdv.exec:\jdjdv.exe38⤵
- Executes dropped EXE
-
\??\c:\lxfxrrl.exec:\lxfxrrl.exe39⤵
- Executes dropped EXE
-
\??\c:\flfxxxx.exec:\flfxxxx.exe40⤵
- Executes dropped EXE
-
\??\c:\bhnnhh.exec:\bhnnhh.exe41⤵
- Executes dropped EXE
-
\??\c:\nhhbnn.exec:\nhhbnn.exe42⤵
- Executes dropped EXE
-
\??\c:\3djvp.exec:\3djvp.exe43⤵
- Executes dropped EXE
-
\??\c:\jvjdp.exec:\jvjdp.exe44⤵
- Executes dropped EXE
-
\??\c:\flxlffx.exec:\flxlffx.exe45⤵
- Executes dropped EXE
-
\??\c:\rllfrff.exec:\rllfrff.exe46⤵
- Executes dropped EXE
-
\??\c:\bhthbb.exec:\bhthbb.exe47⤵
- Executes dropped EXE
-
\??\c:\dpppj.exec:\dpppj.exe48⤵
- Executes dropped EXE
-
\??\c:\dpppj.exec:\dpppj.exe49⤵
- Executes dropped EXE
-
\??\c:\rrxrlff.exec:\rrxrlff.exe50⤵
- Executes dropped EXE
-
\??\c:\flrxrlf.exec:\flrxrlf.exe51⤵
- Executes dropped EXE
-
\??\c:\bnnhbt.exec:\bnnhbt.exe52⤵
- Executes dropped EXE
-
\??\c:\thhbnn.exec:\thhbnn.exe53⤵
- Executes dropped EXE
-
\??\c:\jvpjp.exec:\jvpjp.exe54⤵
- Executes dropped EXE
-
\??\c:\dddjd.exec:\dddjd.exe55⤵
- Executes dropped EXE
-
\??\c:\xlrlfxr.exec:\xlrlfxr.exe56⤵
- Executes dropped EXE
-
\??\c:\7hhbtn.exec:\7hhbtn.exe57⤵
- Executes dropped EXE
-
\??\c:\tntnhh.exec:\tntnhh.exe58⤵
- Executes dropped EXE
-
\??\c:\vjpjd.exec:\vjpjd.exe59⤵
- Executes dropped EXE
-
\??\c:\jpppj.exec:\jpppj.exe60⤵
- Executes dropped EXE
-
\??\c:\1lfxrlf.exec:\1lfxrlf.exe61⤵
- Executes dropped EXE
-
\??\c:\tnntnt.exec:\tnntnt.exe62⤵
- Executes dropped EXE
-
\??\c:\pjjdd.exec:\pjjdd.exe63⤵
- Executes dropped EXE
-
\??\c:\rrrlllx.exec:\rrrlllx.exe64⤵
- Executes dropped EXE
-
\??\c:\bhbhbb.exec:\bhbhbb.exe65⤵
- Executes dropped EXE
-
\??\c:\hhbbhh.exec:\hhbbhh.exe66⤵
-
\??\c:\pjdvd.exec:\pjdvd.exe67⤵
-
\??\c:\xlrlfxx.exec:\xlrlfxx.exe68⤵
-
\??\c:\ffllffx.exec:\ffllffx.exe69⤵
-
\??\c:\tthhbn.exec:\tthhbn.exe70⤵
-
\??\c:\vpvpj.exec:\vpvpj.exe71⤵
-
\??\c:\frrfxxr.exec:\frrfxxr.exe72⤵
-
\??\c:\lxrfxrl.exec:\lxrfxrl.exe73⤵
-
\??\c:\1hnthh.exec:\1hnthh.exe74⤵
-
\??\c:\1djjv.exec:\1djjv.exe75⤵
-
\??\c:\ddvjp.exec:\ddvjp.exe76⤵
-
\??\c:\rlffxrl.exec:\rlffxrl.exe77⤵
-
\??\c:\nnhbnh.exec:\nnhbnh.exe78⤵
-
\??\c:\pjvdp.exec:\pjvdp.exe79⤵
-
\??\c:\pvdpj.exec:\pvdpj.exe80⤵
-
\??\c:\rflffxr.exec:\rflffxr.exe81⤵
-
\??\c:\hhtttb.exec:\hhtttb.exe82⤵
-
\??\c:\ntnbtb.exec:\ntnbtb.exe83⤵
-
\??\c:\vjjjv.exec:\vjjjv.exe84⤵
-
\??\c:\dppjd.exec:\dppjd.exe85⤵
-
\??\c:\frrlffr.exec:\frrlffr.exe86⤵
-
\??\c:\lrrlxrl.exec:\lrrlxrl.exe87⤵
-
\??\c:\tnhbtn.exec:\tnhbtn.exe88⤵
-
\??\c:\pjdvp.exec:\pjdvp.exe89⤵
-
\??\c:\xlfxrrl.exec:\xlfxrrl.exe90⤵
-
\??\c:\rllrxfx.exec:\rllrxfx.exe91⤵
-
\??\c:\htnbtn.exec:\htnbtn.exe92⤵
-
\??\c:\rrllfxr.exec:\rrllfxr.exe93⤵
-
\??\c:\tbbttt.exec:\tbbttt.exe94⤵
-
\??\c:\thtnhh.exec:\thtnhh.exe95⤵
-
\??\c:\djppj.exec:\djppj.exe96⤵
-
\??\c:\ppdvd.exec:\ppdvd.exe97⤵
-
\??\c:\fllxfxl.exec:\fllxfxl.exe98⤵
-
\??\c:\nhhbbt.exec:\nhhbbt.exe99⤵
-
\??\c:\vvjpp.exec:\vvjpp.exe100⤵
-
\??\c:\jvvvp.exec:\jvvvp.exe101⤵
-
\??\c:\xrxfrrx.exec:\xrxfrrx.exe102⤵
-
\??\c:\htnhbt.exec:\htnhbt.exe103⤵
-
\??\c:\nhhbtn.exec:\nhhbtn.exe104⤵
-
\??\c:\3ppjd.exec:\3ppjd.exe105⤵
-
\??\c:\dvjjd.exec:\dvjjd.exe106⤵
-
\??\c:\llxrffl.exec:\llxrffl.exe107⤵
-
\??\c:\bbntbt.exec:\bbntbt.exe108⤵
-
\??\c:\jvjjj.exec:\jvjjj.exe109⤵
-
\??\c:\5vppd.exec:\5vppd.exe110⤵
-
\??\c:\llfxrll.exec:\llfxrll.exe111⤵
-
\??\c:\lllfxrl.exec:\lllfxrl.exe112⤵
-
\??\c:\nhnhhn.exec:\nhnhhn.exe113⤵
-
\??\c:\jpppj.exec:\jpppj.exe114⤵
-
\??\c:\jdjjj.exec:\jdjjj.exe115⤵
-
\??\c:\rlfllxl.exec:\rlfllxl.exe116⤵
-
\??\c:\frllflf.exec:\frllflf.exe117⤵
-
\??\c:\3bbtnn.exec:\3bbtnn.exe118⤵
-
\??\c:\nhbtnh.exec:\nhbtnh.exe119⤵
-
\??\c:\7dvvp.exec:\7dvvp.exe120⤵
-
\??\c:\ffxrrrr.exec:\ffxrrrr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-