Analysis
-
max time kernel
150s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
30/05/2024, 22:57
General
-
Target
6be826529daad59455168e12fb86bbf0_NeikiAnalytics.exe
-
Size
59KB
-
MD5
6be826529daad59455168e12fb86bbf0
-
SHA1
48ec0d4d2c7f7c3564a3006d4948b327c00d3bbf
-
SHA256
0170eb96e3b819c1bd6490e8baa518d635d2548a28398b1282e262cd76c0089c
-
SHA512
bb8d3b46298792672f160bae05f83f58c35707ed938692a7a1be0a2abf1e81f96a9a5ce4bfacf4c5cee582087c2f2e6b56fc2380c60a91ec2d55fd23031970a7
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIsImshz:ymb3NkkiQ3mdBjFIsIFhz
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 23 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6be826529daad59455168e12fb86bbf0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\6be826529daad59455168e12fb86bbf0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\frlxlff.exec:\frlxlff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnnnht.exec:\nnnnht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjdd.exec:\ddjdd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrxflr.exec:\rfrxflr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7nhbtt.exec:\7nhbtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjdvp.exec:\pjdvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxrxxx.exec:\xlxrxxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhhbtb.exec:\bhhbtb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvjjd.exec:\pvjjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrflxxr.exec:\rrflxxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9nnbnb.exec:\9nnbnb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbbbbn.exec:\hbbbbn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvjjd.exec:\vvjjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1lrxffl.exec:\1lrxffl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbbtth.exec:\hbbtth.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvjpj.exec:\pvjpj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrfxrrr.exec:\xrfxrrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1xfrrll.exec:\1xfrrll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbtbht.exec:\hbtbht.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjpjd.exec:\vjpjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frrfxxl.exec:\frrfxxl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1hbthb.exec:\1hbthb.exe23⤵
- Executes dropped EXE
-
\??\c:\bbttnn.exec:\bbttnn.exe24⤵
- Executes dropped EXE
-
\??\c:\vjvpp.exec:\vjvpp.exe25⤵
- Executes dropped EXE
-
\??\c:\5ffxrxx.exec:\5ffxrxx.exe26⤵
- Executes dropped EXE
-
\??\c:\xllllrx.exec:\xllllrx.exe27⤵
- Executes dropped EXE
-
\??\c:\nnnhtb.exec:\nnnhtb.exe28⤵
- Executes dropped EXE
-
\??\c:\jjpdd.exec:\jjpdd.exe29⤵
- Executes dropped EXE
-
\??\c:\7jdvj.exec:\7jdvj.exe30⤵
- Executes dropped EXE
-
\??\c:\rlllfff.exec:\rlllfff.exe31⤵
- Executes dropped EXE
-
\??\c:\nbbtnh.exec:\nbbtnh.exe32⤵
- Executes dropped EXE
-
\??\c:\3tnhtt.exec:\3tnhtt.exe33⤵
- Executes dropped EXE
-
\??\c:\pdpjj.exec:\pdpjj.exe34⤵
- Executes dropped EXE
-
\??\c:\fxllxfr.exec:\fxllxfr.exe35⤵
- Executes dropped EXE
-
\??\c:\7flfrlf.exec:\7flfrlf.exe36⤵
- Executes dropped EXE
-
\??\c:\ththbt.exec:\ththbt.exe37⤵
- Executes dropped EXE
-
\??\c:\dpjjp.exec:\dpjjp.exe38⤵
- Executes dropped EXE
-
\??\c:\dppjv.exec:\dppjv.exe39⤵
- Executes dropped EXE
-
\??\c:\xffrlfx.exec:\xffrlfx.exe40⤵
- Executes dropped EXE
-
\??\c:\tbtnhn.exec:\tbtnhn.exe41⤵
- Executes dropped EXE
-
\??\c:\tnbtnt.exec:\tnbtnt.exe42⤵
- Executes dropped EXE
-
\??\c:\ppvjp.exec:\ppvjp.exe43⤵
- Executes dropped EXE
-
\??\c:\xlffxrr.exec:\xlffxrr.exe44⤵
- Executes dropped EXE
-
\??\c:\ffxflfx.exec:\ffxflfx.exe45⤵
- Executes dropped EXE
-
\??\c:\hnbnht.exec:\hnbnht.exe46⤵
- Executes dropped EXE
-
\??\c:\htbntn.exec:\htbntn.exe47⤵
- Executes dropped EXE
-
\??\c:\pdvdv.exec:\pdvdv.exe48⤵
- Executes dropped EXE
-
\??\c:\dppjv.exec:\dppjv.exe49⤵
- Executes dropped EXE
-
\??\c:\frfrlff.exec:\frfrlff.exe50⤵
- Executes dropped EXE
-
\??\c:\lrlxrlx.exec:\lrlxrlx.exe51⤵
- Executes dropped EXE
-
\??\c:\tthhhh.exec:\tthhhh.exe52⤵
- Executes dropped EXE
-
\??\c:\thnhbb.exec:\thnhbb.exe53⤵
- Executes dropped EXE
-
\??\c:\htnntt.exec:\htnntt.exe54⤵
- Executes dropped EXE
-
\??\c:\pddvp.exec:\pddvp.exe55⤵
- Executes dropped EXE
-
\??\c:\vvpjj.exec:\vvpjj.exe56⤵
- Executes dropped EXE
-
\??\c:\frxrrxr.exec:\frxrrxr.exe57⤵
- Executes dropped EXE
-
\??\c:\ttttnh.exec:\ttttnh.exe58⤵
- Executes dropped EXE
-
\??\c:\7tnhtt.exec:\7tnhtt.exe59⤵
- Executes dropped EXE
-
\??\c:\tnbbht.exec:\tnbbht.exe60⤵
- Executes dropped EXE
-
\??\c:\pvdvv.exec:\pvdvv.exe61⤵
- Executes dropped EXE
-
\??\c:\5xlfxxr.exec:\5xlfxxr.exe62⤵
- Executes dropped EXE
-
\??\c:\xlrllff.exec:\xlrllff.exe63⤵
- Executes dropped EXE
-
\??\c:\nhnbnn.exec:\nhnbnn.exe64⤵
- Executes dropped EXE
-
\??\c:\jddvd.exec:\jddvd.exe65⤵
- Executes dropped EXE
-
\??\c:\vjvpj.exec:\vjvpj.exe66⤵
-
\??\c:\ffflflx.exec:\ffflflx.exe67⤵
-
\??\c:\xxllxrf.exec:\xxllxrf.exe68⤵
-
\??\c:\tntnhb.exec:\tntnhb.exe69⤵
-
\??\c:\dvddv.exec:\dvddv.exe70⤵
-
\??\c:\vvvpj.exec:\vvvpj.exe71⤵
-
\??\c:\rxrfrrx.exec:\rxrfrrx.exe72⤵
-
\??\c:\5rrlllf.exec:\5rrlllf.exe73⤵
-
\??\c:\htttnt.exec:\htttnt.exe74⤵
-
\??\c:\7btthb.exec:\7btthb.exe75⤵
-
\??\c:\jpvpj.exec:\jpvpj.exe76⤵
-
\??\c:\xfrxfll.exec:\xfrxfll.exe77⤵
-
\??\c:\3bnbbh.exec:\3bnbbh.exe78⤵
-
\??\c:\9ppvp.exec:\9ppvp.exe79⤵
-
\??\c:\rfrffrf.exec:\rfrffrf.exe80⤵
-
\??\c:\fxrfrlr.exec:\fxrfrlr.exe81⤵
-
\??\c:\1hntnh.exec:\1hntnh.exe82⤵
-
\??\c:\tnnhhb.exec:\tnnhhb.exe83⤵
-
\??\c:\vjvpj.exec:\vjvpj.exe84⤵
-
\??\c:\lxlfllr.exec:\lxlfllr.exe85⤵
-
\??\c:\xxrffxl.exec:\xxrffxl.exe86⤵
-
\??\c:\lrxrrfx.exec:\lrxrrfx.exe87⤵
-
\??\c:\ntbhnb.exec:\ntbhnb.exe88⤵
-
\??\c:\djjjj.exec:\djjjj.exe89⤵
-
\??\c:\pvjpd.exec:\pvjpd.exe90⤵
-
\??\c:\rffxlll.exec:\rffxlll.exe91⤵
-
\??\c:\xffxrrl.exec:\xffxrrl.exe92⤵
-
\??\c:\btnhbb.exec:\btnhbb.exe93⤵
-
\??\c:\bhbtnh.exec:\bhbtnh.exe94⤵
-
\??\c:\jvvjd.exec:\jvvjd.exe95⤵
-
\??\c:\djjjp.exec:\djjjp.exe96⤵
-
\??\c:\rlflrrl.exec:\rlflrrl.exe97⤵
-
\??\c:\lxrfxxx.exec:\lxrfxxx.exe98⤵
-
\??\c:\tnttbn.exec:\tnttbn.exe99⤵
-
\??\c:\tbnnhh.exec:\tbnnhh.exe100⤵
-
\??\c:\1vddj.exec:\1vddj.exe101⤵
-
\??\c:\1vdvd.exec:\1vdvd.exe102⤵
-
\??\c:\7xxrfxx.exec:\7xxrfxx.exe103⤵
-
\??\c:\7rfxxxr.exec:\7rfxxxr.exe104⤵
-
\??\c:\xllxrrx.exec:\xllxrrx.exe105⤵
-
\??\c:\5ttnnt.exec:\5ttnnt.exe106⤵
-
\??\c:\bttbtt.exec:\bttbtt.exe107⤵
-
\??\c:\1jppj.exec:\1jppj.exe108⤵
-
\??\c:\pjjdv.exec:\pjjdv.exe109⤵
-
\??\c:\llxfxrr.exec:\llxfxrr.exe110⤵
-
\??\c:\3xrlffr.exec:\3xrlffr.exe111⤵
-
\??\c:\7hbtnn.exec:\7hbtnn.exe112⤵
-
\??\c:\bbtnnh.exec:\bbtnnh.exe113⤵
-
\??\c:\vpvvp.exec:\vpvvp.exe114⤵
-
\??\c:\jvpvj.exec:\jvpvj.exe115⤵
-
\??\c:\rxfxrrl.exec:\rxfxrrl.exe116⤵
-
\??\c:\1ffxlfx.exec:\1ffxlfx.exe117⤵
-
\??\c:\nbthbb.exec:\nbthbb.exe118⤵
-
\??\c:\9nthtb.exec:\9nthtb.exe119⤵
-
\??\c:\vpddd.exec:\vpddd.exe120⤵
-
\??\c:\jvvpj.exec:\jvvpj.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-