Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
01/06/2024, 09:57
General
-
Target
b11991e13c7b7b28ed3b568d318014f0_NeikiAnalytics.exe
-
Size
232KB
-
MD5
b11991e13c7b7b28ed3b568d318014f0
-
SHA1
d37bd1564bc1d29b1fe683972e9be87ba369553e
-
SHA256
3a299c4f7b9693a6560484d21875b532071e1a37aab920d6841c747ea33b1a7e
-
SHA512
9ac71d08031f70338c949fcceb663933fb126c8f7cf54279f40a88ce3c6e7af3080e49dc5f0f07c6217b3e158e3745cda8b97eb593138e60fed611d3c83e7abc
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo7LAIRUohTF/SjSrbzLAuBjfwFOmoFzMvUpGqC5n+H:n3C9BRo/AIuuFSjA8uBjwI7FjpjC5+H
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 32 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b11991e13c7b7b28ed3b568d318014f0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\b11991e13c7b7b28ed3b568d318014f0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\1ppjp.exec:\1ppjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1xllffr.exec:\1xllffr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbbhn.exec:\nhbbhn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfllrrr.exec:\rfllrrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxrfxr.exec:\frxrfxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjvd.exec:\jjjvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjjjv.exec:\vjjjv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhhnht.exec:\hhhnht.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djdpv.exec:\djdpv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7rlrflx.exec:\7rlrflx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thnhtt.exec:\thnhtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9vdjv.exec:\9vdjv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxfxrl.exec:\lfxfxrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbtbnt.exec:\bbtbnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvpvj.exec:\vvpvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1fxlrrf.exec:\1fxlrrf.exe17⤵
- Executes dropped EXE
-
\??\c:\bthhth.exec:\bthhth.exe18⤵
- Executes dropped EXE
-
\??\c:\jvjpv.exec:\jvjpv.exe19⤵
- Executes dropped EXE
-
\??\c:\3xlrffl.exec:\3xlrffl.exe20⤵
- Executes dropped EXE
-
\??\c:\bhhhtt.exec:\bhhhtt.exe21⤵
- Executes dropped EXE
-
\??\c:\ppvpv.exec:\ppvpv.exe22⤵
- Executes dropped EXE
-
\??\c:\xxflxfr.exec:\xxflxfr.exe23⤵
- Executes dropped EXE
-
\??\c:\hhtbhn.exec:\hhtbhn.exe24⤵
- Executes dropped EXE
-
\??\c:\vvjpd.exec:\vvjpd.exe25⤵
- Executes dropped EXE
-
\??\c:\jvvdp.exec:\jvvdp.exe26⤵
- Executes dropped EXE
-
\??\c:\xrfrffx.exec:\xrfrffx.exe27⤵
- Executes dropped EXE
-
\??\c:\jvpjj.exec:\jvpjj.exe28⤵
- Executes dropped EXE
-
\??\c:\9lffrrx.exec:\9lffrrx.exe29⤵
- Executes dropped EXE
-
\??\c:\xxxlxfr.exec:\xxxlxfr.exe30⤵
- Executes dropped EXE
-
\??\c:\bbtnnb.exec:\bbtnnb.exe31⤵
- Executes dropped EXE
-
\??\c:\bthtnt.exec:\bthtnt.exe32⤵
- Executes dropped EXE
-
\??\c:\ddjvp.exec:\ddjvp.exe33⤵
- Executes dropped EXE
-
\??\c:\llfxrxl.exec:\llfxrxl.exe34⤵
- Executes dropped EXE
-
\??\c:\9fflxfx.exec:\9fflxfx.exe35⤵
- Executes dropped EXE
-
\??\c:\nnbhnb.exec:\nnbhnb.exe36⤵
- Executes dropped EXE
-
\??\c:\jjvjv.exec:\jjvjv.exe37⤵
- Executes dropped EXE
-
\??\c:\dvjpp.exec:\dvjpp.exe38⤵
- Executes dropped EXE
-
\??\c:\rrllxlx.exec:\rrllxlx.exe39⤵
- Executes dropped EXE
-
\??\c:\hthntt.exec:\hthntt.exe40⤵
- Executes dropped EXE
-
\??\c:\nnttnt.exec:\nnttnt.exe41⤵
- Executes dropped EXE
-
\??\c:\dvpdj.exec:\dvpdj.exe42⤵
- Executes dropped EXE
-
\??\c:\frffffr.exec:\frffffr.exe43⤵
- Executes dropped EXE
-
\??\c:\lrfxrfl.exec:\lrfxrfl.exe44⤵
- Executes dropped EXE
-
\??\c:\nbhnbb.exec:\nbhnbb.exe45⤵
- Executes dropped EXE
-
\??\c:\vvjdp.exec:\vvjdp.exe46⤵
- Executes dropped EXE
-
\??\c:\3fxfrfr.exec:\3fxfrfr.exe47⤵
- Executes dropped EXE
-
\??\c:\fxffrxf.exec:\fxffrxf.exe48⤵
- Executes dropped EXE
-
\??\c:\btbnhn.exec:\btbnhn.exe49⤵
- Executes dropped EXE
-
\??\c:\7nnbnt.exec:\7nnbnt.exe50⤵
- Executes dropped EXE
-
\??\c:\ddjvd.exec:\ddjvd.exe51⤵
- Executes dropped EXE
-
\??\c:\lfrfllr.exec:\lfrfllr.exe52⤵
- Executes dropped EXE
-
\??\c:\3rlxlrx.exec:\3rlxlrx.exe53⤵
- Executes dropped EXE
-
\??\c:\nhtntb.exec:\nhtntb.exe54⤵
- Executes dropped EXE
-
\??\c:\dpjpp.exec:\dpjpp.exe55⤵
- Executes dropped EXE
-
\??\c:\rrlrflx.exec:\rrlrflx.exe56⤵
- Executes dropped EXE
-
\??\c:\7fxlffl.exec:\7fxlffl.exe57⤵
- Executes dropped EXE
-
\??\c:\5nbbnt.exec:\5nbbnt.exe58⤵
- Executes dropped EXE
-
\??\c:\htnttn.exec:\htnttn.exe59⤵
- Executes dropped EXE
-
\??\c:\ddpdp.exec:\ddpdp.exe60⤵
- Executes dropped EXE
-
\??\c:\1xflrrf.exec:\1xflrrf.exe61⤵
- Executes dropped EXE
-
\??\c:\flxlxlr.exec:\flxlxlr.exe62⤵
- Executes dropped EXE
-
\??\c:\hbtntn.exec:\hbtntn.exe63⤵
- Executes dropped EXE
-
\??\c:\jvdjd.exec:\jvdjd.exe64⤵
- Executes dropped EXE
-
\??\c:\1jddj.exec:\1jddj.exe65⤵
- Executes dropped EXE
-
\??\c:\rrlxfxr.exec:\rrlxfxr.exe66⤵
-
\??\c:\fxxxfxf.exec:\fxxxfxf.exe67⤵
-
\??\c:\7tntbh.exec:\7tntbh.exe68⤵
-
\??\c:\3vpdj.exec:\3vpdj.exe69⤵
-
\??\c:\rlflfll.exec:\rlflfll.exe70⤵
-
\??\c:\rxlffxr.exec:\rxlffxr.exe71⤵
-
\??\c:\hbnnhb.exec:\hbnnhb.exe72⤵
-
\??\c:\dddvj.exec:\dddvj.exe73⤵
-
\??\c:\pdjjj.exec:\pdjjj.exe74⤵
-
\??\c:\fflxfxf.exec:\fflxfxf.exe75⤵
-
\??\c:\rfrrxxx.exec:\rfrrxxx.exe76⤵
-
\??\c:\bntbhh.exec:\bntbhh.exe77⤵
-
\??\c:\tntbnh.exec:\tntbnh.exe78⤵
-
\??\c:\jdpvv.exec:\jdpvv.exe79⤵
-
\??\c:\1rfxlfr.exec:\1rfxlfr.exe80⤵
-
\??\c:\rrflfrf.exec:\rrflfrf.exe81⤵
-
\??\c:\nhnbbn.exec:\nhnbbn.exe82⤵
-
\??\c:\tnhnbh.exec:\tnhnbh.exe83⤵
-
\??\c:\ddpvd.exec:\ddpvd.exe84⤵
-
\??\c:\1rllxxr.exec:\1rllxxr.exe85⤵
-
\??\c:\xlrrfxf.exec:\xlrrfxf.exe86⤵
-
\??\c:\nbhhhb.exec:\nbhhhb.exe87⤵
-
\??\c:\jdpvj.exec:\jdpvj.exe88⤵
-
\??\c:\1vjpd.exec:\1vjpd.exe89⤵
-
\??\c:\xxfflxl.exec:\xxfflxl.exe90⤵
-
\??\c:\rrfrffr.exec:\rrfrffr.exe91⤵
-
\??\c:\tntbbb.exec:\tntbbb.exe92⤵
-
\??\c:\btbhhn.exec:\btbhhn.exe93⤵
-
\??\c:\jdpvd.exec:\jdpvd.exe94⤵
-
\??\c:\xlxlrxx.exec:\xlxlrxx.exe95⤵
-
\??\c:\llxffrr.exec:\llxffrr.exe96⤵
-
\??\c:\3nbthn.exec:\3nbthn.exe97⤵
-
\??\c:\vpdvj.exec:\vpdvj.exe98⤵
-
\??\c:\pddpv.exec:\pddpv.exe99⤵
-
\??\c:\rlllxxx.exec:\rlllxxx.exe100⤵
-
\??\c:\3hnbbb.exec:\3hnbbb.exe101⤵
-
\??\c:\3nhnbb.exec:\3nhnbb.exe102⤵
-
\??\c:\dpvvv.exec:\dpvvv.exe103⤵
-
\??\c:\vpvvj.exec:\vpvvj.exe104⤵
-
\??\c:\xrxflrx.exec:\xrxflrx.exe105⤵
-
\??\c:\9tbhnh.exec:\9tbhnh.exe106⤵
-
\??\c:\thntbt.exec:\thntbt.exe107⤵
-
\??\c:\vppvj.exec:\vppvj.exe108⤵
-
\??\c:\xxfxxrx.exec:\xxfxxrx.exe109⤵
-
\??\c:\fxrxlxf.exec:\fxrxlxf.exe110⤵
-
\??\c:\btbhnh.exec:\btbhnh.exe111⤵
-
\??\c:\9vpvj.exec:\9vpvj.exe112⤵
-
\??\c:\3vjdv.exec:\3vjdv.exe113⤵
-
\??\c:\fxrrxxr.exec:\fxrrxxr.exe114⤵
-
\??\c:\xlrrlfl.exec:\xlrrlfl.exe115⤵
-
\??\c:\htbhtt.exec:\htbhtt.exe116⤵
-
\??\c:\5tbnhh.exec:\5tbnhh.exe117⤵
-
\??\c:\5dppp.exec:\5dppp.exe118⤵
-
\??\c:\1rxrlll.exec:\1rxrlll.exe119⤵
-
\??\c:\xlrxlrr.exec:\xlrxlrr.exe120⤵
-
\??\c:\bntntn.exec:\bntntn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-