Analysis
-
max time kernel
150s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
02-06-2024 05:22
General
-
Target
3e8c3c536d1fb5ef4d506c5acc8b8420_NeikiAnalytics.exe
-
Size
95KB
-
MD5
3e8c3c536d1fb5ef4d506c5acc8b8420
-
SHA1
b347039daa84ead5787f3d4d85e5bbc33416d2ad
-
SHA256
296b1b0a81575db2b7277b23ad109a16330e30c52aeddf10c274c9ab093c6644
-
SHA512
7b0924a3c1a1b865f7bc8ff76552270b3e2077a9a212ac871dc786a12c9835c72b4afe36fa33bff5714c403efa79de3ca042adf0bc34c3e3517ccd25b6519bed
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDo73XH/YP1HFrJximAAxEPOfPrAW:ymb3NkkiQ3mdBjFo73PYP1lri3KuOnrR
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e8c3c536d1fb5ef4d506c5acc8b8420_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3e8c3c536d1fb5ef4d506c5acc8b8420_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rrfrrff.exec:\rrfrrff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnntt.exec:\hbnntt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvdvd.exec:\pvdvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxfxxxx.exec:\rxfxxxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fflllll.exec:\fflllll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbhhnt.exec:\bbhhnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjvpj.exec:\vjvpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpdvj.exec:\vpdvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrrflrr.exec:\rrrflrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3xllfff.exec:\3xllfff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9vvpp.exec:\9vvpp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9rxrllf.exec:\9rxrllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnttbb.exec:\hnttbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdddd.exec:\jdddd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxrlrl.exec:\lxxrlrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llrlffx.exec:\llrlffx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9nbbhh.exec:\9nbbhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7flfxxx.exec:\7flfxxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxrrlxf.exec:\rxrrlxf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbbbb.exec:\htbbbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjdp.exec:\ddjdp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpppj.exec:\vpppj.exe23⤵
- Executes dropped EXE
-
\??\c:\rfrrlrf.exec:\rfrrlrf.exe24⤵
- Executes dropped EXE
-
\??\c:\nnbbtt.exec:\nnbbtt.exe25⤵
- Executes dropped EXE
-
\??\c:\7pjdp.exec:\7pjdp.exe26⤵
- Executes dropped EXE
-
\??\c:\9vdvp.exec:\9vdvp.exe27⤵
- Executes dropped EXE
-
\??\c:\1hbtnh.exec:\1hbtnh.exe28⤵
- Executes dropped EXE
-
\??\c:\hbhnnn.exec:\hbhnnn.exe29⤵
- Executes dropped EXE
-
\??\c:\ddpjd.exec:\ddpjd.exe30⤵
- Executes dropped EXE
-
\??\c:\1lrllll.exec:\1lrllll.exe31⤵
- Executes dropped EXE
-
\??\c:\bbnhhh.exec:\bbnhhh.exe32⤵
- Executes dropped EXE
-
\??\c:\pdddv.exec:\pdddv.exe33⤵
- Executes dropped EXE
-
\??\c:\5djvj.exec:\5djvj.exe34⤵
- Executes dropped EXE
-
\??\c:\rxffxxx.exec:\rxffxxx.exe35⤵
- Executes dropped EXE
-
\??\c:\htbtnn.exec:\htbtnn.exe36⤵
- Executes dropped EXE
-
\??\c:\nhhbtn.exec:\nhhbtn.exe37⤵
- Executes dropped EXE
-
\??\c:\3vdjj.exec:\3vdjj.exe38⤵
- Executes dropped EXE
-
\??\c:\pjvvd.exec:\pjvvd.exe39⤵
- Executes dropped EXE
-
\??\c:\lfffxxx.exec:\lfffxxx.exe40⤵
- Executes dropped EXE
-
\??\c:\tnntbh.exec:\tnntbh.exe41⤵
- Executes dropped EXE
-
\??\c:\bbhtnh.exec:\bbhtnh.exe42⤵
- Executes dropped EXE
-
\??\c:\7pppj.exec:\7pppj.exe43⤵
- Executes dropped EXE
-
\??\c:\rlffrrr.exec:\rlffrrr.exe44⤵
- Executes dropped EXE
-
\??\c:\bhbbtt.exec:\bhbbtt.exe45⤵
- Executes dropped EXE
-
\??\c:\btbbtt.exec:\btbbtt.exe46⤵
- Executes dropped EXE
-
\??\c:\pdjdv.exec:\pdjdv.exe47⤵
- Executes dropped EXE
-
\??\c:\5lrrrrr.exec:\5lrrrrr.exe48⤵
- Executes dropped EXE
-
\??\c:\3bbhth.exec:\3bbhth.exe49⤵
- Executes dropped EXE
-
\??\c:\bbhhtt.exec:\bbhhtt.exe50⤵
- Executes dropped EXE
-
\??\c:\pvppp.exec:\pvppp.exe51⤵
- Executes dropped EXE
-
\??\c:\lflfxxx.exec:\lflfxxx.exe52⤵
- Executes dropped EXE
-
\??\c:\fxffxrl.exec:\fxffxrl.exe53⤵
- Executes dropped EXE
-
\??\c:\5ttttt.exec:\5ttttt.exe54⤵
- Executes dropped EXE
-
\??\c:\hnttnn.exec:\hnttnn.exe55⤵
- Executes dropped EXE
-
\??\c:\vvjjj.exec:\vvjjj.exe56⤵
- Executes dropped EXE
-
\??\c:\rlxxrrf.exec:\rlxxrrf.exe57⤵
- Executes dropped EXE
-
\??\c:\llfxrrl.exec:\llfxrrl.exe58⤵
- Executes dropped EXE
-
\??\c:\3ttttb.exec:\3ttttb.exe59⤵
- Executes dropped EXE
-
\??\c:\thtnhh.exec:\thtnhh.exe60⤵
- Executes dropped EXE
-
\??\c:\jppjj.exec:\jppjj.exe61⤵
- Executes dropped EXE
-
\??\c:\pvvpj.exec:\pvvpj.exe62⤵
- Executes dropped EXE
-
\??\c:\rrlfxff.exec:\rrlfxff.exe63⤵
- Executes dropped EXE
-
\??\c:\flllfff.exec:\flllfff.exe64⤵
- Executes dropped EXE
-
\??\c:\thnnhn.exec:\thnnhn.exe65⤵
- Executes dropped EXE
-
\??\c:\hthhbb.exec:\hthhbb.exe66⤵
-
\??\c:\vppjd.exec:\vppjd.exe67⤵
-
\??\c:\9ppjd.exec:\9ppjd.exe68⤵
-
\??\c:\rlrrfff.exec:\rlrrfff.exe69⤵
-
\??\c:\lfxxffl.exec:\lfxxffl.exe70⤵
-
\??\c:\hbtthh.exec:\hbtthh.exe71⤵
-
\??\c:\7tnnhh.exec:\7tnnhh.exe72⤵
-
\??\c:\vjvvp.exec:\vjvvp.exe73⤵
-
\??\c:\dpvjd.exec:\dpvjd.exe74⤵
-
\??\c:\5llfxxx.exec:\5llfxxx.exe75⤵
-
\??\c:\lxffffl.exec:\lxffffl.exe76⤵
-
\??\c:\btnhbb.exec:\btnhbb.exe77⤵
-
\??\c:\ddppv.exec:\ddppv.exe78⤵
-
\??\c:\pdjdj.exec:\pdjdj.exe79⤵
-
\??\c:\rrflxff.exec:\rrflxff.exe80⤵
-
\??\c:\ffxxxxl.exec:\ffxxxxl.exe81⤵
-
\??\c:\9nnhtt.exec:\9nnhtt.exe82⤵
-
\??\c:\jpvpd.exec:\jpvpd.exe83⤵
-
\??\c:\5xfxrll.exec:\5xfxrll.exe84⤵
-
\??\c:\nhhtnh.exec:\nhhtnh.exe85⤵
-
\??\c:\9dpjd.exec:\9dpjd.exe86⤵
-
\??\c:\llxxxxl.exec:\llxxxxl.exe87⤵
-
\??\c:\ffffxrr.exec:\ffffxrr.exe88⤵
-
\??\c:\bnttnn.exec:\bnttnn.exe89⤵
-
\??\c:\3jdvd.exec:\3jdvd.exe90⤵
-
\??\c:\fffxrrr.exec:\fffxrrr.exe91⤵
-
\??\c:\ffllfff.exec:\ffllfff.exe92⤵
-
\??\c:\nhhhbh.exec:\nhhhbh.exe93⤵
-
\??\c:\1ttttt.exec:\1ttttt.exe94⤵
-
\??\c:\vjppp.exec:\vjppp.exe95⤵
-
\??\c:\jjppj.exec:\jjppj.exe96⤵
-
\??\c:\rfrlxxx.exec:\rfrlxxx.exe97⤵
-
\??\c:\lrllffx.exec:\lrllffx.exe98⤵
-
\??\c:\tthhtt.exec:\tthhtt.exe99⤵
-
\??\c:\hhnhbb.exec:\hhnhbb.exe100⤵
-
\??\c:\7jjdv.exec:\7jjdv.exe101⤵
-
\??\c:\pppjd.exec:\pppjd.exe102⤵
-
\??\c:\lrxrlll.exec:\lrxrlll.exe103⤵
-
\??\c:\rxlffff.exec:\rxlffff.exe104⤵
-
\??\c:\hbbbth.exec:\hbbbth.exe105⤵
-
\??\c:\tntnnn.exec:\tntnnn.exe106⤵
-
\??\c:\1djdv.exec:\1djdv.exe107⤵
-
\??\c:\dpppj.exec:\dpppj.exe108⤵
-
\??\c:\fxffffl.exec:\fxffffl.exe109⤵
-
\??\c:\1xfxrrl.exec:\1xfxrrl.exe110⤵
-
\??\c:\bttbtb.exec:\bttbtb.exe111⤵
-
\??\c:\9tbbhh.exec:\9tbbhh.exe112⤵
-
\??\c:\dpjjd.exec:\dpjjd.exe113⤵
-
\??\c:\jjddp.exec:\jjddp.exe114⤵
-
\??\c:\rrfxrrl.exec:\rrfxrrl.exe115⤵
-
\??\c:\lfrrrrl.exec:\lfrrrrl.exe116⤵
-
\??\c:\htbhhh.exec:\htbhhh.exe117⤵
-
\??\c:\htthtn.exec:\htthtn.exe118⤵
-
\??\c:\jjvpp.exec:\jjvpp.exe119⤵
-
\??\c:\vpvvv.exec:\vpvvv.exe120⤵
-
\??\c:\xxxrffl.exec:\xxxrffl.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-