Malware Analysis Report

2024-11-16 13:59

Sample ID: 240621-chmlpawame
Target: 2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d_NeikiAnalytics.exe
SHA256: 2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d
Tags: blackmoon, banker, trojan, upx
Score: 10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d

Threat Level: Known bad

The file 2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

Tags: blackmoon, banker, trojan, upx

Blackmoon family

Blackmoon, KrBanker

Detect Blackmoon payload

UPX packed file

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-21 02:04

Signatures

Blackmoon family

blackmoon

Detect Blackmoon payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
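The two static signatures above ("UPX packed file" and "Unsigned PE") come down to two header checks: stock UPX section names in the section table, and an empty Authenticode (security) data directory. The following is an added example, not code from the report or from any Blackmoon tooling: a dependency-free PE header triage in Python. The sample PE it builds for itself is constructed and non-executable; its ImageBase 0x400000 and SizeOfImage 0x29000 were chosen to reproduce the 0x400000-0x429000 range that appears in the report's memory dump names, and the section names and signature state are whatever the caller passes in.

```python
import struct

# Offsets follow the PE/COFF specification for PE32 and PE32+ optional headers.
SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: embedded Authenticode blob


def triage_pe(data: bytes) -> dict:
    """Static checks behind the 'UPX packed file' and 'Unsigned PE' signatures.

    Returns the mapped image range (ImageBase .. ImageBase + SizeOfImage), the
    section names, whether any section carries a stock UPX0/UPX1/UPX2 name, and
    whether the security data directory points at a certificate blob.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")

    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32: 4-byte ImageBase, data directories at +96
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dirs = opt + 96
    elif magic == 0x20B:          # PE32+: 8-byte ImageBase, data directories at +112
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:X}")
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    num_dirs = struct.unpack_from("<I", data, dirs - 4)[0]

    # The security directory is a (file offset, size) pair for WIN_CERTIFICATE;
    # size 0 means no embedded signature. Catalog-signed files also show 0 here.
    cert_size = 0
    if num_dirs > SECURITY_DIR_INDEX:
        _, cert_size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR_INDEX)

    sec_table = opt + size_of_opt          # section headers follow the optional header
    names = []
    for i in range(num_sections):          # each IMAGE_SECTION_HEADER is 40 bytes
        raw = data[sec_table + 40 * i: sec_table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("latin-1"))

    return {
        "image_range": f"0x{image_base:016X}-0x{image_base + size_of_image:016X}",
        "section_names": names,
        "upx_sections": any(n.startswith("UPX") for n in names),
        "has_authenticode": cert_size > 0,
    }


def build_sample_pe(section_names=(b"UPX0", b"UPX1", b".rsrc"), signed=False) -> bytes:
    """Constructed PE32 header-only blob for testing; it is not the analysed sample."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # COFF header: i386, N sections, no symbols, 224-byte optional header, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)      # ImageBase (as in the report's dumps)
    struct.pack_into("<I", opt, 56, 0x29000)       # SizeOfImage (0x429000 - 0x400000)
    struct.pack_into("<I", opt, 92, 16)            # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 128, 0x28000, 0x800)  # fake security directory
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    print(triage_pe(build_sample_pe()))
    # On a real file: triage_pe(open("sample.exe", "rb").read())
```

Two caveats a practitioner should keep in mind: packers can rename sections, so an absent UPX0/UPX1 name only means the stock packer was not used as shipped (section entropy is the stronger signal), and an empty security directory proves only that there is no embedded signature, not that the file is unknown to the platform, since catalog-signed files also report zero here.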

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-21 02:04
Reported: 2024-06-21 02:07
Platform: win7-20231129-en
Max time kernel: 117s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d_NeikiAnalytics.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | \??\c:\xrlxflr.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\xrlxflr.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | \??\c:\windows\friendl.dll | \??\c:\xrlxflr.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d_NeikiAnalytics.exe"

\??\c:\xrlxflr.exe
  Command line: c:\xrlxflr.exe

Network

N/A

Files

memory/1936-2-0x0000000000400000-0x0000000000429000-memory.dmp

C:\xrlxflr.exe

MD5 aa0e1972ce4015a0337ca497556f53c4
SHA1 3e8475adf24a98a87310ff2646df11b1b02e4e88
SHA256 a9e0d5b1b97fb108dd601fd275a97f52c8e9a0fdb97d2abf552d219e24041c86
SHA512 b6b3f697dbf7a5990fcf2e790d567de9082babe95bade21b258d3295b17be8b615ccb69d49ee92f3205dbf5c6a70f6683ce429044b4c68b26d76f973cef97a68

memory/2184-8-0x0000000000400000-0x0000000000429000-memory.dmp

\??\c:\jl

MD5 d1938c17479074c33223b90600e740c9
SHA1 f670690453fde8464ce1a982f3490860efae8058
SHA256 3d83b2d0d506139087de7fa5894a090e66f53cc33f932c4c6e565e083c0a0edf
SHA512 f2b12ab2c995cafd24c20d833e56bedea5abab33b9aa003c29c9bcf092e51206688a2a185cf7bca598c05a4d31287b79d65bb0b289f1287419dca561f1ddb560

memory/2184-11-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-21 02:04
Reported: 2024-06-21 02:07
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d_NeikiAnalytics.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\7rflffx.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | \??\c:\windows\friendl.dll | \??\c:\7rflffx.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d_NeikiAnalytics.exe"

\??\c:\7rflffx.exe
  Command line: c:\7rflffx.exe

Network

Files

memory/3784-0-0x0000000000400000-0x0000000000429000-memory.dmp

C:\7rflffx.exe

MD5 f531c74b28b26466055dfd0959271d77
SHA1 fe5d7e91ed76a9fb2a1f4d8b1eaccb53d1b49dcd
SHA256 de64284fa41dd1b57746029c4b5db924b8fdd6811f59f100996648c929f29b69
SHA512 7b771e0eb011bbcc6e5a6a69584c8f48b09dd0e7d0d0939261a818a24410d2d6e060333737fbd5c59d89b5785e4cadf91ba6684bc525d7496adbb8fb748e63c2

memory/3784-6-0x0000000000400000-0x0000000000429000-memory.dmp

\??\c:\jl

MD5 d1938c17479074c33223b90600e740c9
SHA1 f670690453fde8464ce1a982f3490860efae8058
SHA256 3d83b2d0d506139087de7fa5894a090e66f53cc33f932c4c6e565e083c0a0edf
SHA512 f2b12ab2c995cafd24c20d833e56bedea5abab33b9aa003c29c9bcf092e51206688a2a185cf7bca598c05a4d31287b79d65bb0b289f1287419dca561f1ddb560

memory/3148-9-0x0000000000400000-0x0000000000429000-memory.dmp
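Both detonations (behavioral1 on Windows 7, behavioral2 on Windows 10) show the same chain with only the dropped file name changing: the sample in the user's Temp directory writes an executable with a random name directly into the drive root (c:\xrlxflr.exe, c:\7rflffx.exe), runs it, and that child writes c:\windows\friendl.dll; the first run also records a self-delete. The following is an added example, not code from the report or from any Blackmoon tooling, showing how that chain can be turned into host-based detection logic and how the memory dump names in the Files sections can be parsed. The Sysmon-style events are constructed: the PIDs and paths are taken from the behavioral1 run, but the parent of the dropper (explorer.exe), the event order and the file chosen as the delete target are assumptions, since the report only records which process triggered the "Deletes itself" signature, not what it deleted.

```python
import re

NT_PREFIX = "\\??\\"   # NT object-manager prefix the sandbox reports paths with

# Constructed events mirroring the behavioral1 run (Sysmon IDs: 1 = process
# create, 11 = file create, 23 = file delete). Explorer as parent, ordering and
# the delete target are assumptions for illustration.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d_NeikiAnalytics.exe")
EVENTS = [
    {"EventID": 1, "ProcessId": 1936, "Image": DROPPER, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 1936, "Image": DROPPER, "TargetFilename": r"\??\c:\xrlxflr.exe"},
    {"EventID": 1, "ProcessId": 2184, "Image": r"\??\c:\xrlxflr.exe", "ParentImage": DROPPER},
    {"EventID": 11, "ProcessId": 2184, "Image": r"\??\c:\xrlxflr.exe", "TargetFilename": r"\??\c:\windows\friendl.dll"},
    {"EventID": 11, "ProcessId": 2184, "Image": r"\??\c:\xrlxflr.exe", "TargetFilename": r"\??\c:\jl"},
    {"EventID": 23, "ProcessId": 2184, "Image": r"\??\c:\xrlxflr.exe", "TargetFilename": DROPPER},
]

# Memory dump names exactly as listed in the report's Files sections (both runs).
DUMPS = [
    "memory/1936-2-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/2184-8-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/2184-11-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/3784-0-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/3148-9-0x0000000000400000-0x0000000000429000-memory.dmp",
]


def norm(path: str) -> str:
    """Map the NT form (\\??\\c:\\x) and ordinary Win32 paths to one lower-case
    Win32 spelling so sandbox and EDR paths compare equal."""
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.lower()


def is_drive_root_file(path: str) -> bool:
    """True for a file directly under a drive root, e.g. c:\\xrlxflr.exe."""
    return re.fullmatch(r"[a-z]:\\[^\\]+", path) is not None


def detect(events):
    """Replay events and emit (rule, subject, object) findings for the chain."""
    findings = []
    dropped = {}   # normalised path of every file written -> writer PID
    parent = {}    # PID -> normalised parent image
    for ev in events:
        eid, pid, image = ev["EventID"], ev["ProcessId"], norm(ev["Image"])
        if eid == 11:
            target = norm(ev["TargetFilename"])
            dropped[target] = pid
            # non-Windows binary writing into C:\Windows ("Drops file in Windows directory")
            if target.startswith("c:\\windows\\") and not image.startswith("c:\\windows\\"):
                findings.append(("drops_file_in_windows_dir", image, target))
        elif eid == 1:
            parent[pid] = norm(ev["ParentImage"])
            if image in dropped:                                  # "Executes dropped EXE"
                findings.append(("executes_dropped_exe", parent[pid], image))
            if is_drive_root_file(image) and "\\appdata\\local\\temp\\" in parent[pid]:
                findings.append(("drive_root_exe_spawned_from_temp", parent[pid], image))
        elif eid == 23:
            target = norm(ev["TargetFilename"])
            if target == image:                                   # "Deletes itself"
                findings.append(("deletes_itself", image, target))
            elif target == parent.get(pid):                       # child removes its dropper
                findings.append(("deletes_parent_dropper", image, target))
    return findings


DUMP_NAME = re.compile(r"memory/(\d+)-\d+-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp", re.I)


def dump_regions(names):
    """Parse report dump names into (pid, start, size) tuples."""
    out = []
    for name in names:
        m = DUMP_NAME.fullmatch(name)
        if m:
            start, end = int(m.group(2), 16), int(m.group(3), 16)
            out.append((int(m.group(1)), start, end - start))
    return out


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
    print(dump_regions(DUMPS))
```

Two points worth noting. The sandbox prints paths in NT form (`\??\c:\...`) because it hooks at the native API, while Sysmon and most EDRs log Win32 paths, so normalising before comparison is what makes "file written earlier" match "image executed later". And every dump in both runs covers 0x400000-0x429000, a 0x29000-byte region at the default image base: the dropped copy and the original map identically, which is what you would expect when the dropper writes itself out under a random name rather than unpacking a distinct second stage.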