Analysis

  • max time kernel
    174s
  • max time network
    187s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-11-2022 20:26

General

  • Target

    176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe

  • Size

    4.0MB

  • MD5

    6481509a5d3a32abdef685297980f7d8

  • SHA1

    b9abfb0457909be6ff5ba2facddfd2c185f862c0

  • SHA256

    176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f

  • SHA512

    2bb86030b6e832d0c2627029f4d9d42d40efdafba4452a1420b88fa888c8472d42bba07d87f2c22a45980da51e9bd1062a0c826a31ac7eff12d14b88f2747d0f

  • SSDEEP

    98304:GczGF9E+wSReWIjp3tcb9YI/LsoayFPVdBOxt1bDkMBE:GczGPERuQjdtc5vzsoaMPVdMt1bDkMBE

Malware Config

Extracted

Family

joker

C2

https://htuzi.oss-cn-shanghai.aliyuncs.com

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 5 IoCs
  • joker

    Joker is an Android malware that targets billing and SMS fraud.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe
    "C:\Users\Admin\AppData\Local\Temp\176996c48c2f4dbe5dc4a20628d6c8dd728be5eef22f9abf205b0696ecfae78f.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://www.htuzi.com/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1544
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1544 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1752

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    61KB

    MD5

    3dcf580a93972319e82cafbc047d34d5

    SHA1

    8528d2a1363e5de77dc3b1142850e51ead0f4b6b

    SHA256

    40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

    SHA512

    98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FA0A17BC17FF10008872A7205D0D43E2_608DEF97DFACECDA8E97C6F270153A4F

    Filesize

    471B

    MD5

    6bc53d1b58d3ccc275dcaba9903c40d8

    SHA1

    6a85754c77df04415a10ad39f46b18da70f92208

    SHA256

    7b88cfc849ba2b2ccd5f4666b29d2701eda5014796b1a4be7a7d316c19060f8c

    SHA512

    35bdc644cb73a726cc0955af88bcabf0465e7a4e9734476f63bac73974781f9514999b52d6c03d1b2c694d412955457f69cd8539fecd725aff3ada687289070a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    340B

    MD5

    6748435832b5ba1f2d9d5cb5222fdd36

    SHA1

    aa0dfa622427a599972d3747b5b771c8f53835e3

    SHA256

    7331cebdc634d5f3c1a8b5fe16591095dd530b0dc0a4855c1f94b05f8c43c58e

    SHA512

    bc1625fac97aef15a878f40590b20acc31d6b3e5c5262cb188cf2aed56035e33fe704367985c254d60669c8cc975b6ed2bbb91331efc98b6199c7a00e4bb0ebf

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0f9ed7ad6291a0bc569ce42fa6a9d92e

    SHA1

    64624f5baad50e4930b8c3b10ac5c646a8ce8ecf

    SHA256

    5dd6ca2519449e3299bb69a0234fb64539955aa0544258f573e186b918088098

    SHA512

    ca46dbc4731463f0c626d95e9caf562620b4bb0fda142e9afebd306c408c14e2d74fd8e37466335a959b8bb24599b489c826e1b5c1cd33ce93f6bc9bb40968db

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FA0A17BC17FF10008872A7205D0D43E2_608DEF97DFACECDA8E97C6F270153A4F

    Filesize

    424B

    MD5

    c2442a2335fcf5ae7f4f6833b5da88d2

    SHA1

    331ce683bbbeffebdfd003b2a5b8c8693907a19f

    SHA256

    fe161ce7a1f13c068d2a273db9ab0c7298a64b24781388e6d65729f52325a75c

    SHA512

    de37fc830cbf8d31f94d19171505a105e2d45957c46153a37c849ad7357ea5890fbd7f836155982a72c9e69c1d176bf60d662fe7b84696fb677ca28fa826aa18

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat

    Filesize

    38KB

    MD5

    104dce06b70c072199490f0c3c2de6a4

    SHA1

    bc81368d2b966fa35f46a690d022615691892cef

    SHA256

    5af5cdd945d2ad669b2009e32598184ee9706fd117f571605428f7b68a7e3297

    SHA512

    0a32b986510d06f0c9f45f68ad185fe58226e7b00bb67a659b18cdfde4d94551685bd3faf6c4dbb3ed5ac7a2ede6c50d647db560db438439c2ea50fe941fa65a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\T89IRP7R.txt

    Filesize

    608B

    MD5

    83701d9249a93a10f6daee9d8ca91364

    SHA1

    70fffddd6028104e1eadf5654d40fc7a1cb556ca

    SHA256

    14009120ed3df70dc4cc3d163a4eb1f21392aaf1b1f3fbb525d7019a77a144be

    SHA512

    e05de9678a8070c75abad94e88abbe40b89f3203e8c448fb84326342d4d2a92dfd9629079691c89bf83d92b3d8180b6554c90e48261b54bd15e20df1723f9ed5

  • memory/1152-57-0x0000000000400000-0x00000000010A2000-memory.dmp

    Filesize

    12.6MB

  • memory/1152-61-0x0000000000400000-0x00000000010A2000-memory.dmp

    Filesize

    12.6MB

  • memory/1152-60-0x000000001006C000-0x00000000100AC000-memory.dmp

    Filesize

    256KB

  • memory/1152-59-0x000000001006C000-0x00000000100AC000-memory.dmp

    Filesize

    256KB

  • memory/1152-58-0x0000000000400000-0x00000000010A2000-memory.dmp

    Filesize

    12.6MB

  • memory/1152-54-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

    Filesize

    8KB

  • memory/1152-56-0x0000000000400000-0x00000000010A2000-memory.dmp

    Filesize

    12.6MB

  • memory/1152-55-0x0000000000400000-0x00000000010A2000-memory.dmp

    Filesize

    12.6MB