Analysis

  • max time kernel
    148s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-11-2022 22:12

General

  • Target

    d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe

  • Size

    4.0MB

  • MD5

    24fb820f2eea7cb91deb3ddfe49af1a8

  • SHA1

    281ba24c6a65dae9e206b6713c783ac37425a369

  • SHA256

    d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f

  • SHA512

    b387d5643f49d022be3f3e7f8c547d438b2278273b74179ccd2a09b02b56a062f5d618ee1394f5a03c5f12595f40cd7919b23794553ed91dfeb9c1f0c2e31e42

  • SSDEEP

    98304:GczGF9E+wSReWIjp3tcb9YI/LsoayFPVdBOxt1bDkMBW:GczGPERuQjdtc5vzsoaMPVdMt1bDkMBW

Malware Config

Extracted

Family

joker

C2

https://htuzi.oss-cn-shanghai.aliyuncs.com

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 5 IoCs
  • joker

    Joker is an Android malware family that performs billing and SMS fraud.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe
    "C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://www.htuzi.com/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:928
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:928 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1416
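The tree above shows the sample (PID 1284, running from the user's Temp directory) launching iexplore.exe with a URL on its command line, and IE then spawning its own content process (the SCODEF/CREDAT child). The following is an added example, not sandbox output, of how to turn that pattern into a detection over process-creation events and to pivot from the visited host to the extracted C2 host. The three events are constructed from the report's process tree; the field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage) as an assumption about the log source, and the parent of PID 1284 is left blank because the report does not record it. Since the report's own signature text describes Joker as Android malware while this sample is a Windows PE, the C2 host is used only as a pivot string here, not as confirmation of family.

```python
"""Process-tree detection modelled on the report's Processes section.

Added example; not sandbox output. Events are constructed from the tree
above (PIDs 1284 -> 928 -> 1416). Field names follow Sysmon Event ID 1
(Image, CommandLine, ParentImage) as an assumption about the log source.
"""
import ntpath
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Extracted C2 host from the Malware Config section of the report.
C2_HOST = "htuzi.oss-cn-shanghai.aliyuncs.com"

URL_RE = re.compile(r"https?://[^\s\"']+")
# Paths a standard user can write to; a browser parent living here is suspicious.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public")


@dataclass
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str  # "" when the log source did not record it


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe"
IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"

# Constructed from the report's process tree (parent of 1284 not recorded).
EVENTS = [
    ProcEvent(1284, SAMPLE, f'"{SAMPLE}"', 0, ""),
    ProcEvent(928, IE64, f'"{IE64}" https://www.htuzi.com/', 1284, SAMPLE),
    ProcEvent(1416, IE32, f'"{IE32}" SCODEF:928 CREDAT:275457 /prefetch:2', 928, IE64),
]


def basename(path):
    return ntpath.basename(path).lower()


def detect(events):
    """Flag iexplore.exe launches whose parent is neither the shell nor IE itself.

    The SCODEF/CREDAT child (PID 1416) is IE's normal frame -> content process
    spawn and has iexplore.exe as its parent, so it is not flagged.
    """
    findings = []
    for ev in events:
        if basename(ev.image) != "iexplore.exe":
            continue
        if basename(ev.parent_image) in ("explorer.exe", "iexplore.exe"):
            continue  # user click from the shell, or IE-internal spawn
        tags = []
        if any(p in ev.parent_image.lower() for p in USER_WRITABLE):
            tags.append("parent-in-user-writable-path")
        findings.append({
            "rule": "browser_spawned_by_non_browser",
            "pid": ev.pid,
            "parent": ev.parent_image,
            "urls": URL_RE.findall(ev.command_line),
            "tags": tags,
        })
    return findings


def ancestry(events, pid):
    """Walk parent links so network activity of the IE content process can be
    attributed back to the sample: 1416 -> 928 -> 1284."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].parent_pid
    return chain


def url_hosts(events):
    """Hostnames passed on any command line in the tree."""
    hosts = set()
    for ev in events:
        for url in URL_RE.findall(ev.command_line):
            host = urlparse(url).hostname
            if host:
                hosts.add(host)
    return hosts


def common_labels(host_a, host_b):
    """Crude pivot hint: DNS labels shared by two hosts, ignoring the final
    (TLD) label so 'com' does not count as a match."""
    a = set(host_a.lower().split(".")[:-1])
    b = set(host_b.lower().split(".")[:-1])
    return a & b


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
    print("lineage of 1416:", ancestry(EVENTS, 1416))
    print("visited hosts:", url_hosts(EVENTS))
    print("labels shared with C2 host:", common_labels("www.htuzi.com", C2_HOST))
```

The only finding is PID 928: a browser started by an executable in the user's Temp directory with a URL argument. The shared label between the visited site (www.htuzi.com) and the extracted C2 bucket (htuzi.oss-cn-shanghai.aliyuncs.com) is a hint for pivoting, not evidence on its own.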

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    057ffed45719f1bac328142ba1dd17f3

    SHA1

    cc3210366aae2b97007182f63404dd4c3b39e2b8

    SHA256

    bd8a18e49f3643190507433b5a6a2813fa0d5d9f9c8f47adfcd725a797e0b695

    SHA512

    99aac20354da966817029e14ab771852adc41c35b7d0353a1362247e9b9b50e2f926e6168f63dfe1c87aa05396302863f3e66eeb4e686fe7410cb0f5d05016dc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ed1287c73284bc4411f68303f9bdd877

    SHA1

    e0c2d4f3ff8950817827631ade9daa9828d362fe

    SHA256

    4cda93962ea5ee3566f82b0ac57fefbba2ee1dda49bf4ea064af9f40d9094f99

    SHA512

    fffcd536cba1f716b552e1c4541c89dfe41da273e4b9bfea18c618fe35cd3ec53595f3bf9d83b15cbaf34cf3a29f68e23db5edea2c80d26f75fb4b3aa9b2451b

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\t9o3c8r\imagestore.dat

    Filesize

    34KB

    MD5

    62166b418a0e12321acdeffb5cd8feda

    SHA1

    f765c50eaa692d18f3be172d4e8c977e80ef2ba6

    SHA256

    af61977e29c192c59af24e42d9bfda543e1d6e34b30fc8df0071fc86dcf7b6aa

    SHA512

    faf44782d3f483c3cfb7fdfaa22cbc424ddf192e7c85e3f84b918e35480647613ca941881093553819e76d6e2bb896b17aaeac4d8cda880033abb49a02a23c88

  • memory/1284-54-0x00000000766F1000-0x00000000766F3000-memory.dmp

    Filesize

    8KB

  • memory/1284-55-0x0000000000400000-0x00000000010A2000-memory.dmp

    Filesize

    12.6MB

  • memory/1284-56-0x0000000000400000-0x00000000010A2000-memory.dmp

    Filesize

    12.6MB

  • memory/1284-57-0x0000000000400000-0x00000000010A2000-memory.dmp

    Filesize

    12.6MB

  • memory/1284-58-0x0000000000400000-0x00000000010A2000-memory.dmp

    Filesize

    12.6MB

  • memory/1284-59-0x000000001006C000-0x00000000100AC000-memory.dmp

    Filesize

    256KB

  • memory/1284-60-0x0000000000400000-0x00000000010A2000-memory.dmp

    Filesize

    12.6MB
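The memory dump names above encode PID, snapshot index and the dumped address range, so the listed sizes can be recomputed and compared with the sample's size on disk. The following is an added example, not part of the sandbox report: it parses those names, recovers the "12.6MB", "8KB" and "256KB" labels from the address ranges, and flags that the region at the default 32-bit image base (0x00400000) is more than three times the 4.0MB file, which is the kind of mismatch that points at a packed or self-expanding image and tells you which snapshots to carve a PE from first. The on-disk size is taken from the General section and treated as approximately 4 MiB because the report rounds it.

```python
"""Memory-dump name parsing and size assessment for the Downloads section.

Added example, not sandbox output. Dump names are copied from the report;
the 4.0MB on-disk size is approximated as 4 MiB because the report rounds it.
"""
import re
from collections import Counter

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

# Copied from the report's Downloads list.
DUMPS = [
    "memory/1284-54-0x00000000766F1000-0x00000000766F3000-memory.dmp",
    "memory/1284-55-0x0000000000400000-0x00000000010A2000-memory.dmp",
    "memory/1284-56-0x0000000000400000-0x00000000010A2000-memory.dmp",
    "memory/1284-57-0x0000000000400000-0x00000000010A2000-memory.dmp",
    "memory/1284-58-0x0000000000400000-0x00000000010A2000-memory.dmp",
    "memory/1284-59-0x000000001006C000-0x00000000100AC000-memory.dmp",
    "memory/1284-60-0x0000000000400000-0x00000000010A2000-memory.dmp",
]

SAMPLE_SIZE_ON_DISK = 4 * 1024 * 1024  # approximated from "4.0MB" in the General section
DEFAULT_IMAGE_BASE = 0x00400000        # common linker default for 32-bit PE images


def parse_dump(name):
    """Split a dump file name into pid, snapshot index and address range."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def human_size(n):
    """Reproduce the report's labels: one decimal for MB, whole units for KB."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    if n >= 1 << 10:
        return f"{n // (1 << 10)}KB"
    return f"{n}B"


def assess(dumps, disk_size=SAMPLE_SIZE_ON_DISK):
    """Group snapshots by address range and tag the ones worth carving first."""
    regions = [parse_dump(d) for d in dumps]
    snapshots = Counter((r["start"], r["end"]) for r in regions)
    notes = []
    for (start, end), count in sorted(snapshots.items()):
        size = end - start
        tags = []
        if start == DEFAULT_IMAGE_BASE:
            tags.append("image-base")
            if size > 2 * disk_size:
                # Mapped image far larger than the file: typical of a packer
                # or a large uninitialised section filled at runtime.
                tags.append("in-memory-image-much-larger-than-file")
        if count > 1:
            tags.append(f"{count}-snapshots")
        notes.append({"start": start, "end": end, "size": size,
                      "label": human_size(size), "tags": tags})
    return notes


if __name__ == "__main__":
    for note in assess(DUMPS):
        print(f"0x{note['start']:08X}-0x{note['end']:08X} {note['label']:>7} {note['tags']}")
```

Five of the seven dumps cover the same 0x00400000-0x010A2000 range, so when carving, start with the latest of those snapshots; the 8KB and 256KB regions are small enough to diff by hand against each other across runs.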