Resubmissions

16-04-2023 17:34

230416-v5hkcsce3x 10

16-04-2023 17:26

230416-vzvbzaag27 10

Analysis

  • max time kernel
    131s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    16-04-2023 17:34

General

  • Target

    大航全球实体卡-虚拟卡接码电脑端口/大航全球实体卡-虚拟卡接码电脑端口.exe

  • Size

    2.6MB

  • MD5

    9f339063dbe562051732472b0f73c12d

  • SHA1

    2ac2940992ad9cee88092e18566c82f6b6c114b1

  • SHA256

    7955c98c1bd693e24c92833f2186d58dd0c5fad231a8f27572bac5aeb2793674

  • SHA512

    06d44b0cdc4b62536a61d4cae7e9b96a435e13907890b1b423d64e9b2c68cf6dd342eefa3af1601018508353c837d35d2a28f1d29306f990b32367f63e09c7ab

  • SSDEEP

    49152:MC8ie3CGb7SCEns4SdqyTZ0Z3dMZG0+RQnwyiAKP1HrlF0OS20wlR+BkpT:e3+P2wyiAA0OSylRMkp

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • Detects any file with a triage score of 10 2 IoCs

    This file has been assigned a triage score of 10, indicating a high likelihood of malicious behavior.

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\大航全球实体卡-虚拟卡接码电脑端口\大航全球实体卡-虚拟卡接码电脑端口.exe
    "C:\Users\Admin\AppData\Local\Temp\大航全球实体卡-虚拟卡接码电脑端口\大航全球实体卡-虚拟卡接码电脑端口.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Users\Admin\AppData\Roaming\D1Softwaredata\netbri.exe
      C:\Users\Admin\AppData\Roaming\D1Softwaredata\netbri.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:1568
    • C:\Users\Admin\AppData\Roaming\D1Softwaredata\Bin\D1Bin.exe
      C:\Users\Admin\AppData\Roaming\D1Softwaredata\Bin\D1Bin.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:468
    • C:\Users\Admin\AppData\Roaming\D1Softwaredata\repair.exe
      C:\Users\Admin\AppData\Roaming\D1Softwaredata\repair.exe -Ho9LN
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\D1Softwaredata\Bin\D1Bin.exe

    Filesize

    1.9MB

    MD5

    a0acc3b2c25d5a9d6994f013142159e7

    SHA1

    6d992746c197976b9df65a5ac8fbe74a4401d9bd

    SHA256

    0a14a43b4acb0785d6cdedd9d659caf469392c42f9dc3cb7891e8329c2957ff0

    SHA512

    bb5d3e73cee108af3d16c41bfd0c503e78fff1fcc2c3131960dc68e462c6bd9c243917b2c935f7a25a1e5802b63f7c71e7cc036811ef8b90353fa83df4446042

  • C:\Users\Admin\AppData\Roaming\D1Softwaredata\Bin\D1bin.exe

    Filesize

    1.9MB

    MD5

    a0acc3b2c25d5a9d6994f013142159e7

    SHA1

    6d992746c197976b9df65a5ac8fbe74a4401d9bd

    SHA256

    0a14a43b4acb0785d6cdedd9d659caf469392c42f9dc3cb7891e8329c2957ff0

    SHA512

    bb5d3e73cee108af3d16c41bfd0c503e78fff1fcc2c3131960dc68e462c6bd9c243917b2c935f7a25a1e5802b63f7c71e7cc036811ef8b90353fa83df4446042

  • C:\Users\Admin\AppData\Roaming\D1Softwaredata\HPSocket4C.dll

    Filesize

    2.1MB

    MD5

    c83247fac0840125db662eb3e27ac6a3

    SHA1

    6d7a24b3d1c10516232a6f3ac4aed8d69da56568

    SHA256

    2dc7b369e5e3d8c828e2fe947e79df7d4ed60cdb1a004e8e94bf2bf38698cdb2

    SHA512

    f3359e7ddd3fceeb442ba0b847ac9f744f9df01f02e0cda20078d4ad0af404a53e6151f8d908ad54f0c7d3469769d39c833f34d448f6b9c566a4f413ef41a50f

  • C:\Users\Admin\AppData\Roaming\D1Softwaredata\Plugins\qvlnk.dll

    Filesize

    492KB

    MD5

    001db37c243710301a862d8dd8a025e0

    SHA1

    7e4fc33b58dae290861712e4194e855923ebde1a

    SHA256

    5e6c4b35329f48fcf8fb7ec5dc13d6a4f41c8d58da1849ec5a761b4af86fbbeb

    SHA512

    7edee439741daa58e6fc108e28b177f2ac87fc8492dec52f4392df095c187ddd1bace043cdc0a2c0b8c9ddb8f86e7add2f8f822f53c5e25b758b69894f576a16

  • C:\Users\Admin\AppData\Roaming\D1Softwaredata\VCRUNTIME140.dll

    Filesize

    82KB

    MD5

    d0520569180accd7e17ed9697711d6ec

    SHA1

    46cb7e2db7efda70b9a5b75b2fe0bb6038499008

    SHA256

    13026df002b3575564f32927b7f791d59b4cc571f30ccc28075c4edb4afef67c

    SHA512

    86e96f5648d714914469a576693a656390291a547ea9dd5903c85853ac63c68f69129e54f95e5fc7aec781b883232ffaf0d5a536302226f4243d1f2e517e2034

  • C:\Users\Admin\AppData\Roaming\D1Softwaredata\config.ini

    Filesize

    124B

    MD5

    8a1a8ae15f4ec0bc6f3b5d967e828346

    SHA1

    c3182656ef1f319c73126ef37610b55d9c174896

    SHA256

    3d3a471675b4cd22c9ce33e699194ca32910943df2d50d9b2addfdac6578aa59

    SHA512

    1300286b47eda29bde6398067752652326539f37ab5da4178bbb204666736f5c3156106243431de3bbdcc292503da2ff377a754a740817ddc9a95ea971fca7eb

  • C:\Users\Admin\AppData\Roaming\D1Softwaredata\config.ini

    Filesize

    124B

    MD5

    8a1a8ae15f4ec0bc6f3b5d967e828346

    SHA1

    c3182656ef1f319c73126ef37610b55d9c174896

    SHA256

    3d3a471675b4cd22c9ce33e699194ca32910943df2d50d9b2addfdac6578aa59

    SHA512

    1300286b47eda29bde6398067752652326539f37ab5da4178bbb204666736f5c3156106243431de3bbdcc292503da2ff377a754a740817ddc9a95ea971fca7eb

  • C:\Users\Admin\AppData\Roaming\D1Softwaredata\echs.dll

    Filesize

    421KB

    MD5

    8e5dc64def28aee0032ed0c878127c39

    SHA1

    ad9685100b71f0fd4f2b3d65f62894beba1937de

    SHA256

    c121eb7c37949d789f5c4b7fcd4445057f70ab23befde95929e63e3db9c43e9a

    SHA512

    a337bb678534d93f74cdbd46728d87b3c8d4b3d5f5713f176ef4bf6d23d09c636c378fefd992e088611ec62cc559ebd4640a4ea61842a8edee39feffc8e8fab8

  • C:\Users\Admin\AppData\Roaming\D1Softwaredata\encode.dat

    Filesize

    3.9MB

    MD5

    013d85cf626e32fbc89daa124e10f7f0

    SHA1

    b3722239f268ee9a6d3408193081633daac6b05b

    SHA256

    74a5437c4f76f6d88628afc8dfbe7bbd6c2fd6f846cf957ea6262156eb76163c

    SHA512

    952c317ee5e54c2f55ec646cd1d7241f7a4270eccb8d53fdc6cd99963486bcedb9d66f46c099086de12872e95a515922f4bfc47294e6d58e202a425ef42c538a

  • C:\Users\Admin\AppData\Roaming\D1Softwaredata\netbri.exe

    Filesize

    314KB

    MD5

    dfee4c679663ffb566a7150bbc1768c7

    SHA1

    8f8144d26b141d097df742e4ef4d5c85bba685a3

    SHA256

    f0a82dba182ef5d8fe32bd358473cc7e9ec0d07e0f4a33f50c49d7cccbb5bc7a

    SHA512

    23ff4b55e4d01d7712a3313f9aecd69331cb4fb5fce8b2d8610332a1e7b3ced19bdab64ef37ab2d335179844e176e6bd5a2f5c6562c61451c02b37cb2e58da52

  • C:\Users\Admin\AppData\Roaming\D1Softwaredata\netbri.exe

    Filesize

    314KB

    MD5

    dfee4c679663ffb566a7150bbc1768c7

    SHA1

    8f8144d26b141d097df742e4ef4d5c85bba685a3

    SHA256

    f0a82dba182ef5d8fe32bd358473cc7e9ec0d07e0f4a33f50c49d7cccbb5bc7a

    SHA512

    23ff4b55e4d01d7712a3313f9aecd69331cb4fb5fce8b2d8610332a1e7b3ced19bdab64ef37ab2d335179844e176e6bd5a2f5c6562c61451c02b37cb2e58da52

  • C:\Users\Admin\AppData\Roaming\D1Softwaredata\repair.exe

    Filesize

    792KB

    MD5

    5ce000758e1b8fb5d2cab78003245ac1

    SHA1

    4ff5a6bbee58e63c100bac6130ee22eb740bed09

    SHA256

    483a0c0f6dfc0f54f972aefc4a6c9d7345b795be913f98283fecfeb3dda9126e

    SHA512

    228625ef8692c8be41294de551dc6fd38afb5d2f68860762984ea78bd2a3df43ceea32966a827173118abb507c9e0ffe4689c992b216bcf60d6f774b0d4a4748

  • \Users\Admin\AppData\Roaming\D1Softwaredata\HPSocket4C.dll

    Filesize

    2.1MB

    MD5

    c83247fac0840125db662eb3e27ac6a3

    SHA1

    6d7a24b3d1c10516232a6f3ac4aed8d69da56568

    SHA256

    2dc7b369e5e3d8c828e2fe947e79df7d4ed60cdb1a004e8e94bf2bf38698cdb2

    SHA512

    f3359e7ddd3fceeb442ba0b847ac9f744f9df01f02e0cda20078d4ad0af404a53e6151f8d908ad54f0c7d3469769d39c833f34d448f6b9c566a4f413ef41a50f

  • \Users\Admin\AppData\Roaming\D1Softwaredata\echs.dll

    Filesize

    421KB

    MD5

    8e5dc64def28aee0032ed0c878127c39

    SHA1

    ad9685100b71f0fd4f2b3d65f62894beba1937de

    SHA256

    c121eb7c37949d789f5c4b7fcd4445057f70ab23befde95929e63e3db9c43e9a

    SHA512

    a337bb678534d93f74cdbd46728d87b3c8d4b3d5f5713f176ef4bf6d23d09c636c378fefd992e088611ec62cc559ebd4640a4ea61842a8edee39feffc8e8fab8

  • \Users\Admin\AppData\Roaming\D1Softwaredata\plugins\qvlnk.dll

    Filesize

    492KB

    MD5

    001db37c243710301a862d8dd8a025e0

    SHA1

    7e4fc33b58dae290861712e4194e855923ebde1a

    SHA256

    5e6c4b35329f48fcf8fb7ec5dc13d6a4f41c8d58da1849ec5a761b4af86fbbeb

    SHA512

    7edee439741daa58e6fc108e28b177f2ac87fc8492dec52f4392df095c187ddd1bace043cdc0a2c0b8c9ddb8f86e7add2f8f822f53c5e25b758b69894f576a16

  • \Users\Admin\AppData\Roaming\D1Softwaredata\vcruntime140.dll

    Filesize

    82KB

    MD5

    d0520569180accd7e17ed9697711d6ec

    SHA1

    46cb7e2db7efda70b9a5b75b2fe0bb6038499008

    SHA256

    13026df002b3575564f32927b7f791d59b4cc571f30ccc28075c4edb4afef67c

    SHA512

    86e96f5648d714914469a576693a656390291a547ea9dd5903c85853ac63c68f69129e54f95e5fc7aec781b883232ffaf0d5a536302226f4243d1f2e517e2034

  • memory/468-84-0x0000000000DB0000-0x0000000000F92000-memory.dmp

    Filesize

    1.9MB

  • memory/468-96-0x0000000000A80000-0x0000000000B00000-memory.dmp

    Filesize

    512KB

  • memory/468-97-0x0000000000A80000-0x0000000000B00000-memory.dmp

    Filesize

    512KB

  • memory/468-100-0x0000000000A80000-0x0000000000B00000-memory.dmp

    Filesize

    512KB

  • memory/468-101-0x0000000000A80000-0x0000000000B00000-memory.dmp

    Filesize

    512KB

  • memory/1568-83-0x00000000024D0000-0x0000000002635000-memory.dmp

    Filesize

    1.4MB

  • memory/1568-95-0x0000000004150000-0x0000000004655000-memory.dmp

    Filesize

    5.0MB

  • memory/1568-98-0x00000000024D0000-0x0000000002635000-memory.dmp

    Filesize

    1.4MB