General

  • Target

    oreki.exe

  • Size

    673KB

  • Sample

    230701-l58bcagf54

  • MD5

    2284c315e2528e666ade79b75a0371cd

  • SHA1

    47e5af85d7ee5f3742837fbfe7f088f954e4ccac

  • SHA256

    ec36faf4a4d8329b10ac75b3b6c815cd041c62918eb1c9efb7adeea8e88e8744

  • SHA512

    cc0b76f20e36fe8425742715f87a0364c371ca6b4557ad754a9b802cbaa556f59fa8d3adabdba0081f8ae64cdfe402104fa56822c5e76d06517c58fce28426a0

  • SSDEEP

    12288:w4cVWcj9yXy13MiG6UvbZ61pccDFT0iqgsI8em8O+1qI:w4apyCOZuCc9LHm8O+

Malware Config

Targets

    • Blackmoon, KrBanker

      Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Modifies RDP port number used by Windows

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks