Analysis
-
max time kernel
30s -
max time network
60s -
platform
windows7_x64 -
resource
win7-20230621-en -
resource tags
-
submitted
01-07-2023 10:10
General
-
Target
oreki.exe
-
Size
673KB
-
MD5
2284c315e2528e666ade79b75a0371cd
-
SHA1
47e5af85d7ee5f3742837fbfe7f088f954e4ccac
-
SHA256
ec36faf4a4d8329b10ac75b3b6c815cd041c62918eb1c9efb7adeea8e88e8744
-
SHA512
cc0b76f20e36fe8425742715f87a0364c371ca6b4557ad754a9b802cbaa556f59fa8d3adabdba0081f8ae64cdfe402104fa56822c5e76d06517c58fce28426a0
-
SSDEEP
12288:w4cVWcj9yXy13MiG6UvbZ61pccDFT0iqgsI8em8O+1qI:w4apyCOZuCc9LHm8O+
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 2 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Drops startup file 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
VMProtect packed file 4 IoCs
Detects executables packed with VMProtect commercial packer.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\oreki.exe"C:\Users\Admin\AppData\Local\Temp\oreki.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Videos\VSTelem\vihiz\srqcjC:\Users\Public\Videos\VSTelem\vihiz\srqcj2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
73KB
MD5f2756d32dec5f018dcef55d8b7b5662e
SHA1cbde904b5a8a6da3df2e83ea3112c0e0aa8ebed8
SHA256a3c23667f4801304183cd4c328d49cd0e4dedd552cf61c2a7be313403eddb189
SHA5127f2978d94d316894a3de4e7e482adbfee18ef4691128536a27673927ab5a773dd54ba66e5e5bbb7da87b6a38b0040f65e52b048d85971d4427a6c97b159bbe49
-
Filesize
212KB
MD517114379bd336feaea221c091973516a
SHA11db8bc886e793b84ee6bd9d354c3253938c46b56
SHA25663d5ff25d23bef01bd9717a6e5d203d59385d32e2518999ae4e20f9b7b283044
SHA512ccf84b331ec713e6391407a17fb48a5e1cbc568840dccb0754dbd48997f911343bd0924ada844753c6787ec65271b00549c3e4e89d93c101677e18dfd40a79ee
-
Filesize
183KB
MD57c8270f9d0106ffaf862790f527737ce
SHA1beab49677deb4ef1188294ef13b91f0b571f83c0
SHA2560b87153beed1a7ac3f743f5117eea3f6c594774d77e7e0e36d82d9cc41dd9c87
SHA51264da62c8ae3783349f85e27389f5596e925f5485b02f4290e85fae38bbb4aab4ee593dcb44738050bb7cfa43c5df70b65bb93a3aafc498c15ca163e03896c605
-
Filesize
212KB
MD517114379bd336feaea221c091973516a
SHA11db8bc886e793b84ee6bd9d354c3253938c46b56
SHA25663d5ff25d23bef01bd9717a6e5d203d59385d32e2518999ae4e20f9b7b283044
SHA512ccf84b331ec713e6391407a17fb48a5e1cbc568840dccb0754dbd48997f911343bd0924ada844753c6787ec65271b00549c3e4e89d93c101677e18dfd40a79ee
-
Filesize
183KB
MD57c8270f9d0106ffaf862790f527737ce
SHA1beab49677deb4ef1188294ef13b91f0b571f83c0
SHA2560b87153beed1a7ac3f743f5117eea3f6c594774d77e7e0e36d82d9cc41dd9c87
SHA51264da62c8ae3783349f85e27389f5596e925f5485b02f4290e85fae38bbb4aab4ee593dcb44738050bb7cfa43c5df70b65bb93a3aafc498c15ca163e03896c605
-
Filesize
380KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
380KB
-
Filesize
408KB
-
Filesize
10.0MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB