Analysis

  • max time kernel
    135s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/11/2023, 19:15

General

  • Target

    096a6fcb215086bc3b8b3dd9a13e2fca84a51658d7b6815a19b0b21066827a6d.exe

  • Size

    320KB

  • MD5

    c80040ba82ca50d848427d5a643441ee

  • SHA1

    9f14ba8601223091a5bfe20dd3367aa83379bcfa

  • SHA256

    096a6fcb215086bc3b8b3dd9a13e2fca84a51658d7b6815a19b0b21066827a6d

  • SHA512

    b5dcd16db37c79c9614b4301ffce3274667e345a39325ae2ea65c696ea8ba81216dac4bcf59b6babd43869a8b845d7ed4c66fca0a7aed6109c369fe0f5aaf3b3

  • SSDEEP

    3072:m4gQvLzOEFqxNpIKPM6Oqdb2mCXhH02xoX0uL+9N21bjz7pr2OhEtDoYTGSHJty1:m4gQvLzxqLpIKk6l2mX0KNT8xGSRt3E

Score
10/10

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 7 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\096a6fcb215086bc3b8b3dd9a13e2fca84a51658d7b6815a19b0b21066827a6d.exe
    "C:\Users\Admin\AppData\Local\Temp\096a6fcb215086bc3b8b3dd9a13e2fca84a51658d7b6815a19b0b21066827a6d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5096
    • C:\Users\Admin\AppData\Local\Temp\YY.exe
      C:\Users\Admin\AppData\Local\Temp\YY.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:876

Network

        MITRE ATT&CK Matrix

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\096a6fcb215086bc3b8b3dd9a13e2fca84a51658d7b6815a19b0b21066827a6d.exe{2012C39F-61A0-49f5-9764-543C6FCB60E7}

          Filesize

          320KB

          MD5

          d5f07ad5f9d558b0f5fa7f6c612852db

          SHA1

          e5d2f099e647bbb0401f5e441e77399ca90afd18

          SHA256

          7b63a2860b9cd5fbb10e0aeb5f5e0d4f705679f6a07304233ea3f6d1e9e9942c

          SHA512

          3614f8bc93457a094d2be8720da44b79d738195a3ea5852996141fa963687a3d5725deec59d7a4c5b1f6ba94c9b454ed1e9f9743d5160286eac53fa6ce1d855f

        • C:\Users\Admin\AppData\Local\Temp\YY.exe

          Filesize

          14KB

          MD5

          e31fb4f13f5949b868c117714bb44375

          SHA1

          18930fd524b3fdfaca1c0e6a81524f5a282b3009

          SHA256

          2bbc91b888ce64f5de28f76dcf1047f5d324a099fe6a6f1500c53c7943b91499

          SHA512

          f46358cdfaed1338a16c6df992fc9367adca1a8dcd7c57ee8c853bef8522d9026a5e2355e181c8523ba4ee76ace0240acb24e09f2a6affe9087a675107b754ab

        • memory/876-13-0x0000000000400000-0x0000000000463000-memory.dmp

          Filesize

          396KB

        • memory/876-15-0x0000000000400000-0x0000000000463000-memory.dmp

          Filesize

          396KB

        • memory/876-14-0x0000000000400000-0x0000000000463000-memory.dmp

          Filesize

          396KB

        • memory/876-16-0x0000000000400000-0x0000000000463000-memory.dmp

          Filesize

          396KB

        • memory/876-20-0x0000000000400000-0x0000000000463000-memory.dmp

          Filesize

          396KB

        • memory/876-21-0x0000000000400000-0x0000000000463000-memory.dmp

          Filesize

          396KB

        • memory/876-24-0x0000000000400000-0x0000000000463000-memory.dmp

          Filesize

          396KB

        • memory/876-29-0x0000000000400000-0x0000000000463000-memory.dmp

          Filesize

          396KB