Analysis

  • max time kernel
    153s
  • max time network
    179s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-01-2024 16:26

General

  • Target
    3C1EF3BD5CDB2F48F81450A8D66B4521.exe
  • Size
    1.0MB
  • MD5
    3c1ef3bd5cdb2f48f81450a8d66b4521
  • SHA1
    52852cfdb69a11e9380fc9e001213982db3ba7af
  • SHA256
    435a12ab59bb78ad797f1f9b4b2fad50799bc217e93669bf543540b358a5dcdc
  • SHA512
    34f990d15be83b476e1684c6c6467fdc92e6117692803cf50e33821ac1ebdb3d9d81e13fab8f04bfc78d26fe2d476d8b87cc27a60b27988ec9a5e0a5ae0312c1
  • SSDEEP
    24576:DlR3W+VUl+iJyv4cNENUkGIO3kaCkspl2L56:Dl0+Vi+iAhKNmVC1GL

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read from the registry to detect sandbox and virtualised environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3C1EF3BD5CDB2F48F81450A8D66B4521.exe
    "C:\Users\Admin\AppData\Local\Temp\3C1EF3BD5CDB2F48F81450A8D66B4521.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:2644
  • C:\Windows\helppane.exe
    C:\Windows\helppane.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5024
    • C:\iyozxf\Agghosts.exe
      "C:\iyozxf\Agghosts.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Enumerates connected drives
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:1484

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Public\Videos\study71\2.dll
    Filesize 512KB
    MD5 27409998a5047ed2ddbb99e6676ef7ec
    SHA1 17e510effffeef9a1556cd28ea3ccde39ec06599
    SHA256 d2966e08d8f1077cb9c2bcdb570f1136b5173f8c42f01cfd240b51f69ae7bcf8
    SHA512 3f4807689ef5dfcc70398fada056917f00551f99053749ea5f886a4d0b75b91556cc4a9d1c1de2058652734cf461e1f85f5d7ef78d3fc1dca36c7f8e87fb38e5
  • C:\iyozxf\Agghosts.exe
    Filesize 23KB
    MD5 5aab297fa8f143bfa67310ad78b76d3f
    SHA1 5db963c2cca1bc8c8c060c52f7df76ccb477f01a
    SHA256 8ec64bc55e5641d7683288e5e8e27c9391f06eb4da096c3d677d8f25ca4d04df
    SHA512 c1ee67bd4c6bcfdc4179f905c7abc4ac632c9265b61dd5fdb90eeeec39802abe2cc487a5c8ded8a0748728104170c1b4d3a88904f102e1c3f891fac7702a2256
  • C:\iyozxf\Enpud.png
    Filesize 215KB
    MD5 0d1e7a90ae0df082e9da031379a4e939
    SHA1 db5e7d7bb6d8e2290cc7d1650030e0828d2745ba
    SHA256 1bd3ddf276473fb64192b735b2dc5b9b061a4717643b7ed2d49d3c77bbd4dd6d
    SHA512 3d303d8bfc9f428e726db281aa82ef383c6172bb5901710f8d9049cc4ed474a02b42bd747196999384a9d4e3788f49e57b18163d670c6e111264e435c84a9cdb
  • C:\iyozxf\QiDianBrowserMgr.dll
    Filesize 15KB
    MD5 035a5066cb9371f56278eb18ad984ab1
    SHA1 42acd17ecc8b55f0e72d4158f48f829ffb43d5e8
    SHA256 210e69778c43fa2126ee7b39f1feae0fe58e08ea829781872c07fcc1b39b7566
    SHA512 f22661577eb834e3b5954fa3420c61b52b20af0f34eb71a43ac35373ab16cc69285d2f7aa5d64f4efe293a39915a7ec3e7924115335f493910a1db867e11eeb9
  • C:\iyozxf\VCRUNTIME140.dll
    Filesize 77KB
    MD5 f107a3c7371c4543bd3908ba729dd2db
    SHA1 af8e7e8f446de74db2f31d532e46eab8bbf41e0a
    SHA256 00df0901c101254525a219d93ff1830da3a20d3f14bc323354d8d5fee5854ec0
    SHA512 fd776f8ceaac498f4f44819794c0fa89224712a8c476819ffc76ba4c7ff4caa9b360b9d299d9df7965387e5bbcb330f316f53759b5146a73b27a5f2e964c3530

  • memory/1484-N-0x0000000000F00000-0x0000000000F48000-memory.dmp, for N in 18, 19, 21, 22, 23, 25, 28
    Filesize 288KB each (seven dumps of the same 0x48000-byte region of PID 1484, Agghosts.exe, taken at successive points in the run)
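The dropped-file hashes above are the part of this report most useful on a host, so here is a way to turn them into an offline check. This is an added example written for this page, not sandbox output and not code from the malware family: it copies the paths and hashes from the Downloads section into a lookup table, hashes arbitrary bytes with the same algorithms the report uses, and reports hash hits and path-only hits (a file of unknown content sitting at one of the observed drop locations). VCRUNTIME140.dll is marked as a weak indicator because that name belongs to the Visual C++ runtime and a copy of it is not malicious on its own. The function names, the weak-indicator set and the sample inventory are constructed for illustration; SSDEEP is left out because fuzzy hashing needs the third-party ssdeep module.

```python
"""Offline matcher for the dropped-file indicators listed in this report.

Added example, not part of the sandbox output. The paths and hashes in
DROPPED_FILE_IOCS are copied from the report's Downloads section; the
function names and the sample records at the bottom are constructed here.
"""
import hashlib
from typing import Dict, List, Tuple

# Dropped files as the sandbox observed them: on-disk path -> report hashes.
DROPPED_FILE_IOCS: Dict[str, Dict[str, str]] = {
    r"C:\Users\Public\Videos\study71\2.dll": {
        "md5": "27409998a5047ed2ddbb99e6676ef7ec",
        "sha1": "17e510effffeef9a1556cd28ea3ccde39ec06599",
        "sha256": "d2966e08d8f1077cb9c2bcdb570f1136b5173f8c42f01cfd240b51f69ae7bcf8",
    },
    r"C:\iyozxf\Agghosts.exe": {
        "md5": "5aab297fa8f143bfa67310ad78b76d3f",
        "sha1": "5db963c2cca1bc8c8c060c52f7df76ccb477f01a",
        "sha256": "8ec64bc55e5641d7683288e5e8e27c9391f06eb4da096c3d677d8f25ca4d04df",
    },
    r"C:\iyozxf\Enpud.png": {
        "md5": "0d1e7a90ae0df082e9da031379a4e939",
        "sha1": "db5e7d7bb6d8e2290cc7d1650030e0828d2745ba",
        "sha256": "1bd3ddf276473fb64192b735b2dc5b9b061a4717643b7ed2d49d3c77bbd4dd6d",
    },
    r"C:\iyozxf\QiDianBrowserMgr.dll": {
        "md5": "035a5066cb9371f56278eb18ad984ab1",
        "sha1": "42acd17ecc8b55f0e72d4158f48f829ffb43d5e8",
        "sha256": "210e69778c43fa2126ee7b39f1feae0fe58e08ea829781872c07fcc1b39b7566",
    },
    r"C:\iyozxf\VCRUNTIME140.dll": {
        "md5": "f107a3c7371c4543bd3908ba729dd2db",
        "sha1": "af8e7e8f446de74db2f31d532e46eab8bbf41e0a",
        "sha256": "00df0901c101254525a219d93ff1830da3a20d3f14bc323354d8d5fee5854ec0",
    },
}

# VCRUNTIME140.dll is the name of the Visual C++ runtime DLL; a hash hit on
# it only shows the sample carried this copy, so it is weak on its own.
# (Constructed set for this example.)
WEAK_INDICATORS = {r"C:\iyozxf\VCRUNTIME140.dll"}


def digest_bytes(data: bytes) -> Dict[str, str]:
    """Compute the digests the report lists (md5, sha1, sha256, sha512)."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def match_iocs(path: str, digests: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (ioc_path, reason) hits for one file record.

    A hash hit is reported as "hash:<algorithms>", with " (weak)" appended for
    WEAK_INDICATORS. When no hash matches but the file sits at an observed
    drop path, report "path-only": the dropper may have been repacked, so the
    location is still worth a look. Path comparison is case-insensitive,
    as Windows paths are.
    """
    hits: List[Tuple[str, str]] = []
    for ioc_path, ioc_hashes in DROPPED_FILE_IOCS.items():
        matched = sorted(alg for alg, want in ioc_hashes.items()
                         if digests.get(alg, "").lower() == want)
        if matched:
            reason = "hash:" + ",".join(matched)
            if ioc_path in WEAK_INDICATORS:
                reason += " (weak)"
            hits.append((ioc_path, reason))
        elif path.lower() == ioc_path.lower():
            hits.append((ioc_path, "path-only"))
    return hits


def scan_records(records: List[Tuple[str, Dict[str, str]]]) -> Dict[str, List[Tuple[str, str]]]:
    """Run match_iocs over (path, digests) records; return only files with hits."""
    result: Dict[str, List[Tuple[str, str]]] = {}
    for path, digests in records:
        hits = match_iocs(path, digests)
        if hits:
            result[path] = hits
    return result


if __name__ == "__main__":
    # Constructed sample inventory: a benign file hashed from bytes built
    # here, one record carrying the report's Agghosts.exe hashes, and one
    # unknown file parked at the same drop path.
    inventory = [
        (r"C:\Windows\Temp\notes.txt", digest_bytes(b"constructed benign content")),
        (r"c:\IYOZXF\agghosts.exe", dict(DROPPED_FILE_IOCS[r"C:\iyozxf\Agghosts.exe"])),
        (r"C:\iyozxf\Agghosts.exe", digest_bytes(b"constructed repacked payload")),
    ]
    for path, hits in scan_records(inventory).items():
        print(path, "->", hits)
```

On a real host the records would come from walking the file system and feeding each file's bytes to digest_bytes; the path-only rule exists because the report's C:\iyozxf\ directory and the study71 folder under Public\Videos are unusual enough that anything found there deserves review even when the hashes have changed.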