Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-02-2024 02:01

General

  • Target

    2024-02-01_c32725215c83f22c9dd1c655ea6ebb51_hacktools_icedid.exe

  • Size

    4.7MB

  • MD5

    c32725215c83f22c9dd1c655ea6ebb51

  • SHA1

    c87bf2c2dc96cf63d454d09c357af3beab15be39

  • SHA256

    c338a1c285f348d9d8c1a1bb4ec38e82d11ca513b97dfd825c2bfb9c598311fe

  • SHA512

    4ff5cd43234a7c7afbeaf1750ef1ce359ca787b97cb157e07d429655db13dd5cff6e2d2fd1397b16efe5f9ccb0e57fba7053268fb5cfcb58ff6200f5f86e95b6

  • SSDEEP

    98304:DwN9V/TKWfxlcswUr+cIJA0QTJfT+E5/uP:C9V/TZlv/+cP0QTtyLP

Score
10/10

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • UPX dump on OEP (original entry point) 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-01_c32725215c83f22c9dd1c655ea6ebb51_hacktools_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-01_c32725215c83f22c9dd1c655ea6ebb51_hacktools_icedid.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Users\Admin\AppData\Local\Temp\TPHelper.exe
      C:\Users\Admin\AppData\Local\Temp\\TPHelper.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2716
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 532
        3⤵
        • Program crash
        PID:1096
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2716 -ip 2716
    1⤵
      PID:936
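
  The process tree above is the raw form of the "Executes dropped EXE" and "Loads dropped DLL" signatures: PID 1096 writes TPHelper.exe and TPHelperBase.dll into %TEMP%, then launches TPHelper.exe (PID 2716), which loads the DLL. The script below is an added example, not part of the sandbox report or of the sandbox's own detection logic. It reconstructs those two signatures from Sysmon-style telemetry (event 1 = ProcessCreate, 11 = FileCreate, 7 = ImageLoad). The events are constructed from the paths and PIDs on this page; the event ordering, the simplified field names and the absence of a parent for PID 1096 are assumptions.

```python
"""Flag processes that execute, or load, a file an earlier process wrote to disk."""
from typing import Dict, List, Set, Tuple

TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed telemetry modelled on the report's process tree. Only the paths
# and PIDs come from the report; sequence numbers and field names are assumed.
SAMPLE_EVENTS: List[Dict] = [
    {"seq": 1, "event_id": 1, "pid": 1096,
     "image": TEMP + r"\2024-02-01_c32725215c83f22c9dd1c655ea6ebb51_hacktools_icedid.exe"},
    {"seq": 2, "event_id": 11, "pid": 1096, "target": TEMP + r"\TPHelper.exe"},
    {"seq": 3, "event_id": 11, "pid": 1096, "target": TEMP + r"\TPHelperBase.dll"},
    {"seq": 4, "event_id": 1, "pid": 2716, "ppid": 1096, "image": TEMP + r"\TPHelper.exe"},
    {"seq": 5, "event_id": 7, "pid": 2716, "image_loaded": TEMP + r"\TPHelperBase.dll"},
    # WerFault runs from SysWOW64, not from a freshly written file: must not fire.
    {"seq": 6, "event_id": 1, "pid": 936, "ppid": 2716, "image": r"C:\Windows\SysWOW64\WerFault.exe"},
]


def _norm(path: str) -> str:
    """Windows paths are case-insensitive and command lines sometimes carry a
    doubled backslash (the report shows Temp\\TPHelper.exe), so normalise first."""
    while "\\\\" in path:
        path = path.replace("\\\\", "\\")
    return path.lower()


def find_dropped_and_used(events: List[Dict]) -> List[Dict]:
    """Return one finding per dropped PE that is later executed or loaded."""
    dropped: Dict[str, Tuple[int, int]] = {}   # normalised path -> (dropper pid, seq)
    dropped_pids: Set[int] = set()             # processes whose image was itself dropped
    findings: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["seq"]):
        eid = ev["event_id"]
        if eid == 11:
            target = ev["target"]
            if target.lower().endswith((".exe", ".dll")):
                dropped[_norm(target)] = (ev["pid"], ev["seq"])
        elif eid == 1:
            key = _norm(ev["image"])
            if key in dropped:
                dropper_pid, _ = dropped[key]
                dropped_pids.add(ev["pid"])
                findings.append({
                    "kind": "executes_dropped_exe",
                    "path": ev["image"],
                    "pid": ev["pid"],
                    "dropper_pid": dropper_pid,
                    # direct parent/child, as in the report (1096 -> 2716)
                    "dropper_is_parent": ev.get("ppid") == dropper_pid,
                })
        elif eid == 7:
            key = _norm(ev["image_loaded"])
            if key in dropped:
                dropper_pid, _ = dropped[key]
                findings.append({
                    "kind": "loads_dropped_dll",
                    "path": ev["image_loaded"],
                    "pid": ev["pid"],
                    "dropper_pid": dropper_pid,
                    # both signatures on one process, as with PID 2716 above
                    "loaded_by_dropped_process": ev["pid"] in dropped_pids,
                })
    return findings


if __name__ == "__main__":
    for f in find_dropped_and_used(SAMPLE_EVENTS):
        print(f)
```

  Keying the dropped-file table on the normalised path rather than the raw command line matters here: the report's own command line for TPHelper.exe contains a doubled backslash, and a naive string match would miss it.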

    Network

    MITRE ATT&CK Matrix

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RCX513E.tmp

      Filesize

      3.6MB

      MD5

      845e6e5cc4c298dc6ac7b81de8941b8c

      SHA1

      b7ad5204d2f9f098a5640354258e878755a1b9d1

      SHA256

      2fd9dbfdc24a692ee247432989a4d35b87d2d2bab71f465b72e0ce45ffa772af

      SHA512

      0e54e3ebd68d165b423ee23dfb0211990277eccc8d2a2ff93ceb2e17735a5363887e51e1e0b52e04de3783d2ca36e49443b55eb223c8b7ab3a09979b25eb7487

    • C:\Users\Admin\AppData\Local\Temp\TPHelper.exe

      Filesize

      640KB

      MD5

      358dfe13522a65905fe409ef09f07bbb

      SHA1

      0e0fa46d4b5f9efab372c2f05b4c994e6c597157

      SHA256

      d2a62c6d096dcc245240e6c490b32d9139ecc5487f0a88dcf63bd4091e518272

      SHA512

      e2464785b7f3847cce555d9afb1364ee14338b791c9dcaba84336dfe5250b07b5ebccafcc220caf4f6b0a9cc9e8acec3847106b1be4ab2525fad36b0ac6c0089

    • C:\Users\Admin\AppData\Local\Temp\TPHelper.exe

      Filesize

      534KB

      MD5

      31ab8e9182f5f4a5b142a5b0837da1c9

      SHA1

      b95f5c61cd8f0d77e88ea59f6eb4b33ea9b85533

      SHA256

      51d6833c07512859e6c8590bcc28bc3bc2f9fc1fe79b313e52ff6df4972d24b3

      SHA512

      9c255c79c62018aa3e2530d08bdd974be0637cfd08e6ba661f85f6f5759318c7cdf907a8da9d53093ba69ede6d94d232c8450aef06d845e60f906f44f63ba762

    • C:\Users\Admin\AppData\Local\Temp\TPHelperBase.dll

      Filesize

      529KB

      MD5

      9aa535082284692e911f205c938bfd4a

      SHA1

      731c98e4496442c8af7e84be1054235953ca88f8

      SHA256

      a1b28c2b9dc12eb7b5a623ac9b8dfe3fc587968fea5f95c46839d258131185f0

      SHA512

      6554a457adafd5392066ee99cfd92cce20f52ddf2213a8c319e36ee03bef95972f9b117a371d2ca5672911051f72746a8872e816b9e96bddf9288c104139bbbb

    • C:\Users\Admin\AppData\Local\Temp\TPHelperBase.dll

      Filesize

      611KB

      MD5

      afdb405fcf7ebf5852f15343da85e673

      SHA1

      a0ca7e7bfdc775fef1664fbfec566c63fbe88ba7

      SHA256

      05ea51eb1fdf21de2ef4f3bda1f1152c6d1970709d43e1d721403bdd57a03468

      SHA512

      f7381b0e2fe36a7c5ec646475098d325604750037a21da4fe0c99b7f9c755a8185e4278ff333fe3961e7c28109468055ddb5f3793558c1230aa69fc5a37e7f0d

    • memory/2716-17-0x0000000000400000-0x0000000000675000-memory.dmp

      Filesize

      2.5MB

    • memory/2716-18-0x0000000010000000-0x000000001028D000-memory.dmp

      Filesize

      2.6MB

    • memory/2716-19-0x00000000767E0000-0x00000000769F5000-memory.dmp

      Filesize

      2.1MB

    • memory/2716-3893-0x0000000010000000-0x000000001028D000-memory.dmp

      Filesize

      2.6MB
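
    The file hashes in this section are the indicators a responder would sweep a host for. The script below is an added example, not part of the sandbox report: it embeds the MD5/SHA-1/SHA-256 values of the submitted sample and of the five dropped files exactly as listed above (SHA-512 is left out), indexes them by any of the three digests so a feed that only carries MD5 still matches, and hashes files in a single pass. The scan root defaulting to %TEMP% and the handling of unreadable files are choices of this example, not of the report.

```python
"""Sweep a directory for the dropped-file hashes listed in the sandbox report."""
import hashlib
import os
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# Indicators copied from the report. Two variants each of TPHelper.exe and
# TPHelperBase.dll were written during the run, so every row is kept.
IOCS: List[Dict[str, str]] = [
    {"name": "2024-02-01_c32725215c83f22c9dd1c655ea6ebb51_hacktools_icedid.exe", "size": "4.7MB",
     "md5": "c32725215c83f22c9dd1c655ea6ebb51",
     "sha1": "c87bf2c2dc96cf63d454d09c357af3beab15be39",
     "sha256": "c338a1c285f348d9d8c1a1bb4ec38e82d11ca513b97dfd825c2bfb9c598311fe"},
    {"name": "RCX513E.tmp", "size": "3.6MB",
     "md5": "845e6e5cc4c298dc6ac7b81de8941b8c",
     "sha1": "b7ad5204d2f9f098a5640354258e878755a1b9d1",
     "sha256": "2fd9dbfdc24a692ee247432989a4d35b87d2d2bab71f465b72e0ce45ffa772af"},
    {"name": "TPHelper.exe", "size": "640KB",
     "md5": "358dfe13522a65905fe409ef09f07bbb",
     "sha1": "0e0fa46d4b5f9efab372c2f05b4c994e6c597157",
     "sha256": "d2a62c6d096dcc245240e6c490b32d9139ecc5487f0a88dcf63bd4091e518272"},
    {"name": "TPHelper.exe", "size": "534KB",
     "md5": "31ab8e9182f5f4a5b142a5b0837da1c9",
     "sha1": "b95f5c61cd8f0d77e88ea59f6eb4b33ea9b85533",
     "sha256": "51d6833c07512859e6c8590bcc28bc3bc2f9fc1fe79b313e52ff6df4972d24b3"},
    {"name": "TPHelperBase.dll", "size": "529KB",
     "md5": "9aa535082284692e911f205c938bfd4a",
     "sha1": "731c98e4496442c8af7e84be1054235953ca88f8",
     "sha256": "a1b28c2b9dc12eb7b5a623ac9b8dfe3fc587968fea5f95c46839d258131185f0"},
    {"name": "TPHelperBase.dll", "size": "611KB",
     "md5": "afdb405fcf7ebf5852f15343da85e673",
     "sha1": "a0ca7e7bfdc775fef1664fbfec566c63fbe88ba7",
     "sha256": "05ea51eb1fdf21de2ef4f3bda1f1152c6d1970709d43e1d721403bdd57a03468"},
]

# One table keyed by every digest, so any single algorithm is enough to match.
HASH_INDEX: Dict[str, Dict[str, str]] = {
    row[algo]: row for row in IOCS for algo in ("md5", "sha1", "sha256")
}

ALGOS = ("md5", "sha1", "sha256")


def _hash_chunks(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Feed every chunk to all three hashers so the data is read only once."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    return _hash_chunks([data])


def hash_file(path: Path, chunk_size: int = 1 << 20) -> Dict[str, str]:
    with path.open("rb") as fh:
        return _hash_chunks(iter(lambda: fh.read(chunk_size), b""))


def lookup_hash(digest: str) -> Optional[Dict[str, str]]:
    """Case-insensitive lookup of a single MD5, SHA-1 or SHA-256 hex digest."""
    return HASH_INDEX.get(digest.strip().lower())


def match_digests(digests: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Strongest algorithm first; any hit identifies the dropped file."""
    for algo in ("sha256", "sha1", "md5"):
        hit = lookup_hash(digests[algo])
        if hit is not None:
            return hit
    return None


def match_file(path: Path) -> Optional[Dict[str, str]]:
    return match_digests(hash_file(path))


def scan_directory(root: Path) -> List[Tuple[Path, Dict[str, str]]]:
    hits: List[Tuple[Path, Dict[str, str]]] = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        try:
            hit = match_file(p)
        except OSError:
            continue  # locked or unreadable file: skip it rather than abort the sweep
        if hit is not None:
            hits.append((p, hit))
    return hits


if __name__ == "__main__":
    root = Path(sys.argv[1] if len(sys.argv) > 1 else os.environ.get("TEMP", "."))
    for p, hit in scan_directory(root):
        print(f"MATCH {p} -> {hit['name']} ({hit['size']}) sha256={hit['sha256']}")
```

    Exact hashes only catch these specific builds; the two TPHelper.exe rows already differ by 106KB, so a host with a recompiled variant will not match. Pair the sweep with the path and behaviour indicators from the Processes section rather than relying on hashes alone.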