Analysis

  • max time kernel
    90s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/02/2024, 16:53

General

  • Target

    8fabbda1d779a34f2dcdd6bc6e8d4874.exe

  • Size

    247KB

  • MD5

    8fabbda1d779a34f2dcdd6bc6e8d4874

  • SHA1

    6fcceac353b07564108c6e2e7b8415c12bbc8773

  • SHA256

    185487a76e98e7ba79f8b7e59ab55b78a02038f9487542a545c31d7b017c028a

  • SHA512

    c7a3a2f713553c14c4d1ce2844828e4e46236b75e4f8082da085476a9d2104acff3369e3dc7ff9d7c1f272828763016a5f6e8924d06edfb9a21dc7729410646b

  • SSDEEP

    6144:ubDkES+ZLIbb9Bq3mGrvQSud3Sx4RGQOWalAUXnDjmUf:2DkES+CGmGre3SaRDOWalAU3/x

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 4 IoCs
  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Registers new Print Monitor 2 TTPs 2 IoCs
  • Executes dropped EXE 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Unexpected DNS network traffic destination 1 IoCs

    Traffic on the DNS port to servers other than the configured DNS servers was detected.

  • Drops file in Windows directory 12 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
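The "Registers new Print Monitor" signature corresponds to port-monitor persistence (ATT&CK T1547.010): a DLL registered under HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors is loaded by the print spooler (spoolsv.exe, running as SYSTEM) when the service starts, so it survives reboots without any Run key or scheduled task. The report does not show the monitor name or the registered Driver value. The script below is an added example, not code from the sandbox vendor or from the sample: it parses a constructed `reg export` of the Monitors key (the RunDllExe monitor entry and its Driver path are hypothetical, chosen to point at the DLL this report shows being dropped), flags entries that are not baseline Windows monitor DLLs or that load from outside System32, and cross-checks a constructed file-hash inventory against the SHA256 values listed under Downloads. The baseline DLL set is an assumption to tune against a clean image of your own build.

```python
import re
from typing import Dict, List

# SHA256 values of the files this report lists under Downloads (all written to C:\Windows\Logs).
DROPPED_FILE_SHA256 = {
    "d0a54429b15c39fdae2e976957a98ac8acb6f6312f300a51374556409accca17",  # RunDllExe
    "1e1903a7a4373eb80d58537036ef80d04fd32934b6269d4b80c5004fe99d0c14",  # RunDllExe.dll
    "54dd6ca2fab1eab858fa8d06fa095a943d6d1ff601c71a4c6af5e9061019f9d5",  # RunDllExe.dll (second write)
    "6f3a1b04d5398967356e42fb0245e26fb2d15c5e03db2650e225c6fbe9f6cef9",  # RunDllExe.exe
    "be0c9df3ddd7658f577a4cb25fd8c403c8570c1ef1af4a3940c8c591e30b5c2d",  # RunDllExe_New
    "8a796510d161365eeb854c3f38a2b4af6e536479fd9422cde5c1b0455f35e03c",  # RunDllExe_New.dll
}

# Monitor DLLs that ship with Windows 10. Assumption: tune this against a clean image of your build.
BASELINE_MONITOR_DLLS = {"localspl.dll", "tcpmon.dll", "usbmon.dll", "wsdmon.dll", "appmon.dll", "fxsmon.dll"}

MONITORS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors"

# Constructed `reg export` of the Monitors key. The RunDllExe monitor and its Driver path are
# hypothetical; the report only states that the sample registers a monitor and drops that DLL.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port]
"Driver"="localspl.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port]
"Driver"="tcpmon.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\RunDllExe]
"Driver"="C:\\Windows\\Logs\\RunDllExe.dll"
"""

# Constructed file-hash inventory (lower-cased path -> SHA256), as an EDR export or a Get-FileHash
# sweep would produce. The RunDllExe.dll digest is copied from this report's Downloads list.
SAMPLE_FILE_HASHES = {
    "c:\\windows\\logs\\rundllexe.dll": "1e1903a7a4373eb80d58537036ef80d04fd32934b6269d4b80c5004fe99d0c14",
    "c:\\windows\\system32\\localspl.dll": "0" * 64,  # placeholder, not the real digest
}


def parse_monitors(reg_export: str) -> Dict[str, str]:
    """Map monitor name -> Driver value from a `reg export` of the Monitors key."""
    monitors: Dict[str, str] = {}
    current = None
    prefix = MONITORS_KEY + "\\"
    for raw in reg_export.splitlines():
        line = raw.strip()
        key_match = re.fullmatch(r"\[(.+)\]", line)
        if key_match:
            key = key_match.group(1)
            # Only subkeys of Monitors are monitor entries; anything else resets the cursor.
            current = key[len(prefix):] if key.startswith(prefix) else None
            continue
        value_match = re.fullmatch(r'"Driver"="(.*)"', line)
        if value_match and current:
            # reg export doubles backslashes inside REG_SZ data; undo that.
            monitors[current] = value_match.group(1).replace("\\\\", "\\")
    return monitors


def assess_monitor(name: str, driver: str, file_hashes: Dict[str, str]) -> List[str]:
    """Return the reasons a monitor entry looks suspicious; an empty list means it looks benign."""
    reasons: List[str] = []
    basename = driver.rsplit("\\", 1)[-1].lower()
    # Legitimate monitors are registered by bare filename and loaded from System32.
    if "\\" in driver and not driver.lower().startswith("c:\\windows\\system32\\"):
        reasons.append(f"{name}: driver loaded from outside System32 ({driver})")
    if basename not in BASELINE_MONITOR_DLLS:
        reasons.append(f"{name}: {basename} is not a baseline Windows print monitor DLL")
    digest = file_hashes.get(driver.lower())
    if digest and digest.lower() in DROPPED_FILE_SHA256:
        reasons.append(f"{name}: DLL hash matches a file dropped by 8fabbda1d779a34f2dcdd6bc6e8d4874.exe")
    return reasons


def find_suspicious_monitors(reg_export: str, file_hashes: Dict[str, str]) -> Dict[str, List[str]]:
    """Run assess_monitor over every registered monitor and keep only the ones with findings."""
    findings = {}
    for name, driver in parse_monitors(reg_export).items():
        reasons = assess_monitor(name, driver, file_hashes)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for monitor, reasons in find_suspicious_monitors(SAMPLE_REG_EXPORT, SAMPLE_FILE_HASHES).items():
        print(monitor)
        for reason in reasons:
            print("  -", reason)
```

On a live host, replace SAMPLE_REG_EXPORT with the output of `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors" monitors.reg` and build the inventory from `Get-FileHash -Algorithm SHA256` over the Driver paths. The hash check only catches this exact build of the DLL; the path and baseline checks are what catch a repacked variant.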

Processes

  • C:\Users\Admin\AppData\Local\Temp\8fabbda1d779a34f2dcdd6bc6e8d4874.exe
    "C:\Users\Admin\AppData\Local\Temp\8fabbda1d779a34f2dcdd6bc6e8d4874.exe"
    1⤵
    • Registers new Print Monitor
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\8fabbda1d779a34f2dcdd6bc6e8d4874.exe"
      2⤵
      PID:1904
  • C:\Windows\Logs\RunDllExe.exe
    C:\Windows\Logs\RunDllExe.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4720
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      2⤵
      PID:1524
  • C:\Windows\Logs\RunDllExe.exe
    C:\Windows\Logs\RunDllExe.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3612
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      2⤵
      PID:4664

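The "Unexpected DNS network traffic destination" signature fires on port-53 traffic to hosts other than the resolvers the sandbox was configured with; malware often uses port 53 for command and control because outbound 53 is rarely blocked. The script below is an added example, not from the report or the sandbox vendor: it runs that check over a constructed Zeek-style conn.log excerpt (the resolver 10.0.0.1 and the 192.0.2.0/24 and 198.51.100.0/24 addresses are placeholders, not destinations observed for this sample) and also records whether Zeek recognized the DNS protocol on each flow, because a port-53 flow that does not parse as DNS is a stronger C2 signal than a stray lookup to a public resolver.

```python
import ipaddress
from typing import Dict, Iterable, Iterator, List

# Column subset of a Zeek conn.log used by the constructed sample below.
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service"]

# Constructed sample, not traffic captured from this sample. 10.0.0.1 plays the configured
# resolver; 192.0.2.44 and 198.51.100.7 are documentation-range placeholders.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1707065580.101\tCa1\t10.0.0.25\t51234\t10.0.0.1\t53\tudp\tdns
1707065581.402\tCa2\t10.0.0.25\t51235\t10.0.0.1\t53\tudp\tdns
1707065582.733\tCa3\t10.0.0.25\t49872\t192.0.2.44\t53\tudp\t-
1707065583.009\tCa4\t10.0.0.25\t49873\t192.0.2.44\t53\ttcp\t-
1707065584.515\tCa5\t10.0.0.25\t49901\t198.51.100.7\t443\ttcp\tssl
"""

CONFIGURED_RESOLVERS = ["10.0.0.1"]  # constructed; on a real host read it from the adapter config


def parse_conn_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data row of a tab-separated conn.log, skipping Zeek's '#' header lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # malformed row: skip it rather than abort the whole sweep
        yield dict(zip(FIELDS, parts))


def unexpected_dns_destinations(records: Iterable[Dict[str, str]],
                                resolvers: Iterable[str]) -> Dict[str, dict]:
    """Group port-53 flows whose responder is not a configured resolver, keyed by destination IP."""
    allowed = {ipaddress.ip_address(r) for r in resolvers}
    findings: Dict[str, dict] = {}
    for rec in records:
        if rec["id.resp_p"] != "53":
            continue
        try:
            dst = ipaddress.ip_address(rec["id.resp_h"])
        except ValueError:
            continue  # not an IP literal; nothing to compare against
        if dst in allowed:
            continue
        entry = findings.setdefault(str(dst), {
            "flows": 0, "protocols": set(), "parsed_as_dns": 0, "first_seen": rec["ts"],
        })
        entry["flows"] += 1
        entry["protocols"].add(rec["proto"])
        if rec["service"] == "dns":
            entry["parsed_as_dns"] += 1
    return findings


def describe(findings: Dict[str, dict]) -> List[str]:
    """One human-readable line per destination; flows Zeek could not parse as DNS are called out."""
    lines = []
    for dst, info in sorted(findings.items()):
        unparsed = info["flows"] - info["parsed_as_dns"]
        note = f", {unparsed} not recognised as DNS (possible C2 on port 53)" if unparsed else ""
        lines.append(f"{dst}: {info['flows']} port-53 flow(s) over {'/'.join(sorted(info['protocols']))}"
                     f", first seen {info['first_seen']}{note}")
    return lines


if __name__ == "__main__":
    for line in describe(unexpected_dns_destinations(parse_conn_log(SAMPLE_CONN_LOG), CONFIGURED_RESOLVERS)):
        print(line)
```

TCP on port 53 to a non-resolver is worth its own alert: ordinary stub resolvers fall back to TCP only for truncated answers, and they still send those to the configured resolver.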
Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Logs\RunDllExe

    Filesize

    160KB

    MD5

    40667dbcb5782efe26350cfbec600aa2

    SHA1

    3a1d5d248b9df9a0a110a9c06e8933126286d400

    SHA256

    d0a54429b15c39fdae2e976957a98ac8acb6f6312f300a51374556409accca17

    SHA512

    9116de669d7ba30d301e49c37142d1f483beccc97bfc0c9e7c72d050c872b54a792d683e22c2b2755202c6f7a37367fc99eaff983e9016081b214a0d75a8fc86

  • C:\Windows\Logs\RunDllExe.dll

    Filesize

    89KB

    MD5

    b2097b2e2c2b1afad072533f0e210862

    SHA1

    4009fc7efac9a637fb80aa0033b9d2301ffcfb9a

    SHA256

    1e1903a7a4373eb80d58537036ef80d04fd32934b6269d4b80c5004fe99d0c14

    SHA512

    3603858c6a7880c5d84cb742767461b916960b53403650694f59859c79e447199d769898a72b0e76bd5726b74b992d1b185ae7ee0ff8f115733847b783ec3307

  • C:\Windows\Logs\RunDllExe.dll

    Filesize

    89KB

    MD5

    c02d9300deea8aaa42bf5e9c56ddcf29

    SHA1

    4c547bab0a92ba6fe77a8bfcef56faf5f1a0ad89

    SHA256

    54dd6ca2fab1eab858fa8d06fa095a943d6d1ff601c71a4c6af5e9061019f9d5

    SHA512

    c2537d3bf63bf67ac0e844fc65285bcd444896201fd14add9bef7bab054eb93269248ecfa752268e3f692bb8ea3bc8d861e40f4ba5f63b5428f8f75a204315e1

  • C:\Windows\Logs\RunDllExe.exe

    Filesize

    160KB

    MD5

    645564cf1c80e047a6e90ac0f2d6a6b7

    SHA1

    35e4b5e065b90fe5b1713e5a4645875f023b6a18

    SHA256

    6f3a1b04d5398967356e42fb0245e26fb2d15c5e03db2650e225c6fbe9f6cef9

    SHA512

    e4ce9ad7f83c84932b30641937c1b9fc9c2dbb647fa05743f8ec5f01b66a7813441b410166e181b432fc2ca47c7edbb94000bd4d389c53961c2a100f319a0c21

  • C:\Windows\Logs\RunDllExe_New

    Filesize

    160KB

    MD5

    5b9da57ccd306eb1774e3d4fe09454e5

    SHA1

    7a87fb2451b5caaa0fbdd49b6f93f39729b38823

    SHA256

    be0c9df3ddd7658f577a4cb25fd8c403c8570c1ef1af4a3940c8c591e30b5c2d

    SHA512

    737574f99f357f5da5c77bbcf326dd35fb431132e75eb1859d1842412b429beddceaed6f4c544d97867e0cad6e471243db98e29444e782c72c37c2197a63da92

  • C:\Windows\Logs\RunDllExe_New.dll

    Filesize

    89KB

    MD5

    9dc2bf9e4b797e874a1e837d39d84b89

    SHA1

    cfd56ee2be017d4d98314d21834d0007750009ec

    SHA256

    8a796510d161365eeb854c3f38a2b4af6e536479fd9422cde5c1b0455f35e03c

    SHA512

    391826722daed00de5564e5a9dbebf75f33a7bb7b8af12edfff17575a9042e241eda133935030500e807a362f84cf423bbf9bdcc7f652fe66ed5627bf9fd8a74

  • memory/2936-0-0x0000000000400000-0x00000000004D7000-memory.dmp

    Filesize

    860KB

  • memory/2936-53-0x0000000000400000-0x00000000004D7000-memory.dmp

    Filesize

    860KB