Overview

overview

10

Static

static

10

21edbfba77...f6.exe

windows7-x64

10

21edbfba77...f6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/03/2024, 18:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21edbfba775813ef7aa513c29630aad6b35d02c99dfc06492f3ebeaf6eedd3f6.exe

  • Size

    436KB

  • MD5

    ebfc92cbe3d9688c1a9963a76fe4f347

  • SHA1

    4ad7b106c65bbed8ed550d10c3dae41e15138284

  • SHA256

    21edbfba775813ef7aa513c29630aad6b35d02c99dfc06492f3ebeaf6eedd3f6

  • SHA512

    e6ff67524804ae4346de402ea25a8ff29056ba6a0e9289b831992a87a2e4641e283ccb44ff2775acf9678683cc655a36f7ad01460e3f0a9644e529b796052e26

  • SSDEEP

    6144:dGdR+Yk/N8duBmG6t+UnRsRCQ/OJZOg7m:doR+Y4NSG6oUnRsdOJZOg7m

Score
10/10
blackmoonbankertrojan

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21edbfba775813ef7aa513c29630aad6b35d02c99dfc06492f3ebeaf6eedd3f6.exe
    "C:\Users\Admin\AppData\Local\Temp\21edbfba775813ef7aa513c29630aad6b35d02c99dfc06492f3ebeaf6eedd3f6.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4596
    • C:\Users\Admin\AppData\Local\Temp\Syslemgblao.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemgblao.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4876

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Syslemgblao.exe
    Filesize

    436KB

    MD5

    1f60fd379c9f5ea12adb8d3745f7ada8

    SHA1

    e0c5f5cb4b400021b2a6ed41648ed0b68b81fe69

    SHA256

    79668b01da74626243e380eadf1fcf69b98b1ce61f6dc676a7c466289265c8e5

    SHA512

    b46771ec56d2568d6742a17db108e886f920c388864d5ed3f5a315cf2241cd3ae0007568f2f4c97784206b00001c870306471c8d51759262e8aa8a3bd05d2fd2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini
    Filesize

    102B

    MD5

    252b86dbaa70286204bf56b6304b5bb3

    SHA1

    15d79f00e75da87e4fd6ca69e8cb70c2046b89fa

    SHA256

    77ae67ea7fdf6de1fff2620104fe543d9451e6f9ee5263b1f05913a1dff5d887

    SHA512

    c2705dff19a29d2b8b237b1c8a5f4964b25728ca7665aaea213c49019d81f69b9e21cc37e04a7045beb39122de5150f1d272f5b5abda1e3e6c37ebbac7f26945

    Download Submit