Analysis

  • max time kernel
    118s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-04-2024 00:45

General

  • Target

    9d9961770ec49cd827541c17d730178cc22471848ff75b946b58225570ab39a0.exe

  • Size

    1016KB

  • MD5

    77b6361879cd2095663baa717c5a33ed

  • SHA1

    af5ca68dacc2df0d1868b3a4ca83a1228a7014eb

  • SHA256

    9d9961770ec49cd827541c17d730178cc22471848ff75b946b58225570ab39a0

  • SHA512

    b951f065bb2b2d7bcf0337d1fb4cfc314c7cceecc184e9cc221a5abdf735662e555f62411523526eb5c203de46ebcf47415ec7cc4ef436a1f0201e7990eb71ba

  • SSDEEP

    24576:HEeG1Gv/aSmbdppcBz6z6rgdzDUsQWe0:HEvGnaScZ8fUNAsQW

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • FatalRat

    FatalRat is a modular infostealer family written in C++ that first appeared in June 2021.

  • Detects executables calling ClearMyTracksByProcess 2 IoCs
  • Fatal Rat payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d9961770ec49cd827541c17d730178cc22471848ff75b946b58225570ab39a0.exe
    "C:\Users\Admin\AppData\Local\Temp\9d9961770ec49cd827541c17d730178cc22471848ff75b946b58225570ab39a0.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:2900
  • C:\Windows\helppane.exe
    C:\Windows\helppane.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\ddeebl\Agghosts.exe
      "C:\ddeebl\Agghosts.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2596

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ddeebl\Agghosts.exe

    Filesize

    23KB

    MD5

    5aab297fa8f143bfa67310ad78b76d3f

    SHA1

    5db963c2cca1bc8c8c060c52f7df76ccb477f01a

    SHA256

    8ec64bc55e5641d7683288e5e8e27c9391f06eb4da096c3d677d8f25ca4d04df

    SHA512

    c1ee67bd4c6bcfdc4179f905c7abc4ac632c9265b61dd5fdb90eeeec39802abe2cc487a5c8ded8a0748728104170c1b4d3a88904f102e1c3f891fac7702a2256

  • C:\ddeebl\Enpud.png

    Filesize

    157KB

    MD5

    6d4775f18b2ee05bb4763d3080d36bbe

    SHA1

    cdf9525b39409515b350d02b91bff61aac3cd55f

    SHA256

    23bb3a8e6cd6be562f57e98441888782f8f0d8d8ce456a9a40bf711a68a34c97

    SHA512

    45368d3468e45324362eded3905d16850136318acf88c9d8d9590f77fb912d423fe52f24ab3b0b4d001605692e2d0627ba1463de533b96724cd25a8548cf9e82

  • \Users\Public\Videos\study45\2.dll

    Filesize

    496KB

    MD5

    48e5090cd753cfe7adf3fd52897921e4

    SHA1

    41e40686fd744b42589dfc42f5740316cec6f94e

    SHA256

    87d27360ddd3176904e8aaf49f779aa9e566ad738de8b29ed61818730f99c9a5

    SHA512

    e15c64ee11a0d5f9eff0677d8fafb7ff73f2db0d5d66dfaa0d1994b02096f97793925c25409e4ad6f87f2a0db8b7050b2ffcce38e686b89e61798b90122ff194

  • \ddeebl\QiDianBrowserMgr.dll

    Filesize

    123KB

    MD5

    daa799b7defab6d9867c5d519b36611f

    SHA1

    4020d8587c28df934bd460b4dc953561be61e4ff

    SHA256

    6cec316645c5abc4f31eb25f3f09f462f843fc73b9c1db79c5f580c6773e8d00

    SHA512

    52979cb556129d2efd2615001cfd5dab74066c9ed45d46746c02d71f6418b92a61fc5dc4c182089d2bc66d7d1a5e461b8fa60702f872d63194412bc4fa699777

  • \ddeebl\vcruntime140.dll

    Filesize

    77KB

    MD5

    f107a3c7371c4543bd3908ba729dd2db

    SHA1

    af8e7e8f446de74db2f31d532e46eab8bbf41e0a

    SHA256

    00df0901c101254525a219d93ff1830da3a20d3f14bc323354d8d5fee5854ec0

    SHA512

    fd776f8ceaac498f4f44819794c0fa89224712a8c476819ffc76ba4c7ff4caa9b360b9d299d9df7965387e5bbcb330f316f53759b5146a73b27a5f2e964c3530

  • memory/2456-10-0x0000000000630000-0x0000000000631000-memory.dmp

    Filesize

    4KB

  • memory/2596-18-0x0000000000170000-0x00000000001A0000-memory.dmp

    Filesize

    192KB

  • memory/2596-19-0x0000000010000000-0x0000000010029000-memory.dmp

    Filesize

    164KB