Analysis

  • max time kernel
    170s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-04-2024 20:03

General

  • Target

    e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe

  • Size

    366KB

  • MD5

    a0307df6eb0b3cce819ad6a5894c08ee

  • SHA1

    13725598a9d292256bc6321bf8abeb2220e479c7

  • SHA256

    e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428

  • SHA512

    ba9a10f71653d4a5365db9168a4e2939d10b4e6ec9ef4fd908a288561d20297c819b1bdb4b673113099b07c522fe8d0637a91a160034bdd392e2f666e8bd6a3a

  • SSDEEP

    6144:BSfSHl+gv5gY1F53Aul/Egv4+E6qnwEGvIkJ7G9P1p:B2SHl+gv5gY1b5Eo4+EsEEIkJ7G9P1p

Score
10/10

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe
    "C:\Users\Admin\AppData\Local\Temp\e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Users\Admin\AppData\Local\Temp\Syslemkpide.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemkpide.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4012

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Syslemkpide.exe

    Filesize

    366KB

    MD5

    0a316597b56cfddc45f3a8568c8da0ca

    SHA1

    4a38f4b9e6b39dfd2efc5687f12da804ef1f4934

    SHA256

    956100ec032fe6477f26beb4054d6068d5a11b5351ff961c131bd7c57dda51c6

    SHA512

    89bd1f8c045dbe0eaad23e7d4eccf069e86c5cb391f2984e38a1378061e57640bf043f243804b8c8a9f016d78b4031900bb2f5231d4628ca5fa1a1212b55d535

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini

    Filesize

    102B

    MD5

    1226e6a47fdbfd78df76bdd45cb0564c

    SHA1

    8a08de365b4413c6d7882bfd8a3775d26d367712

    SHA256

    2280de56f43d6a590c031f896069615a7aec2a7f749bc20b323eb67a253da6d3

    SHA512

    bd620b7b953abc34714ee711d6b77cac9c81dd195884cb8e37937822cd2884a0775bf7413c92f17784e7f1e500f18951f95e7918f5a6fecfee546a2d34a4f029
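A practical use of the file artefacts above is an offline IoC sweep of a suspect host. Note that the dropped Syslemkpide.exe is reported at the same size as the submitted sample (366KB) but with different hashes, so a sweep that keys only on the submitted sample's hash would miss the dropped copy; matching on the dropped file names from the Processes and Downloads sections covers that case. The script below is an added example, not part of the sandbox report or of any tool the report references. The SHA-256 values and file names are copied from this page; the function names (`sweep`, `sha256_of`), the `Hit` record and the directory walked are assumptions for illustration.

```python
"""Offline IoC sweep built from the hashes and file names in this report.
Added example; not sandbox output. Helper names and layout are assumed."""
import hashlib
import os
import sys
import tempfile
from dataclasses import dataclass

# SHA-256 values copied from the report (submitted sample and dropped files).
REPORT_HASHES = {
    "e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428": "submitted sample",
    "956100ec032fe6477f26beb4054d6068d5a11b5351ff961c131bd7c57dda51c6": "dropped Syslemkpide.exe",
    "2280de56f43d6a590c031f896069615a7aec2a7f749bc20b323eb67a253da6d3": "dropped lpath.ini",
}

# Names the sample wrote into %LOCALAPPDATA%\Temp according to the report.
REPORT_FILENAMES = {"syslemkpide.exe", "lpath.ini"}


@dataclass
class Hit:
    path: str
    reason: str
    sha256: str


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, hashes=REPORT_HASHES, names=REPORT_FILENAMES):
    """Walk `root` and return a Hit for every file whose SHA-256 matches a
    report hash, or whose basename matches a dropped-file name (hash differs,
    so this catches a rebuilt or modified copy that an exact hash would miss)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_of(p)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
            if digest in hashes:
                hits.append(Hit(p, "hash match: " + hashes[digest], digest))
            elif name.lower() in names:
                hits.append(Hit(p, "filename match (hash differs; possible new build)", digest))
    return hits


if __name__ == "__main__":
    # Default to the user's temp directory, which is where the report shows the
    # drops landing on Windows; pass a path to sweep somewhere else.
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.gettempdir()
    for hit in sweep(target):
        print(f"{hit.reason}\t{hit.sha256}\t{hit.path}")
```

Run it with the directory to inspect as the only argument; every hit prints the reason, the file's SHA-256 and its path, so a filename-only hit can be hashed and submitted for its own analysis.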