Overview

overview

10

Static

static

10

2a94bef55d...67.exe

windows7-x64

10

2a94bef55d...67.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10/04/2024, 01:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2a94bef55dd9fa7692bb27739a510e434c8a87d4c0661c8a70854bacdcf4ea67.exe

  • Size

    113KB

  • MD5

    7f1724a7f154d9be81887ef065dce1b1

  • SHA1

    0a060d513d209075c4d914b94ef1bbe6285b995d

  • SHA256

    2a94bef55dd9fa7692bb27739a510e434c8a87d4c0661c8a70854bacdcf4ea67

  • SHA512

    ff170925ff666c5558d4619c4ee133ec4a5ac5b2b23c188f280fea9b8d32bf7e81f584a5a445226e7ccdc62f7cd0fbb406a711173b0b48d7ef5a35de15350a46

  • SSDEEP

    1536:bViMsvI+AQX1OdBaKpVllHG/fdt+fV3JbB5OPnDE5+QDJ4rX27qTrf:bav9OdPx8wJ4rm7qn

Score
10/10
blackmoonbankertrojan

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a94bef55dd9fa7692bb27739a510e434c8a87d4c0661c8a70854bacdcf4ea67.exe
    "C:\Users\Admin\AppData\Local\Temp\2a94bef55dd9fa7692bb27739a510e434c8a87d4c0661c8a70854bacdcf4ea67.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Windows\system32\svhost.exe -k RPC
      2⤵
      • Executes dropped EXE
      PID:2132

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~pidtemp.TMP
    Filesize

    102B

    MD5

    a31557fe968d2762b715ba204f748a2a

    SHA1

    e9cfe2011cf6f454e05b07eda648d62af35ad173

    SHA256

    8085f108970ed0120c23e425d383f11e4ab9e549ae212ac7046d653d175b671c

    SHA512

    cff2212c3f75d73aab32cbcb61923294f6fd934d19142f507d244cd94e2bfc21d73c88ff102824e44714d4417c0dce79ac9d48a8d8524acbe92a231494647b4e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\svchost.exe
    Filesize

    113KB

    MD5

    dc420d7ce75bac9e2ad9d6e4e8342d47

    SHA1

    632ed27a136fd9d32eafa435fd1cc73df60e778a

    SHA256

    faaec52d558ce8bb7b12bd890957fc8ad8751c7b0a77e52b81e02475b160b55e

    SHA512

    180762a10f677573ac60049d0624b2f59dfec2bc6686075330796450f29ae3f4fe363df30c628fdfee900bbc1cfc348e01d6498556ff79dcaaa4cfd4b843dedb

    Download Submit

  • memory/2132-11-0x0000000000380000-0x000000000038A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2132-12-0x0000000000380000-0x000000000038A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2132-13-0x0000000000380000-0x000000000038A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2132-14-0x0000000000380000-0x000000000038A000-memory.dmp

    Filesize

    40KB

    Download