Overview

overview

10

Static

static

10

8857edf7b5...3f.exe

windows7-x64

10

8857edf7b5...3f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/05/2024, 23:30

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    8857edf7b5ea7dd3dd3a3bcb4bbdaab657a08e5d3bca7b1353e95aa142a85b3f.exe

  • Size

    92KB

  • MD5

    e5428d1eca263dcb05b8858eefb9f81c

  • SHA1

    dbbed6c49e5d7c8614d52b9eaf742242e5bfb2ef

  • SHA256

    8857edf7b5ea7dd3dd3a3bcb4bbdaab657a08e5d3bca7b1353e95aa142a85b3f

  • SHA512

    29d64ac45cc0f6c5bfeddc540bec0b895a288e2492712cb38a0cf9514de584c810ab8b4fb94c5529c94cd1dfebec57d3b240039d9ed625525a9fa6d7426fdf4c

  • SSDEEP

    1536:Q/vTGudTe5k4Lo8KI2Z4yNcR5Mpk7WO9f2zXGYxTIx9JL8IoQ6CqZphkC:Q/bhOrBKIq4XR5Mpp+fw2CIx9JLYpkC

Score
10/10
blackmoonbankertrojanupx

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 2 IoCs
  • UPX dump on OEP (original entry point) 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8857edf7b5ea7dd3dd3a3bcb4bbdaab657a08e5d3bca7b1353e95aa142a85b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\8857edf7b5ea7dd3dd3a3bcb4bbdaab657a08e5d3bca7b1353e95aa142a85b3f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3264
    • C:\Users\Admin\AppData\Local\Temp\Syslemotucb.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemotucb.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1172

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Syslemotucb.exe
          Filesize

          92KB

          MD5

          3f8f1fa6fd0c9ec5d195ba0a52b0ee6e

          SHA1

          30f44f067f409cc22527759e67eefaa128e15382

          SHA256

          32f3401ca6348f79813beb183f6ab1bdd9f78570c9862cdab9cea695a1f84a0e

          SHA512

          58fe154cd9590f7652d5ad7c55396fb1399411d7ee124e50f159e0c36887d523796a278c2b9517dec3423f4b432b1d5b9e284ed1a40ecfae734a2a3fc12a4043

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\lpath.ini
          Filesize

          102B

          MD5

          43ca01e5abbe6045773e285a7eb0d220

          SHA1

          367ca173934f15508fb300b8ebff8b04dac9d955

          SHA256

          9c8475607b73673ac6a07f9dfc077fa8332415cfbbb8ee1f81f683fbf09a757c

          SHA512

          f0c61397cff937c93d968e60d972edc4650be7fa3e757dbd80848ffd1978320d9ba5a5e3b8e692c6bbd9cd37a912a3da941ea48dbc8d01489e887274a2ef7247

          Download Submit

        • memory/1172-16-0x0000000000400000-0x000000000047F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/3264-0-0x0000000000400000-0x000000000047F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/3264-14-0x0000000000400000-0x000000000047F000-memory.dmp

          Filesize

          508KB

          Download