Analysis

  • max time kernel
    148s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-05-2024 03:38

General

  • Target

    bf924b598e2dfba94954d1a982bff917d28637f819cae124befdfac8f23a8d84.exe

  • Size

    87KB

  • MD5

    63173cc80d964d6d908e0899bf489086

  • SHA1

    5a8b7d20531ed7925177604720ffd190b61edd98

  • SHA256

    bf924b598e2dfba94954d1a982bff917d28637f819cae124befdfac8f23a8d84

  • SHA512

    3e9f60e85d9f68389225c21b5e70260c6b123f05c35fc7a8500e52634b3d9535bcb71a996e0f59ac09b360e24bb01bf9a538242cb53c21a436be603c64dfb42c

  • SSDEEP

    1536:Lxos1lS77S/87BJM2pThWf9DcqZmR8/bMxnONDjYseXPmo06/i/XdVw/iA:jjfbcRkbMVu7EqQ/j

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 3 IoCs
  • UPX dump on OEP (original entry point) 5 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf924b598e2dfba94954d1a982bff917d28637f819cae124befdfac8f23a8d84.exe
    "C:\Users\Admin\AppData\Local\Temp\bf924b598e2dfba94954d1a982bff917d28637f819cae124befdfac8f23a8d84.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Users\Admin\AppData\Local\Temp\Systemzdruk.exe
      "C:\Users\Admin\AppData\Local\Temp\Systemzdruk.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2752

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Systemzdruk.exe

    Filesize

    87KB

    MD5

    8155425ddbe32854af49dfaf446b3dbf

    SHA1

    bc6db73a89969a8dc6c614872215bf3abdce9f82

    SHA256

    67a345b6a827eccaf71ba631ca9b2a261ca07cc4f967006780ae48c554691067

    SHA512

    0d0fabfbe0352a24bfd488b257d230fffdc13e9327dd0b1225e0302cc4042bf704b6cfc5835b1f402acc2c8cad654cfbdbdcecbb4ea470d27a935dd21d106ffa

  • C:\Users\Admin\AppData\Local\Temp\path.ini

    Filesize

    102B

    MD5

    d574e68bb731e343e68ddf05598d9e44

    SHA1

    33e898fc366b554bee461f683fc242f77bd78742

    SHA256

    f643b9be83543526b2bb390330fd84b70ee8e100a4be868c5508ee17385bf622

    SHA512

    14fff900f54f3d2ce419979e7d9a048f53bba9e9a83279c71398cb35f366c08e3a059aa87a7f4a3cef76fa5753728e6c5a8aaee23be6b85c2e7b84e32b29931b

  • memory/2228-0-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB

  • memory/2228-16-0x00000000035D0000-0x000000000364E000-memory.dmp

    Filesize

    504KB

  • memory/2228-15-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB

  • memory/2752-17-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB

  • memory/2752-21-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB