Overview

overview

10

Static

static

10

bf924b598e...84.exe

windows7-x64

10

bf924b598e...84.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    21/05/2024, 03:42

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    bf924b598e2dfba94954d1a982bff917d28637f819cae124befdfac8f23a8d84.exe

  • Size

    87KB

  • MD5

    63173cc80d964d6d908e0899bf489086

  • SHA1

    5a8b7d20531ed7925177604720ffd190b61edd98

  • SHA256

    bf924b598e2dfba94954d1a982bff917d28637f819cae124befdfac8f23a8d84

  • SHA512

    3e9f60e85d9f68389225c21b5e70260c6b123f05c35fc7a8500e52634b3d9535bcb71a996e0f59ac09b360e24bb01bf9a538242cb53c21a436be603c64dfb42c

  • SSDEEP

    1536:Lxos1lS77S/87BJM2pThWf9DcqZmR8/bMxnONDjYseXPmo06/i/XdVw/iA:jjfbcRkbMVu7EqQ/j

Score
10/10
blackmoonbankertrojanupx

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf924b598e2dfba94954d1a982bff917d28637f819cae124befdfac8f23a8d84.exe
    "C:\Users\Admin\AppData\Local\Temp\bf924b598e2dfba94954d1a982bff917d28637f819cae124befdfac8f23a8d84.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Users\Admin\AppData\Local\Temp\Systemgebrb.exe
      "C:\Users\Admin\AppData\Local\Temp\Systemgebrb.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2712

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\path.ini
          Filesize

          102B

          MD5

          d574e68bb731e343e68ddf05598d9e44

          SHA1

          33e898fc366b554bee461f683fc242f77bd78742

          SHA256

          f643b9be83543526b2bb390330fd84b70ee8e100a4be868c5508ee17385bf622

          SHA512

          14fff900f54f3d2ce419979e7d9a048f53bba9e9a83279c71398cb35f366c08e3a059aa87a7f4a3cef76fa5753728e6c5a8aaee23be6b85c2e7b84e32b29931b

          Download Submit

        • \Users\Admin\AppData\Local\Temp\Systemgebrb.exe
          Filesize

          87KB

          MD5

          b3b97387a78fa2a9d55b76ed8accbc8f

          SHA1

          373f21b58c86b7ed1d4b34b95b0523aa45cf3948

          SHA256

          944a337a38c28d17ffe9764476ba29e561388d81b8c91a046dac339833d4a010

          SHA512

          43106b40dae034eaa6007a772feded6bb9881e817c5ceaa883bca634e1de6b2ce559189d8ec4bf5ca7b8302431aee1ac8f0f6159c0c62564b9c07e185c0aa08f

          Download Submit

        • memory/1304-0-0x0000000000400000-0x000000000047E000-memory.dmp

          Filesize

          504KB

          Download

        • memory/1304-15-0x0000000003590000-0x000000000360E000-memory.dmp

          Filesize

          504KB

          Download

        • memory/1304-10-0x0000000000400000-0x000000000047E000-memory.dmp

          Filesize

          504KB

          Download

        • memory/2712-17-0x0000000000400000-0x000000000047E000-memory.dmp

          Filesize

          504KB

          Download

        • memory/2712-21-0x0000000000400000-0x000000000047E000-memory.dmp

          Filesize

          504KB

          Download