Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-05-2024 13:29

General

  • Target

    d3a64f10c3ffee75d8871e56b86cfb5addd2bd8c791fffac87c29ac811d05305.exe

  • Size

    4.5MB

  • MD5

    538973fb715f9657d6369b95880d034f

  • SHA1

    0ea309bdf440b33d3e0d718abbf7543a9760c21e

  • SHA256

    d3a64f10c3ffee75d8871e56b86cfb5addd2bd8c791fffac87c29ac811d05305

  • SHA512

    736c2fb40eb8b34d3f0a7735fdd06647a432d7c4650b2ad9c3e58e4da9486621a42513198fff2ce9279fb2250a9d79b96232f31d2a06605e0de23c9bd4e48822

  • SSDEEP

    98304:GRsbxSZ5w64GYL/6YEA6CXRZLhsK3oUFrieBQJ4OiZrq1DfPHNADtV6v+pT:GKbgIGhG3oUF+M24O7NADtV6v+p

Score
10/10

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d3a64f10c3ffee75d8871e56b86cfb5addd2bd8c791fffac87c29ac811d05305.exe
    "C:\Users\Admin\AppData\Local\Temp\d3a64f10c3ffee75d8871e56b86cfb5addd2bd8c791fffac87c29ac811d05305.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2856
    • C:\Users\Admin\AppData\Local\Temp\accelerator.exe
      "C:\Users\Admin\AppData\Local\Temp\accelerator.exe"
      2⤵
      • Executes dropped EXE
      PID:2452

Network

MITRE ATT&CK Matrix ATT&CK v13

Downloads

  • C:\Users\Admin\AppData\Roaming\clinkm2.data
    Filesize

    4KB

    MD5

    8ccdb9e7420eeaa9d27b15060844db68

    SHA1

    8231112f977abd79c7dd70da63e07b5705b30002

    SHA256

    66f8174abadecfca6e12ef896663781f395bb0250844174c95acf39df6bc1040

    SHA512

    550045ed0799fdbdf083007b5c19ec92e9b8224610ce658f68a898213230b414a2f45773e35bb1356a2ec7701a20a674cdcdd7b0fd87562bbf56af2189c71d50

  • \Users\Admin\AppData\Local\Temp\accelerator.exe
    Filesize

    16KB

    MD5

    8b73d9f69feb27823d3be1f2536b72f1

    SHA1

    4aa5b78649debb07d97bf9365277e00f215e3fd0

    SHA256

    01a89adeacbfc39eb0a3e7e207cde872ad5c4f3657ddecc697b13e42dae00c2f

    SHA512

    f78dc47a0c60afd66d74909c90c6edd6e642c4554a65ab78c158a5bfea9bf28ad92902b3710ec1b5eb4980791346fae1181a18e1bb71c21c3574aa97d4ceaf68

  • memory/2452-23-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB