Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 23:02

General

  • Target

    9f975a5f43dfcfe20a12f62bc4052170_NeikiAnalytics.exe

  • Size

    357KB

  • MD5

    9f975a5f43dfcfe20a12f62bc4052170

  • SHA1

    c7bc077fc383b46f27dbc7bc6ede2685b714b24c

  • SHA256

    68a744262f15853f21c5ac107b037102e914832861ae8f9f053b9de9ac048d47

  • SHA512

    978cf07790ede37c70a95885c402fcc2d176d308ed256cfe015a62b5b312b1d104a910824984dfe47d9eb8a30a862666e87c8b8ec8ff1d2daeaedf9b65a2e440

  • SSDEEP

    6144:mvk3Q5ibjnNuuXckaL7pbRBkce97aw/N4L7o4:mvMQ5ibjnwka3pbRC19Gw/Nso4

Score
10/10

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f975a5f43dfcfe20a12f62bc4052170_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9f975a5f43dfcfe20a12f62bc4052170_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Users\Admin\AppData\Local\Temp\Systemhbtrn.exe
      "C:\Users\Admin\AppData\Local\Temp\Systemhbtrn.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4716

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Systemhbtrn.exe

    Filesize

    357KB

    MD5

    b3f84e87450ef0ac7f1e44e523bc9ef5

    SHA1

    ee3da7df9e494b0826a9cb5fc83a7e0762e4b685

    SHA256

    a049dc82b4f36dbd23c84ded9bf5a8c746995067e6739a9a7f48d66fde390d55

    SHA512

    1afec65079749923cd5c806fd4c87e3554dd44262671e7e07f06a0d4d76c6ed21a1e5b1f29018b8999e6700c764caef6291263ce0355ae9bc93ec05e7dc5e810

  • C:\Users\Admin\AppData\Local\Temp\fpath.ini

    Filesize

    85B

    MD5

    831e8c27045177e4cafb79527535406d

    SHA1

    23834d812dd10bcc1f0fc11f3a1d253b6cb87c74

    SHA256

    7676e4b78cdf9df1b69e41f6f75882bfad483bbb4e3c865ade9ae5c26a900446

    SHA512

    ebe0618874a1f6975a61d08fde4a37765baa63447b71834965b624a31014a164973b8f86a70f3bbf3d5fd22f5a2ec7ad59bf06137655cbb0b7c2f255077e446c