Overview

overview

10

Static

static

10

2024-05-23...ia.exe

windows7-x64

10

2024-05-23...ia.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 03:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-05-23_5fb791968a1460f815e4aba655d4c78d_mafia.exe

  • Size

    1.6MB

  • MD5

    5fb791968a1460f815e4aba655d4c78d

  • SHA1

    38172eadadf048931c71fb511b9fdd7d69f4b818

  • SHA256

    4691daa9c9195dd0e1d7dbae90ba6e30a5d9fd506a118967e4796408a6399d69

  • SHA512

    a15ff5e215dddb9302ebbf5b8027df7dd20d97194ef2911c543e693c56dac73c3855f987b655367208675f487b30dea944109ef5265013f46b97a8e2761d0bf7

  • SSDEEP

    24576:+uOMzTVHxWd7xlr6LbfRRM5OTJ7hIVymFNlMtRVblP9PIjo3rSyp0sUPYud9mj7c:+wod7xULbpf/I07Syp0sUPYu7U2K

Score
10/10
blackmoonbankerdiscoverytrojanupx

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 4 IoCs
  • UPX dump on OEP (original entry point) 5 IoCs
  • Drops startup file 1 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-23_5fb791968a1460f815e4aba655d4c78d_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-23_5fb791968a1460f815e4aba655d4c78d_mafia.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3088

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3088-0-0x0000000010000000-0x0000000010109000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/3088-7-0x0000000002D00000-0x0000000002D18000-memory.dmp
    Filesize

    96KB

    Download
  • memory/3088-10-0x0000000000790000-0x0000000000957000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/3088-9-0x0000000003560000-0x00000000035B9000-memory.dmp
    Filesize

    356KB

    Download
  • memory/3088-8-0x0000000000790000-0x0000000000957000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/3088-6-0x00000000007E3000-0x00000000007E4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3088-11-0x0000000000790000-0x0000000000957000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/3088-13-0x0000000000790000-0x0000000000957000-memory.dmp
    Filesize

    1.8MB

    Download