Analysis

  • max time kernel: 150s
  • max time network: 149s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 24-05-2024 01:58

General

  • Target: b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
  • Size: 9.5MB
  • MD5: c1a327f80304feb7842e1f35cbcf131c
  • SHA1: 193bff007356348b1327c100a7a3cf0e30c2967f
  • SHA256: b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b
  • SHA512: eca17a38069af074e77c0c52f880ac5b468e8ec453e8705886fa2c4c3ad91e14bbf321bf6ded0ee655db1ad85d0e853019dc3e459f9c2290fbefaf08af365cfd
  • SSDEEP: 196608:J/MJcDKlFBqkwDxURK8vyqByLdlf3hRQIgLKNg:JUODKlFBqHayOclfhRQIG2g

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
    "C:\Users\Admin\AppData\Local\Temp\b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Users\Admin\AppData\Roaming\ǧÇïħÓò\b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
      "C:\Users\Admin\AppData\Roaming\ǧÇïħÓò\b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Users\Admin\AppData\Roaming\ǧÇïħÓò\5E0A676E54A8365AFB17FD466BCDF925.exe
        "C:\Users\Admin\AppData\Roaming\ǧÇïħÓò\5E0A676E54A8365AFB17FD466BCDF925.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2524

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Credential Access
    • Unsecured Credentials (T1552): 1
    • Credentials In Files (T1552.001): 1
  • Discovery
    • System Information Discovery (T1082): 1
  • Collection
    • Data from Local System (T1005): 1

Downloads

  • C:\Users\Admin\Desktop\ǧÇïħÓò.lnk
    Filesize: 1KB
    MD5: bf8ea56dabff71511523e3c180757881
    SHA1: c1af3fb9980f319bddcda25a2e55167cf334b6ec
    SHA256: 2d8ec0690934bfb0d925f91b03e69b5f162f2dd7ca48316413c301739c4ab10f
    SHA512: 08ef26b9e57bf90c76dc264d5488ee485a4c11187ec31f240cf66bb808ab83369e4c7e34723bba7c8d8f01bcb5ed26e91223b35befaeaff73144669899955dfa

  • \Users\Admin\AppData\Roaming\ǧÇïħÓò\5E0A676E54A8365AFB17FD466BCDF925.exe
    Filesize: 9.0MB
    MD5: 0b00122c4eac3c5c6f1b1c783a7aa94f
    SHA1: 584ef0295c0b1d714dfe9de916a1d69dd2e76646
    SHA256: 923cb3c28f626586174f3768fc49b4146b008a6d5f92ee27f5605ea68ac206bc
    SHA512: 27f867c785598a7fb683d79d5ca7a1a56b799e77742d136b912e7de55f0196a8a25bec69d1417d7448b45bfed8190b5686fcb962dadbb764396689b86d1eea24

  • \Users\Admin\AppData\Roaming\ǧÇïħÓò\b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
    Filesize: 9.5MB
    MD5: c1a327f80304feb7842e1f35cbcf131c
    SHA1: 193bff007356348b1327c100a7a3cf0e30c2967f
    SHA256: b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b
    SHA512: eca17a38069af074e77c0c52f880ac5b468e8ec453e8705886fa2c4c3ad91e14bbf321bf6ded0ee655db1ad85d0e853019dc3e459f9c2290fbefaf08af365cfd