Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    • arch:x64
    • arch:x86
    • image:win10v2004-20240508-en
    • locale:en-us
    • os:windows10-2004-x64
    • system
  • submitted
    24-05-2024 11:37

General

  • Target

    f18b2d9ca2caf1b7b8b1913c886a112e18769c71200bccb5f1cb2be2b034eb76.exe

  • Size

    431KB

  • MD5

    6f882a62faa48c6722bd0da1b34c26a4

  • SHA1

    e47f36f68f92f6c7e57e92379dd63f84e5f682dd

  • SHA256

    f18b2d9ca2caf1b7b8b1913c886a112e18769c71200bccb5f1cb2be2b034eb76

  • SHA512

    b4c7cd6e25e1a7e909399715bf5a840baf6cfcc2f156d5a1c7a80377f98efb09c646eca9841734afb737ed8182f210fd492899030013c65bb286c45219b8452e

  • SSDEEP

    3072:TVmHpJqu0Vh6jw/fmZmRMpVuWwP5tOcQfgdVqYHKjoS1HwZCFjTPG1UFNE2XCKU4:TcHpJfHElepVuWwP5YcQfg8J+ojCKC+b

Score
10/10

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f18b2d9ca2caf1b7b8b1913c886a112e18769c71200bccb5f1cb2be2b034eb76.exe
    "C:\Users\Admin\AppData\Local\Temp\f18b2d9ca2caf1b7b8b1913c886a112e18769c71200bccb5f1cb2be2b034eb76.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Users\Admin\AppData\Local\Temp\Systemqmwcw.exe
      "C:\Users\Admin\AppData\Local\Temp\Systemqmwcw.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2360

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Discovery
    • Query Registry (T1012): 1 signature
    • System Information Discovery (T1082): 2 signatures


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Systemqmwcw.exe
    Filesize

    431KB

    MD5

    8eb95320c8b976a0d36ad99ad66baedd

    SHA1

    81a24277aecf7561f32c908cc37efe86ddb152ff

    SHA256

    fed0006cb2927940c40f87668b2e742610123b53e7f5e6fa8ce27862ffc00272

    SHA512

    17185aa31bf0332bd3b878d672a6556716a618d566caf2cd6b45ace0030379ee5463ef9ee87281299c868949c862d7f144a9bbc9fac558a294338f5b0a5feaef

  • C:\Users\Admin\AppData\Local\Temp\path.ini
    Filesize

    102B

    MD5

    7f8645fb30d48c7c334029db7c62e08b

    SHA1

    2564e0f0bbca93551e1e0e90c8c6e1ea0add3dfd

    SHA256

    b9f4bedb94b3cb881f9ffe78611f95e059a2325ef1b0e96f5804593c24bcb762

    SHA512

    c732d508ca4e997308e06971f068c6a82dfcce68766e63fe1ef95a9dc085ae801911aa2e7bb6d3bf42e8460049b5fd39cf5014a3c300f19751304f647a589cff