Analysis

  • max time kernel: 149s
  • max time network: 165s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240426-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 06-06-2024 03:43

General

  • Target: af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
  • Size: 9.5MB
  • MD5: 4c4e65fb7303955f343adba2108efe41
  • SHA1: de0d983e60a012bcb207e946053b994a619058b1
  • SHA256: af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab
  • SHA512: ba4cf5655e2d04606aabe28ecc87d3aa213722b7fb207089b75c5f729e9a0f7a081e9e76f63ac3704c13d765c78b90f912149bd63812b7d4c38568b0b417ee35
  • SSDEEP: 196608:JQOJcDKlFBqkwDxURK8vyqByLdlf3hRQIgLKNN:JZODKlFBqHayOclfhRQIG2N

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload (4 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SendNotifyMessage (2 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
    "C:\Users\Admin\AppData\Local\Temp\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
      "C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4088
      • C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\577B781B16B43518D26314CEA1E10DB3.exe
        "C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\577B781B16B43518D26314CEA1E10DB3.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4120

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\577B781B16B43518D26314CEA1E10DB3.exe
    Filesize: 1.8MB
    MD5: fd862833faa4b48eb028edab0da39e84
    SHA1: ee59134dbb7a4cd01b4aebb4baa1adf00b6a6dbe
    SHA256: 84438cd7423aa910a79be9e1018e35763c17c4715090a23f72503ec800c9fa0e
    SHA512: 6e6480b50559f94823b2d567c2d0e12a1a63ff6b667337107aa27ea26cc27398336c3020cd7327345baa462a4a7c55e61f61fd459717dff7efbb4c703e580067

  • C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\577B781B16B43518D26314CEA1E10DB3.exe
    Filesize: 3.6MB
    MD5: e7c82562e9abc48341a48785841553c2
    SHA1: dbbb824cd9e01411d2bca10c2ce21fab2ace7d9d
    SHA256: c139a9b15b4d28387f254d613532a191b182e3e953d363673fdbe6028231a046
    SHA512: dc5b0c5b5ec9600932e74c81edd2792a1e08613f58393cec6c48812a27380241404b673b64205ef9f198682e4f96743c14c64920d5dc59dff9d6ebee4b0329a8

  • C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
    Filesize: 5.9MB
    MD5: 14251ceebcad319d8bee80476beca7cd
    SHA1: abe50c7c5b46feaa6f6b8728a376000870b4a15d
    SHA256: 856fba7008b3ac184772eb924cfe8ab4187157fdbc94b01f565adb2a1ed7e248
    SHA512: ff96351c10b924ad3e8e73be5ca0fe1bb2fea13aebc1bb7fb059b620fb60cd7c8145dd70a563ca33869a8473e87d9b402f300c62a83e37ca43e933efd4d4dff7

  • C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
    Filesize: 4.2MB
    MD5: 5ef94ef5517c0afc8a80eaf4c1e5cd66
    SHA1: b7277b1415d6321f40404557c2167f22799a51db
    SHA256: 297b6f984553c6b98d506c75e1686b261a9af9f999d1ddda1d469705deeb61a0
    SHA512: 33188472ca81e145a0a37a1c3c18ef3ceb1c446566a811be8e74ed7a3371219523c005f8819234d1bb74db185d3115fed4129d9a1ef254452450ef9ea54c0fe1

  • C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
    Filesize: 6.1MB
    MD5: a6b72f4ad8a7bf6936fb2017073dd997
    SHA1: 954be16fbe70e17b53a5748ab387b499b574bdf1
    SHA256: 795e315cdaec8416356ab5d9c5f725f1d9922b1cdbfb03524b75c4255cf5692a
    SHA512: f435fa3b554f3f8a5e6022ec2d37bc35dfd6fd9308593b6c6b47fc008756d882f17490dbdc5dfe8ec04b1b614273fa8f43e1e6834926c6168124450892689aa1

  • C:\Users\Admin\Desktop\Ì츮¼¤Çé.lnk
    Filesize: 1KB
    MD5: e3eb14a9f69db92238858b0cea65c43b
    SHA1: c3abb1f352d1b81658aee9ec2df06e1c323f1d42
    SHA256: 7bf70e4c36dbaa390c6162647e9fd90bbeebb4a0719814320580d6ce559a8983
    SHA512: e6c1ff094289627af0277c3003be60bed46810a3615b26ec572a25ad784e8da86931ac89823c90193592594119bdf16ab1e86bf2b7ec6d48d5c9346d5748a647