Analysis

  • max time kernel
    118s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
  • submitted
    23/07/2024, 21:33

General

  • Target

    0ed86e53a5261452a70818c743c13fa0N.exe

  • Size

    87KB

  • MD5

    0ed86e53a5261452a70818c743c13fa0

  • SHA1

    28f241d330a83fe4f6a7f182bc9d9d2f89df779c

  • SHA256

    53e651199214c495958d43ddab2745e3d4aff7ad2162d8bd84d7870c20a1d74a

  • SHA512

    26c41feace0f7fffd31e376c33b3de9b088e4096fc09b9ad6c3fc2b88d1e827da9df297019636266a10f82d96372d8c58d7c7f593c83ee8883dfe329fc94b12e

  • SSDEEP

    1536:Lxos1lS77S/87BJM2pThWf9DcqZmR8/bMxnONDjYseXPmo06/i/XdVw/it:jjfbcRkbMVu7EqQ/8

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with the UPX open-source packer or a modified UPX variant.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ed86e53a5261452a70818c743c13fa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0ed86e53a5261452a70818c743c13fa0N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Users\Admin\AppData\Local\Temp\Systemghmdo.exe
      "C:\Users\Admin\AppData\Local\Temp\Systemghmdo.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2872

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\path.ini

    Filesize

    71B

    MD5

    9b37c8b3ce07cfb83cb42eb3ae7e9bd2

    SHA1

    7860a804ae5814d9969f79622fc23ee059de20c0

    SHA256

    395b6bd5e56a4928f00922bb301655ea5ba2b1366be1f0d73d9d7fd42be593eb

    SHA512

    2fb6c5d7b65ef330c24a346d29959cbb57eb28e6db2b54352b9bb806722230e29840547f8ccfa91b352737e394b1010b45de06a29346ad30c6439cfe49ecf794

  • \Users\Admin\AppData\Local\Temp\Systemghmdo.exe

    Filesize

    87KB

    MD5

    ce701b163a70c369de0934c1f4ab3691

    SHA1

    efb4fb5167a72e1686a8600bdbb6d01923445c50

    SHA256

    0dc45c0863b90f2ac06e6220f4ddd35c47c6c13edc9798fd921a1ae75b7ddc93

    SHA512

    271567036095baf1becc8ab6b1563ad54429258069b9d8bfa8ccd1350c7c08515e40b165256d29c689459625b791722565704084e05e473becef877217a0f874

  • memory/2336-0-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB

  • memory/2336-16-0x0000000003690000-0x000000000370E000-memory.dmp

    Filesize

    504KB

  • memory/2336-15-0x0000000003690000-0x000000000370E000-memory.dmp

    Filesize

    504KB

  • memory/2336-10-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB

  • memory/2872-18-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB

  • memory/2872-22-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB
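The hashes above and the "UPX packed file" signature in the Signatures section are the two things a responder can act on offline. The script below is an added example, not part of the sandbox report and not the sandbox's own detection logic: it hashes a file, matches the digests against the MD5/SHA1/SHA256 values listed in this report, and parses the PE section table with the standard library to flag the UPX0/UPX1 section names that stock UPX writes (one common heuristic; a modified UPX may rename them, so treat a miss as inconclusive). The PE bytes it builds for the demo are constructed, not the sample; the function names are my own.

```python
"""Offline triage against the IoCs in this report (added example)."""
import hashlib
import struct
import sys

# Digests copied from the report's General and Downloads sections.
REPORT_IOCS = {
    "0ed86e53a5261452a70818c743c13fa0N.exe": {
        "md5": "0ed86e53a5261452a70818c743c13fa0",
        "sha1": "28f241d330a83fe4f6a7f182bc9d9d2f89df779c",
        "sha256": "53e651199214c495958d43ddab2745e3d4aff7ad2162d8bd84d7870c20a1d74a",
    },
    "Systemghmdo.exe": {
        "md5": "ce701b163a70c369de0934c1f4ab3691",
        "sha1": "efb4fb5167a72e1686a8600bdbb6d01923445c50",
        "sha256": "0dc45c0863b90f2ac06e6220f4ddd35c47c6c13edc9798fd921a1ae75b7ddc93",
    },
    "path.ini": {
        "md5": "9b37c8b3ce07cfb83cb42eb3ae7e9bd2",
        "sha1": "7860a804ae5814d9969f79622fc23ee059de20c0",
        "sha256": "395b6bd5e56a4928f00922bb301655ea5ba2b1366be1f0d73d9d7fd42be593eb",
    },
}

# Section names written by stock UPX; a modified packer may rename them.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1"}


def hash_bytes(data: bytes) -> dict:
    """Lowercase hex MD5/SHA1/SHA256 of a blob, keyed like REPORT_IOCS."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_iocs(hashes: dict) -> list:
    """Report artifacts whose listed digest equals any digest in `hashes`."""
    return [name for name, known in REPORT_IOCS.items()
            if any(hashes.get(alg) == known[alg] for alg in known)]


def pe_section_names(data: bytes) -> list:
    """Section names from the PE section table; [] if this is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size              # first IMAGE_SECTION_HEADER
    names = []
    for i in range(n_sections):
        off = table + i * 40
        if off + 40 > len(data):              # truncated table: stop, don't crash
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True when any section carries a stock UPX name."""
    return any(n in UPX_SECTION_NAMES for n in pe_section_names(data))


def triage(data: bytes) -> dict:
    """Everything a responder wants for one file in a single dict."""
    hashes = hash_bytes(data)
    return {"hashes": hashes, "ioc_hits": match_iocs(hashes),
            "sections": pe_section_names(data), "upx": looks_upx_packed(data)}


def build_demo_pe(section_names) -> bytes:
    """Constructed headers-only PE32 image used to exercise the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> right after DOS header
    opt_size = 0xE0                           # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    table = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    # Usage: python triage.py <file>   (defaults to the constructed demo PE)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_demo_pe([b"UPX0", b"UPX1", b".rsrc"])
    print(triage(blob))
```

On a live host, point it at %TEMP% (the report shows both the dropped EXE and path.ini land there); a hash hit is conclusive, a UPX section hit is only a reason to look closer, since UPX is used by plenty of benign software too.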