Overview

overview

10

Static

static

1

2024-07-26...la.exe

windows7-x64

10

2024-07-26...la.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/07/2024, 07:24

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-07-26_085bc5aa24694d01427da6f49f95ff3e_magniber_sakula.exe

  • Size

    25.1MB

  • MD5

    085bc5aa24694d01427da6f49f95ff3e

  • SHA1

    2677bc5f6479f40671cdce21a0e78b5804f4553c

  • SHA256

    c15363fa323f12d9e7a7be713d36c6cc34465ad46adb6f3453f46647efe3fa4c

  • SHA512

    345baf4c75911f80721d609bce32d0c8206b3af5a00b7a42a6851b5337d66f2ddba7e56e41e23a8c264cf03d1d4e678d953bdba275139b9900e280e140cf2812

  • SSDEEP

    786432:tFwibZA1wadDE9EkEmoX1MAOmgFH0fVPnxVSOyQcdl7QJsDeNLHxdn2FrmDeLkj:tFwibZApDHiIyX2SO2l7QvNLH3n2FweA

Score
10/10
blackmoonbankerdiscoverytrojanupx

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 4 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-26_085bc5aa24694d01427da6f49f95ff3e_magniber_sakula.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-26_085bc5aa24694d01427da6f49f95ff3e_magniber_sakula.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Users\Admin\Documents\Tomcat.exe
      "C:\Users\Admin\Documents\Tomcat.exe"
      2⤵
      • Deletes itself
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2524

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Ling\malloc\L_mimalloc.dll
          Filesize

          148KB

          MD5

          051d69a619adca3472e8d7c9b0c0eb5c

          SHA1

          6cc795ac90e43e408919e19ba6f5633863560459

          SHA256

          feefc12464985e2057a4cbd54117e9414f2e00a284106fa38b62d63052a1f7dd

          SHA512

          50daa3344aa4d86cdd22cf5736eec993467e6574c5e341cd0fd95757c739e167b6e76c744b29ae302d08c88d469fea0767640a9257f54f9dec2c5fbb87c23b71

          Download Submit

        • C:\Users\Admin\AppData\Roaming\zlib.dll
          Filesize

          27KB

          MD5

          849e9f3e59daf750db838e885d58c6fa

          SHA1

          733cb105153e4b83160a52bfa2ddd95d750fb806

          SHA256

          f94949a6c121a525f661dd8abd917eb37a5cf582c89e3a258170a15d30cc0cc2

          SHA512

          3feff6db5fc5ae371a4ec60ce13a383668a5accac537a0ae56b9b5b7318a2d5bdb4b79286a519cad3610cb6d1f335a11c09a4d3165c147a00d5a7880ea23e173

          Download Submit

        • C:\Users\Admin\Documents\Tomcat.exe
          Filesize

          1.7MB

          MD5

          d25a10fa1f251f87a1700eb74a83c888

          SHA1

          6f8c01180845db8817a726cb9c356cbe92fcd4a6

          SHA256

          e72f70f26b5e05530c28547e3d22801e36df6f601c737157d3ced5b1aa36a2d5

          SHA512

          f27a17c6b74765e7451b4508f2cddda4baccf34633c9663a5f350d3afabb1a388a27a4160e1db9be1a8a1e188c9ccd52a967d1860f6012ed0cd2f6e56c88cffd

          Download Submit

        • C:\Users\Admin\Documents\conf.ini
          Filesize

          212B

          MD5

          b9b982b26614e29f7819aa01709ab988

          SHA1

          491ae9658a53da0cf72ffee32c03e473cf28d45e

          SHA256

          ba2ba95c8869aff0b8f9611f9d3aadd155ff52481546bf976409906621b9a607

          SHA512

          38432685d01526e1e528346700f6a7b27c1e0fc01ab7a260b520fb6b698ba53181bc91fed8d5320b31534bd93c414276eb2e4abe7a557067bd6479af8099f72d

          Download Submit

        • memory/2416-0-0x0000000000400000-0x0000000001D65000-memory.dmp

          Filesize

          25.4MB

          Download

        • memory/2416-20-0x0000000000400000-0x0000000001D65000-memory.dmp

          Filesize

          25.4MB

          Download

        • memory/2524-16-0x0000000002F60000-0x0000000002F87000-memory.dmp

          Filesize

          156KB

          Download

        • memory/2524-19-0x0000000000AA0000-0x0000000000C86000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2524-33-0x0000000003030000-0x0000000003048000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2524-21-0x0000000010000000-0x0000000010014000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2524-36-0x0000000003160000-0x00000000031B9000-memory.dmp

          Filesize

          356KB

          Download

        • memory/2524-34-0x0000000000AA0000-0x0000000000C86000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2524-18-0x0000000000AF7000-0x0000000000AF8000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2524-22-0x00000000039B0000-0x0000000003AB9000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2524-39-0x0000000000AA0000-0x0000000000C86000-memory.dmp

          Filesize

          1.9MB

          Download