Analysis

  • max time kernel
    64s
  • max time network
    83s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-08-2024 17:08

General

  • Target

    4.exe

  • Size

    111KB

  • MD5

    a9b40e0b76aa5a292cb6052c6c2fd81d

  • SHA1

    e15bba9e662ef45350720218617d563620c76823

  • SHA256

    f5017d72f3b829a55971f877ebaa257f5e9791ae253ae23111cc45628477c36c

  • SHA512

    ad49410a233614128a103ae55155665f563b67daa7411c42bf314a6a6d1c2cb61e4428d9049d0d3209d44a1b5eef1cab00541b6bb41dcf575ff9e7e406a2f23f

  • SSDEEP

    384:HQQA4mqWJ0P+ik1ND3Q69fl6+CQKnrw41MXDGl7xPxh8E9VF0NyrM1t:Q4mqWyPO193X9CQYrw2MXDGVxPxWENgt

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • FatalRat

    FatalRat is a modular infostealer family written in C++ that first appeared in June 2021.

  • Fatal Rat payload 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4.exe
    "C:\Users\Admin\AppData\Local\Temp\4.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:4092
  • C:\Windows\helppane.exe
    C:\Windows\helppane.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2328
    • C:\midskx\Agghosts.exe
      "C:\midskx\Agghosts.exe"
      2⤵
      • Adds Run key to start application
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1428

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\midskx\Agghosts.exe

    Filesize

    111KB

    MD5

    a9b40e0b76aa5a292cb6052c6c2fd81d

    SHA1

    e15bba9e662ef45350720218617d563620c76823

    SHA256

    f5017d72f3b829a55971f877ebaa257f5e9791ae253ae23111cc45628477c36c

    SHA512

    ad49410a233614128a103ae55155665f563b67daa7411c42bf314a6a6d1c2cb61e4428d9049d0d3209d44a1b5eef1cab00541b6bb41dcf575ff9e7e406a2f23f

  • C:\midskx\EduWebContainer.dll

    Filesize

    33KB

    MD5

    726832c03e239a3f38e4d6daac1a1d9e

    SHA1

    69547607c2d7619f51c3f5be5cfd6282950d7781

    SHA256

    2b55986710655eeb760bea642221382a026f208ee500d2f73617a042ad149be4

    SHA512

    e7d88b94bf12bdf0a3e5c0c3c6979eb29b2bf6e3afd3ab0f27b5a8932d39d058b10ea07af433bd3dcc1ae21c8b4885e2e3683327577f6779a87a4016eaf3d232

  • C:\midskx\Ensup.log

    Filesize

    384KB

    MD5

    9eea6cd939e4e291216be86f9a52faae

    SHA1

    44196107ad556935e563001ff7ec1ce84a2b123f

    SHA256

    c4de39025ced36960aecb607de54271f87c36270af0c567ca5578ddacbcc73ac

    SHA512

    811e684428dddc62ef6427e5887ab168d05aa6240c96b7ba07e6f8dcdc997a5ef7564594e6efd5b2e003895f86c3e187459fa931f3dbb3f18c87eeaaf81d5d8f

  • C:\midskx\MSVCP140.dll

    Filesize

    429KB

    MD5

    cfbdf284c12056347e6773cb3949fbba

    SHA1

    ad3fa5fbbc4296d4a901ea94460762faf3d6a2b8

    SHA256

    bbecdfda2551b01aa16005c88305982c360a9fb9ba3d9be2fb15f2e9c6eb809f

    SHA512

    2f24eac94d51f8f28c8e6b6234ca2e481e0f8f1a73df62766ff4f5640480377fb2c4a469babedb87d303503994b469e570aaf725e16da6f9b2d6a77f15b4623f

  • C:\midskx\VCRUNTIME140.dll

    Filesize

    77KB

    MD5

    f107a3c7371c4543bd3908ba729dd2db

    SHA1

    af8e7e8f446de74db2f31d532e46eab8bbf41e0a

    SHA256

    00df0901c101254525a219d93ff1830da3a20d3f14bc323354d8d5fee5854ec0

    SHA512

    fd776f8ceaac498f4f44819794c0fa89224712a8c476819ffc76ba4c7ff4caa9b360b9d299d9df7965387e5bbcb330f316f53759b5146a73b27a5f2e964c3530

  • memory/1428-22-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/1428-25-0x0000000000FA0000-0x0000000000FC9000-memory.dmp

    Filesize

    164KB

  • memory/4092-0-0x0000000010000000-0x00000000100A7000-memory.dmp

    Filesize

    668KB