Analysis
-
max time kernel
119s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
01-08-2024 19:17
General
-
Target
4.exe
-
Size
111KB
-
MD5
a9b40e0b76aa5a292cb6052c6c2fd81d
-
SHA1
e15bba9e662ef45350720218617d563620c76823
-
SHA256
f5017d72f3b829a55971f877ebaa257f5e9791ae253ae23111cc45628477c36c
-
SHA512
ad49410a233614128a103ae55155665f563b67daa7411c42bf314a6a6d1c2cb61e4428d9049d0d3209d44a1b5eef1cab00541b6bb41dcf575ff9e7e406a2f23f
-
SSDEEP
384:HQQA4mqWJ0P+ik1ND3Q69fl6+CQKnrw41MXDGl7xPxh8E9VF0NyrM1t:Q4mqWyPO193X9CQYrw2MXDGVxPxWENgt
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 1 IoCs
-
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
-
Fatal Rat payload 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 53 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4.exe"C:\Users\Admin\AppData\Local\Temp\4.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\helppane.exeC:\Windows\helppane.exe -Embedding1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\bckwlh\Agghosts.exe"C:\bckwlh\Agghosts.exe"2⤵
- Adds Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
111KB
MD5a9b40e0b76aa5a292cb6052c6c2fd81d
SHA1e15bba9e662ef45350720218617d563620c76823
SHA256f5017d72f3b829a55971f877ebaa257f5e9791ae253ae23111cc45628477c36c
SHA512ad49410a233614128a103ae55155665f563b67daa7411c42bf314a6a6d1c2cb61e4428d9049d0d3209d44a1b5eef1cab00541b6bb41dcf575ff9e7e406a2f23f
-
Filesize
33KB
MD5726832c03e239a3f38e4d6daac1a1d9e
SHA169547607c2d7619f51c3f5be5cfd6282950d7781
SHA2562b55986710655eeb760bea642221382a026f208ee500d2f73617a042ad149be4
SHA512e7d88b94bf12bdf0a3e5c0c3c6979eb29b2bf6e3afd3ab0f27b5a8932d39d058b10ea07af433bd3dcc1ae21c8b4885e2e3683327577f6779a87a4016eaf3d232
-
Filesize
384KB
MD59eea6cd939e4e291216be86f9a52faae
SHA144196107ad556935e563001ff7ec1ce84a2b123f
SHA256c4de39025ced36960aecb607de54271f87c36270af0c567ca5578ddacbcc73ac
SHA512811e684428dddc62ef6427e5887ab168d05aa6240c96b7ba07e6f8dcdc997a5ef7564594e6efd5b2e003895f86c3e187459fa931f3dbb3f18c87eeaaf81d5d8f
-
Filesize
429KB
MD5cfbdf284c12056347e6773cb3949fbba
SHA1ad3fa5fbbc4296d4a901ea94460762faf3d6a2b8
SHA256bbecdfda2551b01aa16005c88305982c360a9fb9ba3d9be2fb15f2e9c6eb809f
SHA5122f24eac94d51f8f28c8e6b6234ca2e481e0f8f1a73df62766ff4f5640480377fb2c4a469babedb87d303503994b469e570aaf725e16da6f9b2d6a77f15b4623f
-
Filesize
77KB
MD5f107a3c7371c4543bd3908ba729dd2db
SHA1af8e7e8f446de74db2f31d532e46eab8bbf41e0a
SHA25600df0901c101254525a219d93ff1830da3a20d3f14bc323354d8d5fee5854ec0
SHA512fd776f8ceaac498f4f44819794c0fa89224712a8c476819ffc76ba4c7ff4caa9b360b9d299d9df7965387e5bbcb330f316f53759b5146a73b27a5f2e964c3530
-
Filesize
668KB
-
Filesize
192KB
-
Filesize
164KB
-
Filesize
4KB