Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-08-2024 14:49

General

  • Target

    57c8953f1c2a0bb52182fda6eb105c90N.exe

  • Size

    437KB

  • MD5

    57c8953f1c2a0bb52182fda6eb105c90

  • SHA1

    6282433b51f8f49526a2eafa85df594148301f74

  • SHA256

    ba5414506b0b347beb9ebef6bcdc6c7a82f2dfe6a718d364be0c27675f50e362

  • SHA512

    5d17044a6159d9e51dd008c7c6704b4f160229267c1009a812907d8329e8efeaab5c590331ef979634eb7b722d4709417e433a800a5f9ec23157298482ef4929

  • SSDEEP

    3072:q0mx45LFnq9qDAuSbAXVkQUQ9oPfz0c0uxNUIqTkHoYCDfxj4/0/yjUuMx8kj:q0m2FqgDAuSbAXKfz0c0sUIJHk40/yWX

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\57c8953f1c2a0bb52182fda6eb105c90N.exe
    "C:\Users\Admin\AppData\Local\Temp\57c8953f1c2a0bb52182fda6eb105c90N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:320
    • C:\Users\Admin\AppData\Local\Temp\Syslemazdya.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemazdya.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1736

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Syslemazdya.exe

    Filesize

    437KB

    MD5

    51fcfef34f3731a7a3ed09b35d29da06

    SHA1

    0d9d0057e202a7c77e55966e0a7465a3479a1e36

    SHA256

    9f75b5e4c39502df3f0ce79928d7dbe8eebb674392dea3e44305c871e6553f34

    SHA512

    e57661e0e80312a787d6a60ccfa3977bec78733ee67fbe0b887e0d1f74687328116e85a5d6570e5688b255586d188e57af196b89f5a071153c3df68f85657876

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini

    Filesize

    71B

    MD5

    b770767195c15d18fd437838813d7eb7

    SHA1

    456d3773738fef34f069cb6977153a0d8ef25594

    SHA256

    abf1d854a256e83f0263ee82fdabf080c681dc6417b6a8fdb998d58d3953040b

    SHA512

    50f4dd6790f0132e142ae4b576d70a2accc1fafba429a12182fe47544f6bf148316ed69ab22c71badc51548ef1c523aacb0802e5549da3f61397de479770eb95