Analysis
-
max time kernel
148s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
29-09-2024 11:24
General
-
Target
838771a802cff34cdfb9b04c4fa14eb3bd796341696746e3fe8f48b015b10d7e.exe
-
Size
2.8MB
-
MD5
a8fe411c68adcd42d0270b015dd36dfd
-
SHA1
d446c7dc5cd155b66bb7eff4b687cdbb0e5b28f0
-
SHA256
838771a802cff34cdfb9b04c4fa14eb3bd796341696746e3fe8f48b015b10d7e
-
SHA512
e6be91ac4d23f1efaf61b1398ea15a3d252f8df2e4e673d7bb385b667a26e3092a50d35a4e13985f722ad10a916df3e928f1d1bf3e5c2671bfe3c63bf0c1f8dd
-
SSDEEP
49152:nF+P9VgqrzbfDULyOPtjN/lXekpomFsEB7yOrRBST1WjyK:F+PfRELyOhN/lXe4FsNyOWWK
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 5 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 4 IoCs
-
Drops file in System32 directory 2 IoCs
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\838771a802cff34cdfb9b04c4fa14eb3bd796341696746e3fe8f48b015b10d7e.exe"C:\Users\Admin\AppData\Local\Temp\838771a802cff34cdfb9b04c4fa14eb3bd796341696746e3fe8f48b015b10d7e.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\KMNPEF.ITJ"C:\Users\Admin\AppData\Local\Temp\KMNPEF.ITJ"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh winsock reset3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
120KB
MD5c3adbb35a05b44bc877a895d273aa270
SHA18afe20d8261d217fd23ccfe53bd45ad3bec82d2d
SHA256b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c
SHA512614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc
-
Filesize
2.8MB
MD565a955ee340b63029b1c67d62c79ef95
SHA15c174ee1d2da779e1fa5cd6a5b8a3f68165347df
SHA25633a266467e461946baf890aa1173960ffee69492aa1cf5ce949e0fc63cb7ba1a
SHA5124f7a05df6395a01a0d197076357ad839f0b7d8ff427401877cb55b3ba754caa25ccfa1d6b4e556b17f034bf642eb38f414bf0b7ae5bda0278abccda832184767
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB