Overview

overview

10

Static

static

10

9f8cea1485...3N.exe

windows7-x64

10

9f8cea1485...3N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-10-2024 13:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9f8cea1485e1ef8d538f18d5d72bd62175e754cf8619812b457149178953f363N.exe

  • Size

    366KB

  • MD5

    9b3b6d1b9f2949abc72e55d0556905b0

  • SHA1

    263263ea19b86182ca068ae385fd9e4ba59b45a2

  • SHA256

    9f8cea1485e1ef8d538f18d5d72bd62175e754cf8619812b457149178953f363

  • SHA512

    2db3873955868c959055873bce5d053d6925c9e3750f4b1362d50082d2cf2e13f82caa77af49969b5687a2b60879e3511d23e53e0920498d9346288d162d3b7c

  • SSDEEP

    6144:BSfSHl+gv5gY1F53Aul/Egv4+E6qnwEGvIkJ7G9P1W:B2SHl+gv5gY1b5Eo4+EsEEIkJ7G9P1W

Score
10/10
blackmoonbankerdiscoverytrojan

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f8cea1485e1ef8d538f18d5d72bd62175e754cf8619812b457149178953f363N.exe
    "C:\Users\Admin\AppData\Local\Temp\9f8cea1485e1ef8d538f18d5d72bd62175e754cf8619812b457149178953f363N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Users\Admin\AppData\Local\Temp\Syslemyandr.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemyandr.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3720

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Syslemyandr.exe
    Filesize

    366KB

    MD5

    6ebc3898aed2458050e0bbac6317ef36

    SHA1

    695b5d5887f6dd7c092a07d66c69d52b328d1b63

    SHA256

    038ff8f8dd1cc502cedd04a09a6489d3509d1f923f1c5ce36dacf4795868e745

    SHA512

    a3f4a355072b3e352fd950cdd19768fb17446badf9bf1a9a266a9c9b8200512fac30ff0d44dde06b59633c413dd235a4e113ee4fdeb8defa2d70a6a64307390f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini
    Filesize

    103B

    MD5

    3d9619471fbc0a8a84d71f3d6d1193a3

    SHA1

    e7106312a1177bfcf61f542190e18d91c01f0dbd

    SHA256

    89cccc6fbcb897ddfeaf82329bdb5d40c9a2dccc2fa6c1c03be892b53b49dc93

    SHA512

    a619d915b493fa72b972304f5d34851f6aa8a9c8aed5ed670939e48f30770e45508a65eefbfdd237fc352d64b047b8e4a50d99be7080882f6e60ea26e3160702

    Download Submit