Overview

overview

10

Static

static

10

6bffb9be72...8N.exe

windows7-x64

10

6bffb9be72...8N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/10/2024, 17:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6bffb9be72d993adffad335bd84d9b77fe3b15ea732e0fa6be8cb22b7167a358N.exe

  • Size

    366KB

  • MD5

    42e9d48c7d070c62f785607676fb63f0

  • SHA1

    e9cbec400904cd7b1df76af08d38f8bf79e871ab

  • SHA256

    6bffb9be72d993adffad335bd84d9b77fe3b15ea732e0fa6be8cb22b7167a358

  • SHA512

    905170b1936150a5a1bc08f34f033fd2dac8aa13e9af4c9bc48eefb4209b84a0d9a7a6bcee653e7e50a168ab45b4ccd2e54b470ee24183f0f7c18da331c317cd

  • SSDEEP

    6144:BSfSHl+gv5gY1F53Aul/Egv4+E6qnwEGvIkJ7G9P1t:B2SHl+gv5gY1b5Eo4+EsEEIkJ7G9P1t

Score
10/10
blackmoonbankerdiscoverytrojan

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6bffb9be72d993adffad335bd84d9b77fe3b15ea732e0fa6be8cb22b7167a358N.exe
    "C:\Users\Admin\AppData\Local\Temp\6bffb9be72d993adffad335bd84d9b77fe3b15ea732e0fa6be8cb22b7167a358N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2580
    • C:\Users\Admin\AppData\Local\Temp\Syslemdlooy.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemdlooy.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2916

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini
    Filesize

    103B

    MD5

    cbb728848b85481227eb35ae1ef355bb

    SHA1

    6f1202436788a86151b4a9eee9b40d9b3ea6f616

    SHA256

    a6931730b7b02755d84099a04d4e60b3b36772d31f2d94f5fd9554500f179204

    SHA512

    78fde11f4df6e42ed3a7338a3c48cec1b288821c53dc21e2fc7a669a42e33496b82f54dfa5ab93055e411c7084f360e5af412a831ae03539d6999268cab67af5

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Syslemdlooy.exe
    Filesize

    366KB

    MD5

    e0801a02406df9e7ae825f268195ec33

    SHA1

    d02b853b0bd587b64aea1ea0a3dec5e4cbab88a9

    SHA256

    fea86f1fbe9b4797838fdc1b9f9ca5cbcb13d3649f6cffa8bca97da7c269e0d0

    SHA512

    6a2631f61427c76a6bccf7297f9eac2625dd2edf76151177c1044c506e4c22de73b8befdba0b00e15d5607d481ca0a73865eb7d00dcc87621911ea4f543efd27

    Download Submit