Overview

overview

10

Static

static

10

4f5cdff2bf...09.exe

windows7-x64

10

4f5cdff2bf...09.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-10-2024 07:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4f5cdff2bfacee8aca7f3aaaad1b481eab958a365cf276e8e5d78df56ab0b509.exe

  • Size

    1.9MB

  • MD5

    7d300de0e749fbfb62913b29b19e31a3

  • SHA1

    2d1dbf9ff8cff335485908ea561b0200f008f109

  • SHA256

    4f5cdff2bfacee8aca7f3aaaad1b481eab958a365cf276e8e5d78df56ab0b509

  • SHA512

    469a7431de5d4818747d8f2b7843c29731290ede2655ae8add77b2dc7c79599466b2db81f3d4bf2602995eef64b10d687ef8b322ccb36d8b9877c8cb782357f9

  • SSDEEP

    24576:uiutLZi5jXHG/a1VdP+TLkjtU22hNBPIYF3TseQMOx4/YNsxPwkbiVMI/JbTaijB:iLym/cVdsQjtU22hNfGWgf03bwF

Score
10/10
blackmoonbankerdiscoverytrojanupx

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f5cdff2bfacee8aca7f3aaaad1b481eab958a365cf276e8e5d78df56ab0b509.exe
    "C:\Users\Admin\AppData\Local\Temp\4f5cdff2bfacee8aca7f3aaaad1b481eab958a365cf276e8e5d78df56ab0b509.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Users\Admin\AppData\Local\Temp\windowsPUG.exe
      "C:\Users\Admin\AppData\Local\Temp\windowsPUG.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3432

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\windowsPUG.exe
    Filesize

    1.0MB

    MD5

    b493f2b16e6cf806d749d1a7469d2cb8

    SHA1

    a5ecc29a587abe90e772abf7157b6f7542352f8a

    SHA256

    68ea178b58189bd526a07468bd8ca2d99a58f2dbea4182dd45ee8ab938ddca08

    SHA512

    76b1b2d6ec990c95d67a283830baaa8118b8eb8523417fb5cde993e193be21476f170dcc2e8685b507e603a72b695e53fdfd00d36c9611746be42907a27245d3

    Download Submit

  • memory/3432-8-0x00000000008F0000-0x00000000008FB000-memory.dmp

    Filesize

    44KB

    Download