Analysis

  • max time kernel
    13s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    09-11-2024 23:55

General

  • Target

    aa27ccab35b2c6efe143c22907cfca3364f3fc5367bded59c73f2b9acba7f2abN.exe

  • Size

    469KB

  • MD5

    26e3842fd1b8d9392ca3b99c2454c380

  • SHA1

    3d4c780451d786b627d5e22dd561efcae73239fd

  • SHA256

    aa27ccab35b2c6efe143c22907cfca3364f3fc5367bded59c73f2b9acba7f2ab

  • SHA512

    f2b49c2512c8e23edad11c653f83fd274997c70a9d0354ce1715c3400ea725c166a60b8ce656fa502c360d78f25f077440fffaa45327f7339cd4c666edae483a

  • SSDEEP

    6144:hqzOPI16UkWVs+QEoD/dL/4oSlCIqbKRs4EkfRDaPRrnVkWHQG:hqzIIUUvVs+IdMoSzqkR5RWVVWG

Malware Config

Signatures

  • Blackmoon family
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa27ccab35b2c6efe143c22907cfca3364f3fc5367bded59c73f2b9acba7f2abN.exe
    "C:\Users\Admin\AppData\Local\Temp\aa27ccab35b2c6efe143c22907cfca3364f3fc5367bded59c73f2b9acba7f2abN.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2104
    • \??\c:\xfbrl.exe
      c:\xfbrl.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 96
        3⤵
        • Program crash
        PID:1244

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\xfbrl.exe

    Filesize

    469KB

    MD5

    2a965aa6007c9c05aaf53ff416733447

    SHA1

    cb49138903ea33fe91393d3f3507ddd13f96196a

    SHA256

    39a14c59c5d668a915b9a30a5769e7d139de4c74b396c5184eafc4bd3770ca9b

    SHA512

    cb6b6236535f2ee98d00ebde700303dd348fbc70f908948ab44ecc07b7ec490f9fc8521be2da861eddbfde48e03f095983b93b12679769f3cb08123c603da394