Overview

overview

10

Static

static

10

e9bbbb9f58...5e.exe

windows7-x64

10

e9bbbb9f58...5e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/11/2024, 03:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e9bbbb9f58a7b3bf1415cfe153254ebb0748afd897aec938f6e87cdf00027d5e.exe

  • Size

    436KB

  • MD5

    be57979dcc44b1d0e3d22c7a524c2fda

  • SHA1

    bec2683275447573039d51223ef6f2e3d716f8d5

  • SHA256

    e9bbbb9f58a7b3bf1415cfe153254ebb0748afd897aec938f6e87cdf00027d5e

  • SHA512

    7ab2dde10945e52b511797f43efa12d3067ee3e9084984e9c1842762a236f9dc4c3b280b095770d4a6f156de81f09bfca29cc3a2d3b809e4e5311ebc89722186

  • SSDEEP

    6144:dGdR+Yk/N8duBmG6t+UnRsRCQ/OJZOg7u:doR+Y4NSG6oUnRsdOJZOg7u

Score
10/10
blackmoonbankerdiscoverytrojan

Malware Config

Signatures

  • Blackmoon family
    blackmoon
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e9bbbb9f58a7b3bf1415cfe153254ebb0748afd897aec938f6e87cdf00027d5e.exe
    "C:\Users\Admin\AppData\Local\Temp\e9bbbb9f58a7b3bf1415cfe153254ebb0748afd897aec938f6e87cdf00027d5e.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3800
    • C:\Users\Admin\AppData\Local\Temp\Syslemjzscg.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemjzscg.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2524

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Syslemjzscg.exe
    Filesize

    436KB

    MD5

    eeb6b32bdbdc25b4485dcfe7bf28b6df

    SHA1

    456fb85592633280aedb8043dcd531c0a4c98dd3

    SHA256

    3e703d068a641465b37fcf004045c81705b738ea00e94dbaf671bb986531bb04

    SHA512

    7dcca0c17ec941f7c90ceb52d0a7853251df8f9bfba6e20dfe0d7f52372880a0c5b1ab3bcc7ae7697256daf5f8c6dd74f1e0b0676a8fdbba770f1213897aa0c6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini
    Filesize

    102B

    MD5

    7892fd2a20a5339f5c4217c731b58515

    SHA1

    6ce46ebddf0e5d31bffdf6c52e5b816b8d0f1262

    SHA256

    3cdcb52bb8b8aa20253be35fcc874e47a8839b4f3694a854e8c4f5b442e6a4bf

    SHA512

    0ef09a90ec55e320826b2670055ca3b7b45b9b01eca787f72cd92dc837e332e2cc0bdf0e8a7e78c396fe5e3791d6ec8bab856707470c3f4d5109d57377d72736

    Download Submit