Overview

overview

10

Static

static

3

fda935af71...cN.exe

windows7-x64

10

fda935af71...cN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    110s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2024 12:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fda935af7106c6281115b57639f4ce5f51f6a464b51bbd49e494e1ac83f91dfcN.exe

  • Size

    44KB

  • MD5

    708aed87ae6e514adcb85e9f67187740

  • SHA1

    641f52cbbdb78f025d6e81666bb1cbc00040d578

  • SHA256

    fda935af7106c6281115b57639f4ce5f51f6a464b51bbd49e494e1ac83f91dfc

  • SHA512

    d06fb8236690760a510965a1b4db7add482912770f26d207cd8e06cb5feb1c385e685aada71a8ab3087b2e7a6961af6c216acdc26812ea4d5716abc201d4af94

  • SSDEEP

    768:KmZ70XUP0K2I5f6VJiPy6jBZTCRoMUHIYhlDkYi0sDaF8QCFSXbyt/CSF7p97Db:Kf2V2IOSXQoMUHFhSYr+DQLytpF3

Score
10/10
blackmoonbankerdiscoverytrojan

Malware Config

Signatures

  • Blackmoon family
    blackmoon
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fda935af7106c6281115b57639f4ce5f51f6a464b51bbd49e494e1ac83f91dfcN.exe
    "C:\Users\Admin\AppData\Local\Temp\fda935af7106c6281115b57639f4ce5f51f6a464b51bbd49e494e1ac83f91dfcN.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2912
    • \??\c:\6088828.exe
      c:\6088828.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:2960

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\6088828.exe
    Filesize

    44KB

    MD5

    37646fba7559cf2c3a5ea48a7e303496

    SHA1

    02a138f7c6457814d483c9d22b4d33e34e54bb21

    SHA256

    b81737bd1a79b10461d2708c9d0971ce4fbcc606dcb286792fb53ac3435a4c72

    SHA512

    42ad6327125593a10e0b38396b6ba6e6b3f6506d002b28e888426fb38fc820dd8550d395826ef9fdec855ba1587086e8169114a16632c157530aac8fc9f00e85

    Download Submit

  • \??\c:\jl
    Filesize

    103B

    MD5

    a3fec80be74832df7c006ab531c6e00c

    SHA1

    6108c93367543979b2a8fb0287a246c78aa05c04

    SHA256

    4b462c3152b49ebb622488f9c1bdb3ed36b53a8f26d07e03a93d69dff4d33ead

    SHA512

    d3772c97c860ae098c0b0e72735bc478cba591b39646def21a7dfd6863cd78da28370750fa6ba670657e0b133c4cc704efdc45d6cb39065c107549aea4389e7a

    Download Submit

  • memory/2912-0-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2912-10-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2912-8-0x0000000000220000-0x000000000024A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2960-11-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2960-14-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download