Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-11-2024 18:34

General

  • Target

    48997abc7a5f99d6e78a2f557ba7190ff0abcac948952efbae6e29be6a9255fd.exe

  • Size

    432KB

  • MD5

    8f5487dff12ebb13dc64a3060cf062cf

  • SHA1

    4390cb4381fecbd498b9cfd00a3d388855b3c2d3

  • SHA256

    48997abc7a5f99d6e78a2f557ba7190ff0abcac948952efbae6e29be6a9255fd

  • SHA512

    5bef3169928ae09d8c399cf6b95792a5fce487e31a943042d91ef195400f64001ed1c29666e6ec28710889575b4d7d839b61b0498ce852ca880cc5509019983c

  • SSDEEP

    3072:TVmHpJqu0Vh6jw/fmZmRMpVuWwP5tOcQfgdVqYHKjoS1HwZCFjTPG1UFNE2XCKUB:TcHpJfHElepVuWwP5YcQfg8J+ojCKC+2

Malware Config

Signatures

  • Blackmoon family
  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload (1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for a geofence check.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\48997abc7a5f99d6e78a2f557ba7190ff0abcac948952efbae6e29be6a9255fd.exe
    "C:\Users\Admin\AppData\Local\Temp\48997abc7a5f99d6e78a2f557ba7190ff0abcac948952efbae6e29be6a9255fd.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1344
    • C:\Users\Admin\AppData\Local\Temp\Systemalkvy.exe
      "C:\Users\Admin\AppData\Local\Temp\Systemalkvy.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2400
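The process tree above shows the pattern a hunter would want to alert on: an EXE in %TEMP% spawning a second EXE from %TEMP%, a registry lookup of the configured country before the payload runs, and cleanup of an image file from the same tree. The block below is an added example, not part of the sandbox report or the Blackmoon sample, that encodes those three behaviours as rules over constructed telemetry records. The PIDs and image paths are taken from the report; the explorer.exe parent of the first process, the specific registry value `HKCU\Control Panel\International\Geo\Nation` as the read behind "Checks computer location settings", and which file the "Deletes itself" event removed are assumptions made for the sample events.

```python
"""Hunting rules for the dropper chain in this report, run over constructed events."""
import re
from dataclasses import dataclass

TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
EXE_RE = re.compile(r"\.exe$", re.IGNORECASE)
# Assumption: the "Checks computer location settings" signature corresponds to a read of this
# value, which holds the GeoID of the country configured for the user.
GEO_NATION_VALUE = r"HKCU\Control Panel\International\Geo\Nation"


@dataclass
class Event:
    """One telemetry record: kind is 'proc' (process start), 'reg' (registry read) or 'del' (file delete)."""
    kind: str
    pid: int
    image: str = ""        # image path of the acting process (for 'proc', the new process)
    ppid: int = 0          # parent PID ('proc' only)
    parent_image: str = ""
    target: str = ""       # registry value read or file path deleted


def in_temp(path: str) -> bool:
    return bool(TEMP_RE.match(path))


def temp_drop_chains(events):
    """Pairs (parent_pid, child_pid) where a process from %TEMP% launched another EXE from %TEMP%."""
    return [(e.ppid, e.pid) for e in events
            if e.kind == "proc" and in_temp(e.image) and EXE_RE.search(e.image)
            and in_temp(e.parent_image)]


def geofence_readers(events):
    """PIDs that read the country GeoID, i.e. the registry read behind a geofence check."""
    return sorted({e.pid for e in events
                   if e.kind == "reg" and e.target.lower() == GEO_NATION_VALUE.lower()})


def tree_image_deletions(events):
    """(pid, path) where a process deleted the image of any process in the observed tree, itself included."""
    images = {e.image.lower() for e in events if e.kind == "proc"}
    return [(e.pid, e.target) for e in events if e.kind == "del" and e.target.lower() in images]


def triage(events):
    """Aggregate the three rules; score counts how many of them fired (0 to 3)."""
    findings = {
        "temp_drop_chains": temp_drop_chains(events),
        "geofence_readers": geofence_readers(events),
        "tree_image_deletions": tree_image_deletions(events),
    }
    findings["score"] = sum(1 for v in findings.values() if v)
    return findings


# Constructed events mirroring the report's process tree. PIDs and paths are the page's; the
# explorer.exe parent, the Geo\Nation read and the deleted file are assumptions.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TEMP + r"\48997abc7a5f99d6e78a2f557ba7190ff0abcac948952efbae6e29be6a9255fd.exe"
PAYLOAD = TEMP + r"\Systemalkvy.exe"
SAMPLE_EVENTS = [
    Event("proc", 1344, DROPPER, ppid=1000, parent_image=r"C:\Windows\explorer.exe"),
    Event("reg", 1344, DROPPER, target=GEO_NATION_VALUE),
    Event("proc", 2400, PAYLOAD, ppid=1344, parent_image=DROPPER),
    Event("del", 2400, PAYLOAD, target=DROPPER),
]

if __name__ == "__main__":
    for name, value in triage(SAMPLE_EVENTS).items():
        print(name, value)
```

The rules deliberately key on the relationship between processes (parent and child both in %TEMP%, a deletion aimed at an image already seen in the tree) rather than on the file names, because the payload name `Systemalkvy.exe` and the sample hash will differ between builds while the drop-and-clean-up shape does not.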

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Systemalkvy.exe

    Filesize

    432KB

    MD5

    7a4154ed780004508aade0eec003752c

    SHA1

    47bfce6081c7bfe098c36ac2b40fee60d0564aa5

    SHA256

    97da94d845d9046a752c5a59bbe45ea28f8478afddfb880cf6b2f2afe1f4eaab

    SHA512

    5104bbd07075981e1b7a0f0619c9d054016e4730c2ceeef0a4a22d79e17537691a19c0592444effe93b861d154e30750894078fafd4262f166fe9d55e57e7406

  • C:\Users\Admin\AppData\Local\Temp\path.ini

    Filesize

    102B

    MD5

    72dfecc0a5b0f88744cee8303487c39f

    SHA1

    c997e381cd63c61ab54dd53ea9b06bcba50ac4a6

    SHA256

    63f4a0f3edd1a2aee98b8411609ee51469f96e482ba5727bc69b9b1d57df23ef

    SHA512

    2be19036cbd0a51a9401274604b634305c4193d455c3a02d6f19d631fc307217189513cfe0cc13bc249a668aaaf29b6eb19ed493cd495f1a66b70061f6c43a28