Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-11-2024 06:34

General

  • Target

    e7a3e19805a91aa43c6f8f51f6876ce519ecdd87f7d744dbff4d5bf99e44aba3N.exe

  • Size

    2.1MB

  • MD5

    a2df606598320e14f6e722ff23b9dfb0

  • SHA1

    3bd628a57b717a78148cce337b4b2edcd693598c

  • SHA256

    e7a3e19805a91aa43c6f8f51f6876ce519ecdd87f7d744dbff4d5bf99e44aba3

  • SHA512

    bf243d8c0246c7c928e645a02e5f94c075ec41599d4b8100ea45d8cc420268cb4d84b15f82a030719f064a01a594457e9e7a5d3558e59da5bcfcca800efc812b

  • SSDEEP

    24576:3qzIIUgC8d36kLBXlnB8j7v5Ta+hLLQ20JmXSeWwa1oWJQjk0svTS/PPsbb1hwR/:3sCOfN6X5tLLQTg20ITS/PPs/1k/

Malware Config

Signatures

  • Blackmoon family
  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 4 IoCs
  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with the UPX open-source packer or a modified variant of it.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7a3e19805a91aa43c6f8f51f6876ce519ecdd87f7d744dbff4d5bf99e44aba3N.exe
    "C:\Users\Admin\AppData\Local\Temp\e7a3e19805a91aa43c6f8f51f6876ce519ecdd87f7d744dbff4d5bf99e44aba3N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:744
    • \??\c:\thbtnt.exe
      c:\thbtnt.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2968
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 224
        3⤵
        • Program crash
        PID:3528
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2968 -ip 2968
    1⤵
    PID:4992

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\thbtnt.exe

    Filesize

    2.1MB

    MD5

    22999cab3e2fd6af05017bd8be9332ad

    SHA1

    99abbc7ed9d1675414056a136308b6dc362b8b08

    SHA256

    668a8297932fbf8774911ab5d329db97c08f4db2fcda770922d65cf5aa0bbb89

    SHA512

    e13cf45bd22dbe43ca489d0e7c276119a97c7e4b64e22de66c2a92d01acbbd9c95d5ad7d19acbaa8f727a878352522aeec93889630c978dbcca55b7a4d5fe1ec

  • memory/744-0-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/744-5-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/2968-4-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB