Overview

overview

10

Static

static

10

b0e84ed89c...4N.exe

windows7-x64

10

b0e84ed89c...4N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-12-2024 08:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b0e84ed89cc8acf538542824d322d5bc91f893324489331430eb54af39fc2ef4N.exe

  • Size

    357KB

  • MD5

    aefeb74729763b0a94dd5710b8101560

  • SHA1

    c496cd8ffe2214bcd20fb232c90e00f9567435e1

  • SHA256

    b0e84ed89cc8acf538542824d322d5bc91f893324489331430eb54af39fc2ef4

  • SHA512

    14ee7f16588ab5ecc3f59648382ba8571dff2913d01c852fffb656da0f5e72436ac4ebe8338e04dd3aaa00a79eb335e9f76f73aaea0fab493bc0ec8ff5d6b620

  • SSDEEP

    6144:mvk3Q5ibjnNuuXckaL7pbRBkce97aw/N4L7oJ:mvMQ5ibjnwka3pbRC19Gw/NsoJ

Score
10/10
blackmoonbankerdiscoverytrojan

Malware Config

Signatures

  • Blackmoon family
    blackmoon
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b0e84ed89cc8acf538542824d322d5bc91f893324489331430eb54af39fc2ef4N.exe
    "C:\Users\Admin\AppData\Local\Temp\b0e84ed89cc8acf538542824d322d5bc91f893324489331430eb54af39fc2ef4N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4808
    • C:\Users\Admin\AppData\Local\Temp\Systemdswwa.exe
      "C:\Users\Admin\AppData\Local\Temp\Systemdswwa.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3640

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Systemdswwa.exe
    Filesize

    357KB

    MD5

    3eeabda1b1f2c89ac0e956eef52792e7

    SHA1

    cafad852c8eb3889693f1d8637f5a8c612d100bb

    SHA256

    6fb50b7ea0de33590bf10e64d9166d73c0da708dc15399d8f60b9dd0a1bb451a

    SHA512

    dfea0d12b74ddecf77d0be133d435481f5c68e128e1ca362cf6cbe1150b13567b5d703860247f850623ead6cafd2603b5285097583432dfa2b3b81cf149f27b1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\fpath.ini
    Filesize

    103B

    MD5

    ce973d9f21a7dccd9a7c48e32eb75ce9

    SHA1

    fb8da5cf3f53860ca858ba82f005187d55e46b2d

    SHA256

    8e44d60646c1ba29c801ad038f662c45d39f164b69129915248563b71d38c611

    SHA512

    8dfab83a3a3a49fd57e56c5230b26bde141db61b0fe37d5c676364c6acf3f4ee90625b45c6306dd9f919db1a38a3cbe336383eafc63c5abc8cf046383554a479

    Download Submit