Overview

overview

10

Static

static

5

d8a962c01a...4d.exe

windows7-x64

10

d8a962c01a...4d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2024 15:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d8a962c01aefdd2a93c440cafe57b0ddcbd95208f13fd8015a1648aa99c8e74d.exe

  • Size

    74KB

  • MD5

    bcd4c107a4e12b065004c4ce99857bae

  • SHA1

    6431fb3a13bf0338f84586ae2f1f4e559704e283

  • SHA256

    d8a962c01aefdd2a93c440cafe57b0ddcbd95208f13fd8015a1648aa99c8e74d

  • SHA512

    39f69d0adc9f902791377e2ff697b41ebb8fee9493004f62ea1c491d139b1afbd24912e3a9f3cb2d24af6b2eb6c6862382f9961dbdaa32a9dc1d448c63d2745d

  • SSDEEP

    1536:IyfIcT9U1tPrgQvhLopacl1TsQk0NJP/PAjgas/3VUN0YWZPnouy8L1:VfIS2vhLoz5sQkqgjg1YWZfoutJ

Score
10/10
blackmoonbankerdiscoverytrojanupx

Malware Config

Signatures

  • Blackmoon family
    blackmoon
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8a962c01aefdd2a93c440cafe57b0ddcbd95208f13fd8015a1648aa99c8e74d.exe
    "C:\Users\Admin\AppData\Local\Temp\d8a962c01aefdd2a93c440cafe57b0ddcbd95208f13fd8015a1648aa99c8e74d.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Users\Admin\AppData\Local\Temp\Syslemyhcxb.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemyhcxb.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4384

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Syslemyhcxb.exe
    Filesize

    74KB

    MD5

    89ab0cb43193cc3400fd0c8b93c48b49

    SHA1

    0c71ede464f5f8cd5b7a0aafdda87e3d3977b681

    SHA256

    c949e8d57d96597413ec85b7ed17ad0c27bcdbbce00633191680a95c3fc9011e

    SHA512

    378b665773e7d0978b7001f1249157aa49be5b1d6fbf5d6c76d3b79d99bdb596da89151a6f29708cb47c6b1e4742f03f40e88b8614e139dbbce00294416166e9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini
    Filesize

    102B

    MD5

    bc1a09b32c052e6b3498150233ff5cfe

    SHA1

    5a111e3bb1a66a07acbae2ef19fd67f80f834531

    SHA256

    a15f6dd76844ec33b59a1d69643912fb578f9cbf2ac65a981f274a050339e50f

    SHA512

    205366823044abd3153d054dd5f37bd32b5c27c0467aec37dcbd0eff84e8d4285fa7765dc106ccc07528689704894ab69f15d89e9d7af7ebdac087c8590e0fa6

    Download Submit

  • memory/1192-0-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

    Download

  • memory/1192-14-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

    Download

  • memory/4384-16-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

    Download