Overview

overview

10

Static

static

10

c5c4b07d13...20.exe

windows7-x64

10

c5c4b07d13...20.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    26-12-2024 19:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c5c4b07d1316494714e311d3fdaf92402ad98c3d9ddb4852082c3357248f7220.exe

  • Size

    366KB

  • MD5

    0f73949e4672de28ad6b4533ef2eab13

  • SHA1

    65a0a911e2a95e858f29964e5fe4c5c20f8db837

  • SHA256

    c5c4b07d1316494714e311d3fdaf92402ad98c3d9ddb4852082c3357248f7220

  • SHA512

    c5fd0d373bd342da7eb284c4acb2210a69657b7f2082778d0c23f2a0bf849f9d7fe6ca5d06325f3db5a7967f7993aab8c1000b6ac3e4ee661052c9dd20f25eb6

  • SSDEEP

    6144:BSfSHl+gv5gY1F53Aul/Egv4+E6qnwEGvIkJ7G9P1P:B2SHl+gv5gY1b5Eo4+EsEEIkJ7G9P1P

Score
10/10
blackmoonbankerdiscoverytrojan

Malware Config

Signatures

  • Blackmoon family
    blackmoon
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5c4b07d1316494714e311d3fdaf92402ad98c3d9ddb4852082c3357248f7220.exe
    "C:\Users\Admin\AppData\Local\Temp\c5c4b07d1316494714e311d3fdaf92402ad98c3d9ddb4852082c3357248f7220.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Users\Admin\AppData\Local\Temp\Syslemivzer.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemivzer.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2220

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini
    Filesize

    102B

    MD5

    acf91eb69a8244f33bc3c5fe7cc6945b

    SHA1

    b09d5ca0bb0a7d7999cae84159ce472611b38470

    SHA256

    e0cbdc3f3c572f83305aed7c64b0eaf74b257f79e5bb6c51caa6e081cf31854a

    SHA512

    00f48c074fcc276ddc376d866f3614f81e2a1624c970875c16c9a4469985b8c69100272215eb5e5ce46fb008daf0f88e065fd03ca4a9be615f62d8677ab82aac

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Syslemivzer.exe
    Filesize

    366KB

    MD5

    bfb7459e3ba3eca981181615e6d71c17

    SHA1

    b44af5f6d2c278c01d40b3cc68be40fb986bbbe6

    SHA256

    638fde1a374f7c7563bc690f43bc89c52aa1d83a1564dd5263d6ea2d963a7dc4

    SHA512

    587d5c8b56948b8f79ffd40198bb789474d0b99ef698787a3734f434adc4309121d54773d26409a0514380b686a925af7985bbc6bd301234d9d90dfd58747704

    Download Submit