Overview

overview

10

Static

static

10

c5c4b07d13...20.exe

windows7-x64

10

c5c4b07d13...20.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-12-2024 19:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c5c4b07d1316494714e311d3fdaf92402ad98c3d9ddb4852082c3357248f7220.exe

  • Size

    366KB

  • MD5

    0f73949e4672de28ad6b4533ef2eab13

  • SHA1

    65a0a911e2a95e858f29964e5fe4c5c20f8db837

  • SHA256

    c5c4b07d1316494714e311d3fdaf92402ad98c3d9ddb4852082c3357248f7220

  • SHA512

    c5fd0d373bd342da7eb284c4acb2210a69657b7f2082778d0c23f2a0bf849f9d7fe6ca5d06325f3db5a7967f7993aab8c1000b6ac3e4ee661052c9dd20f25eb6

  • SSDEEP

    6144:BSfSHl+gv5gY1F53Aul/Egv4+E6qnwEGvIkJ7G9P1P:B2SHl+gv5gY1b5Eo4+EsEEIkJ7G9P1P

Score
10/10
blackmoonbankerdiscoverytrojan

Malware Config

Signatures

  • Blackmoon family
    blackmoon
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5c4b07d1316494714e311d3fdaf92402ad98c3d9ddb4852082c3357248f7220.exe
    "C:\Users\Admin\AppData\Local\Temp\c5c4b07d1316494714e311d3fdaf92402ad98c3d9ddb4852082c3357248f7220.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4624
    • C:\Users\Admin\AppData\Local\Temp\Syslemokgfo.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemokgfo.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2468

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Syslemokgfo.exe
    Filesize

    366KB

    MD5

    09d033d2075071b96709564f4afa3aca

    SHA1

    12dade615ce7ad8ea3744349b3e4dafdb978d8a2

    SHA256

    aff49832e84e43b1ce4e1f1ae5aaf095d0bc6fc2df9cf847a9972bd6f1620e4b

    SHA512

    2d95c64c2c7b140379c20a7065c24c328bf9bda1df240d07e7338300f66e553c73f907e1b20c4f49b7deeedabda2bed4f45fb8ad72c44f5bd15aaefb6718b6d5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini
    Filesize

    102B

    MD5

    acf91eb69a8244f33bc3c5fe7cc6945b

    SHA1

    b09d5ca0bb0a7d7999cae84159ce472611b38470

    SHA256

    e0cbdc3f3c572f83305aed7c64b0eaf74b257f79e5bb6c51caa6e081cf31854a

    SHA512

    00f48c074fcc276ddc376d866f3614f81e2a1624c970875c16c9a4469985b8c69100272215eb5e5ce46fb008daf0f88e065fd03ca4a9be615f62d8677ab82aac

    Download Submit