Overview

overview

10

Static

static

10

c5c4b07d13...20.exe

windows7-x64

10

c5c4b07d13...20.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26-12-2024 19:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c5c4b07d1316494714e311d3fdaf92402ad98c3d9ddb4852082c3357248f7220.exe

  • Size

    366KB

  • MD5

    0f73949e4672de28ad6b4533ef2eab13

  • SHA1

    65a0a911e2a95e858f29964e5fe4c5c20f8db837

  • SHA256

    c5c4b07d1316494714e311d3fdaf92402ad98c3d9ddb4852082c3357248f7220

  • SHA512

    c5fd0d373bd342da7eb284c4acb2210a69657b7f2082778d0c23f2a0bf849f9d7fe6ca5d06325f3db5a7967f7993aab8c1000b6ac3e4ee661052c9dd20f25eb6

  • SSDEEP

    6144:BSfSHl+gv5gY1F53Aul/Egv4+E6qnwEGvIkJ7G9P1P:B2SHl+gv5gY1b5Eo4+EsEEIkJ7G9P1P

Score
10/10
blackmoonbankerdiscoverytrojan

Malware Config

Signatures

  • Blackmoon family
    blackmoon
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5c4b07d1316494714e311d3fdaf92402ad98c3d9ddb4852082c3357248f7220.exe
    "C:\Users\Admin\AppData\Local\Temp\c5c4b07d1316494714e311d3fdaf92402ad98c3d9ddb4852082c3357248f7220.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Users\Admin\AppData\Local\Temp\Syslemaqtee.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemaqtee.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2612

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini
    Filesize

    102B

    MD5

    acf91eb69a8244f33bc3c5fe7cc6945b

    SHA1

    b09d5ca0bb0a7d7999cae84159ce472611b38470

    SHA256

    e0cbdc3f3c572f83305aed7c64b0eaf74b257f79e5bb6c51caa6e081cf31854a

    SHA512

    00f48c074fcc276ddc376d866f3614f81e2a1624c970875c16c9a4469985b8c69100272215eb5e5ce46fb008daf0f88e065fd03ca4a9be615f62d8677ab82aac

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Syslemaqtee.exe
    Filesize

    366KB

    MD5

    b3fed7eb7844f40ef1febe02fa2583da

    SHA1

    bd841955a08a7363edd44dce6dc9cb511afeaf1f

    SHA256

    a782340859beb2298b1caae42af5b5e9dc64aa9ab416b895f2868785e9c99f18

    SHA512

    bafde556fc9b1e2748190e8dc4c91e29edd733235e666150fb715619ac793f725732ad63a1eed746fea0ce6150efbe38999e71cb2a2c7ee9e79fa38ac83d82cd

    Download Submit