Overview

overview

10

Static

static

10

c5c4b07d13...20.exe

windows7-x64

10

c5c4b07d13...20.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-12-2024 19:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c5c4b07d1316494714e311d3fdaf92402ad98c3d9ddb4852082c3357248f7220.exe

  • Size

    366KB

  • MD5

    0f73949e4672de28ad6b4533ef2eab13

  • SHA1

    65a0a911e2a95e858f29964e5fe4c5c20f8db837

  • SHA256

    c5c4b07d1316494714e311d3fdaf92402ad98c3d9ddb4852082c3357248f7220

  • SHA512

    c5fd0d373bd342da7eb284c4acb2210a69657b7f2082778d0c23f2a0bf849f9d7fe6ca5d06325f3db5a7967f7993aab8c1000b6ac3e4ee661052c9dd20f25eb6

  • SSDEEP

    6144:BSfSHl+gv5gY1F53Aul/Egv4+E6qnwEGvIkJ7G9P1P:B2SHl+gv5gY1b5Eo4+EsEEIkJ7G9P1P

Score
10/10
blackmoonbankerdiscoverytrojan

Malware Config

Signatures

  • Blackmoon family
    blackmoon
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5c4b07d1316494714e311d3fdaf92402ad98c3d9ddb4852082c3357248f7220.exe
    "C:\Users\Admin\AppData\Local\Temp\c5c4b07d1316494714e311d3fdaf92402ad98c3d9ddb4852082c3357248f7220.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Users\Admin\AppData\Local\Temp\Syslemakprp.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemakprp.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3284

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Syslemakprp.exe
    Filesize

    366KB

    MD5

    4a1680dcdc87e2f3126e4532e25e5154

    SHA1

    9b68ece7c138cc1530e9a3026cfd6427c68482f2

    SHA256

    0a21ca7f158c5eadedd40264cf8ecd74ccf44e360c6ad7136df817b18a9b711a

    SHA512

    c75f2179da867c56d9ba8aaa05e11d2b10805cbcf596df4492300920e762fe622ab4284737aab9a0107c1732011c6657946ac3776386ec7408edf8426e88ca3a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini
    Filesize

    102B

    MD5

    acf91eb69a8244f33bc3c5fe7cc6945b

    SHA1

    b09d5ca0bb0a7d7999cae84159ce472611b38470

    SHA256

    e0cbdc3f3c572f83305aed7c64b0eaf74b257f79e5bb6c51caa6e081cf31854a

    SHA512

    00f48c074fcc276ddc376d866f3614f81e2a1624c970875c16c9a4469985b8c69100272215eb5e5ce46fb008daf0f88e065fd03ca4a9be615f62d8677ab82aac

    Download Submit