Overview

overview

10

Static

static

7

8ffd0412f2...d3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/04/2025, 17:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8ffd0412f2172098f660e79ae6f932e977d0f7ebca4310a498b0feb47546abd3.exe

  • Size

    11.9MB

  • MD5

    a01f3244a007824b0ed79bb2f9c0ab8b

  • SHA1

    f047726ede8c269e881a8877139dcd2df458f6e6

  • SHA256

    8ffd0412f2172098f660e79ae6f932e977d0f7ebca4310a498b0feb47546abd3

  • SHA512

    cb6fd85eedbd6318a1981e57ed72b4ad009de5f408edc3b4740c6741555d072a2592fcf22523afbab4fca1e908c33647038c582e0294dc371454491d368fec5b

  • SSDEEP

    196608:vhGBU2YDejn3x25dLHqNpwgeK0SG+ZOaHoUAmmC8eQEx/gKr+vBI+f8KoNT5rF8N:QBJYDSIbqAg0SG+DHoxmr8n4y9fRodDG

Score
10/10
blackmoonbankerdiscoverytrojan

Malware Config

Signatures

  • Blackmoon family
    blackmoon
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ffd0412f2172098f660e79ae6f932e977d0f7ebca4310a498b0feb47546abd3.exe
    "C:\Users\Admin\AppData\Local\Temp\8ffd0412f2172098f660e79ae6f932e977d0f7ebca4310a498b0feb47546abd3.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2784
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c wmic OS Get DataExecutionPrevention_SupportPolicy>"C:\cmd_dep.txt"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5116
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic OS Get DataExecutionPrevention_SupportPolicy
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2140

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\RKinFeeSystem.ini
    Filesize

    129B

    MD5

    78d89536fa344a82364f1dda81d78f3a

    SHA1

    e866b4f7713f3b6718c2b4b836937c8b35ff7c31

    SHA256

    32c064c7c56cae4ea4ee32cf8ee2f110f2f715ed064c28c1a5e5b4b384439fa5

    SHA512

    2a04d9ea26e8617c60f5af189f2fce74baf151bb414390aa617adf140bce277d492764dc7a34671d0a09c61edebbd0b9f8d3ce591a2d6d54f66495f53cce6d58

    Download Submit

  • C:\cmd_dep.txt
    Filesize

    166B

    MD5

    2986710bef827476b9eb344a98c1ef75

    SHA1

    be0fa9c426a07af85a7c3e471af5f6a9c1f020da

    SHA256

    5a1bb571dc286002b186cc2139ff0eddfbfbaad4fcaea3b8c987544d8f577768

    SHA512

    d7ab88def47721d4e50c096f85297945cc010cad295bb6fcc1613e500a19cccfdd7b04c502f27c7f70dd2ef7093239f5bbbaa28e55817001d0e0f9c0e213300c

    Download Submit

  • memory/2784-0-0x0000000000400000-0x0000000001D6E000-memory.dmp

    Filesize

    25.4MB

    Download

  • memory/2784-2-0x0000000000400000-0x0000000001D6E000-memory.dmp

    Filesize

    25.4MB

    Download

  • memory/2784-1-0x0000000000400000-0x0000000001D6E000-memory.dmp

    Filesize

    25.4MB

    Download

  • memory/2784-3-0x0000000000400000-0x0000000001D6E000-memory.dmp

    Filesize

    25.4MB

    Download

  • memory/2784-12-0x0000000000400000-0x0000000001D6E000-memory.dmp

    Filesize

    25.4MB

    Download

  • memory/2784-13-0x0000000000400000-0x0000000001D6E000-memory.dmp

    Filesize

    25.4MB

    Download

  • memory/2784-14-0x0000000000400000-0x0000000001D6E000-memory.dmp

    Filesize

    25.4MB

    Download

  • memory/2784-15-0x0000000000400000-0x0000000001D6E000-memory.dmp

    Filesize

    25.4MB

    Download

  • memory/2784-16-0x0000000000400000-0x0000000001D6E000-memory.dmp

    Filesize

    25.4MB

    Download