General

  • Target

    706d8d2f9bc001d3369661e52e89e93792f73730a49dea07d878b33846605f9f.zip

  • Size

    13.3MB

  • Sample

    220922-ryadmafdhq

  • MD5

    c5e0a79045758feb13d5cbf8767b811f

  • SHA1

    3d68c257892f3059ff5edf3387fa241ca6f0a8d3

  • SHA256

    8d7fe37f9a184c4dbda76633eb0b33f03b49a557f924f23883a8955975987ca4

  • SHA512

    c4f0f6e411985864068e082cc8b35d2264833226aa62539a297c7389f46566290f8f7a2c05b186124fb331a51ba4d0c19142bbf2ca4450bb61316ec4b4a0f739

  • SSDEEP

    393216:HHg1THcAJgsQRQgt90VvtnSbIBOcQBzuhmpim:HA1TgsSfLutSbYhmpim

Malware Config

Targets

    • Target

      706d8d2f9bc001d3369661e52e89e93792f73730a49dea07d878b33846605f9f.msi

    • Size

      13.6MB

    • MD5

      757e30a40a2c0428cbdc45531b6266d1

    • SHA1

      100e93213987e07ae20e835a304de2b325c5c3aa

    • SHA256

      706d8d2f9bc001d3369661e52e89e93792f73730a49dea07d878b33846605f9f

    • SHA512

      80f90be70faa431f5cad452f5bbc78ca1168560e8142126dd4c531bef1a1be956fe74f53479c2ebe3b65c54f679185816a6ce722266eb09677fd23039b6e18b4

    • SSDEEP

      393216:q+Fve+AYu1hvR7q+c8KbeTQdLi560QUhlr2XJk:RXAD1hvRJ3uL01lhh2Xu

    • Blackmoon, KrBanker

      Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families, first seen in 2018.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    T1053 Scheduled Task (1)

  • Persistence

    T1053 Scheduled Task (1)

  • Privilege Escalation

    T1053 Scheduled Task (1)

  • Discovery

    T1012 Query Registry (2)

    T1120 Peripheral Device Discovery (2)

    T1082 System Information Discovery (3)