blackmoon | a7080408311a0272519c657f304d466eb4f60c139bbb4181e4e9748e27b9a119

General

Target

a7080408311a0272519c657f304d466eb4f60c139bbb4181e4e9748e27b9a119
Size

28KB
Sample

221001-k36t3agger
MD5

bcaf79c6d46e39e195f6b740faafb29a
SHA1

0054e2208483d6d771277f6b1462987ef221f8f3
SHA256

a7080408311a0272519c657f304d466eb4f60c139bbb4181e4e9748e27b9a119
SHA512

28486f9566d606b175e0f083cdd1b424a1aaf5eebc5c09db7dbf6a72acd290df80c94eab5883ded7cdb4bd3daaf1a9aeee0099a77774629b34593c27a15d0bf5
SSDEEP

768:JkK1FEQRJZBeyTMxi5WxqjtqHB6qHBoSEXJ/:SK1FEQRJ2yTMxi5WxOtrVl

Score

10^/10

Malware Config

Targets

- Target
  
  a7080408311a0272519c657f304d466eb4f60c139bbb4181e4e9748e27b9a119
- Size
  
  28KB
- MD5
  
  bcaf79c6d46e39e195f6b740faafb29a
- SHA1
  
  0054e2208483d6d771277f6b1462987ef221f8f3
- SHA256
  
  a7080408311a0272519c657f304d466eb4f60c139bbb4181e4e9748e27b9a119
- SHA512
  
  28486f9566d606b175e0f083cdd1b424a1aaf5eebc5c09db7dbf6a72acd290df80c94eab5883ded7cdb4bd3daaf1a9aeee0099a77774629b34593c27a15d0bf5
- SSDEEP
  
  768:JkK1FEQRJZBeyTMxi5WxqjtqHB6qHBoSEXJ/:SK1FEQRJ2yTMxi5WxOtrVl
Score

10^/10

blackmoon joker banker bootkit discovery infostealer persistence trojan gh0strat rat
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- joker
  Joker is an Android malware that targets billing and SMS fraud.
  infostealer trojan joker
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Blackmoon, KrBanker

Detect Blackmoon payload

Gh0st RAT payload

Gh0strat

joker

ACProtect 1.3x - 1.4x DLL software

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2