General

  • Target

    6dbeebffd9de2d1c6c10c7d2bbc221dccf92b8ee4a203f5761d1343e34436a61

  • Size

    7.8MB

  • Sample

    221127-lrgw8sca5z

  • MD5

    3f8efccf72373add40eb426a335f99eb

  • SHA1

    9003bcb97756b4162fb5ec9cbbc5e347fcb789f6

  • SHA256

    6dbeebffd9de2d1c6c10c7d2bbc221dccf92b8ee4a203f5761d1343e34436a61

  • SHA512

    1a846905ab4d17f50af90c7e1172e615b4ac5084e193e29e63aed200279d0030ea306b05117b1f27873e10bfde977a723ad1c383cd47b450e41ea4446cb38ae6

  • SSDEEP

    196608:7iJOa4K0DldKHfNiBEPArOZrtpp0hnAPpzu11mFCks8j:7kl4K0DUNNBLpux4zG1Iz

Targets

    • Target

      츨11.27ɫ/츨.url

    • Size

      154B

    • MD5

      80fbd50c949bc2a5da573f855c178008

    • SHA1

      a2e113094149600f575f269674294b8d249b2cb8

    • SHA256

      2d5e0b36c9c72350ad613af0dd0f9dd52284326171078e8aac40f5ce54de3697

    • SHA512

      775e4b7b7ea7ff6e36f7f0de5ac165f8421d5f4bc9ca0d88727a4d99e6b2385f8701d841e7081670dcd37adfede0a1694c70348333009a589d471df2fe0aeace

    Score
    1/10
    • Target

      츨11.27ɫ/Ա.url

    • Size

      172B

    • MD5

      d0352b1e2dafefaf855d33b8fb47a523

    • SHA1

      f71da936c344746e062fe2055dc4c1ec7b1cf935

    • SHA256

      bd01549eef91fc327e2a704f88b214834de39faab76defbc3ebbe30e65c1977f

    • SHA512

      1fb8ff0a4e4496de2467c3314df48b0c886ec08225ae8595ecbc74cd6cffc94b0187cae9ccc87683050503ec62b70542c9414fd57fcba23abbaced701fb77471

    Score
    1/10
    • Target

      츨11.27ɫ/츨11.27ɫ/3km2.dll

    • Size

      1.5MB

    • MD5

      2e5ff9dc7ea781a0d99895d318af3cef

    • SHA1

      c2dddda1b2141a8d8fe2bd4619caffa4056e0737

    • SHA256

      6d884320514ec3a9dbb66914eebbe03e66dd3623f124988d350dc6322b76098a

    • SHA512

      fa0eccd58a8b7dbf8681547bc344d622391219fae1fa20eed3d7d67efa494e7f23c8670ad663ec35e4e1bb533c5ab7c784b195c5e96f7c954c45b7b2bbd50276

    • SSDEEP

      49152:zJ58ZHuvPUbFLfdwDclKIM3IMhWaz0I0:D8ZHuvPUtQclPM3IMhWaj

    Score
    8/10
    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calling NtSetInformationThread with the ThreadHideFromDebugger class (0x11) stops the thread from reporting debug events to an attached debugger, a common anti-debugging technique.

    • Target

      츨11.27ɫ/츨11.27ɫ/Astar.dll

    • Size

      35KB

    • MD5

      c0b716b0a39e6bd5b97ad509c59616cd

    • SHA1

      434b02800a9b19e17901eb7c46c6ca240bc573de

    • SHA256

      e791c2fa9b0435ade26b7d8d295ac957ce0eb5d30bca0cbc4cff3d3f5d8dbdef

    • SHA512

      60bbfa1d09ff9fc5aa25886d22cc9c4bd4b602e4a723a5f3ea454cf3834a8dabf8d8630dbc8f6a61765d3feb7d498526e19503db27fbb6350266d2ea40cb17cb

    • SSDEEP

      384:voWyKa2k8KeTduFoSQPZaqSItpQt/stcc/pjKhwElrP+lnu6EDHkCr1GNC8vyNbn:v+KWVKFazapm70+hf7GnTEDT8vyh

    Score
    3/10
    • Target

      츨11.27ɫ/츨11.27ɫ/Dll.dll

    • Size

      7KB

    • MD5

      0bbbca7038095d2ca8eff205bb1c7210

    • SHA1

      af89fc4b2dfbfd0a0ce464a171c78009f7caf1b6

    • SHA256

      3b4869d560062b4ea0edd78fba1d798a403b8749a9b32d323058e7e6416ee53e

    • SHA512

      2870cbf3eb75b3812f502b6ab5adae543349b02eb8e62ec1531d0464c9d475e69d4a9e6773a237dc7616f5754ef255903d976cf7d7a5d55e5b2b5043112595d7

    • SSDEEP

      96:yWf0YDrMtyjnyoSvDilH2tBOMrJQOBdFC+orPT3XAUPVAF6GDTnECt6M7N:5iy+o4DiwBOxO2rr3XHPV26Onf6A

    Score
    1/10
    • Target

      츨11.27ɫ/츨11.27ɫ/GetInfo.dll

    • Size

      1.5MB

    • MD5

      dbac2c9c7545463a542820337e504dd4

    • SHA1

      f1927a37103145678bffefd2437d3c18a9b68831

    • SHA256

      ef022b706eab8542d2cf3be7de64b66cb809509732b08f6e055abeb84bdbba48

    • SHA512

      298dca7f6a9b9557305d435463063b421285d2420f581f28770ffb837dee55ae7ab99547bbd5e4d80da7958d1eb259f0d3c8262bbbd71517d89a0de47795d384

    • SSDEEP

      49152:7wZEkRqxYYYGkMzgBss/g6hIOd9uZNMcC8CFyluyplN1vn:QEnxdHkMz8ss/g6hISuzvCFysyplN

    Score
    3/10
    • Target

      츨11.27ɫ/츨11.27ɫ/Lua.dll

    • Size

      156KB

    • MD5

      546696fc01d9c7c912da33a7ffecf21a

    • SHA1

      46f3ac49346afd4e85db46ade697f536afd8bee6

    • SHA256

      1b233ec23eccf5cc532e9f1349093ad7dc6b5d14973b1fb09251a21bf080e687

    • SHA512

      7ac984e2d3e91a23a256c6e118d2e83c5049310e5877b436f65a82b4c0e744677ef12d945625eac72f210ad73617133dc10a64b23aa03fcc9513906167174089

    • SSDEEP

      3072:kWxO4AOqXKN18lz1ajwgFxgi9bHb/fERierQ:kH/O+NlYBFxbnERVQ

    Score
    3/10
    • Target

      츨11.27ɫ/츨11.27ɫ/gom.dat

    • Size

      900KB

    • MD5

      f674e8892127fb6dee55c45f90bef80c

    • SHA1

      07d02adfd68e17d0744a139a37f063ccf3acc660

    • SHA256

      428133cfffb97d29571b38dd5eceefec586b35c1ec750717f4eadb3f9c49350d

    • SHA512

      184619f238f96651f33c72aeb9d6024919ab100f4b2314add3ca56dcd30a885f1b1111c1ffd36f0398140abaad887f0519e4683115e0cabd54e9e3cd6c6152bd

    • SSDEEP

      12288:bE4yngBeZp2Z3fubpeRIwgY49xOw9NHWoE1TEEtAPJBvMWt:bE43AZpO3fkplwf4rOWNHWoINB

    Score
    6/10
    • Writes to the Master Boot Record (MBR)

      Bootkits overwrite the MBR so their code runs before the operating system loads, giving persistence below the OS and the security tooling that runs inside it.
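
An added example (not part of the sandbox report) of the check a responder runs after a signature like the one above: parse the first sector of a disk, validate the 0x55AA boot signature and partition table, and compare a hash of the 440-byte boot-code region against a baseline taken from a known-good host. The sector bytes, the disk signature 0xDEADBEEF and the partition layout are constructed here so the script runs offline; on a live machine you would read the 512 bytes from \\.\PhysicalDrive0 (Windows, as administrator) or /dev/sda (Linux, as root) instead.

```python
"""Parse an MBR sector and compare its boot code against a baseline hash."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # boot code occupies bytes 0..439; disk signature follows at 440
PART_TABLE_OFF = 446          # four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xaa"        # bytes 510..511
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR with one bootable NTFS (0x07) partition. Test data only."""
    boot_code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"   # hypothetical disk signature + reserved
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1_048_576)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return boot_code + disk_sig + table + BOOT_SIG


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR sector into boot-code hash, disk signature and partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY_FMT, sector[off:off + PART_ENTRY_LEN])
        if ptype == 0:            # empty entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "valid_signature": sector[510:512] == BOOT_SIG,
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_against_baseline(sector: bytes, baseline_sha256: str) -> list:
    """Return findings for a responder; an empty list means the boot code matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("boot signature 0x55AA missing: sector is corrupt or not an MBR")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline: possible bootkit (ATT&CK T1067, now T1542.003)")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition is flagged bootable")
    return findings


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")   # a few plausible boot-code bytes
    baseline = parse_mbr(clean)["boot_code_sha256"]    # record once on a known-good host
    tampered = b"\xeb\xfe" + clean[2:]                 # simulate a bootkit overwriting the entry bytes
    print("clean:", check_against_baseline(clean, baseline))
    print("tampered:", check_against_baseline(tampered, baseline))
```

The baseline hash covers only the boot-code region, so a legitimate disk-signature or partition-table change does not trigger the bootkit finding; keep the baseline per machine, since OEM and Windows boot code differ.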

    • Target

      츨11.27ɫ/츨11.27ɫ/gom.dll

    • Size

      1.4MB

    • MD5

      5292dd08cc360231e91320d2599c5c8a

    • SHA1

      caf0bd247c4c4d73854ba6c852ee97ce46cf4949

    • SHA256

      0d08a63a51270608424655e58669b4e843062a18e8eb97b232401ff3bd3510c9

    • SHA512

      ce86e3433d5857981419cf46b8bceae63570406938397acfc8f845eca99e89c654ec4d973a89b0d11a9c39ee1d9ebb5dbc33f906c89207970760c4223a781077

    • SSDEEP

      24576:/3//MJCTzF2S9rfY3Lxn8EacxRabl+dbl3rw3nk6aju8Yovco4Jc2af:/3bF2S9rfY3Lx1XRSl+/E3Ku8Yov4Raf

    Score
    1/10
    • Target

      츨11.27ɫ/츨11.27ɫ/jx.dll

    • Size

      652KB

    • MD5

      4e1c140d96b8cd84cd378ae96b2f6b1e

    • SHA1

      9441f2e1c20e5be9558ff36a8ca97659a8be230b

    • SHA256

      c8bc513379447f5e18a19daf61c9c50189dc8f22bbdcd697ed1fa624cf89b193

    • SHA512

      e6d69b2c5842fad80ad2e9d8013a5a474cc66eebebf30ca480bdd6a63737fff33cd87253089703df601f0801b422f657133a11c86a527bc986472aaf35fb1351

    • SSDEEP

      12288:wKKfhCzb/8x2JDoLqhM4xv4YGqmDV37g+J:w5CPU21oLq24xArqmDV37bJ

    Score
    3/10
    • Target

      츨11.27ɫ/츨11.27ɫ/sky.dll

    • Size

      2.3MB

    • MD5

      4b3997a17c3c356b3c4a964059312ad3

    • SHA1

      6b14988e49a58f48ced59248a41c17c9d6e1c3ef

    • SHA256

      f06dfce697f6caabdd47e5acecd6a116f3fd9e238b2dc2f382077937e194aa7d

    • SHA512

      7105816d6083681cdef6151fce90df2a6b922b5f32a65583006e7f2d3040d6c656e7e0b9d1274c8a5179d353d080fdbf44fb53688d645d71790bb86454d00908

    • SSDEEP

      24576:QkwBweg/qAPbCGbB6NjGdcfibb9ee2Kw29v1oG36MJhBRBmhD9DVdNv6VzGaI+Hv:IMxUO5Ropdl+L4YexzxXG9

    Score
    1/10
    • Target

      츨11.27ɫ/츨11.27ɫ/ty.dat

    • Size

      169KB

    • MD5

      04ab3fe511b4a7465c57fc9e7aedcd3d

    • SHA1

      f678150e525de20a58a2766d52846cc70ffcb622

    • SHA256

      81f15689949e602c3413de07cd00d25baab313dc7a05d5fb05b7de04842a616d

    • SHA512

      e4c5048c1ca4e4a355ff0c85932cb6e67c009f85b79189a0214026521a46744dd592cc3a83246c65a974dce67c570c2288be01150671ebc52ae9584bf10fc393

    • SSDEEP

      3072:uP89l9/zuYu3PvTiqTsKfw6H2vPrzDlNM6FHpU9yP7X4kXq2GzT:cmlzmPvjGHvPn53dBX8p

    Score
    5/10
    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calling NtSetInformationThread with the ThreadHideFromDebugger class (0x11) stops the thread from reporting debug events to an attached debugger, a common anti-debugging technique.
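
An added example (not part of the sandbox report, and not the sandbox's own rule) of the detection logic behind this signature and the one on 3km2.dll above, run over an API-call trace. It goes a step beyond the page by also flagging the other common debugger checks (NtQueryInformationProcess with a debug-related class, IsDebuggerPresent, CheckRemoteDebuggerPresent). The trace lines and their "pid Api(arg=value, ...)" layout are constructed here; adapt CALL_RE to your sandbox's export format. The information-class constants are the documented Windows values.

```python
"""Flag anti-debugging calls in an API-call trace."""
import re

THREAD_HIDE_FROM_DEBUGGER = 0x11     # ThreadInformationClass for NtSetInformationThread
PROCESS_DEBUG_CLASSES = {            # ProcessInformationClass values used to spot a debugger
    7: "ProcessDebugPort",
    30: "ProcessDebugObjectHandle",
    31: "ProcessDebugFlags",
}
DIRECT_CHECKS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}

CALL_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)$")   # hypothetical trace layout
ARG_RE = re.compile(r"(\w+)=([^,\s]+)")


def parse_call(line: str):
    """Return (pid, api, {arg: value}) or None if the line is not a call record."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    args = {k: v for k, v in ARG_RE.findall(m["args"])}
    return m["pid"], m["api"], args


def arg_int(args: dict, name: str) -> int:
    """Parse a numeric argument; int(x, 0) accepts both decimal and 0x-prefixed values."""
    return int(args.get(name, "0"), 0)


def find_anti_debug(trace_lines):
    """Return (pid, api, reason) for every call that looks like a debugger check or evasion."""
    findings = []
    for line in trace_lines:
        parsed = parse_call(line)
        if parsed is None:
            continue
        pid, api, args = parsed
        if api == "NtSetInformationThread" and arg_int(args, "ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER:
            findings.append((pid, api, "ThreadHideFromDebugger: thread stops reporting debug events"))
        elif api == "NtQueryInformationProcess":
            cls = arg_int(args, "ProcessInformationClass")
            if cls in PROCESS_DEBUG_CLASSES:
                findings.append((pid, api, f"{PROCESS_DEBUG_CLASSES[cls]} query: checks for an attached debugger"))
        elif api in DIRECT_CHECKS:
            findings.append((pid, api, "direct debugger-presence check"))
    return findings


# Constructed trace in the hypothetical format above; the second line is the
# call pattern behind the "Suspicious use of NtSetInformationThreadHideFromDebugger" signature.
# The third line (class 0x2, ThreadPriority) is a benign use of the same API and must not fire.
SAMPLE_TRACE = [
    "1234 NtOpenFile(FileHandle=0x5c, DesiredAccess=0x100080, OpenOptions=0x60)",
    "1234 NtSetInformationThread(ThreadHandle=0xfffffffe, ThreadInformationClass=0x11, ThreadInformationLength=0)",
    "1234 NtSetInformationThread(ThreadHandle=0x1a8, ThreadInformationClass=0x2, ThreadInformationLength=4)",
    "1234 NtQueryInformationProcess(ProcessHandle=0xffffffff, ProcessInformationClass=7, ProcessInformationLength=4)",
    "5678 IsDebuggerPresent()",
]

if __name__ == "__main__":
    for pid, api, reason in find_anti_debug(SAMPLE_TRACE):
        print(f"pid {pid}: {api}: {reason}")
```

Matching on the information class rather than on the API name alone is what keeps the rule from firing on every NtSetInformationThread call; the same API is used routinely to set thread priority and affinity.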

    • Target

      츨11.27ɫ/츨11.27ɫ/ty.dll

    • Size

      372KB

    • MD5

      6a6fcfdc2ad43d19e3299918a8845e84

    • SHA1

      a66030d34e3357e00181241d48e8302a0a4e2098

    • SHA256

      37e79983cde9c2f70fd73077dd7fafb944ec053f87976c6b33821b67001f0313

    • SHA512

      495fb60dec4a65f7de72893049f46529f70bbb0eb852feab6c75f9998453413c1dc78b6779d3c55e9510ca40457c09b812b414edf4188e136f6f4ffd5c20b2e8

    • SSDEEP

      6144:uz2R08dAbIs+orwFxCo0kNYXXGmo9TsrnpWh5G/ho0q4X/ieoNw4guSf629uCKPT:rRmIsgDOqOAyRGCVt/omrMc034jyXz02

    Score
    1/10
    • Target

      츨11.27ɫ/츨11.27ɫ/update.exe

    • Size

      376KB

    • MD5

      f2f3d6bc76550040e73748117d1f7043

    • SHA1

      0afb48cca00c061a8d5c2f1c786de987517dd029

    • SHA256

      b3f0b108f21183e10e5ec684a124144f51cc0b9c9363d030496ae18d8daee6e7

    • SHA512

      96c82248a60510494f6fd0350ab350a8b69e41e9955bf4177aa0eaf85cfe06e87900ac75e958f642d7f36cf6bad903ca25b8c422310bbb648e9bb9a81d7982ad

    • SSDEEP

      6144:LrIjtjvIP7C+Xx+eaKMKVt56pcRR5rhZFQGrsUwF7vlPoSv8cg:fQtcz9x+ziR5nWFpPoSJg

    Score
    8/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks whether UAC is enabled

      UAC status is exposed through the EnableLUA value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; malware reads it to decide whether an elevation prompt will appear before it attempts privileged actions.

    • Target

      츨11.27ɫ/츨11.27ɫ/ws.dll

    • Size

      596KB

    • MD5

      93f0109f592e1cda54c6b3f788298e47

    • SHA1

      8e2645971b4886983d3afa7b2523644b077522e0

    • SHA256

      80a1e632892e5f1e11f1e1527e6523716b25f64024255e91e91a81f39223cb01

    • SHA512

      f54d505395bda23208cdea578323b64723364186d5ddc03bce184f969a41660fa9b21cb1e4a54f42e5480a43bbfcbeb243322cf75e60f34ea1dce45b35e95e73

    • SSDEEP

      12288:jW7e/hIRy1EbQ9K3V0Ix3GdlnQgIXfZ2FbAityQn:jW7e/hIRy+bd3VZelQg4QcCVn

    Score
    1/10
    • Target

      츨11.27ɫ/츨11.27ɫ/츨11.27ɫ.exe

    • Size

      2.1MB

    • MD5

      9e2c071739ec34477c6a1237f42c92b0

    • SHA1

      486773f66d4f22f0ddf0101629d3a2f959b7994c

    • SHA256

      46ecf2080f94e17075c9501c32d47c82cfa834a9da6835318df6276a99eaf711

    • SHA512

      cd40461b30a173a81db25c50e8785c31f441ecea327baf85833a809e4d22836f36e48f62b9652599f2e5b96da7638b49e1a2562cd2b5173fa87a7826d3300a58

    • SSDEEP

      49152:FR2oTddQuFyp6ano1RYsj4Eh5SLiXw9ftPcnmZD:FHQNp6FYskEhiIwtt0nmZ

    Score
    8/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.
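
An added example (not part of the sandbox report, and not the sandbox's own rule logic) of the heuristic behind the "UPX packed file" and "VMProtect packed file" signatures above: walk the PE section table, name the packer from its well-known section names (UPX0/UPX1, .vmp0/.vmp1), and, because a modified UPX build can rename its sections, also flag any section whose raw data is near-random (entropy of 7.0 bits/byte or more) or that has no raw data on disk but a large virtual size, the shape of a section filled at runtime by an unpacking stub. The PE images are built in memory (headers plus raw sections, not runnable code) so the script runs offline; pass real file bytes to scan_pe to use it on a sample.

```python
"""Heuristic packer detection from PE section names and entropy."""
import hashlib
import math
import struct

PACKER_SECTION_MARKERS = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
    ".vmp0": "VMProtect", ".vmp1": "VMProtect", ".vmp2": "VMProtect",
}
HIGH_ENTROPY = 7.0                 # bits/byte; compressed or encrypted data sits near 8.0
SECTION_HDR_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2)})
    return sections


def scan_pe(pe: bytes) -> dict:
    """Name known packers from section names; flag high-entropy or unpack-at-runtime (raw size 0) sections."""
    sections = parse_sections(pe)
    packers = sorted({PACKER_SECTION_MARKERS[s["name"]] for s in sections if s["name"] in PACKER_SECTION_MARKERS})
    suspicious = [s["name"] for s in sections
                  if s["entropy"] >= HIGH_ENTROPY or (s["raw_size"] == 0 and s["virtual_size"] > 0)]
    return {"packers": packers, "suspicious_sections": suspicious, "sections": sections}


def build_sample_pe(section_specs) -> bytes:
    """Construct a minimal PE32 image from (name, raw_bytes, virtual_size) tuples. Test data only."""
    opt_size = 0xE0                                           # PE32 optional header size
    headers_len = 64 + 4 + 20 + opt_size + 40 * len(section_specs)
    first_raw = (headers_len + 511) // 512 * 512              # file alignment 512
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    table, body, raw_ptr, vaddr = b"", b"", first_raw, 0x1000
    for name, raw, vsize in section_specs:
        table += struct.pack(SECTION_HDR_FMT, name.encode().ljust(8, b"\0"), vsize, vaddr,
                             len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
        raw_ptr += len(raw)
        vaddr += max(vsize, 0x1000)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(first_raw, b"\0") + body


# Deterministic high-entropy blob standing in for compressed/encrypted section data (constructed).
SAMPLE_HIGH_ENTROPY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
# UPX layout: empty UPX0 (filled at runtime) plus a compressed UPX1.
SAMPLE_UPX = build_sample_pe([("UPX0", b"", 0x20000), ("UPX1", SAMPLE_HIGH_ENTROPY, 0x2000)])
SAMPLE_VMP = build_sample_pe([(".text", b"\x90" * 64, 0x100), (".vmp0", SAMPLE_HIGH_ENTROPY, 0x4000)])
SAMPLE_CLEAN = build_sample_pe([(".text", b"\x55\x8b\xec" * 400, 0x1000), (".data", b"\0" * 128, 0x100)])

if __name__ == "__main__":
    for label, img in (("upx", SAMPLE_UPX), ("vmprotect", SAMPLE_VMP), ("clean", SAMPLE_CLEAN)):
        r = scan_pe(img)
        print(label, r["packers"], r["suspicious_sections"])
```

Section names are a labelling aid, not proof: a name match without a high-entropy section is worth a second look, and a high-entropy section with ordinary names is how renamed or modified UPX builds and custom packers show up. Resource-heavy sections (.rsrc holding compressed images) can also exceed the entropy threshold, so treat the verdict as a triage signal to be confirmed by unpacking.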

MITRE ATT&CK Matrix (ATT&CK v6)

    Tactic           Technique                      Count  ID
    Persistence      Bootkit                        1      T1067
    Defense Evasion  Modify Registry                1      T1112
    Discovery        System Information Discovery   2      T1082

The IDs follow ATT&CK v6; in the current matrix Bootkit is T1542.003 (Pre-OS Boot: Bootkit).

Tasks

    Task          Tags                    Score
    static1       vmprotect, blackmoon    10/10
    behavioral1   -                       1/10
    behavioral2   -                       1/10
    behavioral3   -                       1/10
    behavioral4   -                       1/10
    behavioral5   vmprotect               8/10
    behavioral6   vmprotect               8/10
    behavioral7   -                       3/10
    behavioral8   -                       3/10
    behavioral9   -                       1/10
    behavioral10  -                       1/10
    behavioral11  -                       1/10
    behavioral12  -                       3/10
    behavioral13  -                       3/10
    behavioral14  -                       3/10
    behavioral15  bootkit, persistence    6/10
    behavioral16  bootkit, persistence    6/10
    behavioral17  -                       1/10
    behavioral18  -                       1/10
    behavioral19  -                       3/10
    behavioral20  -                       1/10
    behavioral21  -                       1/10
    behavioral22  -                       1/10
    behavioral23  -                       5/10
    behavioral24  -                       5/10
    behavioral25  -                       1/10
    behavioral26  -                       1/10
    behavioral27  evasion, trojan, upx    8/10
    behavioral28  evasion, trojan, upx    8/10
    behavioral29  -                       1/10
    behavioral30  -                       1/10
    behavioral31  upx, vmprotect          8/10
    behavioral32  upx, vmprotect          8/10