blackmoon | dc119b46e9b9ac1978b148f7e910032b5cd969af7c289a4e9f7778d346ae74be | Triage

Submit
Reports

Overview

overview

Static

static

dc119b46e9...be.exe

windows7-x64

dc119b46e9...be.exe

windows10-2004-x64

Sharing

General

Target

dc119b46e9b9ac1978b148f7e910032b5cd969af7c289a4e9f7778d346ae74be
Size

146KB
Sample

230222-csn79she34
MD5

02d8468b20978fe1a72baf45f901a04c
SHA1

5beb1e105c3467f54604cba5652a8834d8d77ad9
SHA256

dc119b46e9b9ac1978b148f7e910032b5cd969af7c289a4e9f7778d346ae74be
SHA512

dfaeccc14b2df75e77ca5e1fec79714048ae659211cb44634f81253416b325578b64d768b38f5213babf899c4b0f8c05e81ef7bf3c7c41e49ef90cc4652f6fcc
SSDEEP

3072:woMYxYmFlZcCcKHsoseJYd72cGqnbdB2vN2V:woMtylZcdKM5ek6c7nbdUvNW

Score

10^/10

blackmoon gh0strat banker persistence rat trojan upx

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

dc119b46e9b9ac1978b148f7e910032b5cd969af7c289a4e9f7778d346ae74be.exe

Resource

win7-20230220-en

blackmoon gh0strat banker persistence rat trojan upx

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

dc119b46e9b9ac1978b148f7e910032b5cd969af7c289a4e9f7778d346ae74be.exe

Resource

win10v2004-20230220-en

blackmoon gh0strat banker persistence rat trojan upx

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  dc119b46e9b9ac1978b148f7e910032b5cd969af7c289a4e9f7778d346ae74be
- Size
  
  146KB
- MD5
  
  02d8468b20978fe1a72baf45f901a04c
- SHA1
  
  5beb1e105c3467f54604cba5652a8834d8d77ad9
- SHA256
  
  dc119b46e9b9ac1978b148f7e910032b5cd969af7c289a4e9f7778d346ae74be
- SHA512
  
  dfaeccc14b2df75e77ca5e1fec79714048ae659211cb44634f81253416b325578b64d768b38f5213babf899c4b0f8c05e81ef7bf3c7c41e49ef90cc4652f6fcc
- SSDEEP
  
  3072:woMYxYmFlZcCcKHsoseJYd72cGqnbdB2vN2V:woMtylZcdKM5ek6c7nbdUvNW
Score

10^/10

blackmoon gh0strat banker persistence rat trojan upx
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blackmoongh0stratbankerpersistencerattrojanupx

behavioral2

blackmoongh0stratbankerpersistencerattrojanupx

© 2018-2024

Terms | Privacy