blackmoon | 78820d3214565b9958d30b12809d7f4640b901f2fd6cfa270230bcef8ae65031 | Triage

Submit
Reports

Overview

overview

Static

static

1

78820d3214...31.exe

windows7-x64

78820d3214...31.exe

windows10-2004-x64

Sharing

General

Target

78820d3214565b9958d30b12809d7f4640b901f2fd6cfa270230bcef8ae65031
Size

318KB
Sample

230314-ewxpxsfd4t
MD5

5ce44008c4372001cb7678bc7dc8f00c
SHA1

ba946a7a4be8f025bce238468ce3d2cd72ca313d
SHA256

78820d3214565b9958d30b12809d7f4640b901f2fd6cfa270230bcef8ae65031
SHA512

9b0ea574bb837a7ca2419a482e3631d3036f3172ac36ccde18be37039a7286e1fc69439bc75c400ba72ad4b549898cd28efd9516d00a0b8bb404b88888e723ba
SSDEEP

6144:ly6a+OEqfTG1Rljw5zudnuIyOQ5UDz9uLXtUSRGyQ/LLH/iDN7pLKM:Y+OD06AdnVyZUnULXtUSR78vWN7j

Score

10^/10

blackmoon gh0strat banker persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

78820d3214565b9958d30b12809d7f4640b901f2fd6cfa270230bcef8ae65031.exe

Resource

win7-20230220-en

blackmoon gh0strat banker persistence rat trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

78820d3214565b9958d30b12809d7f4640b901f2fd6cfa270230bcef8ae65031.exe

Resource

win10v2004-20230220-en

blackmoon gh0strat banker persistence rat trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  78820d3214565b9958d30b12809d7f4640b901f2fd6cfa270230bcef8ae65031
- Size
  
  318KB
- MD5
  
  5ce44008c4372001cb7678bc7dc8f00c
- SHA1
  
  ba946a7a4be8f025bce238468ce3d2cd72ca313d
- SHA256
  
  78820d3214565b9958d30b12809d7f4640b901f2fd6cfa270230bcef8ae65031
- SHA512
  
  9b0ea574bb837a7ca2419a482e3631d3036f3172ac36ccde18be37039a7286e1fc69439bc75c400ba72ad4b549898cd28efd9516d00a0b8bb404b88888e723ba
- SSDEEP
  
  6144:ly6a+OEqfTG1Rljw5zudnuIyOQ5UDz9uLXtUSRGyQ/LLH/iDN7pLKM:Y+OD06AdnVyZUnULXtUSR78vWN7j
Score

10^/10

blackmoon gh0strat banker persistence rat trojan
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blackmoongh0stratbankerpersistencerattrojan

behavioral2

blackmoongh0stratbankerpersistencerattrojan

© 2018-2024

Terms | Privacy