blackmoon | 18d6f5e4ec32987307342fe6ddee304ea38704d45d19ef7626be6b5e72608df3 | Triage

Submit
Reports

Overview

overview

Static

static

1

18d6f5e4ec...f3.exe

windows7-x64

18d6f5e4ec...f3.exe

windows10-2004-x64

Sharing

General

Target

18d6f5e4ec32987307342fe6ddee304ea38704d45d19ef7626be6b5e72608df3
Size

1.9MB
Sample

230316-m2p62aae54
MD5

3202d225f0e5c40b10c5c97c48d0a1f4
SHA1

be16d53281f0efb98b771416aab76ebe275de2bd
SHA256

18d6f5e4ec32987307342fe6ddee304ea38704d45d19ef7626be6b5e72608df3
SHA512

4ac24ca0e59dae7773b5ac56bfbc33929d055a98aedef1c4df0017f4155c7c83e0c912856e23c26b8137cc46535f713e52eeca752a0368c5cfedcf352dea1583
SSDEEP

49152:jPIuk9fRS95WYWtF8WSjLpmgvzbUkE5QC9d1GQ0x:jPIPJS95WYWtF8WSjLpmgvzbUkE5QC9

Score

10^/10

blackmoon gh0strat banker persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

18d6f5e4ec32987307342fe6ddee304ea38704d45d19ef7626be6b5e72608df3.exe

Resource

win7-20230220-en

blackmoon gh0strat banker persistence rat trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

18d6f5e4ec32987307342fe6ddee304ea38704d45d19ef7626be6b5e72608df3.exe

Resource

win10v2004-20230220-en

blackmoon gh0strat banker persistence rat trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  18d6f5e4ec32987307342fe6ddee304ea38704d45d19ef7626be6b5e72608df3
- Size
  
  1.9MB
- MD5
  
  3202d225f0e5c40b10c5c97c48d0a1f4
- SHA1
  
  be16d53281f0efb98b771416aab76ebe275de2bd
- SHA256
  
  18d6f5e4ec32987307342fe6ddee304ea38704d45d19ef7626be6b5e72608df3
- SHA512
  
  4ac24ca0e59dae7773b5ac56bfbc33929d055a98aedef1c4df0017f4155c7c83e0c912856e23c26b8137cc46535f713e52eeca752a0368c5cfedcf352dea1583
- SSDEEP
  
  49152:jPIuk9fRS95WYWtF8WSjLpmgvzbUkE5QC9d1GQ0x:jPIPJS95WYWtF8WSjLpmgvzbUkE5QC9
Score

10^/10

blackmoon gh0strat banker persistence rat trojan
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blackmoongh0stratbankerpersistencerattrojan

behavioral2

blackmoongh0stratbankerpersistencerattrojan

© 2018-2024

Terms | Privacy