blackmoon | de1cdfd7cd6e9fe54f7a8bb7636b9041f180b707cc9e05797181a1c0f46907e6 | Triage

Submit
Reports

Overview

overview

Static

static

1

MeeTalk.msi

windows7-x64

7

MeeTalk.msi

windows10-2004-x64

Sharing

General

Target

MeeTalk(1).zip
Size

185.1MB
Sample

230329-jkcb3agh9v
MD5

f8af499442d8ca1daa1b282830256c9a
SHA1

05d343ab75efef4b80896a4651d8e9abaabe1317
SHA256

de1cdfd7cd6e9fe54f7a8bb7636b9041f180b707cc9e05797181a1c0f46907e6
SHA512

1d94a7100ae6604f3b33971e3818d44c10184c4f3e2c263de504525c2228fee1b724f3c2ffb0b06ea86b2bae72974151b85a441edf80c2dc8c912af2fea623e8
SSDEEP

3145728:GpbEjiZoO0SCWk6fKG1zJLbVrjGGp2JkKIOI+JHNAP2Wc9xifH7Y8k675ZjxgJ9X:GkFO0DWk6fKG11VC6GIOT8P21xifbO6I

Score

10^/10

blackmoon gh0strat purplefox banker persistence rat rootkit trojan

Static task

static1

Behavioral task

behavioral1

Sample

MeeTalk.msi

Resource

win7-20230220-en

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

MeeTalk.msi

Resource

win10v2004-20230220-en

blackmoon gh0strat purplefox banker persistence rat rootkit trojan

windows10-2004-x64

25 signatures

150 seconds

Malware Config

Targets

- Target
  
  MeeTalk.msi
- Size
  
  186.6MB
- MD5
  
  72f5d7578038f91c96340d31858cb124
- SHA1
  
  dd0064c57d83a54e84d12569e0710676cd4deaba
- SHA256
  
  d614d576366b76b3543346c2be3078f30938c5869b94c05030322af1e493aecb
- SHA512
  
  43dc33f04f2c1e320089634d9ee3598bfa20f3e1dfb957249860a111bf1cf03923c481360c311e115a069fb4a11d64f8eb86584d179f805e72280fd4b545ddbb
- SSDEEP
  
  3145728:ohkbCHNOivX2+oL7FFsrGxk50YWn1/X7JrVE0ubQYCcOxk8r5C+03i9VfJHCJpcp:oTJX2hL7FFsrGxSEVq0rba8r8PiBHYcp
Score

10^/10

blackmoon gh0strat purplefox banker persistence rat rootkit trojan
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

blackmoongh0stratpurplefoxbankerpersistenceratrootkittrojan

© 2018-2024

Terms | Privacy