blackmoon | 5671393fa023e67e323e8a4329c3f501172f481ee205cf0d0a9425643b6ea7e4 | Triage

Submit
Reports

Overview

overview

Static

static

tq.exe

windows7-x64

tq.exe

windows10-2004-x64

Sharing

General

Target

tq.jpg
Size

221KB
Sample

230330-y3863sfe9w
MD5

8296e188b3d8d564c388343aa7750148
SHA1

1186da1b5ace8b372c66e69356360fab22baae3f
SHA256

5671393fa023e67e323e8a4329c3f501172f481ee205cf0d0a9425643b6ea7e4
SHA512

2c44bbb0fcecbdc2ac87aeb59901f02843e152fcd45a572072783f4ee6f855ae1b45b7bc94931af9d6c83a2a03f661d8854222d0bb3ac4f191c6c78a6af533ee
SSDEEP

6144:LW2mnNJHkM+3GokGAV4lVh9/pOBsyEsbth:L5mPHkIokGiG7tpOBWs

Score

10^/10

blackmoon gh0strat banker persistence rat trojan upx

Static task

static1

upx blackmoon gh0strat

5 signatures

Behavioral task

behavioral1

Sample

tq.exe

Resource

win7-20230220-en

blackmoon gh0strat banker persistence rat trojan upx

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

tq.exe

Resource

win10v2004-20230220-en

blackmoon gh0strat banker persistence rat trojan upx

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  tq.jpg
- Size
  
  221KB
- MD5
  
  8296e188b3d8d564c388343aa7750148
- SHA1
  
  1186da1b5ace8b372c66e69356360fab22baae3f
- SHA256
  
  5671393fa023e67e323e8a4329c3f501172f481ee205cf0d0a9425643b6ea7e4
- SHA512
  
  2c44bbb0fcecbdc2ac87aeb59901f02843e152fcd45a572072783f4ee6f855ae1b45b7bc94931af9d6c83a2a03f661d8854222d0bb3ac4f191c6c78a6af533ee
- SSDEEP
  
  6144:LW2mnNJHkM+3GokGAV4lVh9/pOBsyEsbth:L5mPHkIokGiG7tpOBWs
Score

10^/10

blackmoon gh0strat banker persistence rat trojan upx
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Registers new Print Monitor
  persistence
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

upxblackmoongh0strat

behavioral1

blackmoongh0stratbankerpersistencerattrojanupx

behavioral2

blackmoongh0stratbankerpersistencerattrojanupx

© 2018-2024

Terms | Privacy