Analysis

  • max time kernel
    136s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-04-2023 10:14

General

  • Target

    up-tset-x64.3.9.5.exe

  • Size

    127.7MB

  • MD5

    e48a2e55f1a45d86668c9d8dca33a015

  • SHA1

    7c84c4bb3776511c925337a550489a0a9084455b

  • SHA256

    6757bdf3922a9c57be8b2b73bc875a34487e27e3f8161f7f94598e13dfab61aa

  • SHA512

    5fdfcdf8fa4ad2bd4b86ff5e08d08517abb1314201f20442b3b081180414937f48c0e4d029dcd5978f3d8a9a796e985f5d6150795a1d954b9828323e0da9a341

  • SSDEEP

    3145728:ntCyIAERU5gLBva3wsppUHB7lbVtI92tIE+kspv:nMyS5a/nUHvbc92tlZOv

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Modifies RDP port number used by Windows 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\up-tset-x64.3.9.5.exe
    "C:\Users\Admin\AppData\Local\Temp\up-tset-x64.3.9.5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:4100
    • C:\Users\Public\DocumentsvAnj0pbB\vAnj0.exe
      C:\Users\Public\DocumentsvAnj0pbB\vAnj0.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:824

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060), 1 hit
  • Defense Evasion: Modify Registry (T1112), 1 hit
  • Discovery: Query Registry (T1012), 1 hit
  • Discovery: System Information Discovery (T1082), 1 hit
  • Lateral Movement: Remote Desktop Protocol (T1076), 1 hit

Downloads

  • C:\Users\Public\DocumentsvAnj0pbB\liteav.dll
    Filesize

    87.9MB

    MD5

    d042e95a7c68eb9c3f6b8a91ae346ad1

    SHA1

    0725dfa94d13c759abb86798e0bf228d2c7d2aa5

    SHA256

    16b1d3d34da9f9f3eb7c166257774f717eaabe461d8d46ac460646e18b746f5f

    SHA512

    e79e67e7f831d7109b63bbb10592f3283031cd8bde34d0490315a758514ba6dab449051a2f80f40014f2336edcb502b0364a6dbff8c76691dcd50e7da2a6cb9e

  • C:\Users\Public\DocumentsvAnj0pbB\vAnj0.exe
    Filesize

    694KB

    MD5

    90e3fb138dbfe3f3e9800bed07c1a4db

    SHA1

    7f394811b88d28494e5c24dbe516a5df848dec31

    SHA256

    be40eb8f02ddb9f423e223c673c555d104cc07e046708082fd676938cdecfb6d

    SHA512

    57cae097f559cc3237d5d7a8b24f78dc28bb22c9ca4660b8c3cb95a75f707a39d181177b724016340597391f970804433e2c280bea6bae8b73938d30737039ef

  • memory/824-141-0x00000000027C0000-0x00000000027ED000-memory.dmp
    Filesize

    180KB

  • memory/824-145-0x00000000027C0000-0x00000000027ED000-memory.dmp
    Filesize

    180KB