Analysis

  • max time kernel
    172s
  • max time network
    232s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-04-2023 08:43

General

  • Target

    tsetup.2.4.1.exe

  • Size

    127.7MB

  • MD5

    efe1989f03f440b7a16d5ce44839a406

  • SHA1

    03c6b96031cf76750cf36adbdf4c0d9a13c95b0d

  • SHA256

    379710c4ff31e416071255e22dc12a42cd701c0bbe6e56b0118a6d9955b6b4dc

  • SHA512

    972bb5025c552dc0b9986eb90417e4e8045b165d6cbcbbf24661f4e5d34978292ae163addec8551d0aa23b13c1084587258acb44bbcf96ff83e8b3a283a7a932

  • SSDEEP

    3145728:e1JGH/t1L28a3wsppUHB7lbVtI92tIE+kspK:Ff7fa/nUHvbc92tlZOK

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Modifies RDP port number used by Windows 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with the UPX open source packer or a modified UPX.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tsetup.2.4.1.exe
    "C:\Users\Admin\AppData\Local\Temp\tsetup.2.4.1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:116
    • C:\Users\Public\DocumentsBA6upRMZ\pLDbU.exe
      C:\Users\Public\DocumentsBA6upRMZ\pLDbU.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3676

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion
    Modify Registry (1) T1112
  • Discovery
    Query Registry (1) T1012
    System Information Discovery (1) T1082
  • Lateral Movement
    Remote Desktop Protocol (1) T1076

Downloads

  • C:\Users\Public\DocumentsBA6upRMZ\StarBurn.dll
    Filesize

    87.9MB

    MD5

    8c475f447c622613bb600b5d93726281

    SHA1

    e31cabc5ef628ee5c391133f683b3ee5ad8a9479

    SHA256

    dc452e4661385c03b761712e7f86b4af1c3e05c2e16658142ccba165142c72a9

    SHA512

    f4478c37fd4810c60dd07528d211a363338b033def5cb092026ac49492a0a237885448fed21314bb6717a3bc5527b94edd3df109e44b828b19b99f56ad2d2a1b

  • C:\Users\Public\DocumentsBA6upRMZ\pLDbU.exe
    Filesize

    905KB

    MD5

    790c885de6cd9b130bbfb8332652b0fc

    SHA1

    5c9d3aaa43c7982e98d33c7d5c50e42fd84493df

    SHA256

    c39d7f48548c8ee0b8dc36f4d4a452658fa5f3308bcb2c7bf181dc4e09191e8b

    SHA512

    7cf09b39a2f9f07d3259d6f01f793bf89ec19c46aad0f8feb9541ddef21e1b4459b8a3042aa8aa1bf2fc31f00e64cd40485e5cb5e3474757bcded1a55e4b7304

  • memory/3676-141-0x00000000022F0000-0x000000000231D000-memory.dmp
    Filesize

    180KB

  • memory/3676-145-0x00000000022F0000-0x000000000231D000-memory.dmp
    Filesize

    180KB

  • memory/3676-147-0x0000000008CF0000-0x0000000008E35000-memory.dmp
    Filesize

    1.3MB

  • memory/3676-150-0x0000000008CF0000-0x0000000008E35000-memory.dmp
    Filesize

    1.3MB

  • memory/3676-151-0x0000000008CF0000-0x0000000008E35000-memory.dmp
    Filesize

    1.3MB