blackmoon | c0b78a59daf60b8dbd191a3c6b6ef6b6e64a365c447daffca3cb5a3779afe00d | Triage

Submit
Reports

Overview

overview

Static

static

3

514e0cd471...58.exe

windows7-x64

514e0cd471...58.exe

windows10-2004-x64

Sharing

General

Target

514e0cd471b6e2065a13931a2f75c586d419b1d68f32d4ea16309eed28e608f5 (1).7z
Size

372KB
Sample

230526-czjlcsea9z
MD5

a4490380a997c36479dc0ae6cd4d4b41
SHA1

453f8feb0c504219d2e28b7887e4b78575b8a046
SHA256

c0b78a59daf60b8dbd191a3c6b6ef6b6e64a365c447daffca3cb5a3779afe00d
SHA512

77b91baf8b6e6835850528094e245a7805f98cba77e4c14bf8a38cc699fdb74ffeca7e87afb106747bfc73f9c49adbfead6b786f815badfdfbc595f9c43a879e
SSDEEP

6144:k3Y/lKmtXPL0iDHmnscPGkuhGnY944jdrH/sqdQjuD2nUMV8AtuSnAWaCtN51Sqd:k3Y9XPLP7mnvPGkwlxjlH/pdQjaK8AtZ

Score

10^/10

blackmoon gh0strat banker persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

514e0cd471b6e2065a13931a2f75c586d419b1d68f32d4ea16309eed28e608f5 (1)/514e0cd471b6e2065a13931a2f75c58.exe

Resource

win7-20230220-en

blackmoon gh0strat banker persistence rat trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

514e0cd471b6e2065a13931a2f75c586d419b1d68f32d4ea16309eed28e608f5 (1)/514e0cd471b6e2065a13931a2f75c58.exe

Resource

win10v2004-20230221-en

blackmoon gh0strat banker persistence rat trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  514e0cd471b6e2065a13931a2f75c586d419b1d68f32d4ea16309eed28e608f5 (1)/514e0cd471b6e2065a13931a2f75c586d419b1d68f32d4ea16309eed28e608f5
- Size
  
  844KB
- MD5
  
  07979781449b4a4de757c980a2368412
- SHA1
  
  811fe4940f1eac767a5912922b4b3001b0dfb2f9
- SHA256
  
  514e0cd471b6e2065a13931a2f75c586d419b1d68f32d4ea16309eed28e608f5
- SHA512
  
  4cb87e513e2d9ebf9be7aaf22dda491c55670b9861a10ea4011b5133ed4d1901dd573890d3696816ed89aec4cecf906b13b69a95ee0e36701498f8a5710606c7
- SSDEEP
  
  12288:bRZ5tsO2zUoq8qRgAH3yaCFoGvDoy2iAnRItlu4k7kO:bRZ5tsO2wohqqAXTCURmlO
Score

10^/10

blackmoon gh0strat banker persistence rat trojan
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

blackmoongh0stratbankerpersistencerattrojan

behavioral2

blackmoongh0stratbankerpersistencerattrojan

© 2018-2024

Terms | Privacy