General

  • Target

    ab2a6b6b702f08f2a0050046baf0e922706f3a852efa45c30f67563b4261a668

  • Size

    784KB

  • Sample

    230531-fdhzgsdc2x

  • MD5

    89ccfc812eba006576d189948377e487

  • SHA1

    a8eff5e4c81b71423d9b19b6dcb6f1cbe5a05a97

  • SHA256

    ab2a6b6b702f08f2a0050046baf0e922706f3a852efa45c30f67563b4261a668

  • SHA512

    e630c9980e82907e960ff9de6c2cb75cd649933297ad219979d7110aa3c2a8af6794ee189b0f5984311fbfe3ecc12c4c57c3c8328742ef015094f88f303b73bd

  • SSDEEP

    12288:61jYS8aludL81AOxq/mTUSRwiiNtcEHEQp5bB3t3PeH1zdaXU3:6FYS8Wudw1AqoBvNDzNVByJaXg

Malware Config

Targets

    • Target

      ab2a6b6b702f08f2a0050046baf0e922706f3a852efa45c30f67563b4261a668

    • Size

      784KB

    • MD5

      89ccfc812eba006576d189948377e487

    • SHA1

      a8eff5e4c81b71423d9b19b6dcb6f1cbe5a05a97

    • SHA256

      ab2a6b6b702f08f2a0050046baf0e922706f3a852efa45c30f67563b4261a668

    • SHA512

      e630c9980e82907e960ff9de6c2cb75cd649933297ad219979d7110aa3c2a8af6794ee189b0f5984311fbfe3ecc12c4c57c3c8328742ef015094f88f303b73bd

    • SSDEEP

      12288:61jYS8aludL81AOxq/mTUSRwiiNtcEHEQp5bB3t3PeH1zdaXU3:6FYS8Wudw1AqoBvNDzNVByJaXg

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v6

Tasks