General

  • Target

    38a7e651a0bce7edc5329ec3ff426113431f842a374d963e0ac4fb5f038602a8

  • Size

    1.1MB

  • Sample

    230531-ybtbjsaf66

  • MD5

    c32f116d99d020151ef5c7d76da67538

  • SHA1

    aa42c1f4f6912f35900002244493df895050a36d

  • SHA256

    38a7e651a0bce7edc5329ec3ff426113431f842a374d963e0ac4fb5f038602a8

  • SHA512

    62ca4147c2361ca51a204fbc9b72da72e4083309ca522642a55d2cb876a81de95bd32a5038d91f95c38b5a4fbb472006d504036fc581baf17d65d657b2e776c7

  • SSDEEP

    24576:+dnyiGl/a/pl4yV1sddFoVSF3QLRqjhMd0Tu6NofZzvP:+dnyiwy/psddiSlCRUMd0S66

Malware Config

Targets

    • Target

      38a7e651a0bce7edc5329ec3ff426113431f842a374d963e0ac4fb5f038602a8

    • Size

      1.1MB

    • MD5

      c32f116d99d020151ef5c7d76da67538

    • SHA1

      aa42c1f4f6912f35900002244493df895050a36d

    • SHA256

      38a7e651a0bce7edc5329ec3ff426113431f842a374d963e0ac4fb5f038602a8

    • SHA512

      62ca4147c2361ca51a204fbc9b72da72e4083309ca522642a55d2cb876a81de95bd32a5038d91f95c38b5a4fbb472006d504036fc581baf17d65d657b2e776c7

    • SSDEEP

      24576:+dnyiGl/a/pl4yV1sddFoVSF3QLRqjhMd0Tu6NofZzvP:+dnyiwy/psddiSlCRUMd0S66

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Tasks