blackmoon | 38a7e651a0bce7edc5329ec3ff426113431f842a374d963e0ac4fb5f038602a8 | Triage

Submit
Reports

Overview

overview

Static

static

3

38a7e651a0...a8.exe

windows7-x64

38a7e651a0...a8.exe

windows10-2004-x64

Sharing

General

Target

38a7e651a0bce7edc5329ec3ff426113431f842a374d963e0ac4fb5f038602a8
Size

1.1MB
Sample

230531-ybtbjsaf66
MD5

c32f116d99d020151ef5c7d76da67538
SHA1

aa42c1f4f6912f35900002244493df895050a36d
SHA256

38a7e651a0bce7edc5329ec3ff426113431f842a374d963e0ac4fb5f038602a8
SHA512

62ca4147c2361ca51a204fbc9b72da72e4083309ca522642a55d2cb876a81de95bd32a5038d91f95c38b5a4fbb472006d504036fc581baf17d65d657b2e776c7
SSDEEP

24576:+dnyiGl/a/pl4yV1sddFoVSF3QLRqjhMd0Tu6NofZzvP:+dnyiwy/psddiSlCRUMd0S66

Score

10^/10

blackmoon gh0strat banker persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

38a7e651a0bce7edc5329ec3ff426113431f842a374d963e0ac4fb5f038602a8.exe

Resource

win7-20230220-en

blackmoon gh0strat banker persistence rat trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

38a7e651a0bce7edc5329ec3ff426113431f842a374d963e0ac4fb5f038602a8.exe

Resource

win10v2004-20230220-en

blackmoon gh0strat banker persistence rat trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  38a7e651a0bce7edc5329ec3ff426113431f842a374d963e0ac4fb5f038602a8
- Size
  
  1.1MB
- MD5
  
  c32f116d99d020151ef5c7d76da67538
- SHA1
  
  aa42c1f4f6912f35900002244493df895050a36d
- SHA256
  
  38a7e651a0bce7edc5329ec3ff426113431f842a374d963e0ac4fb5f038602a8
- SHA512
  
  62ca4147c2361ca51a204fbc9b72da72e4083309ca522642a55d2cb876a81de95bd32a5038d91f95c38b5a4fbb472006d504036fc581baf17d65d657b2e776c7
- SSDEEP
  
  24576:+dnyiGl/a/pl4yV1sddFoVSF3QLRqjhMd0Tu6NofZzvP:+dnyiwy/psddiSlCRUMd0S66
Score

10^/10

blackmoon gh0strat banker persistence rat trojan
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blackmoongh0stratbankerpersistencerattrojan

behavioral2

blackmoongh0stratbankerpersistencerattrojan

© 2018-2024

Terms | Privacy