blackmoon | 6cc4412124674537ce946fe4266b4750efbbe237c3ed6f3e62287c5f33f3cdd1 | Triage

Submit
Reports

Overview

overview

Static

static

点击运�...�3.exe

windows7-x64

6

点击运�...�3.exe

windows10-2004-x64

Sharing

General

Target

Signed-语言包.7z
Size

86.2MB
Sample

230611-r7zpwahc72
MD5

456b29e1d430908e7c1427f39545ec33
SHA1

4a15ee78d1d522009586721d0889b1c842a96ecd
SHA256

6cc4412124674537ce946fe4266b4750efbbe237c3ed6f3e62287c5f33f3cdd1
SHA512

4d2614db80a495b38abcee5aca9b0758860abee5672405b683dd0bee29ec4508cb9ddb8b19690e5301f1e57a68e3ab9aa5d933a369dbdca7c8a79de2163692dd
SSDEEP

1572864:rB1ctpHw4qmIY85WznLGoPDAUAwf/G1NfjTWem8Ywi9MnA6ux/I9E:d1Sq4qa85MnLGobAUTf/C9KeV9i3x/IC

Score

10^/10

blackmoon gh0strat banker persistence rat trojan upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

点击运行转换中文版3.exe

Resource

win7-20230220-en

windows7-x64

3 signatures

300 seconds

Behavioral task

behavioral2

Sample

点击运行转换中文版3.exe

Resource

win10v2004-20230220-en

blackmoon gh0strat banker persistence rat trojan upx

windows10-2004-x64

15 signatures

300 seconds

Malware Config

Extracted

Family

gh0strat

C2

kekn.asselst.com

Targets

- Target
  
  点击运行转换中文版3.exe
- Size
  
  101.3MB
- MD5
  
  8508b8d8c7f18a83c3273962015c4801
- SHA1
  
  376250d1eff8073cdd8a675e0611f3cae24f5197
- SHA256
  
  0bd10f7f1910e9b5d5c6dd6bffbb479ea636d86cc4d99a5cf24640cf9b83cdac
- SHA512
  
  26b84e4463d1170a76528c9719366a7205c62370ff4f9e191b47f35f09b45db66753a3943e8cba7eb7fb257ff8ac44282468f5da3ea18523e57e2aa715e90a5b
- SSDEEP
  
  3145728:G7kwwuE7sMxfyADRgk1I/uQ9kodzNI3b7zN9:l7sAJDFMdkcNqLN9
Score

10^/10

persistence blackmoon gh0strat banker rat trojan upx
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Modifies RDP port number used by Windows
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Remote Desktop Protocol

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

blackmoongh0stratbankerpersistencerattrojanupx

© 2018-2024

Terms | Privacy