blackmoon | 6cc4412124674537ce946fe4266b4750efbbe237c3ed6f3e62287c5f33f3cdd1

General

Target

点击运行转换中文版3.exe
Size

101.3MB
MD5

8508b8d8c7f18a83c3273962015c4801
SHA1

376250d1eff8073cdd8a675e0611f3cae24f5197
SHA256

0bd10f7f1910e9b5d5c6dd6bffbb479ea636d86cc4d99a5cf24640cf9b83cdac
SHA512

26b84e4463d1170a76528c9719366a7205c62370ff4f9e191b47f35f09b45db66753a3943e8cba7eb7fb257ff8ac44282468f5da3ea18523e57e2aa715e90a5b
SSDEEP

3145728:G7kwwuE7sMxfyADRgk1I/uQ9kodzNI3b7zN9:l7sAJDFMdkcNqLN9

Score

10^/10

blackmoon gh0strat banker persistence rat trojan upx

Malware Config

Extracted

Family

gh0strat

C2

kekn.asselst.com

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4544-145-0x0000000010000000-0x0000000010020000-memory.dmp	family_blackmoon

Gh0st RAT payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4544-142-0x0000000002590000-0x00000000025EF000-memory.dmp	family_gh0strat
behavioral2/memory/4544-157-0x0000000002590000-0x00000000025EF000-memory.dmp	family_gh0strat
behavioral2/memory/4544-167-0x00000000038C0000-0x0000000003A05000-memory.dmp	family_gh0strat
behavioral2/memory/4544-168-0x00000000038C0000-0x0000000003A05000-memory.dmp	family_gh0strat
behavioral2/memory/4544-173-0x0000000003610000-0x000000000361B000-memory.dmp	family_gh0strat
behavioral2/memory/4544-174-0x0000000003610000-0x000000000361B000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4544-164-0x00000000038C0000-0x0000000003A05000-memory.dmp	upx
behavioral2/memory/4544-167-0x00000000038C0000-0x0000000003A05000-memory.dmp	upx
behavioral2/memory/4544-168-0x00000000038C0000-0x0000000003A05000-memory.dmp	upx
behavioral2/memory/4544-170-0x0000000003610000-0x000000000361B000-memory.dmp	upx
behavioral2/memory/4544-173-0x0000000003610000-0x000000000361B000-memory.dmp	upx
behavioral2/memory/4544-174-0x0000000003610000-0x000000000361B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

点击运行转换中文版3.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows\CurrentVersion\Run	点击运行转换中文版3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup = "C:\\Users\\Public\\DocumentsH357uHsQ\\DivX Player.exe"	点击运行转换中文版3.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

DivX Player.exe

description pid process target process

PID 4544 set thread context of 612 4544 DivX Player.exe svchost.exe
Executes dropped EXE 1 IoCs

Processes:

DivX Player.exe

pid process

4544 DivX Player.exe
Loads dropped DLL 1 IoCs

Processes:

DivX Player.exe

pid process

4544 DivX Player.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 4544 set thread context of 612	4544	DivX Player.exe	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DivX Player.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DivX Player.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	DivX Player.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

DivX Player.exe

pid	process
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe
4544	DivX Player.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

DivX Player.exesvchost.exe

description pid process

Token: SeDebugPrivilege 4544 DivX Player.exe
Token: SeDebugPrivilege 4544 DivX Player.exe
Token: SeDebugPrivilege 612 svchost.exe

description	pid	process
Token: SeDebugPrivilege	4544	DivX Player.exe
Token: SeDebugPrivilege	4544	DivX Player.exe
Token: SeDebugPrivilege	612	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

点击运行转换中文版3.exeDivX Player.exe

description	pid	process	target process
PID 3680 wrote to memory of 4544	3680	点击运行转换中文版3.exe	DivX Player.exe
PID 3680 wrote to memory of 4544	3680	点击运行转换中文版3.exe	DivX Player.exe
PID 3680 wrote to memory of 4544	3680	点击运行转换中文版3.exe	DivX Player.exe
PID 4544 wrote to memory of 3856	4544	DivX Player.exe	svchost.exe
PID 4544 wrote to memory of 3856	4544	DivX Player.exe	svchost.exe
PID 4544 wrote to memory of 3856	4544	DivX Player.exe	svchost.exe
PID 4544 wrote to memory of 612	4544	DivX Player.exe	svchost.exe
PID 4544 wrote to memory of 612	4544	DivX Player.exe	svchost.exe
PID 4544 wrote to memory of 612	4544	DivX Player.exe	svchost.exe
PID 4544 wrote to memory of 612	4544	DivX Player.exe	svchost.exe
PID 4544 wrote to memory of 612	4544	DivX Player.exe	svchost.exe
PID 4544 wrote to memory of 612	4544	DivX Player.exe	svchost.exe
PID 4544 wrote to memory of 612	4544	DivX Player.exe	svchost.exe
PID 4544 wrote to memory of 612	4544	DivX Player.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\点击运行转换中文版3.exe
"C:\Users\Admin\AppData\Local\Temp\点击运行转换中文版3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3680

C:\Users\Public\DocumentsH357uHsQ\DivX Player.exe
"C:\Users\Public\DocumentsH357uHsQ\DivX Player.exe"
2⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:3856

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Remote Desktop Protocol

1

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\DocumentsH357uHsQ\DivX Player.dll

Filesize
18KB

MD5
7592e971f1f49e72c5daf1768c51dc9a

SHA1
f0c3bd988b82ca3817e6fc202a68460f4d487c4a

SHA256
bd3eb54a72ccf3e2927b979e6e92041615e3afb9f9e0fbb197b084f6a376c0dc

SHA512
976bd2215ccffcd21ebb15ab07c87679e5b8d6eb8502ac1e5a099afecde23daa3fc5b9b23192fc0515920d6534630c434aaa747a98409b5de1d80d6fb941fbf6

Download Submit
C:\Users\Public\DocumentsH357uHsQ\DivX Player.dll

Filesize
18KB

MD5
7592e971f1f49e72c5daf1768c51dc9a

SHA1
f0c3bd988b82ca3817e6fc202a68460f4d487c4a

SHA256
bd3eb54a72ccf3e2927b979e6e92041615e3afb9f9e0fbb197b084f6a376c0dc

SHA512
976bd2215ccffcd21ebb15ab07c87679e5b8d6eb8502ac1e5a099afecde23daa3fc5b9b23192fc0515920d6534630c434aaa747a98409b5de1d80d6fb941fbf6

Download Submit
C:\Users\Public\DocumentsH357uHsQ\DivX Player.exe

Filesize
1.8MB

MD5
7a293decf55e5b9e4748848f7aa48ee9

SHA1
7a34c49ddc165e13148da79c1cd8fe20bfffc2ca

SHA256
c9903f53c8222b771f23fc037d95ea07b2b01d88e504db6d446509ca31fbf442

SHA512
0db15afb5269969c4129a42d2349f857f47ebdecb7609eac0f50a9c28aa1abcf6e4dc210d7bddeecd6cbcbd46373c50112a4c2a1923997a6e032de28197ac871

Download Submit
C:\Users\Public\DocumentsH357uHsQ\DivX Player.exe

Filesize
1.8MB

MD5
7a293decf55e5b9e4748848f7aa48ee9

SHA1
7a34c49ddc165e13148da79c1cd8fe20bfffc2ca

SHA256
c9903f53c8222b771f23fc037d95ea07b2b01d88e504db6d446509ca31fbf442

SHA512
0db15afb5269969c4129a42d2349f857f47ebdecb7609eac0f50a9c28aa1abcf6e4dc210d7bddeecd6cbcbd46373c50112a4c2a1923997a6e032de28197ac871

Download Submit
C:\Users\Public\DocumentsH357uHsQ\msvcp140.dll

Filesize
360KB

MD5
601c997d496ce57fadb897c98522105f

SHA1
ccb65abbe14b0ce1ad7db90c98aed95396c71d7c

SHA256
c0bd5ec34f7497c23372225ae922e0ca5bb1d9f46e5fe5e38081da02e2e2d33a

SHA512
516b02d0fa4dd5e5aa0549b4eb1044137e7f25e47fe8d2d166eca4f53f4142fbec09edc2df2167114f5cfe7801b4d732d61ed72a89a1c98f3b0039dfcc71b7d3

Download Submit
memory/612-153-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/612-158-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/612-156-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/612-154-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/612-152-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4544-142-0x0000000002590000-0x00000000025EF000-memory.dmp

Filesize
380KB

Download
memory/4544-149-0x0000000002B50000-0x0000000002B8F000-memory.dmp

Filesize
252KB

Download
memory/4544-146-0x0000000000750000-0x0000000000753000-memory.dmp

Filesize
12KB

Download
memory/4544-157-0x0000000002590000-0x00000000025EF000-memory.dmp

Filesize
380KB

Download
memory/4544-145-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/4544-164-0x00000000038C0000-0x0000000003A05000-memory.dmp

Filesize
1.3MB

Download
memory/4544-167-0x00000000038C0000-0x0000000003A05000-memory.dmp

Filesize
1.3MB

Download
memory/4544-168-0x00000000038C0000-0x0000000003A05000-memory.dmp

Filesize
1.3MB

Download
memory/4544-170-0x0000000003610000-0x000000000361B000-memory.dmp

Filesize
44KB

Download
memory/4544-173-0x0000000003610000-0x000000000361B000-memory.dmp

Filesize
44KB

Download
memory/4544-174-0x0000000003610000-0x000000000361B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads