General

  • Target

    a95737adb2cd7b1af2291d143200a82d8d32a868c64fb4acc542608f56a0aeda

  • Size

    146KB

  • Sample

    230614-kn5nfsfc51

  • MD5

    0558b31bd9e3e8233ca74837754882d7

  • SHA1

    a4bcad094372c9348bce850034a028460d19b0a6

  • SHA256

    a95737adb2cd7b1af2291d143200a82d8d32a868c64fb4acc542608f56a0aeda

  • SHA512

    4e8cb6bcd0b74b5508ee211fb2d7796fc5177d3b10fdc3283614ae872bd4cfa32d80648e35c79b2b2b3fa867eadcce4e706301f6e716e46fddefca08eeb1fb04

  • SSDEEP

    3072:GB1Q3LeTWmL359vd0OmS7ok57ORL2G4kOqOcPxab/gp2pFuuxE6l/:E1WeTWmLp9vd0Om6B57ORaG4Rqh51p2q

Malware Config

Targets

    • Target

      a95737adb2cd7b1af2291d143200a82d8d32a868c64fb4acc542608f56a0aeda

    • Size

      146KB

    • MD5

      0558b31bd9e3e8233ca74837754882d7

    • SHA1

      a4bcad094372c9348bce850034a028460d19b0a6

    • SHA256

      a95737adb2cd7b1af2291d143200a82d8d32a868c64fb4acc542608f56a0aeda

    • SHA512

      4e8cb6bcd0b74b5508ee211fb2d7796fc5177d3b10fdc3283614ae872bd4cfa32d80648e35c79b2b2b3fa867eadcce4e706301f6e716e46fddefca08eeb1fb04

    • SSDEEP

      3072:GB1Q3LeTWmL359vd0OmS7ok57ORL2G4kOqOcPxab/gp2pFuuxE6l/:E1WeTWmLp9vd0Om6B57ORaG4Rqh51p2q

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • Registers new Print Monitor

    • Deletes itself

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks