blackmoon | 1bfc86347bfa5de88a0d472dc25fc4d6488bef2166210ebf6583e02f5a0ff53e

General

Target

1bfc86347bfa5de88a0d472dc25fc4d6488bef2166210ebf6583e02f5a0ff53e
Size

1.3MB
Sample

230619-x9ck1sfh44
MD5

92a753c31da401b6692309fda418944f
SHA1

b05031f5b9e880a048f1f7724f2baf367eea0c3a
SHA256

1bfc86347bfa5de88a0d472dc25fc4d6488bef2166210ebf6583e02f5a0ff53e
SHA512

464c51c29477469e3702d22c323a4d655e1856130e040580713a6bcabb819e180c494021f53f358b66ac7304976a61662891136d8945b2dfe511d2b5ff2c8e59
SSDEEP

24576:KxeYhMsrtw26BJAqF6wigz574mMG2IIjjKuyhEkAsD1XDEhuaTCuB5:seiykmMGfEkAggtH

Score

10^/10

Malware Config

Extracted

Family

gh0strat

C2

125.77.168.94

Targets

- Target
  
  1bfc86347bfa5de88a0d472dc25fc4d6488bef2166210ebf6583e02f5a0ff53e
- Size
  
  1.3MB
- MD5
  
  92a753c31da401b6692309fda418944f
- SHA1
  
  b05031f5b9e880a048f1f7724f2baf367eea0c3a
- SHA256
  
  1bfc86347bfa5de88a0d472dc25fc4d6488bef2166210ebf6583e02f5a0ff53e
- SHA512
  
  464c51c29477469e3702d22c323a4d655e1856130e040580713a6bcabb819e180c494021f53f358b66ac7304976a61662891136d8945b2dfe511d2b5ff2c8e59
- SSDEEP
  
  24576:KxeYhMsrtw26BJAqF6wigz574mMG2IIjjKuyhEkAsD1XDEhuaTCuB5:seiykmMGfEkAggtH
Score

10^/10

blackmoon gh0strat aspackv2 banker rat trojan upx
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Downloads MZ/PE file
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Blackmoon, KrBanker

Detect Blackmoon payload

Gh0st RAT payload

Gh0strat

Downloads MZ/PE file

ASPack v2.12-2.42

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

Enumerates connected drives

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2