General

  • Target

    1bfc86347bfa5de88a0d472dc25fc4d6488bef2166210ebf6583e02f5a0ff53e

  • Size

    1.3MB

  • Sample

    230619-x9ck1sfh44

  • MD5

    92a753c31da401b6692309fda418944f

  • SHA1

    b05031f5b9e880a048f1f7724f2baf367eea0c3a

  • SHA256

    1bfc86347bfa5de88a0d472dc25fc4d6488bef2166210ebf6583e02f5a0ff53e

  • SHA512

    464c51c29477469e3702d22c323a4d655e1856130e040580713a6bcabb819e180c494021f53f358b66ac7304976a61662891136d8945b2dfe511d2b5ff2c8e59

  • SSDEEP

    24576:KxeYhMsrtw26BJAqF6wigz574mMG2IIjjKuyhEkAsD1XDEhuaTCuB5:seiykmMGfEkAggtH

Malware Config

Extracted

  • Family

    gh0strat

  • C2

    125.77.168.94

Targets

    • Blackmoon, KrBanker

      Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Downloads MZ/PE file

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic            Technique                      Count  ID
Defense Evasion   Modify Registry                1      T1112
Discovery         Query Registry                 3      T1012
Discovery         System Information Discovery   4      T1082
Discovery         Peripheral Device Discovery    1      T1120