Overview

overview

10

Static

static

7

1bfc86347b...3e.exe

windows7-x64

10

1bfc86347b...3e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-06-2023 19:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1bfc86347bfa5de88a0d472dc25fc4d6488bef2166210ebf6583e02f5a0ff53e.exe

  • Size

    1.3MB

  • MD5

    92a753c31da401b6692309fda418944f

  • SHA1

    b05031f5b9e880a048f1f7724f2baf367eea0c3a

  • SHA256

    1bfc86347bfa5de88a0d472dc25fc4d6488bef2166210ebf6583e02f5a0ff53e

  • SHA512

    464c51c29477469e3702d22c323a4d655e1856130e040580713a6bcabb819e180c494021f53f358b66ac7304976a61662891136d8945b2dfe511d2b5ff2c8e59

  • SSDEEP

    24576:KxeYhMsrtw26BJAqF6wigz574mMG2IIjjKuyhEkAsD1XDEhuaTCuB5:seiykmMGfEkAggtH

Score
10/10
blackmoongh0strataspackv2bankerrattrojanupx

Malware Config

Extracted

Family

gh0strat

C2

125.77.168.94

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 2 IoCs
  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Downloads MZ/PE file
  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1bfc86347bfa5de88a0d472dc25fc4d6488bef2166210ebf6583e02f5a0ff53e.exe
    "C:\Users\Admin\AppData\Local\Temp\1bfc86347bfa5de88a0d472dc25fc4d6488bef2166210ebf6583e02f5a0ff53e.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1140
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Public\xiaodaxzqxia\n.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1480
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
        3⤵
          PID:2524
      • C:\Users\Public\xiaodaxzqxia\jecxz.exe
        C:\Users\Public\xiaodaxzqxia\jecxz.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:2252
      • C:\Users\Public\xiaodaxzqxia\v.exe
        "C:\Users\Public\xiaodaxzqxia\v.exe" -o -d C:\Users\Public\xiaodaxzqxia C:\Users\Public\xiaodaxzqxia\111
        2⤵
        • Executes dropped EXE
        PID:4548
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:5056
      • C:\Windows\hh.exe
        "C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\7604163333238100\A11.chm
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:4384
      • C:\Windows\hh.exe
        "C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\7604163333238100\A11.chm
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:2880

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      3
      T1012

      System Information Discovery

      4
      T1082

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\HTML Help\hh.dat
        Filesize

        8KB

        MD5

        1c9ed45434a816fccc7dbd8621336546

        SHA1

        63be8f5ed6cc2667cfe14c87ce53d47ec6f41933

        SHA256

        ab861bfb611172b171c4f7c2b130cc02411d59e5b4e9bf6eaee93570dbf57b0f

        SHA512

        750002f0fd0f211653b689290cb9b87ef201f238eb2e16f3c61600e98d4a4585be94598ab6c99678db80fb671d5bd2f39a85dd28cbd1dfd7d35bc8a505951b86

        Download Submit
      • C:\Users\Public\cxzvasdfg\7604163333238100\A11.chm
        Filesize

        11KB

        MD5

        db7961bf21e69e9cdbbfbc5357b6ae84

        SHA1

        6b43da6f1a502cc3ede9a46a71536e79335e3169

        SHA256

        49c7fc9d58e588bdcac23d7d576b699d49d5497de8afcb73be23cab89edf3b0e

        SHA512

        e0c7f502e60c9a15d407416645266614dd1e29c42c4711f1f3e10bd0de4c2404994fc71d3cb73a5ca56977afdf36f96c4e60b2bccce7459a1988877f197312f8

        Download Submit
      • C:\Users\Public\xiaodaxzqxia\1
        Filesize

        87KB

        MD5

        bdf3dd3475930858348ea6b5a77e3998

        SHA1

        e5289a668266e8971e3222e661d3217e230a5ef8

        SHA256

        ae672174efa9b755742fedd8048b19a07790a929863898791622bbf4a54ebd04

        SHA512

        95fa68aa85cfac57ca561596bf73e268ede7c6c9c3166aac273b9b77c7af43f0db586580916802c6cd3c938ad36135faa332276904b728e9afff9130ae52ae28

        Download Submit
      • C:\Users\Public\xiaodaxzqxia\111
        Filesize

        1.3MB

        MD5

        6b1a26cbe4f1044615d528039d3e9997

        SHA1

        08f3e65e3de6a3f58990599afbb985bab9d18130

        SHA256

        2421d87fcaeef5a0105b6d4aea7cd0de12a7e5e78c86394feb4f8211db63a940

        SHA512

        fb998c6d452548d7a582f080a6558eaf443e6760dbcac29f3b2e19b235791c79482b68f57d42b7e2f4dd879e4004abf8617c6f0388fced217c27891b27626237

        Download Submit
      • C:\Users\Public\xiaodaxzqxia\jecxz.exe
        Filesize

        16KB

        MD5

        9a0dd06445e36d0c2fc29cbcfe11d8f9

        SHA1

        a85b21b0b8bf3db76aa7a743dbd4898fd63cc4bb

        SHA256

        a1edd40e6b9661df0937b96f3dc3709e9cdb32ea277bc996ae3df6b3f217fa92

        SHA512

        fbd7bb36e7641817794e2818f27f2501e94cc7df7a871230d445d145e6102ffb0396b696a2e8f2cefee2fb473302ae5821e7a625b2c7fc906597c2d582011c77

        Download Submit
      • C:\Users\Public\xiaodaxzqxia\jecxz.exe
        Filesize

        16KB

        MD5

        9a0dd06445e36d0c2fc29cbcfe11d8f9

        SHA1

        a85b21b0b8bf3db76aa7a743dbd4898fd63cc4bb

        SHA256

        a1edd40e6b9661df0937b96f3dc3709e9cdb32ea277bc996ae3df6b3f217fa92

        SHA512

        fbd7bb36e7641817794e2818f27f2501e94cc7df7a871230d445d145e6102ffb0396b696a2e8f2cefee2fb473302ae5821e7a625b2c7fc906597c2d582011c77

        Download Submit
      • C:\Users\Public\xiaodaxzqxia\n.bat
        Filesize

        263B

        MD5

        c7d8b33e05722104d63de564a5d92b01

        SHA1

        fd703f1c71ac1dae65dc34f3521854604cec8091

        SHA256

        538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

        SHA512

        54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

        Download Submit
      • C:\Users\Public\xiaodaxzqxia\v.exe
        Filesize

        161KB

        MD5

        fecf803f7d84d4cfa81277298574d6e6

        SHA1

        0fd9a61bf9a361f87661de295e70a9c6795fe6a1

        SHA256

        81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

        SHA512

        a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

        Download Submit
      • C:\Users\Public\xiaodaxzqxia\v.exe
        Filesize

        161KB

        MD5

        fecf803f7d84d4cfa81277298574d6e6

        SHA1

        0fd9a61bf9a361f87661de295e70a9c6795fe6a1

        SHA256

        81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

        SHA512

        a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

        Download Submit
      • memory/1140-149-0x0000000000400000-0x0000000000725000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/1140-167-0x0000000000400000-0x0000000000725000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/1140-178-0x0000000000400000-0x0000000000725000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/1140-133-0x0000000000400000-0x0000000000725000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/2252-142-0x0000000000400000-0x000000000040F000-memory.dmp
        Filesize

        60KB

        Download
      • memory/2252-145-0x0000000010000000-0x0000000010015000-memory.dmp
        Filesize

        84KB

        Download
      • memory/2252-144-0x0000000000400000-0x000000000040F000-memory.dmp
        Filesize

        60KB

        Download
      • memory/4548-165-0x0000000000400000-0x000000000043D000-memory.dmp
        Filesize

        244KB

        Download