General

  • Target

    oreki.exe

  • Size

    673KB

  • Sample

    230702-fld1habg7w

  • MD5

    2284c315e2528e666ade79b75a0371cd

  • SHA1

    47e5af85d7ee5f3742837fbfe7f088f954e4ccac

  • SHA256

    ec36faf4a4d8329b10ac75b3b6c815cd041c62918eb1c9efb7adeea8e88e8744

  • SHA512

    cc0b76f20e36fe8425742715f87a0364c371ca6b4557ad754a9b802cbaa556f59fa8d3adabdba0081f8ae64cdfe402104fa56822c5e76d06517c58fce28426a0

  • SSDEEP

    12288:w4cVWcj9yXy13MiG6UvbZ61pccDFT0iqgsI8em8O+1qI:w4apyCOZuCc9LHm8O+

Malware Config

Targets

    • Target

      oreki.exe

    • Size

      673KB

    • MD5

      2284c315e2528e666ade79b75a0371cd

    • SHA1

      47e5af85d7ee5f3742837fbfe7f088f954e4ccac

    • SHA256

      ec36faf4a4d8329b10ac75b3b6c815cd041c62918eb1c9efb7adeea8e88e8744

    • SHA512

      cc0b76f20e36fe8425742715f87a0364c371ca6b4557ad754a9b802cbaa556f59fa8d3adabdba0081f8ae64cdfe402104fa56822c5e76d06517c58fce28426a0

    • SSDEEP

      12288:w4cVWcj9yXy13MiG6UvbZ61pccDFT0iqgsI8em8O+1qI:w4apyCOZuCc9LHm8O+

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Modifies RDP port number used by Windows

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks