blackmoon | 93f03ffa074a803276daae21a0c1b14e23903ccfee918bb6719f8ba43f392981

General

Target

xiaodaxzqxia.zip
Size

2.4MB
Sample

230705-f2hcvsae75
MD5

e9ca082c8fdbfa6d9453a60aa3bf8ee2
SHA1

32eb31fad178deadc471e3eff7ae254546449643
SHA256

93f03ffa074a803276daae21a0c1b14e23903ccfee918bb6719f8ba43f392981
SHA512

d0b47210c7542c3fb699ea48bd8b62015a74364f25f709196da52128d4d79ab137647a798f95cbfa78022785bd1c6a7d2396c6de453ae12764583059a8230105
SSDEEP

49152:JPdwMDud2AjGIf24SkT6BCotc2l14Qbi52AO2IaMR1VIu4BR7rex8HcE:JqMD22QGIu4Sk2Cotc04r2AOB1VIu4BV

Score

10^/10

Malware Config

Targets

- Target
  
  libcrypto-3.dll
- Size
  
  102.3MB
- MD5
  
  4bcb44a845417cafc7d9b26fe931ac3a
- SHA1
  
  d47e4b9d732585e28ce229f7ef9bdd941fabea6e
- SHA256
  
  dc5c197f147eeb7dc774653b80b1fc13a0bc1221eb0e942621bd1631ca2d0573
- SHA512
  
  5a6e0a75ff7546a2f51c2dc57eb1dc18514439037d05d7f078a22793b4972d09aa3e77eef9edd17850671bcbb1359b8bf8ffd55d7765db20dd8ddde9d4d852eb
- SSDEEP
  
  24576:7Yqgr+TBzrabXb8zsMbQrjQzeBa3q0LZdU0B9IwiPr6VoVVD83HNUJyPiOKLA:7ztzsM5n62U0BG76VoPuHNMy6
Score

10^/10

blackmoon gh0strat banker rat trojan
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  saxbn.exe
- Size
  
  1.7MB
- MD5
  
  af7aac457eaefe1c228937403b933251
- SHA1
  
  166cbb657538ad45778dc77b9ae2b70eb961038b
- SHA256
  
  24411c2364855dfecc955f5ce2081d2ba9af1cb108eef97963b3c8a91ff288b8
- SHA512
  
  9b77d0605b3d4e0b79fc7ad01f7873e04c1331e438f20960fb18d51f4063ecb1c4df2d739e7731d78f2f5c89555e0135db65429baebc03a0144fc756f8410f8c
- SSDEEP
  
  49152:1Z6ZbaHcYz5aAVKiw6ZWqTG93jJ3hWpVc5:1g3Yz5J/693km
Score

10^/10

blackmoon gh0strat banker rat trojan
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Blackmoon, KrBanker

Detect Blackmoon payload

Gh0st RAT payload

Gh0strat

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in System32 directory

Suspicious use of SetThreadContext

Blackmoon, KrBanker

Detect Blackmoon payload

Gh0st RAT payload

Gh0strat

Blocklisted process makes network request

Enumerates connected drives

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4