General

  • Target

    tranny-garbage.rar

  • Size

    5.3MB

  • Sample

    230706-bqy41sge23

  • MD5

    9371cf53b06bfbabd75e77f294f82d8f

  • SHA1

    19e60ce9c7e2fb815374a6c04df474817612f161

  • SHA256

    45ed564080a3c100d32f53674d2a66a50219df571657039ae80f788cfeb0a240

  • SHA512

    67966410eacad999b889640c31acd41e3b85ce713ce658f8e7d0575c1f7f691052487dfa0f30c7d832a687560c24023a9d661fd822f094307358f33512d89f9b

  • SSDEEP

    98304:y1UReUeORPqnmPqOAFjnHq9wee8d4dBzb094uXO+N+N8qedgmfJaL6bZ1F:y1vcMnmPqNFjHG3BuY4ueS+NBsc43

Malware Config

Targets

    • Target

      tranny-garbage/tranny-garbage.dll

    • Size

      3.5MB

    • MD5

      bc81934baa6f5939787dbb4c19e5ab89

    • SHA1

      aadf1d30a10887a741a901e438a496db6bf999d7

    • SHA256

      f37d3174eac0d4279439ec64db92bc35d7a5b6afcf0c0306c5701072655b459b

    • SHA512

      aaa347e234558fc80f6d9d972aa38e9eea3e1d356669246dd56abcc602d7986832cdda0f2712cfa488830429952e56de421bac9a8e3dad227c8cd06fd169c726

    • SSDEEP

      98304:8k6EP4/F1jENrx4ECqUKtvoNg2mP8zVCrHRjrpu:8fjENrqVqUEOa8m

    • Blackmoon, KrBanker

      Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

    • Modifies firewall policy service

    • Ramnit

      Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • XorDDoS payload

    • Downloads MZ/PE file

    • Modifies RDP port number used by Windows

    • ACProtect 1.3x - 1.4x DLL software

      Detects a file protected with ACProtect software.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Creates a Windows Service

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks