General

  • Target

    a8a2c05606db0b08fd77dfc4fb96728160cd786860deb6d31018825648e9ffae

  • Size

    432KB

  • Sample

    230828-1fby6sbb2x

  • MD5

    1ec07a06295fbd106998f68f81035292

  • SHA1

    9344788b70d9e4be55aefcf7fc031834463582ef

  • SHA256

    a8a2c05606db0b08fd77dfc4fb96728160cd786860deb6d31018825648e9ffae

  • SHA512

    922bff3a99501c286450982eab6b5375c9b4833c8090f661a1bb93eaa3a6bc6ac60589a2d91bc11e1422c41ef52629502af3980cc02cd28dcaf567fe2d90024f

  • SSDEEP

    12288:kov9YJjrV+pJR6cuXFqaYCL9yKASIAcl3hkWWlyvQO:B+JHVyR6xXky0KASbcdh6yvQO

Malware Config

Targets

    • Target

      a8a2c05606db0b08fd77dfc4fb96728160cd786860deb6d31018825648e9ffae

    • Size

      432KB

    • MD5

      1ec07a06295fbd106998f68f81035292

    • SHA1

      9344788b70d9e4be55aefcf7fc031834463582ef

    • SHA256

      a8a2c05606db0b08fd77dfc4fb96728160cd786860deb6d31018825648e9ffae

    • SHA512

      922bff3a99501c286450982eab6b5375c9b4833c8090f661a1bb93eaa3a6bc6ac60589a2d91bc11e1422c41ef52629502af3980cc02cd28dcaf567fe2d90024f

    • SSDEEP

      12288:kov9YJjrV+pJR6cuXFqaYCL9yKASIAcl3hkWWlyvQO:B+JHVyR6xXky0KASbcdh6yvQO

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks