Overview

overview

10

Static

static

7

1111111111...11.exe

windows7-x64

6

1111111111...11.exe

windows10-1703-x64

6

1111111111...11.exe

windows10-2004-x64

6

9VIcoCiitn.exe

windows7-x64

6

9VIcoCiitn.exe

windows10-1703-x64

6

9VIcoCiitn.exe

windows10-2004-x64

1

Microsoft Windows.exe

windows7-x64

10

Microsoft Windows.exe

windows10-1703-x64

10

Microsoft Windows.exe

windows10-2004-x64

10

New.exe

windows7-x64

7

New.exe

windows10-1703-x64

7

New.exe

windows10-2004-x64

7

SBLlgcMqPg.exe

windows7-x64

10

SBLlgcMqPg.exe

windows10-1703-x64

10

SBLlgcMqPg.exe

windows10-2004-x64

10

hh.chm

windows7-x64

10

hh.chm

windows10-1703-x64

8

hh.chm

windows10-2004-x64

8

nY4Ke1JkQH.exe

windows7-x64

10

nY4Ke1JkQH.exe

windows10-1703-x64

10

nY4Ke1JkQH.exe

windows10-2004-x64

10

qnr.dll

windows7-x64

3

qnr.dll

windows10-1703-x64

3

qnr.dll

windows10-2004-x64

3

˫װ.exe

windows7-x64

7

˫װ.exe

windows10-1703-x64

7

˫װ.exe

windows10-2004-x64

7

�...װ.exe

windows7-x64

7

�...װ.exe

windows10-1703-x64

7

�...װ.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Downloads.zip

  • Size

    20.6MB

  • Sample

    231001-k3rp5shg81

  • MD5

    740cf839bad9df13360e6df2714fcb7c

  • SHA1

    d9e33fac2fb18b9aa3c4eed83e640be0da454c8a

  • SHA256

    0ee170eb92a1063c45512e55aa2c4c7e40e58e1cdc77ce13b5fe56163b871531

  • SHA512

    7346a5d52d9e872fa32d3a3f58303ac7c84aab7648544429a39daca9f836d7254488ac8a357e6e3a3346325eb25b876387b362e56ae427de447f87373e020a99

  • SSDEEP

    393216:JQ8VRqtoxGeTwM7hEdUPDgY4PoIEYaVQwiHlyoej+JsFePJsF5:JQ8VVwmhEdoDN4Poka+wIAT+JaePJa5

Score
10/10
blackmoongh0strataspackv2bankerevasionpersistencerattrojanupx

Malware Config

Extracted

Family

gh0strat

C2

154.221.25.208

Targets

    • Target

      1111111111111111111111.exe

    • Size

      288KB

    • MD5

      ba36525430720564c0ff6db7c7f527d5

    • SHA1

      2a01ef1171726e56c01a6c773ec3b9a92ac7162b

    • SHA256

      a9317d8db186396a1a570f1dea184b94ddd2a6d2f7c381c563e0e745c0f8cc16

    • SHA512

      0f0cf60a3148dba434509ec34934df663b0d24cceff70d2368b37277cd69752202c55289874e42bdd216f3610530f50fe79336064fb1f6a6ed0927eb8a9567f0

    • SSDEEP

      3072:m4jPfhWV9XBb0MAtrg0OoHpFcNTXT2pTnhR1g2br54Qun9UItLpCEcbqGpYl7WUB:m4jUXB0MZDoJFcp0pgI6QkUIcbpO5zx

    Score
    6/10

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2behavioral3

    • Target

      9VIcoCiitn.exe

    • Size

      415KB

    • MD5

      d9e0c8b4633ceb671413e867a52f2b6b

    • SHA1

      4836da2acd2f2c14edc083f18643d4ccaf35b40d

    • SHA256

      ca5a050e28aaeab063fbb4f217475fa5463f07e0cf6b6c884d21a55e1a4a56b2

    • SHA512

      da120bbc5ddc57fdb67e0ef49d4dd2ccfd557dc15db2ee60fca8295792e7fd9b8716d98ddb8758a83419da799356fd2977344ef5df6790118d58e32f5cc3b967

    • SSDEEP

      12288:N1rx3SZpHuD8dl4K0P9h511FfUusSjz/:32pHoYl4fsusSj

    Score
    6/10

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    behavioral4behavioral5behavioral6

    • Target

      Microsoft Windows.com

    • Size

      1.7MB

    • MD5

      48154d5b444c7e235da7be4a0f2ade3a

    • SHA1

      57c00c9f26309b28bd4f725adbe2db10dce979e2

    • SHA256

      8936302e7140a879dc4ea137692a370f5876b9ccd1a63b9f1d930456b3338ba8

    • SHA512

      9e3bf380bb417ca7ae7b5a0986fa3fb1f99dc0d93329557adc17895f273e6bb98e2926ed671c4b566a7c024a15aec58ec575b7c622ed2fb020a49a9c05e2ae45

    • SSDEEP

      49152:FjHh/f9vfZryVsqv63smC88jukhTwp1mU9E:tp9vfpWsZcv6uyjE

    Score
    10/10
    evasionpersistencetrojan

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of SetThreadContext

    behavioral7behavioral8behavioral9

    • Target

      New.exe

    • Size

      11.5MB

    • MD5

      0206f9662974d6981d4f25124756acd7

    • SHA1

      01ec2fbc13e8b4b300c8b767fe787d491b41a981

    • SHA256

      38bea668d99664f6ab1431bfc4c46ff83994f992891f0d2cd834e8c9b89fc881

    • SHA512

      5a95e9576b7c076dc75fdc21a781989736a1c14c96fdc304241db16d919b059090b3920476c1aed0546227501c192d7aeeb674fac0c5d8758e746f47c18baa40

    • SSDEEP

      196608:aVqzwI4lSTTYeCHCPVTBiWXvPQqhcna4Uqy9XS2s38sxhAnY0rndqnZORru1:apiT0IBiWXvoPappS2s38sWYSdg0A1

    Score
    7/10

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral10behavioral11behavioral12

    • Target

      SBLlgcMqPg.exe

    • Size

      692KB

    • MD5

      b5c9e88f297775547ca77953f4eee2ca

    • SHA1

      835f2f087d9a740d656b676ce2007db9512ff06d

    • SHA256

      d64f2f04a0c31f0f3ee4cc14722eeb14b8f5af917e8d8e1b3a4dc9eb2ce06229

    • SHA512

      b75011c586bab6ac51692833b0ac0c051d68eba74baf473a0c788d81067de309671de57631a6f2a87f6d5d3b896b389c36754eb1b6cf980dcdf9b276b35fc438

    • SSDEEP

      12288:auq+qEN+gwB4lmjNyjW/GM/emM17CbU67RMklDia0zR5:auBqEI7kXjsJe1ubv7RMcDJ0z

    Score
    10/10
    evasiontrojan

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Uses the VBS compiler for execution

    • Windows security modification

      evasiontrojan

    • Checks whether UAC is enabled

      evasiontrojan
    behavioral13behavioral14behavioral15

    • Target

      hh.chm

    • Size

      201KB

    • MD5

      8dd20f3f2f25bb297c9b64895530f920

    • SHA1

      87c98fe066c3424ae89f18b439cede19679076b2

    • SHA256

      3317b010df0c78ddd2043dfc02a824023faba86d362627e4d42b38084134e275

    • SHA512

      22713705334e69564df34938194692cb534f0c8a8be4ced34fc367aa2a7e77c96e1742b9d6ce72004c3d378fba6930fb1800a0a39985b969ced0d02d14e8d459

    • SSDEEP

      6144:iTnr34RHDSWdynEzIsOcr792z8Xn5UBq0:onr3yHOiIsOcr7SOn5UU0

    Score
    10/10
    blackmoonbankerevasiontrojan

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

      trojanbankerblackmoon

    • Detect Blackmoon payload

    • UAC bypass

      evasiontrojan

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral16behavioral17behavioral18

    • Target

      nY4Ke1JkQH.exe

    • Size

      214KB

    • MD5

      415e87055596d88f1793be910abe60aa

    • SHA1

      3182b59a3063df587987a6bc6f7e39c42c075e8f

    • SHA256

      399e60f78e458f5e010da46a45c66ccf9b0fd30c128234a5dd9d9c9aa32ffa27

    • SHA512

      4129ed2744ee101e22aefc63e495ddb2b877ae33d4d8aa957992bad9ea46896256c2272597e6c82d6ad94dc6dea24af0e3e706bdaa0b76d0e158b002597feda3

    • SSDEEP

      3072:9kIcMtRin3zIf6naro5T6zaKPCbd5XX4E1Tgmn8Y5W646CN:9PPtRJ6NeKfocpnJ5W64

    Score
    10/10
    gh0stratpersistencerat

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    behavioral19behavioral20behavioral21

    • Target

      qnr.dll

    • Size

      455KB

    • MD5

      d29c850c3b5820060316176c1786c5cc

    • SHA1

      c86dab1668b1a13ec8901db146d44f034eedf05e

    • SHA256

      641a7339c2000604dc8f425383e9c34b1b117f647e40e1786838828a2552d27c

    • SHA512

      cf4c8a9544fd2a2a4ddc4b00118508315f809bc2efb28c7526e951f498e349f3593e777332df960f41eca2d7600335f81c8607e5159079f8a50b8b83644e77a4

    • SSDEEP

      12288:GowmOwSqB7wGo/DzEOdg64dBBVIDL1jRQ+sc6r:kP96w3/Dzd2VI9jGpc6r

    Score
    3/10
    behavioral22behavioral23behavioral24

    • Target

      ˫װ.exe

    • Size

      6.8MB

    • MD5

      4e53a65f92a258aafe4654ad6ea14332

    • SHA1

      ba11d19faa5f68f795d0355fa11091d3904889c1

    • SHA256

      ec0029ed11e838c80c35da057f69ff7be9a01a9b1fa2246f530c49c2fa56e647

    • SHA512

      04e125f3c99e81a9b227177f51c142818177e79642cfc93f2ecab9fc658c85aba2533718ad40583c85229bf280b05d9913bcb5b5f98d8f0e94c0cc736e352b30

    • SSDEEP

      98304:3rr0GhfuHLZ9l8lJA8dHxv1x13pQCHZ66z24VZbR:br0GhQL7lwJzRv1x15Q4Z66z24VZbR

    Score
    7/10
    upx

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral25behavioral26behavioral27

    • Target

      ٷѰװ.exe

    • Size

      6.8MB

    • MD5

      d29e0172941811344a23c7bd23701942

    • SHA1

      ae606314147c0929bfc3beac462a6d914ebf9bff

    • SHA256

      2229caa63c12cbb42cb66a6644cd4b88c74b440c133df37ec1d0e32e3db67bcf

    • SHA512

      c0f7434326e0a4b99a583dd44344b73cd4ea74a4f11c85cc8def201137f299499b54e63cbcb1df2f771976dd058c5b1213ea53a3fa76ad8eed0b6ad1a1b8958f

    • SSDEEP

      98304:3rr0GhfuHLZ9l8lJA8dHxv1x1zHNCHZ66z24VZbR:br0GhQL7lwJzRv1x1jN4Z66z24VZbR

    Score
    7/10
    upx

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral28behavioral29behavioral30

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scripting

1
T1064

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Modify Registry

6
T1112

Scripting

1
T1064

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

5
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

aspackv2
Score
7/10

behavioral1

Score
6/10

behavioral2

Score
6/10

behavioral3

Score
6/10

behavioral4

Score
6/10

behavioral5

Score
6/10

behavioral6

Score
1/10

behavioral7

evasionpersistencetrojan
Score
10/10

behavioral8

evasionpersistencetrojan
Score
10/10

behavioral9

evasionpersistencetrojan
Score
10/10

behavioral10

Score
7/10

behavioral11

Score
7/10

behavioral12

Score
7/10

behavioral13

evasiontrojan
Score
10/10

behavioral14

evasiontrojan
Score
10/10

behavioral15

evasiontrojan
Score
10/10

behavioral16

blackmoonbankerevasiontrojan
Score
10/10

behavioral17

Score
8/10

behavioral18

Score
8/10

behavioral19

gh0stratpersistencerat
Score
10/10

behavioral20

gh0stratpersistencerat
Score
10/10

behavioral21

gh0stratpersistencerat
Score
10/10

behavioral22

Score
3/10

behavioral23

Score
3/10

behavioral24

Score
3/10

behavioral25

upx
Score
7/10

behavioral26

upx
Score
7/10

behavioral27

upx
Score
7/10

behavioral28

upx
Score
7/10

behavioral29

upx
Score
7/10

behavioral30

upx
Score
7/10