blackmoon | fa0c0f8b78d82e551307f82653476b528019d9b6a244b4926cffedaa7fdebb20 | Triage

Submit
Reports

Overview

overview

Static

static

fa0c0f8b78...20.exe

windows7-x64

fa0c0f8b78...20.exe

windows10-2004-x64

Sharing

General

Target

fa0c0f8b78d82e551307f82653476b528019d9b6a244b4926cffedaa7fdebb20
Size

1.4MB
Sample

231013-qh8e2sbh83
MD5

a290036850c46087bef2e9397f679765
SHA1

a819e551ee45e25583505389c3b63da7dc340cb2
SHA256

fa0c0f8b78d82e551307f82653476b528019d9b6a244b4926cffedaa7fdebb20
SHA512

d61c2af16f6d8acac4c591d5cda1c50f3f925e2079c1697ef8da608483f9958474fd7e47826789bc8ecd9acb0a6c0b06be1ac0a082d7264db00496b4316c2572
SSDEEP

24576:kOQpwBCp2TjRg3SMlowWhI0PIpxRVInc6TEtAjLprdCiuU0Oqcdli:kJOjx6owWhI0PIpLKH/jVr9h+

Score

10^/10

blackmoon gh0strat rat vmprotect

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

fa0c0f8b78d82e551307f82653476b528019d9b6a244b4926cffedaa7fdebb20.exe

Resource

win7-20230831-en

gh0strat rat vmprotect

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

fa0c0f8b78d82e551307f82653476b528019d9b6a244b4926cffedaa7fdebb20.exe

Resource

win10v2004-20230915-en

gh0strat rat vmprotect

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

gh0strat

C2

7003.aadaa1.cc

Targets

- Target
  
  fa0c0f8b78d82e551307f82653476b528019d9b6a244b4926cffedaa7fdebb20
- Size
  
  1.4MB
- MD5
  
  a290036850c46087bef2e9397f679765
- SHA1
  
  a819e551ee45e25583505389c3b63da7dc340cb2
- SHA256
  
  fa0c0f8b78d82e551307f82653476b528019d9b6a244b4926cffedaa7fdebb20
- SHA512
  
  d61c2af16f6d8acac4c591d5cda1c50f3f925e2079c1697ef8da608483f9958474fd7e47826789bc8ecd9acb0a6c0b06be1ac0a082d7264db00496b4316c2572
- SSDEEP
  
  24576:kOQpwBCp2TjRg3SMlowWhI0PIpxRVInc6TEtAjLprdCiuU0Oqcdli:kJOjx6owWhI0PIpLKH/jVr9h+
Score

10^/10

gh0strat rat vmprotect
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Downloads MZ/PE file
- Modifies RDP port number used by Windows
- Executes dropped EXE
- Loads dropped DLL
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Remote Services

Remote Desktop Protocol

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

gh0stratratvmprotect

behavioral2

gh0stratratvmprotect

© 2018-2024

Terms | Privacy