Resubmissions

17-11-2023 11:39

231117-nsb4gsha54 10

General

  • Target

    6x.rar

  • Size

    8.9MB

  • Sample

    231117-nsb4gsha54

  • MD5

    9e48e265b3926103852b0165043cf2d1

  • SHA1

    6f6a0b4f6e465358d1011ef91af3c04aea9d745d

  • SHA256

    e74ae95242abb122523a9c5ca121d99ed569515554a5b02d592214947e4a0774

  • SHA512

    060bb933b313646178f21ba6ca9e16b60a7223ac68aae5ed22f0412f89c7bba275ed3fa671abe1de32184c0504ec9556ee826f82b163bacc5fa97f8627a4982d

  • SSDEEP

    196608:1dLA6C5V0SKvVUIPWtGKDG5Lwamv1S8XUBQhNn/fwcMQP:1dnZvVmdDG50ag48kSBnd3P

Targets

    • Target

      10.20 저작권 자료 2023 - Hybe Entertaiment.exe.vir (Korean filename, roughly "10.20 copyright materials 2023 - Hybe Entertaiment"; the misspelling of "Entertainment" is in the original name)

    • Size

      3.9MB

    • MD5

      e7d9e0958885f34da44ae88dd5156a0b

    • SHA1

      b5c76d314478ded785b0b23bd5b6d9bbf856e33d

    • SHA256

      484a6f30c8ff19e9c908888666e218738035daf232691c37742206a7870e75bf

    • SHA512

      f2e1a62e9ce5aabd48cc54253892d182d1ee4f06e675c3a2c9b1b26ebd0351c21567ce70348b3d2da2f64f047f83dfa0637bf1e9f6c70cc86c7ef19911400135

    • SSDEEP

      49152:c2KYSTaPZynvI39ZhCbIymD1XW4IA9jGXC9sk/IRUnyX12l7Xoc40U9iC/YxMe:x4arZdTIAcXo3yCXD40U9i9

    • Score

      1/10
    • Target

      2023-11-17.exe.vir

    • Size

      1.2MB

    • MD5

      e4b61de15bcd690222a2f42817299434

    • SHA1

      25450ea7ff0286b13c674cffcc264b174a133849

    • SHA256

      f41bd077e20efe9c56a7cfc9535bc5538a8f57a32559e13eff47a69a55de68f6

    • SHA512

      311a8c8285ce346481b40d16ef01c31e2ecd8808cd4c8096053cdefcac6c3ba481e7837344cd7157d97dd4ef8758d1dd9115172ff83f473e90820d1e819c992c

    • SSDEEP

      24576:cJEwSKlyiFU7SsmMUkwUbbOyvAl/cmMcGk3+77VMorutImQtBe/+6icqj:cqgyGsCc+yfCM7++58/riPj

    • Blackmoon, KrBanker

      Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      20231116端.exe.vir

    • Size

      1.6MB

    • MD5

      360fd9b01505ba48bf1b020b3c4886eb

    • SHA1

      890969d061274d981052d60e78f0c256f7e84032

    • SHA256

      d2d6394e87bd144c0a2259604ffecb9d98803e6f8c4b8edf6df6b19559597783

    • SHA512

      f25c607d38b1ce968b2537293764ad3d21548b9ebacecc430ad40e1234c361c117bb98664d16362e3415e3425d80d633d12637e2b89c1631a8fd839c031d420b

    • SSDEEP

      12288:3H94IkPCLv3uCg8TjnRH4F2RUAzmB/nW4b4fTlxm9hBEjVhUcyL4NJm4tparK8pW:XR9LfRfRvbBxm9EgLcm9rKrBfJXAu

    • Score

      1/10
    • Target

      Pokemon-Shellcode-Loader.exe.vir

    • Size

      228KB

    • MD5

      584ff21cb8f392b228df18ef3215d0db

    • SHA1

      0f70e7dee7ce09057fb80ab246649ba99d5cceb0

    • SHA256

      53ae48c81b781bbf5619ed7fa50bea3a0360709d4113f02b3e3ed58512cf3d24

    • SHA512

      5cf675e5a2ab93a8857c23b88a89d7e739f3b5e3fb4a2a84a6d95b68fc3b6c5fc2fb75c0f6926c1e11c0fc6a5efe5a249976c1ddd79cea073a55d371c8fe8fe8

    • SSDEEP

      3072:lVgSMIUsOVGOcgaNISK9LuPPQJW12Z8dF:8SMPsISga69SGi

    • Score

      1/10
    • Target

      安全检查资产上报收集表-20231104-___xslx.vmp.scr.vir (Chinese filename, roughly "security inspection asset reporting collection form-20231104"; a .scr screensaver executable with "xslx" in the name to pass as a spreadsheet)

    • Size

      6.0MB

    • MD5

      d8443bd24b359098862057d1f7d3d1d5

    • SHA1

      72c27d3a02ae775331cb866724c843f69ec16207

    • SHA256

      033e2a68e082ba2b9eb9f9b0b9b92fdc647443ce0f7813c83d685f75bed01b6d

    • SHA512

      05eddfc5f00ef4eb06e2c2575fe022d1c6d61ed31150de4898676743d8f139b160f4c0ef4023869d86f319f1c65668778fe781e879563d03238e09b3633327c2

    • SSDEEP

      98304:TbzgEx488OgcsJuUylT/Qtk489LjQkKfusVX2jQvAEecACMP2mW/C70:THgUi8/jLZ57YusYjQvAEecjMP2mws0

    • Score

      5/10
    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      未解锁成功企业名单-电脑版.exe.vir (Chinese filename, roughly "list of enterprises not successfully unlocked - PC version")

    • Size

      408KB

    • MD5

      dd62abc08db08b25e95fe27a0fe491ba

    • SHA1

      5ad129285af0068cd29a07c842032fa2a083230d

    • SHA256

      61fab831d9a503c4521abcb360412994682c6baa97170cad50b22c32ec8090e6

    • SHA512

      57520208fb04965f1b29dc6f4d1255893ac53e28f2f33e9612a5052918f44e7d019b7bf06cb77d694a8eeb77296a29afed02baab9c8948faf0a217a7a0166491

    • SSDEEP

      6144:MUE6N4FFuSmzoTcUJGIY9VIAeBjCVxdhPJbPfZE+M9IrC1hMK7VZxOlG:MlFuSooTR0IYXIAgOVxxPBPM9GhKBT

    • Score

      5/10
    • Suspicious use of NtSetInformationThreadHideFromDebugger
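The behavioural signatures above (the Run-key persistence, the registry country-code lookup, the NtSetInformationThread anti-debug call, and the execution or loading of dropped files) can be reproduced as a small rule set over an API trace. The following is an added example, not the sandbox's own rule engine or anything from the report: the event format, the API name sets, the sample traces and the locale registry path are assumptions of this example, while ThreadHideFromDebugger = 0x11 is the documented THREADINFOCLASS value.

```python
"""Replay a sandbox API trace against rules that mirror the report's signatures.

Added example, not the sandbox's own rule engine. The event format, the API
name sets, the traces and the locale registry path are assumptions of this
example; ThreadHideFromDebugger = 0x11 is the documented THREADINFOCLASS value.
"""
import re

THREAD_HIDE_FROM_DEBUGGER = 0x11   # THREADINFOCLASS.ThreadHideFromDebugger

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Assumption: the geofence reads the user locale under Control Panel\International.
LOCALE_KEY_RE = re.compile(r"\\Control Panel\\International", re.IGNORECASE)

REG_SET_APIS = {"RegSetValueExA", "RegSetValueExW", "NtSetValueKey"}
REG_QUERY_APIS = {"RegQueryValueExA", "RegQueryValueExW", "NtQueryValueKey"}
FILE_WRITE_APIS = {"WriteFile", "NtWriteFile"}
PROCESS_APIS = {"CreateProcessA", "CreateProcessW", "NtCreateUserProcess"}
LOAD_APIS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExW", "LdrLoadDll"}

SIG_RUN_KEY = "Adds Run key to start application"
SIG_LOCATION = "Checks computer location settings"
SIG_HIDE_DEBUG = "Suspicious use of NtSetInformationThreadHideFromDebugger"
SIG_DROPPED_EXE = "Executes dropped EXE"
SIG_DROPPED_DLL = "Loads dropped DLL"


def analyze(events):
    """Return the signatures triggered by `events`, in first-hit order.

    Each event is {"api": name, "args": {...}}. File writes are remembered so a
    later process start or library load of the same path counts as use of a
    dropped file; a start of a pre-existing binary does not.
    """
    dropped = set()
    hits = []

    def hit(name):
        if name not in hits:
            hits.append(name)

    for ev in events:
        api = ev["api"]
        args = ev.get("args", {})
        path = args.get("path", "").lower()
        key = args.get("key", "")
        if api in FILE_WRITE_APIS and path:
            dropped.add(path)
        elif api in REG_SET_APIS and RUN_KEY_RE.search(key):
            hit(SIG_RUN_KEY)
        elif api in REG_QUERY_APIS and LOCALE_KEY_RE.search(key):
            hit(SIG_LOCATION)
        elif (api == "NtSetInformationThread"
              and args.get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER):
            hit(SIG_HIDE_DEBUG)
        elif api in PROCESS_APIS and path in dropped:
            hit(SIG_DROPPED_EXE)
        elif api in LOAD_APIS and path in dropped:
            hit(SIG_DROPPED_DLL)
    return hits


# Constructed trace shaped like the behaviour the report lists for 2023-11-17.exe.vir.
SAMPLE_TRACE = [
    {"api": "RegQueryValueExW", "args": {"key": r"HKCU\Control Panel\International", "value": "sCountry"}},
    {"api": "NtSetInformationThread", "args": {"ThreadHandle": 0xFFFFFFFE, "ThreadInformationClass": 0x11}},
    {"api": "WriteFile", "args": {"path": r"C:\Users\Public\helper.dll"}},
    {"api": "WriteFile", "args": {"path": r"C:\Users\Public\update.exe"}},
    {"api": "LoadLibraryW", "args": {"path": r"C:\Users\Public\helper.dll"}},
    {"api": "CreateProcessW", "args": {"path": r"C:\Users\Public\update.exe"}},
    {"api": "RegSetValueExW", "args": {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                                       "value": "Update", "data": r"C:\Users\Public\update.exe"}},
]

# Constructed benign trace: ThreadPriority (2) is a legitimate set, the process
# started already existed on disk, and the registry write is not a Run key.
BENIGN_TRACE = [
    {"api": "NtSetInformationThread", "args": {"ThreadHandle": 0xFFFFFFFE, "ThreadInformationClass": 0x2}},
    {"api": "CreateProcessW", "args": {"path": r"C:\Windows\System32\notepad.exe"}},
    {"api": "RegSetValueExW", "args": {"key": r"HKCU\Software\Example\Settings", "value": "Theme"}},
]

if __name__ == "__main__":
    for name in analyze(SAMPLE_TRACE):
        print("HIT:", name)
```

The dropped-file bookkeeping is what separates "Executes dropped EXE" from an ordinary process start: the rule only fires for a path the sample itself wrote earlier in the trace, which is the correlation a single-event rule cannot express.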
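For the Gh0st RAT signature on 2023-11-17.exe.vir, the part of the tool that network triage usually keys on is its packet framing. The following is an added example, not code from the report or the gh0st project: the framing (a 5-byte flag, a little-endian total length, a little-endian uncompressed length, then a zlib-compressed body) follows the public gh0st 3.6 source; the flag set, the sample payloads and the helper names are assumptions of this example, and real variants routinely replace the "Gh0st" flag with another five bytes.

```python
"""Build and parse Gh0st RAT style packets for traffic triage.

Added example, not code from the report or the gh0st project. The framing
follows the public gh0st 3.6 source (5-byte flag, nSize, nUncompressedLength,
zlib body, all lengths little-endian); KNOWN_FLAGS and the helper names are
assumptions of this example.
"""
import struct
import zlib

FLAG_LENGTH = 5
HEADER_LENGTH = FLAG_LENGTH + 8          # flag + total length + uncompressed length
KNOWN_FLAGS = {b"Gh0st"}                 # assumption: add flags seen in your own captures


def encode(payload: bytes, flag: bytes = b"Gh0st") -> bytes:
    """Frame `payload` the way the public source's sender does."""
    if len(flag) != FLAG_LENGTH:
        raise ValueError("flag must be exactly 5 bytes")
    body = zlib.compress(payload)
    total = HEADER_LENGTH + len(body)
    return flag + struct.pack("<II", total, len(payload)) + body


def decode(packet: bytes, flags=KNOWN_FLAGS):
    """Return (flag, payload) for a well-formed packet, or None otherwise.

    Rejects unknown flags, a total-length field that disagrees with the
    buffer, bodies that are not zlib, and bodies whose inflated size does not
    match the header; each of these is a cheap false-positive filter.
    """
    if len(packet) < HEADER_LENGTH:
        return None
    flag = packet[:FLAG_LENGTH]
    if flag not in flags:
        return None
    total, uncompressed = struct.unpack("<II", packet[FLAG_LENGTH:HEADER_LENGTH])
    if total != len(packet):
        return None
    try:
        payload = zlib.decompress(packet[HEADER_LENGTH:total])
    except zlib.error:
        return None
    if len(payload) != uncompressed:
        return None
    return flag, payload


def scan_stream(data: bytes, flags=KNOWN_FLAGS):
    """Walk a reassembled TCP stream and return every decoded packet in order.

    Stops at the first byte run that does not parse rather than resynchronising,
    so a partial or tampered packet is never silently skipped.
    """
    packets = []
    offset = 0
    while offset + HEADER_LENGTH <= len(data):
        flag = data[offset:offset + FLAG_LENGTH]
        (total,) = struct.unpack("<I", data[offset + FLAG_LENGTH:offset + FLAG_LENGTH + 4])
        if flag not in flags or total < HEADER_LENGTH or offset + total > len(data):
            break
        decoded = decode(data[offset:offset + total], flags)
        if decoded is None:
            break
        packets.append(decoded)
        offset += total
    return packets


if __name__ == "__main__":
    # Constructed stream: two framed messages followed by unrelated bytes.
    stream = encode(b"constructed message 1") + encode(b"constructed message 2") + b"trailing junk"
    for flag, payload in scan_stream(stream):
        print(flag, len(payload), payload)
```

The flag is the only part of the header an operator changes freely, so a detection should treat `KNOWN_FLAGS` as data to be fed from captures, while the zlib check and the two length fields hold across variants that keep the original framing.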
