General

  • Target

    68e2776d149bf90ff328dc9583943728e65ffc4726baa82f521269f2067479c4

  • Size

    14.6MB

  • Sample

    231118-n5qgmsdh89

  • MD5

    f8ea008668400d88e8aaee36c9c7cbd6

  • SHA1

    e8b777b42c62eed5898148bd1682b608ac8621d7

  • SHA256

    68e2776d149bf90ff328dc9583943728e65ffc4726baa82f521269f2067479c4

  • SHA512

    8d9c77aac9279aab6300170bad572ffa76ef1893b752be78a179f5a8bbff4246bd59645edcd5a8f3ad1718b9e17c06baaff443a273f778b5a87c419c85daad9b

  • SSDEEP

    393216:YE9pu8amlTvXuRC6Ynzpy3Vsga9bHXT1xgBnxGf:Z9pfTvuw6xld8b3TiGf
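Before working on a copy of this sample, confirm it is the one the report analysed. The following is an added example, not code from the report or from the sandbox: it streams a file once through all four hashers (the sample is 14.6 MB, so it is not read into memory) and diffs the result against the digests published above. SSDEEP is not in the Python standard library and is left to the external ssdeep tool. `digest_bytes` exists only so the check can be exercised offline on constructed input.

```python
import hashlib
import io

# Digests copied from the report's General section.
REPORT_HASHES = {
    "md5": "f8ea008668400d88e8aaee36c9c7cbd6",
    "sha1": "e8b777b42c62eed5898148bd1682b608ac8621d7",
    "sha256": "68e2776d149bf90ff328dc9583943728e65ffc4726baa82f521269f2067479c4",
    "sha512": "8d9c77aac9279aab6300170bad572ffa76ef1893b752be78a179f5a8bbff4246"
              "bd59645edcd5a8f3ad1718b9e17c06baaff443a273f778b5a87c419c85daad9b",
}
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digest_stream(stream, chunk_size=1 << 20) -> dict:
    """Feed every chunk to all hashers in a single pass over the data."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path: str) -> dict:
    with open(path, "rb") as f:
        return digest_stream(f)


def digest_bytes(data: bytes) -> dict:
    """Helper for offline use on constructed input (no sample on disk needed)."""
    return digest_stream(io.BytesIO(data))


def compare_to_report(observed: dict, expected: dict = REPORT_HASHES) -> dict:
    """Return {algorithm: (observed, expected)} for every mismatch; an empty
    dict means the file is the one the report describes. Comparison is
    case-insensitive because feeds publish hex in both cases."""
    return {
        name: (observed.get(name), exp.lower())
        for name, exp in expected.items()
        if (observed.get(name) or "").lower() != exp.lower()
    }


if __name__ == "__main__":
    import sys
    mismatches = compare_to_report(digest_file(sys.argv[1]))
    print("match" if not mismatches else f"MISMATCH: {mismatches}")
```

Run it as `python verify.py <path-to-sample>`; a non-empty mismatch dict means you are looking at a different file (or a re-packed variant), and none of the behavioural signatures below should be assumed to apply to it.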

Malware Config

Targets

    • Target

      68e2776d149bf90ff328dc9583943728e65ffc4726baa82f521269f2067479c4

    • Size

      14.6MB

    • MD5

      f8ea008668400d88e8aaee36c9c7cbd6

    • SHA1

      e8b777b42c62eed5898148bd1682b608ac8621d7

    • SHA256

      68e2776d149bf90ff328dc9583943728e65ffc4726baa82f521269f2067479c4

    • SHA512

      8d9c77aac9279aab6300170bad572ffa76ef1893b752be78a179f5a8bbff4246bd59645edcd5a8f3ad1718b9e17c06baaff443a273f778b5a87c419c85daad9b

    • SSDEEP

      393216:YE9pu8amlTvXuRC6Ynzpy3Vsga9bHXT1xgBnxGf:Z9pfTvuw6xld8b3TiGf

    • Blackmoon, KrBanker

      Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Generic Chinese Botnet

      A botnet originating from China that has not yet been publicly named.

    • Chinese Botnet payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile information.

    • VMProtect packed file

      Detects executables packed with the VMProtect commercial packer.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext
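The "VMProtect packed file" signature above can be reproduced by hand with two cheap static checks: section names beginning with `.vmp` (VMProtect's default `.vmp0`/`.vmp1`) and near-8-bit entropy in the section that holds the protected code. The following is an added example, not code from the report or from the sandbox: a pure-Python walk of the PE section table (DOS header, PE signature, COFF header, section headers) that applies both checks. `build_sample_pe` fabricates a minimal, non-executable PE image with a constructed section table so the code runs offline; the `.vmp` prefix list and the 7.2 bits/byte threshold are assumptions chosen for illustration, and since a packer can rename sections, a hit is a hint to confirm with the sandbox result, not proof.

```python
import math
import struct

# Heuristics (assumptions for this example, not the sandbox's own rule).
VMP_SECTION_PREFIXES = (b".vmp",)
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return (name, raw_offset, raw_size, entropy) for every section."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)   # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                             # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + i * 40)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append((name.rstrip(b"\0"), raw_ptr, raw_size, shannon_entropy(raw)))
    return sections


def vmprotect_indicators(pe: bytes) -> dict:
    secs = parse_sections(pe)
    vmp = [n for n, _, _, _ in secs if n.lower().startswith(VMP_SECTION_PREFIXES)]
    hot = [n for n, _, size, ent in secs if size and ent >= ENTROPY_THRESHOLD]
    text = lambda b: b.decode("ascii", "replace")
    return {
        "sections": [text(n) for n, *_ in secs],
        "vmp_sections": [text(n) for n in vmp],
        "high_entropy_sections": [text(n) for n in hot],
        "likely_vmprotect": bool(vmp),
    }


def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE image (headers plus section table only, it does
    not run) with the given (name, payload) sections, for offline testing."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)
    table, blobs = b"", b""
    for name, payload in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(payload), 0x1000,
                             len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += payload
        raw_ptr += len(payload)
    return bytes(dos) + b"PE\0\0" + coff + table + blobs


# Constructed image: a flat .text plus a ".vmp0" containing every byte value
# equally often, i.e. exactly 8.0 bits/byte, standing in for packed code.
SAMPLE_PE = build_sample_pe([
    (b".text", b"\x90" * 2048),
    (b".vmp0", bytes(range(256)) * 16),
])

if __name__ == "__main__":
    print(vmprotect_indicators(SAMPLE_PE))
```

On a real file, replace `SAMPLE_PE` with `open(path, "rb").read()`; the same section walk also gives the raw offsets you need to carve the `.vmp` sections out for further inspection.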

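For the "Adds Run key to start application" signature, the corresponding host check is to enumerate the HKCU and HKLM `...\CurrentVersion\Run` values and score each launch command. The following is an added example, not code from the report or from the sandbox: it applies three hypothetical triage rules (command points into a user-writable directory, a system-binary name such as `svchost.exe` living outside the Windows directory, a living-off-the-land binary used as launcher). `SAMPLE_RUN_ENTRIES` is a constructed snapshot so the logic runs offline; `collect_run_keys` does the live read with `winreg` when executed on Windows and returns an empty list elsewhere. The path lists are tuning choices, not a complete rule set.

```python
import os

RUN_KEY_PATHS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
]
# Locations an unprivileged user (or a dropper running as that user) can write to.
USER_WRITABLE = (r"\appdata\roaming", r"\appdata\local\temp", r"\users\public",
                 r"\programdata", "\\temp\\")
WINDOWS_DIR_MARKERS = ("\\windows\\", "%windir%", "%systemroot%")
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe"}

# Constructed snapshot (hypothetical values, not taken from the report).
SAMPLE_RUN_ENTRIES = [
    ("HKCU", "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("HKCU", "svchost", r"C:\Users\alice\AppData\Roaming\svchost.exe"),
    ("HKLM", "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("HKCU", "update", r"rundll32.exe C:\Users\Public\update.dll,Start"),
]


def extract_image_path(command: str) -> str:
    """First token of the command line, honouring a double-quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def assess_run_entry(hive: str, name: str, command: str) -> dict:
    image = extract_image_path(command)
    cmd_low, image_low = command.lower(), image.lower()
    basename = os.path.basename(image_low.replace("\\", "/"))
    reasons = []
    if any(p in cmd_low for p in USER_WRITABLE):
        reasons.append("points into a user-writable location")
    if basename in SYSTEM_BINARY_NAMES and not any(w in image_low for w in WINDOWS_DIR_MARKERS):
        reasons.append("system binary name outside the Windows directory")
    if basename in LOLBINS:
        reasons.append("living-off-the-land binary used as launcher")
    return {"hive": hive, "name": name, "image": image,
            "reasons": reasons, "suspicious": bool(reasons)}


def triage_run_keys(entries) -> list:
    return [assess_run_entry(*entry) for entry in entries]


def collect_run_keys() -> list:
    """Live collection of (hive, value name, command); [] off Windows."""
    try:
        import winreg
    except ImportError:
        return []
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    out = []
    for hive_name, path in RUN_KEY_PATHS:
        try:
            with winreg.OpenKey(hives[hive_name], path) as key:
                index = 0
                while True:
                    try:
                        value_name, value, _ = winreg.EnumValue(key, index)
                    except OSError:        # ERROR_NO_MORE_ITEMS
                        break
                    out.append((hive_name, value_name, str(value)))
                    index += 1
        except OSError:
            continue                       # key absent or access denied
    return out


if __name__ == "__main__":
    for result in triage_run_keys(collect_run_keys() or SAMPLE_RUN_ENTRIES):
        if result["suspicious"]:
            print(f'{result["hive"]}\\...\\Run\\{result["name"]}: {", ".join(result["reasons"])}')
```

Run on a live host it prints only flagged values; the two constructed hits mirror what this sample's signature implies, a payload started from a user-profile path under a name chosen to blend in with Windows processes.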
MITRE ATT&CK Enterprise v15

Tasks