blackmoon | 254c47277797a8913ee9e13a2272bea90551e625e5813541c2838ab6f1536eed

Sharing

Copy URL

Twitter E-mail

General

Target

diu.rar
Size

115.9MB
Sample

240112-c7dp3seac7
MD5

343590e4c1c79a3ad89481f6c0fd5fd4
SHA1

22ca8a00bab74d0e4b74d66ab89d25ede598418f
SHA256

254c47277797a8913ee9e13a2272bea90551e625e5813541c2838ab6f1536eed
SHA512

f9012631869f749da53fd07ee4add521a6a8013c085f7be5f377566bdb1be57e41b01d0bcbee99513917697d4722dedec19643718064fc4608c92180afa36006
SSDEEP

3145728:KmHCmvai2ImjnTjh9qotVeDDeU/+wJAQv495Ijc6OMBua:dHVy7nHLtL5wp48ua

Score

10^/10

Malware Config

Targets

- Target
  
  IFProtects/Protects/AAProtects.exe
- Size
  
  2.1MB
- MD5
  
  9ff0022d04676d2dadcf48eb2c504457
- SHA1
  
  72684853f92a5ad87cf4adc3f87d58f7213e980e
- SHA256
  
  c1233ae149ce38b9419f1ff06829491cbb50fb12fa43333109ebbda67cd95bec
- SHA512
  
  6b46946d6df03bd0bea07e4465e23d046fee29e07084f8a9c1ccec9f2b01c45578e7738e5dbf6e923196ddd8131aebbb848940a4d8ca4696c5bbedf74ff07281
- SSDEEP
  
  49152:fh8Ov/P2Rvy3V0QOtBQ7o+/ykRqCEycpeqa2tS:f2OnuRvy3V9OE7o+/ybO
Score

6^/10

persistence
- Adds Run key to start application
  persistence
behavioral1 behavioral2
- Target
  
  IFProtects/Protects/AAProtects2.exe
- Size
  
  2.1MB
- MD5
  
  9ff0022d04676d2dadcf48eb2c504457
- SHA1
  
  72684853f92a5ad87cf4adc3f87d58f7213e980e
- SHA256
  
  c1233ae149ce38b9419f1ff06829491cbb50fb12fa43333109ebbda67cd95bec
- SHA512
  
  6b46946d6df03bd0bea07e4465e23d046fee29e07084f8a9c1ccec9f2b01c45578e7738e5dbf6e923196ddd8131aebbb848940a4d8ca4696c5bbedf74ff07281
- SSDEEP
  
  49152:fh8Ov/P2Rvy3V0QOtBQ7o+/ykRqCEycpeqa2tS:f2OnuRvy3V9OE7o+/ybO
Score

6^/10

persistence
- Adds Run key to start application
  persistence
behavioral3 behavioral4
- Target
  
  IFProtects/lWAbout/IWAbout.exe
- Size
  
  754KB
- MD5
  
  fda866e7a42e3432c3ac089b4fbac286
- SHA1
  
  410b9deef188cb8229f18aaba9a3908e1da12ba6
- SHA256
  
  8840dcc3c2da8f3465b5bdc7d9cdaf824f95afbe3d037cc277de84079afa8b04
- SHA512
  
  d7fa58a8d9af4d71f3d9123f47a5e81b412d824977d05fcada8b76abea79a9d634b0e3bad0d731828a927d9824357953770c8992ddaaaffca8074cd49766b44a
- SSDEEP
  
  12288:esgaRhSHo7x9EA5hChGtvKP9ID6v3QD4o4jMdC4i97db4+N22zIxUK+XvfS2ajs:eG9vrvZD6vgD4o4jMdC4i97db4+N2Jxo
Score

3^/10
behavioral5 behavioral6
- Target
  
  active/WebUnion.exe
- Size
  
  232KB
- MD5
  
  11fa2146c4527103ca10513b727a2f16
- SHA1
  
  b27bbae26949f55b7ffe6d895d8e9f47e1a71688
- SHA256
  
  c406715895b447c0d94125442386cf9d0680e28e486401ab998957f08dd8f859
- SHA512
  
  5c157d1a6cd101ea6baf0b1708bfc6b67dcc470419162425b8bfd6b72f40d9b71e39567765110e6fafbcf5e7010988e78aeff25804ebe5c6b4c6128bc3f6d063
- SSDEEP
  
  3072:mqyyfpuqYo4sE5u3p7oyBLoqN8r9b3fEoQnSe7CZftJUOGX9M63QoboxH:mXuVE5uZ7ogWr9ZntSX9M63cH
Score

6^/10

persistence
- Adds Run key to start application
  persistence
behavioral7 behavioral8
- Target
  
  d86645adc1cdc9e4ad55f0bb801525e5f08a4c52efbf8043ad4fffcfaa311cef/Dism.exe
- Size
  
  282KB
- MD5
  
  472646bd684bcaac510be7f65f9a08ab
- SHA1
  
  6affd43146aa832ef56bdb1fc46294361b554bb1
- SHA256
  
  6a2bc5111b7ea9c4c6fdca0db462187b8b9b1ef009bd2d28a2a0124e3d31b95d
- SHA512
  
  9aea80eca65e3e7537ed9f5fa6f65cfbf05b4eac98ac9e4eff6c166a62b1560918c0b8861e625697d49a43529e6f77a99c08aff5dfae2568d8042794a2d4e28d
- SSDEEP
  
  3072:b5VvsVPUSHmEk6vQWW8mw7T33RtvgdURr7RW1i4MPhEej1D8TboZwC2IMktE/AVF:z0VPUgjnRtnNlW4+WD8TbVC2SrJ
Score

10^/10

phishing
- Detected phishing page
  phishing
behavioral10 behavioral9
- Target
  
  d86645adc1cdc9e4ad55f0bb801525e5f08a4c52efbf8043ad4fffcfaa311cef/Document.pdf.lnk
- Size
  
  2KB
- MD5
  
  170121b443dfb94113e76d0a3125977f
- SHA1
  
  a9d3e8971781a70cdf9fb03301b8b68299f3f8e4
- SHA256
  
  de37f3b4aeeada22873dfb5fa074bd53e959fab38593ee22b8ab689fa767f8c8
- SHA512
  
  81dcefa5a4fd8a91e64280d365f645e30eff332e08189d3e006c3722d1cae46a53ad3841b0db9bc2bf58b8dfd4b3287b4ac5a15f0df5948d3d0bf0ac5c3bd779
Score

10^/10

phishing
- Detected phishing page
  phishing
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral11 behavioral12
- Target
  
  fgyjk/03F76412C9334BF.exe
- Size
  
  232KB
- MD5
  
  11fa2146c4527103ca10513b727a2f16
- SHA1
  
  b27bbae26949f55b7ffe6d895d8e9f47e1a71688
- SHA256
  
  c406715895b447c0d94125442386cf9d0680e28e486401ab998957f08dd8f859
- SHA512
  
  5c157d1a6cd101ea6baf0b1708bfc6b67dcc470419162425b8bfd6b72f40d9b71e39567765110e6fafbcf5e7010988e78aeff25804ebe5c6b4c6128bc3f6d063
- SSDEEP
  
  3072:mqyyfpuqYo4sE5u3p7oyBLoqN8r9b3fEoQnSe7CZftJUOGX9M63QoboxH:mXuVE5uZ7ogWr9ZntSX9M63cH
Score

6^/10

persistence
- Adds Run key to start application
  persistence
behavioral13 behavioral14
- Target
  
  wyanoc/Agghosts.exe
- Size
  
  23KB
- MD5
  
  5aab297fa8f143bfa67310ad78b76d3f
- SHA1
  
  5db963c2cca1bc8c8c060c52f7df76ccb477f01a
- SHA256
  
  8ec64bc55e5641d7683288e5e8e27c9391f06eb4da096c3d677d8f25ca4d04df
- SHA512
  
  c1ee67bd4c6bcfdc4179f905c7abc4ac632c9265b61dd5fdb90eeeec39802abe2cc487a5c8ded8a0748728104170c1b4d3a88904f102e1c3f891fac7702a2256
- SSDEEP
  
  384:08bdzeOuMnujhAz3W1xEuw41M0Jn5DGlIPxh8E9VF0NyEoMe:0wdzeBo4lndw2M8n5DGiPxWE2g
Score

10^/10

fatalrat infostealer persistence rat
- FatalRat
  FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
  infostealer rat fatalrat
- Fatal Rat payload
  rat infostealer
- Adds Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral15 behavioral16
- Target
  
  xiuxiu-/webprocess.exe
- Size
  
  387KB
- MD5
  
  6b4b0bed018f38d6382a97619747b60c
- SHA1
  
  4461639fe9886ab62327241dcc49f6066dffc852
- SHA256
  
  1c304154bcd3da78c896e221694fc861eee4cb61f964e927f518769eed48855e
- SHA512
  
  a1c5fb83ec423d6b98591f820b190204a8ee6f0cbb5be1b71a6dafcc201d4835b0cf82c059d22dde6c49f28ecc4fce0c33c83f5a8b93306b87388e22a1dcc2d3
- SSDEEP
  
  12288:nzWbxI9aG3CYJ2Tos2uhpWcvD1RRWpD6h:nzT9aGyYQTnz7JuDa
Score

10^/10

gh0strat purplefox rat rootkit trojan
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral17 behavioral18

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Adds Run key to start application

Adds Run key to start application

Adds Run key to start application

Detected phishing page

Detected phishing page

Checks computer location settings

Adds Run key to start application

FatalRat

Fatal Rat payload

Adds Run key to start application

Checks computer location settings

Detect PurpleFox Rootkit

Gh0st RAT payload

Gh0strat

PurpleFox

Enumerates connected drives

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18