blackmoon | 88b6522f46ba37bfd5db77c40e4e61328f2c5ed86f3e687d86ea4dc4e42cf18f | Triage

Submit
Reports

Overview

overview

Static

static

3

88b6522f46...8f.exe

windows7-x64

88b6522f46...8f.exe

windows10-2004-x64

Sharing

General

Target

88b6522f46ba37bfd5db77c40e4e61328f2c5ed86f3e687d86ea4dc4e42cf18f
Size

14.6MB
Sample

240528-3nreyaac84
MD5

1f6c7c645957715002f1ffbf3b7e6641
SHA1

450ae8aede3be0cf71a3628c0894ecbeb6a7b1eb
SHA256

88b6522f46ba37bfd5db77c40e4e61328f2c5ed86f3e687d86ea4dc4e42cf18f
SHA512

20e613e0d855a1be661b547eeef4f645162827cecf3d8e62a2516c7c028c994220ef202fe1148007cb6c8a72cfb1cb11b73816c1439a5c0ed0f213e7b5c8fce1
SSDEEP

196608:Ln8MWPOVaTyhCTHRcUkswMXLttbR9E+KNqXeptbPqC3A2QT7SNhb6q/s9Lh:D8MWPvi2HRMu3wqu7znZNhb6CE

Score

10^/10

blackmoon gh0strat banker persistence rat trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

88b6522f46ba37bfd5db77c40e4e61328f2c5ed86f3e687d86ea4dc4e42cf18f.exe

Resource

win7-20240215-en

blackmoon gh0strat banker persistence rat trojan upx

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

88b6522f46ba37bfd5db77c40e4e61328f2c5ed86f3e687d86ea4dc4e42cf18f.exe

Resource

win10v2004-20240508-en

blackmoon gh0strat banker persistence rat trojan upx

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  88b6522f46ba37bfd5db77c40e4e61328f2c5ed86f3e687d86ea4dc4e42cf18f
- Size
  
  14.6MB
- MD5
  
  1f6c7c645957715002f1ffbf3b7e6641
- SHA1
  
  450ae8aede3be0cf71a3628c0894ecbeb6a7b1eb
- SHA256
  
  88b6522f46ba37bfd5db77c40e4e61328f2c5ed86f3e687d86ea4dc4e42cf18f
- SHA512
  
  20e613e0d855a1be661b547eeef4f645162827cecf3d8e62a2516c7c028c994220ef202fe1148007cb6c8a72cfb1cb11b73816c1439a5c0ed0f213e7b5c8fce1
- SSDEEP
  
  196608:Ln8MWPOVaTyhCTHRcUkswMXLttbR9E+KNqXeptbPqC3A2QT7SNhb6q/s9Lh:D8MWPvi2HRMu3wqu7znZNhb6CE
Score

10^/10

blackmoon gh0strat banker persistence rat trojan upx
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Sets DLL path for service in the registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blackmoongh0stratbankerpersistencerattrojanupx

behavioral2

blackmoongh0stratbankerpersistencerattrojanupx

© 2018-2024

Terms | Privacy