Malware Analysis Report

2024-10-24 17:01

Sample ID 240619-g9e35swalh
Target 159c622af0c59ccbcf682efa268beae7f20f99e43ce5d4211a910c765692372f
SHA256 159c622af0c59ccbcf682efa268beae7f20f99e43ce5d4211a910c765692372f
Tags
blackmoon gh0strat rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

159c622af0c59ccbcf682efa268beae7f20f99e43ce5d4211a910c765692372f

Threat Level: Known bad

The file 159c622af0c59ccbcf682efa268beae7f20f99e43ce5d4211a910c765692372f was found to be: Known bad.

Malicious Activity Summary

blackmoon gh0strat rat

Blackmoon family

Detect Blackmoon payload

Gh0st RAT payload

Gh0strat

Modifies RDP port number used by Windows

Blocklisted process makes network request

Unsigned PE

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-19 06:30

Signatures

Blackmoon family

blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 06:29

Reported

2024-06-19 06:32

Platform

win7-20240221-en

Max time kernel

120s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\159c622af0c59ccbcf682efa268beae7f20f99e43ce5d4211a910c765692372f.dll,#1

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Modifies RDP port number used by Windows

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2020 wrote to memory of 1920 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2020 wrote to memory of 1920 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2020 wrote to memory of 1920 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2020 wrote to memory of 1920 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2020 wrote to memory of 1920 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2020 wrote to memory of 1920 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2020 wrote to memory of 1920 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\159c622af0c59ccbcf682efa268beae7f20f99e43ce5d4211a910c765692372f.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\159c622af0c59ccbcf682efa268beae7f20f99e43ce5d4211a910c765692372f.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 barret.asselst.com udp
CN 124.71.68.30:13149 barret.asselst.com tcp
US 8.8.8.8:53 sx.hacksx.top udp
HK 93.187.128.93:65531 sx.hacksx.top tcp

Files

memory/1920-1-0x0000000010000000-0x000000001002D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 06:29

Reported

2024-06-19 06:32

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\159c622af0c59ccbcf682efa268beae7f20f99e43ce5d4211a910c765692372f.dll,#1

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4164 wrote to memory of 928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4164 wrote to memory of 928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4164 wrote to memory of 928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\159c622af0c59ccbcf682efa268beae7f20f99e43ce5d4211a910c765692372f.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\159c622af0c59ccbcf682efa268beae7f20f99e43ce5d4211a910c765692372f.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 barret.asselst.com udp
US 8.8.8.8:53 sx.hacksx.top udp
US 8.8.8.8:53 barret.asselst.com udp
US 8.8.8.8:53 barret.asselst.com udp
US 8.8.8.8:53 sx.hacksx.top udp
US 8.8.8.8:53 barret.asselst.com udp
US 8.8.8.8:53 sx.hacksx.top udp
US 8.8.8.8:53 barret.asselst.com udp
US 8.8.8.8:53 sx.hacksx.top udp
US 8.8.8.8:53 barret.asselst.com udp
US 8.8.8.8:53 sx.hacksx.top udp
US 8.8.8.8:53 barret.asselst.com udp
US 8.8.8.8:53 sx.hacksx.top udp

Files

memory/928-0-0x0000000010000000-0x000000001002D000-memory.dmp