Overview

overview

10

Static

static

10

d0a798b5e7...71.exe

windows7-x64

10

d0a798b5e7...71.exe

windows10-2004-x64

9

Sharing

Copy URL Twitter E-mail

General

  • Target

    d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe

  • Size

    45KB

  • Sample

    240701-bqbzgsvfkl

  • MD5

    3d3aedfaeaf39544ff74fe6fe4541fc2

  • SHA1

    ad4135e142b3e9564d90d96eca0c21e17f0de542

  • SHA256

    d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71

  • SHA512

    703b057201b3b261225cca58799c05caa152c5643f7de012d9fb1aff523f35c7c1ac7d24d14bcd3fe67c51b33230d864063077b59e1264ca1da1eada443db581

  • SSDEEP

    768:XQ7R4nqTvoV22QbyMhOk9w+wRGtVEhq8C5eIdp5b4Fk0v5za:w4nVV22Q+mO0wrwVEUdpaFjv5G

Score
10/10
blackmoongh0stratbankerdiscoveryevasionpersistenceprivilege_escalationrattrojanupx

Malware Config

Targets

    • Target

      d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe

    • Size

      45KB

    • MD5

      3d3aedfaeaf39544ff74fe6fe4541fc2

    • SHA1

      ad4135e142b3e9564d90d96eca0c21e17f0de542

    • SHA256

      d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71

    • SHA512

      703b057201b3b261225cca58799c05caa152c5643f7de012d9fb1aff523f35c7c1ac7d24d14bcd3fe67c51b33230d864063077b59e1264ca1da1eada443db581

    • SSDEEP

      768:XQ7R4nqTvoV22QbyMhOk9w+wRGtVEhq8C5eIdp5b4Fk0v5za:w4nVV22Q+mO0wrwVEUdpaFjv5G

    Score
    10/10
    blackmoongh0stratbankerdiscoveryevasionpersistenceprivilege_escalationrattrojanupx

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

      trojanbankerblackmoon

    • Detect Blackmoon payload

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • Detects executables containing possible sandbox analysis VM usernames

    • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

    • UPX dump on OEP (original entry point)

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Creates a Windows Service

      persistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks