General

  • Target

    1284ee327c41d0da06a2838194d2376ed3d92f0dfec9dac63a52238c8125740f.exe

  • Size

    13.9MB

  • Sample

    240725-bwebsszdmn

  • MD5

    ced8ef4a79d487315657632b9923003d

  • SHA1

    ca58da3d229ae599a0663a0dbc587fca20d95bda

  • SHA256

    1284ee327c41d0da06a2838194d2376ed3d92f0dfec9dac63a52238c8125740f

  • SHA512

    ac0c932ee2222163fcc37442ac9e3205c9bf4c23da28263d4d7ccdaea43c53c46af357f6835adc5dca99f7fcde319606477964f6f9cd29b1c7a9e095b0c38597

  • SSDEEP

    196608:2ODLXS7IPQPNLUQ6S8as8C/EQx4K2rikIwNLu7vi991uJBV1ptdYQbRti4g:2ODjQIIPNmA0rAc4u76VuJxpt59t9g

Malware Config

Targets

    • Target

      1284ee327c41d0da06a2838194d2376ed3d92f0dfec9dac63a52238c8125740f.exe

    • Size

      13.9MB

    • MD5

      ced8ef4a79d487315657632b9923003d

    • SHA1

      ca58da3d229ae599a0663a0dbc587fca20d95bda

    • SHA256

      1284ee327c41d0da06a2838194d2376ed3d92f0dfec9dac63a52238c8125740f

    • SHA512

      ac0c932ee2222163fcc37442ac9e3205c9bf4c23da28263d4d7ccdaea43c53c46af357f6835adc5dca99f7fcde319606477964f6f9cd29b1c7a9e095b0c38597

    • SSDEEP

      196608:2ODLXS7IPQPNLUQ6S8as8C/EQx4K2rikIwNLu7vi991uJBV1ptdYQbRti4g:2ODjQIIPNmA0rAc4u76VuJxpt59t9g

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Detect Neshta payload

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks