General

  • Target

    KRNL-REBORN.zip

  • Size

    75.6MB

  • Sample

    240731-2bzp4swgkn

  • MD5

    8df254c1ef2d7b8713b3e9ccc35427e8

  • SHA1

    91ae668936b94d35bb87f1c456ff477a2efcdffb

  • SHA256

    40c92384d321d4728f5f8a7e86066069313b91ed9368f0fa50a55b6ec7f72a25

  • SHA512

    dd0c70a1babca0405a59cb0b1c5b7a3f8c5bfd6dd8a9d8840a05cd748d0409c0b093968926e62648db380d4cc3939cc980f3223e05db6a7001143b453b94c941

  • SSDEEP

    1572864:f8UbNceAHLWXB7CtDirBHgRA+sBp/HjOSGoGcCU/blj7:f83VHztuxKK3LdGTcCSbh7
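Added example (not part of the sandbox report): a Python scanner that hashes every file under a directory and, for any ZIP it finds, each archive member in memory, then compares the SHA256 digests against the values this report lists for KRNL-REBORN.zip and the components extracted from it. Hashing the members is what still matches when the archive has been re-packed and the outer hash no longer agrees. The demo function's archive contents and its IOC table are constructed here; only the digests in `IOC_SHA256` come from the report.

```python
"""Scan a directory tree, and the members of any ZIP archives in it, for the
SHA256 values listed in this report.

Added example, not part of the sandbox report. Only the digests in IOC_SHA256
are taken from the report; the demo archive and demo IOC table are constructed.
"""
import hashlib
import io
import os
import zipfile

# SHA256 indicators from the report, keyed by the path the report shows.
IOC_SHA256 = {
    "KRNL-REBORN.zip": "40c92384d321d4728f5f8a7e86066069313b91ed9368f0fa50a55b6ec7f72a25",
    "KRNL-REBORN/Bunifu_UI_v1.5.3.dll": "f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf",
    "KRNL-REBORN/ScintillaNET.dll": "ad0cc5a4d4a6aae06ee360339c851892b74b8a275ce89c1b48185672179f3163",
    "KRNL-REBORN/autoexec.lnk": "b05e77d756a0970c0e8345ccc53b637b9f3926e788bbf5c1bbbb2bbff4d82348",
    "KRNL-REBORN/krnl-reborn.dll": "c0e5c51445b189f8a17529ce8fce8d11ed7f99211e19684228fdd12366c458ab",
    "KRNL-REBORN/krnlss_v102.exe": "31e271dbbf255b1f77f0bcaf5dcf901901b1cf0962ee23b86974d017e94bb9ab",
    "KRNL-REBORN/workspace.lnk.lnk": "a1bb2847ca301059384d736f1e977c694b69f5dd32249298f09a781f560fccf7",
}
# Reverse index: digest -> report path, so a lookup per file is O(1).
BY_DIGEST = {digest: path for path, digest in IOC_SHA256.items()}

CHUNK = 1 << 20  # 1 MiB reads; the EXE alone is ~70 MB, so never slurp files


def sha256_stream(fobj) -> str:
    """Hash a binary file object chunk by chunk."""
    h = hashlib.sha256()
    for block in iter(lambda: fobj.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def sha256_bytes(data: bytes) -> str:
    """Convenience wrapper for in-memory data."""
    return sha256_stream(io.BytesIO(data))


def scan_zip(fobj, label, iocs=None):
    """Hash each ZIP member without extracting it; return (where, ioc) hits.

    `iocs` defaults to the report's digests; passing another digest->name
    table lets the same logic be exercised against constructed data."""
    iocs = BY_DIGEST if iocs is None else iocs
    hits = []
    with zipfile.ZipFile(fobj) as zf:  # does not close a caller-supplied fobj
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                digest = sha256_stream(member)
            if digest in iocs:
                hits.append((f"{label}!{info.filename}", iocs[digest]))
    return hits


def scan_tree(root):
    """Return (location, matched report path) for every hit under root.

    Each regular file is hashed; files that are ZIPs are also opened and
    their members hashed, so a re-packed archive is still caught."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digest = sha256_stream(f)
            if digest in BY_DIGEST:
                hits.append((path, BY_DIGEST[digest]))
            if zipfile.is_zipfile(path):
                with open(path, "rb") as f:
                    hits.extend(scan_zip(f, path))
    return hits


def demo_constructed_archive():
    """Build an in-memory ZIP with constructed contents (not the real sample)
    and scan it twice: against the report's digests (no hit expected) and
    against a constructed IOC table keyed on one member's digest (one hit)."""
    payload = b"constructed member, not the real sample\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("KRNL-REBORN/constructed.bin", payload)
        zf.writestr("KRNL-REBORN/readme.txt", b"benign constructed text\n")
    constructed_table = {sha256_bytes(payload): "constructed-ioc"}
    return {
        "against_report": scan_zip(buf, "demo.zip"),
        "against_constructed": scan_zip(buf, "demo.zip", constructed_table),
    }


if __name__ == "__main__":
    import sys
    for where, ioc in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"MATCH {where} -> {ioc}")
```

Run it with the directory to check as the only argument; a hit on an archive member is reported as `archive.zip!member/path`. MD5 and SHA1 are also listed on the page, but SHA256 is the one to key on: the other two are collision-prone and add nothing here.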

Malware Config

Targets

    • Target

      KRNL-REBORN/Bunifu_UI_v1.5.3.dll

    • Size

      236KB

    • MD5

      2ecb51ab00c5f340380ecf849291dbcf

    • SHA1

      1a4dffbce2a4ce65495ed79eab42a4da3b660931

    • SHA256

      f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

    • SHA512

      e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

    • SSDEEP

      6144:SIQpxILDXGGMO7Ice9C5kQw2hWHcHTykhb:SIQpxILDXGGlET9n/cHG

    • Score

      1/10

    • Target

      KRNL-REBORN/ScintillaNET.dll

    • Size

      1.3MB

    • MD5

      9166536c31f4e725e6befe85e2889a4b

    • SHA1

      f0cd8253b7e64157d39a8dc5feb8cf7bda7e8dae

    • SHA256

      ad0cc5a4d4a6aae06ee360339c851892b74b8a275ce89c1b48185672179f3163

    • SHA512

      113a7b77d2d557d135470787deead744d42f8292d853e2b55074e9cb3591fd045ffd10e5c81b5c15dde55861b806363568611e591ae25dcb31cf011da7e72562

    • SSDEEP

      24576:IJSShz305vgNF7/cOCPHPSVs4Eq+QTNX+cfQdS+2MMPishd/Ws5:ti0aNvoHqs4L95X+cfx/HGC

    • Score

      1/10

    • Target

      KRNL-REBORN/autoexec.lnk

    • Size

      1KB

    • MD5

      4093f1e5a6222a64baf60a90e2b82cc3

    • SHA1

      e9b8175224ad7c715fa2f08b79dbf864597f33fe

    • SHA256

      b05e77d756a0970c0e8345ccc53b637b9f3926e788bbf5c1bbbb2bbff4d82348

    • SHA512

      594685509699d205845f2843853e5e6c5e8b3a2950f34e40fa9395584df257f891d5ff86120f53c077ff7346cd03907eb33913f25be5ca860e6272416cd70c23

    • Score

      3/10

    • Target

      KRNL-REBORN/krnl-reborn.dll

    • Size

      5.3MB

    • MD5

      e9921b7d3ff7044834e0c5998270cd0c

    • SHA1

      e30c5794dbc92578d5bbd23d095a4a256caf4912

    • SHA256

      c0e5c51445b189f8a17529ce8fce8d11ed7f99211e19684228fdd12366c458ab

    • SHA512

      8a9a83050fee7084caa606f5e26018d4ce4b0a7a10e481fcdd8b1eae6c7b459dbe633b5b4b03b91d49427481f9e03880a64418a7e52ad6c06d25de98692a028e

    • SSDEEP

      98304:QsK42Kx51uNmHTgZk74mqBjqSQWJuR7iGsMPD4nBx1GyePSByA5Pzm:Iwr154XBJQWaKSsnBv6a5Pz

    • Score

      3/10

    • Target

      KRNL-REBORN/krnlss_v102.exe

    • Size

      69.7MB

    • MD5

      41de5a1628d155a926bfcc83f75d896d

    • SHA1

      f3328b7cd2bd92a30b4288d2ac486d5fca95f6c7

    • SHA256

      31e271dbbf255b1f77f0bcaf5dcf901901b1cf0962ee23b86974d017e94bb9ab

    • SHA512

      4bfb66e6cbc42fed0be763222175229a9252f6494b7c6e587258ef0204b913997cd3dc0e6d1531f4b93a514859efce86cb4770df91a3f13c58cecd6aaec7ae5c

    • SSDEEP

      1572864:8BLX5WJoWbgWRSgkNOXWxtQSNdiIGsOX6ylfZJ0WuOD:aX5M3gbcKCwGnX3dz09E

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

    • Target

      KRNL-REBORN/workspace.lnk.lnk

    • Size

      1KB

    • MD5

      b24aa4c070dcbe2c4b4123f65e239724

    • SHA1

      5ac5fcaebbedea247a6fdc6905c6640d5b4c66f6

    • SHA256

      a1bb2847ca301059384d736f1e977c694b69f5dd32249298f09a781f560fccf7

    • SHA512

      11bbe6abb1f5e2375ddad981aaa8be1a05c83730afad2bb81ac87002153a3ff6a30bd1695343d6e08b16ea1a66cd943fd3215a233599c201183e1ab8b10869e9

    • Score

      3/10
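Several of the behaviours flagged for krnlss_v102.exe above (executing a dropped EXE, loading a dropped DLL, adding a Run key, enumerating processes with tasklist, hiding files) are recoverable from endpoint telemetry, but the dropped-file ones need correlation across events rather than a match on a single line. Added example, not from the sandbox or the project: the events below are constructed in the shape of Sysmon events (IDs 1, 7, 11, 13); the file paths, SID, and command lines are illustrative assumptions, not observations from this run. ATT&CK technique IDs are attached only where the mapping is unambiguous. "Checks computer location settings" and "Legitimate hosting services abused" are not covered, since Sysmon does not record registry reads and the report gives no network indicators.

```python
"""Correlate Sysmon-style endpoint events into the behaviours this report
lists for krnlss_v102.exe. Added example: all events are constructed."""
import re

SAMPLE = r"C:\Users\user\Desktop\KRNL-REBORN\krnlss_v102.exe"  # assumed path
DROP = r"C:\Users\user\AppData\Local\Temp\krnl"                # assumed drop dir

# Constructed events using Sysmon field names:
# 1 = process create, 7 = image load, 11 = file create, 13 = registry value set.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": DROP + r"\krnl-reborn.dll"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": DROP + r"\updater.exe"},
    {"EventID": 7, "Image": SAMPLE, "ImageLoaded": DROP + r"\krnl-reborn.dll"},
    {"EventID": 1, "Image": DROP + r"\updater.exe", "ParentImage": SAMPLE,
     "CommandLine": f'"{DROP}\\updater.exe"'},
    {"EventID": 13, "Image": SAMPLE, "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\krnl",
     "Details": DROP + r"\updater.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\tasklist.exe", "ParentImage": SAMPLE,
     "CommandLine": "tasklist"},
    {"EventID": 1, "Image": r"C:\Windows\System32\attrib.exe", "ParentImage": SAMPLE,
     "CommandLine": f'attrib +h +s "{DROP}"'},
    # Benign noise that must not fire: Explorer loading a system DLL and
    # writing an unrelated Explorer setting under CurrentVersion.
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

# Run and RunOnce keys under any hive prefix (HKU\<sid>\..., HKLM\...).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# attrib switches that set the hidden or system attribute.
HIDE_RE = re.compile(r"(^|\s)\+[hs]", re.I)


def triage(events):
    """Return (behaviour, ATT&CK technique or None, evidence) in event order.

    File-create events are remembered so that a later process start or image
    load of the same path can be reported as use of a dropped file."""
    dropped = set()  # lower-cased paths written by any process so far
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:
            dropped.add(ev["TargetFilename"].lower())
        elif eid == 7:
            if ev["ImageLoaded"].lower() in dropped:
                findings.append(("Loads dropped DLL", None, ev["ImageLoaded"]))
        elif eid == 1:
            image = ev["Image"]
            base = image.rsplit("\\", 1)[-1].lower()
            cmd = ev.get("CommandLine", "")
            if image.lower() in dropped:
                findings.append(("Executes dropped EXE", None, image))
            if base == "tasklist.exe":
                findings.append(("Enumerates processes with tasklist", "T1057", cmd))
            if base == "attrib.exe" and HIDE_RE.search(cmd):
                findings.append(("Hide Artifacts: Hidden Files and Directories",
                                 "T1564.001", cmd))
        elif eid == 13 and ev.get("EventType") == "SetValue":
            if RUN_KEY_RE.search(ev["TargetObject"]):
                findings.append(("Adds Run key to start application",
                                 "T1547.001", ev["TargetObject"]))
    return findings


if __name__ == "__main__":
    for behaviour, technique, evidence in triage(SAMPLE_EVENTS):
        print(f"{behaviour:48} {technique or '-':10} {evidence}")
```

The dropped-file set is keyed on the full lower-cased path, which is enough for this constructed run; on a real host, track the writing process too, so that a legitimate installer's files are not attributed to the sample.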

MITRE ATT&CK Enterprise v15

Tasks