Overview

General
Target: KRNL-REBORN.zip
Size: 6.6MB
Sample: 240817-kj1tpszdjq
MD5: 7bccd4f9ffaec873718dd950ba24d5a7
SHA1: 68914941c4f83efaa21eb6e30bde64cebed8f4b6
SHA256: c81c82788950ed0c32e3c54d9f18dca2e537404f3bedbb332a61d3501826ad8f
SHA512: ed5a91c5e12d407f104181d9671b72b707ad373a169102959d5299757adc5932ffb2d1144f0a756e380f2f72722351ea9a8c1a0d97c4d6ce13f3d7b547b4e05a
SSDEEP: 196608:5Qspbuwip4dB/oKGY0FxZVkCwT55T4tpSKoBufT:5Qspbuw3gKGY0FjWM4J2T
Tasks

Static task: static1

Behavioral tasks (task: sample / analysis resource):
behavioral1: KRNL-REBORN/Bunifu_UI_v1.5.3.dll / win7-20240704-en
behavioral2: KRNL-REBORN/Bunifu_UI_v1.5.3.dll / win10v2004-20240802-en
behavioral3: KRNL-REBORN/ScintillaNET.dll / win7-20240704-en
behavioral4: KRNL-REBORN/ScintillaNET.dll / win10v2004-20240802-en
behavioral5: KRNL-REBORN/autoexec.lnk / win7-20240704-en
behavioral6: KRNL-REBORN/autoexec.lnk / win10v2004-20240802-en
behavioral7: KRNL-REBORN/krnl-reborn.dll / win7-20240705-en
behavioral8: KRNL-REBORN/krnl-reborn.dll / win10v2004-20240802-en
behavioral9: KRNL-REBORN/krnlss_v103.exe / win10v2004-20240802-en
behavioral10: KRNL-REBORN/workspace.lnk / win7-20240708-en
behavioral11: KRNL-REBORN/workspace.lnk / win10v2004-20240802-en
Malware Config
Targets
Target: KRNL-REBORN/Bunifu_UI_v1.5.3.dll
Size: 236KB
MD5: 2ecb51ab00c5f340380ecf849291dbcf
SHA1: 1a4dffbce2a4ce65495ed79eab42a4da3b660931
SHA256: f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf
SHA512: e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b
SSDEEP: 6144:SIQpxILDXGGMO7Ice9C5kQw2hWHcHTykhb:SIQpxILDXGGlET9n/cHG
Score: 1/10
Target: KRNL-REBORN/ScintillaNET.dll
Size: 1.3MB
MD5: 9166536c31f4e725e6befe85e2889a4b
SHA1: f0cd8253b7e64157d39a8dc5feb8cf7bda7e8dae
SHA256: ad0cc5a4d4a6aae06ee360339c851892b74b8a275ce89c1b48185672179f3163
SHA512: 113a7b77d2d557d135470787deead744d42f8292d853e2b55074e9cb3591fd045ffd10e5c81b5c15dde55861b806363568611e591ae25dcb31cf011da7e72562
SSDEEP: 24576:IJSShz305vgNF7/cOCPHPSVs4Eq+QTNX+cfQdS+2MMPishd/Ws5:ti0aNvoHqs4L95X+cfx/HGC
Score: 1/10
Target: KRNL-REBORN/autoexec.lnk
Size: 1KB
MD5: 4093f1e5a6222a64baf60a90e2b82cc3
SHA1: e9b8175224ad7c715fa2f08b79dbf864597f33fe
SHA256: b05e77d756a0970c0e8345ccc53b637b9f3926e788bbf5c1bbbb2bbff4d82348
SHA512: 594685509699d205845f2843853e5e6c5e8b3a2950f34e40fa9395584df257f891d5ff86120f53c077ff7346cd03907eb33913f25be5ca860e6272416cd70c23
Score: 3/10
Target: KRNL-REBORN/krnl-reborn.dll
Size: 5.3MB
MD5: e9921b7d3ff7044834e0c5998270cd0c
SHA1: e30c5794dbc92578d5bbd23d095a4a256caf4912
SHA256: c0e5c51445b189f8a17529ce8fce8d11ed7f99211e19684228fdd12366c458ab
SHA512: 8a9a83050fee7084caa606f5e26018d4ce4b0a7a10e481fcdd8b1eae6c7b459dbe633b5b4b03b91d49427481f9e03880a64418a7e52ad6c06d25de98692a028e
SSDEEP: 98304:QsK42Kx51uNmHTgZk74mqBjqSQWJuR7iGsMPD4nBx1GyePSByA5Pzm:Iwr154XBJQWaKSsnBv6a5Pz
Score: 3/10
Target: KRNL-REBORN/krnlss_v103.exe
Size: 172KB
MD5: 42e083508f6dbc52fce36b0822026b8f
SHA1: 336106238d1ea53cf3133ec65e2a38e0767ddde9
SHA256: 2f38bbeb717b7e3e9b5604d78ebad3f18918352aeec4d5e55bc4eb066fb1668f
SHA512: d2b7b46bb261a0d3111f2c3c6fefa6925de16d595138fda4adf60f4f60bae31903ca329eedd7b424e954d12145e8ae624d774faf819884161be6960bf7d3b2b0
SSDEEP: 3072:+MobR7ezAjLOZvmX1S5GWp1icKAArDZz4N9GhbkrNEklczT:jeR7eammOp0yN90QEH
Score: 8/10

Signatures:
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Event Triggered Execution: Component Object Model Hijacking. Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Blocklisted process makes network request
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
Target
KRNL-REBORN/workspace.lnk.lnk
-
Size
1KB
-
MD5
b24aa4c070dcbe2c4b4123f65e239724
-
SHA1
5ac5fcaebbedea247a6fdc6905c6640d5b4c66f6
-
SHA256
a1bb2847ca301059384d736f1e977c694b69f5dd32249298f09a781f560fccf7
-
SHA512
11bbe6abb1f5e2375ddad981aaa8be1a05c83730afad2bb81ac87002153a3ff6a30bd1695343d6e08b16ea1a66cd943fd3215a233599c201183e1ab8b10869e9
Score3/10 -
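The two persistence behaviours flagged for krnlss_v103.exe (a Run key entry and a COM object hijack) are what a responder would hunt for on a host that ran the archive's contents. The PowerShell below is an added hunt script, not part of the Triage report and not code from the sample: it enumerates Run/RunOnce values and per-user CLSID server registrations, flags entries that point into user-writable directories or that shadow a machine-wide HKLM registration, and compares the SHA256 of each autostart binary with the hashes listed in the target table above. The function names, the list of Run keys inspected and the user-writable path heuristic are the script's own assumptions; the report does not say which key or CLSID the sample writes, so the output is a list of leads to triage, not a verdict.

```powershell
# Added hunt script: not part of the Triage report or the sample. Checks a host
# for the two persistence mechanisms flagged for krnlss_v103.exe (Run key,
# COM hijack) and matches autostart binaries against the report's SHA256 list.
# Run in an elevated PowerShell for full HKLM coverage.

# SHA256 values copied from the target table of this report.
$KnownSha256 = @(
    '2f38bbeb717b7e3e9b5604d78ebad3f18918352aeec4d5e55bc4eb066fb1668f', # krnlss_v103.exe
    'c0e5c51445b189f8a17529ce8fce8d11ed7f99211e19684228fdd12366c458ab', # krnl-reborn.dll
    'ad0cc5a4d4a6aae06ee360339c851892b74b8a275ce89c1b48185672179f3163', # ScintillaNET.dll
    'f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf'  # Bunifu_UI_v1.5.3.dll
)

# Autostart locations to inspect (assumption: the usual Run/RunOnce keys; the
# report does not say which one the sample writes).
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Heuristic (assumption): binaries under these trees are writable without admin
# rights, which is where dropped payloads usually land.
$UserWritable = '\\(AppData|Temp|Users\\Public|ProgramData)\\'

# Extract the program path from a Run value such as "C:\x\y.exe" --flag or C:\x\y.exe.
function Get-ExePathFromCommand {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.(exe|dll|scr|bat|cmd|vbs|js|ps1))') { return $Matches[1] }
    return $null
}

function Find-RunKeyAutostarts {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSProvider etc. are not registry values
            $exe = Get-ExePathFromCommand ([string]$p.Value)
            $hash = $null
            if ($exe) {
                $exe = [Environment]::ExpandEnvironmentVariables($exe)
                if (Test-Path -LiteralPath $exe) {
                    $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash.ToLower()
                }
            }
            [pscustomobject]@{
                Key      = $key
                Name     = $p.Name
                Command  = $p.Value
                Sha256   = $hash
                KnownBad = [bool]($hash -and ($KnownSha256 -contains $hash))
                UserPath = [bool]($exe -and ($exe -match $UserWritable))
            }
        }
    }
}

# HKCR is HKCU\Software\Classes merged over HKLM\Software\Classes, with the user
# hive winning, so a per-user InprocServer32/LocalServer32 silently replaces the
# machine-wide server for that user: the COM hijacking the report flags.
function Find-ComHijackCandidates {
    $userClsid = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $userClsid)) { return }
    foreach ($clsidKey in (Get-ChildItem -Path $userClsid -ErrorAction SilentlyContinue)) {
        $clsid = $clsidKey.PSChildName
        foreach ($sub in 'InprocServer32', 'LocalServer32') {
            $serverKey = "$userClsid\$clsid\$sub"
            if (-not (Test-Path $serverKey)) { continue }
            $server = [string](Get-ItemProperty -Path $serverKey).'(default)'
            [pscustomobject]@{
                Clsid       = $clsid
                ServerType  = $sub
                Server      = $server
                ShadowsHKLM = [bool](Test-Path "HKLM:\Software\Classes\CLSID\$clsid\$sub")
                UserPath    = [bool]($server -match $UserWritable)
            }
        }
    }
}

$autostarts = @(Find-RunKeyAutostarts)
$comEntries = @(Find-ComHijackCandidates)

"Run-key autostarts: $($autostarts.Count) total, flagged entries below:"
$autostarts | Where-Object { $_.KnownBad -or $_.UserPath } |
    Format-Table Key, Name, Sha256, KnownBad, UserPath -AutoSize

"Per-user COM servers: $($comEntries.Count) total, flagged entries below:"
$comEntries | Where-Object { $_.ShadowsHKLM -or $_.UserPath } |
    Format-Table Clsid, ServerType, Server, ShadowsHKLM, UserPath -AutoSize
```

A per-user CLSID that also exists under HKLM is not proof of compromise on its own (some software legitimately registers per user), so treat ShadowsHKLM together with UserPath and the file hash; a hit on KnownBad is a direct match against this report and should be escalated.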
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Component Object Model Hijacking (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Component Object Model Hijacking (1)