blackmoon | 4695fbf41abd54d1449d8da4a5976d50aec0499e3e2959e20686237d32db3114 | Triage

Submit
Reports

Overview

overview

Static

static

0ebfef7d60...7b.exe

windows7-x64

0ebfef7d60...7b.exe

windows10-2004-x64

Sharing

General

Target

0ebfef7d6059b82e87e05a54e80e5a7b.virus
Size

2.6MB
Sample

240916-yw6sdaxemh
MD5

0ebfef7d6059b82e87e05a54e80e5a7b
SHA1

3c1ab9c072625b9e08b72013967b04bd2e0cb69e
SHA256

4695fbf41abd54d1449d8da4a5976d50aec0499e3e2959e20686237d32db3114
SHA512

a695816e77c3d569ba861fab022035910858cf2db0e15dd2a58398c6f39394add35172ca209de1d0d02019f5f0a4f35beb8e3ea56c4e0c37cb645379d1d9e5c9
SSDEEP

24576:3bsATQUIP6braCWyv6BpHv+LOez9OulOcsV9DK2J2aBcpsam5RvikgJkf:3vbDCv+HOulOcQMYYsP5RviP6

Score

10^/10

blackmoon gh0strat mimikatz credential_access discovery evasion persistence rat trojan

Static task

static1

blackmoon gh0strat mimikatz

7 signatures

Behavioral task

behavioral1

Sample

0ebfef7d6059b82e87e05a54e80e5a7b.exe

Resource

win7-20240708-en

gh0strat mimikatz credential_access discovery evasion persistence rat trojan

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

0ebfef7d6059b82e87e05a54e80e5a7b.exe

Resource

win10v2004-20240802-en

gh0strat mimikatz credential_access discovery evasion persistence rat trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Targets

- Target
  
  0ebfef7d6059b82e87e05a54e80e5a7b.virus
- Size
  
  2.6MB
- MD5
  
  0ebfef7d6059b82e87e05a54e80e5a7b
- SHA1
  
  3c1ab9c072625b9e08b72013967b04bd2e0cb69e
- SHA256
  
  4695fbf41abd54d1449d8da4a5976d50aec0499e3e2959e20686237d32db3114
- SHA512
  
  a695816e77c3d569ba861fab022035910858cf2db0e15dd2a58398c6f39394add35172ca209de1d0d02019f5f0a4f35beb8e3ea56c4e0c37cb645379d1d9e5c9
- SSDEEP
  
  24576:3bsATQUIP6braCWyv6BpHv+LOez9OulOcsV9DK2J2aBcpsam5RvikgJkf:3vbDCv+HOulOcQMYYsP5RviP6
Score

10^/10

gh0strat mimikatz credential_access discovery evasion persistence rat trojan
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- UAC bypass
  evasion trojan
- OS Credential Dumping: LSASS Memory
  Malicious access to Credentials History.
  credential_access
- mimikatz is an open source tool to dump credentials on Windows
- Blocklisted process makes network request
- Server Software Component: Terminal Services DLL
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Server Software Component

Terminal Services DLL

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

OS Credential Dumping

LSASS Memory

Discovery

Network Service Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

blackmoongh0stratmimikatz

behavioral1

gh0stratmimikatzcredential_accessdiscoveryevasionpersistencerattrojan

behavioral2

gh0stratmimikatzcredential_accessdiscoveryevasionpersistencerattrojan

© 2018-2025

Terms | Privacy