Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://gofile.io/d/...

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    https://gofile.io/d/myrNL2

  • Sample

    240919-typ57aybna

Score
10/10
ardamaxblackmoongh0stratxwormbankerdiscoveryexecutionkeyloggerpyinstallerratstealertrojanupx

Malware Config

Targets

    • Target

      https://gofile.io/d/myrNL2

    Score
    10/10
    ardamaxblackmoongh0stratxwormbankerdiscoveryexecutionkeyloggerpyinstallerratstealertrojanupx

    • Ardamax

      A keylogger first seen in 2013.

      keyloggerstealerardamax

    • Ardamax main executable

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

      trojanbankerblackmoon

    • Detect Blackmoon payload

    • Detect Xworm Payload

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

      execution

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Uses the VBS compiler for execution

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks