Overview

overview

10

Static

static

1

4a94cb3b86...dc.msi

windows7-x64

10

4a94cb3b86...dc.msi

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4a94cb3b8694baaa65d24769fcccf890c8dfd3a8ce2e187bed58b926563c1cdc.msi.vir

  • Size

    35.8MB

  • Sample

    241119-rgf5vawqcv

  • MD5

    09e49ede1ae81b8193683bdb8a74394c

  • SHA1

    f1ba4ab8c9f5cf3a6f4642e4e1e5f100bc50a939

  • SHA256

    4a94cb3b8694baaa65d24769fcccf890c8dfd3a8ce2e187bed58b926563c1cdc

  • SHA512

    11e4dbc34573c66de90b9a2785fd7b85c4931ce86bd2001bf86d7a5869835b3ebc7c2ed0cfee6731ec8acd58195470db46d43c5ea473e44e569ad1438e9164d5

  • SSDEEP

    786432:bMf7E/aq2GdHnewtdV5Kout5tyDQuA6xGbdu91PLu6Oimm/Kc5:bOA/aq7lnewtdVFK5tykoxYgDvmm/l5

Score
10/10
blackmoonbankerbootkitdiscoveryevasionexecutionpersistenceprivilege_escalationthemidatrojan

Malware Config

Targets

    • Target

      4a94cb3b8694baaa65d24769fcccf890c8dfd3a8ce2e187bed58b926563c1cdc.msi.vir

    • Size

      35.8MB

    • MD5

      09e49ede1ae81b8193683bdb8a74394c

    • SHA1

      f1ba4ab8c9f5cf3a6f4642e4e1e5f100bc50a939

    • SHA256

      4a94cb3b8694baaa65d24769fcccf890c8dfd3a8ce2e187bed58b926563c1cdc

    • SHA512

      11e4dbc34573c66de90b9a2785fd7b85c4931ce86bd2001bf86d7a5869835b3ebc7c2ed0cfee6731ec8acd58195470db46d43c5ea473e44e569ad1438e9164d5

    • SSDEEP

      786432:bMf7E/aq2GdHnewtdV5Kout5tyDQuA6xGbdu91PLu6Oimm/Kc5:bOA/aq7lnewtdVFK5tykoxYgDvmm/l5

    Score
    10/10
    blackmoonbankerbootkitdiscoveryevasionexecutionpersistenceprivilege_escalationtrojanthemida

    • Blackmoon family

      blackmoon

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

      trojanbankerblackmoon

    • Detect Blackmoon payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies Windows Firewall

      evasion

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

Installer Packages

1
T1546.016

Netsh Helper DLL

1
T1546.007

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

Installer Packages

1
T1546.016

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

System Binary Proxy Execution

1
T1218

Msiexec

1
T1218.007

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

8
T1012

System Information Discovery

8
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks