General
Target: i4.msi.vir
Size: 414.8MB
Sample: 241122-fv4mhs1kgp
MD5: 5458ded6540ceaa02e7c1b74b38fa8ba
SHA1: 77f63bfb0c37b76005b9105e3544a63dd2240f77
SHA256: 7f7abbdbd82cc7e2142636e764b13547bd1e309221693a9e3d1ceab5299c0af6
SHA512: cac691c9c69e6db69e4e9d16a60aa9e01f2cf6f2fc7bafc15b9ba88d13dc0bcfb2f966e9e7b888aafa547cb49f2ca6df625fe555b6eb6d757e30aa601ea8feec
SSDEEP: 12582912:kGJfvUrxERbTpxS6bJSPeXi2ffucxlgJIerR:kGq9Mp9bJSWXi2fpxOIerR
Static task: static1
Behavioral task: behavioral1
Sample: i4.msi
Resource: win10v2004-20241007-en
Malware Config
Targets
Target: i4.msi.vir (414.8MB; the same file and hashes as listed under General)
- Blackmoon family (banking trojan, also tracked as KrBanker)
- Detect Blackmoon payload
- Blocklisted process makes network request
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR): bootkits write to the MBR to gain persistence at a level below the operating system.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Suspicious use of NtSetInformationThreadHideFromDebugger: calls NtSetInformationThread with the ThreadHideFromDebugger information class, which stops the calling thread from delivering debug events to an attached debugger; a common anti-debugging technique.
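The four behavioural signatures above (anti-debug thread flag, registry geo lookup, non-C: drive root access, raw write to sector 0) are straightforward to re-derive from an API trace. The block below is an added example, not part of this report or the sandbox's own rule set: it runs those checks over a constructed trace whose format (tab-separated pid, API name, key=value arguments, with Ret= for returned handles) is an assumption made here for illustration; real sandbox traces are richer, but the matching logic is the same.

```python
import re

# ThreadInformationClass value for ThreadHideFromDebugger (0x11), the class the
# NtSetInformationThread signature refers to.
THREAD_HIDE_FROM_DEBUGGER = 17
# Registry key holding the configured location; the GeoID lives in the "Nation" value.
GEO_KEY = r"HKEY_CURRENT_USER\Control Panel\International\Geo"
DRIVE_ROOT = re.compile(r"^([A-Za-z]):\\$")
PHYSICAL_DRIVE = re.compile(r"^\\\\\.\\PhysicalDrive\d+$", re.IGNORECASE)

# Constructed trace, NOT output from the i4.msi analysis: one API call per line,
# "<pid>\t<api>\t<key=value;...>". The handle/argument names are assumptions.
SAMPLE_TRACE = (
    "1234\tNtSetInformationThread\tThreadHandle=0xfffffffe;ThreadInformationClass=17;ThreadInformationLength=0\n"
    "1234\tRegOpenKeyExW\tKey=HKEY_CURRENT_USER\\Control Panel\\International\\Geo;Ret=0x0\n"
    "1234\tRegQueryValueExW\tKey=HKEY_CURRENT_USER\\Control Panel\\International\\Geo;Value=Nation;Ret=0x0\n"
    "1234\tCreateFileW\tPath=D:\\;Access=GENERIC_READ;Ret=0x1b8\n"
    "1234\tCreateFileW\tPath=E:\\;Access=GENERIC_READ;Ret=0x1bc\n"
    "1234\tCreateFileW\tPath=\\\\.\\PhysicalDrive0;Access=GENERIC_READ|GENERIC_WRITE;Ret=0x1c4\n"
    "1234\tSetFilePointerEx\tHandle=0x1c4;Distance=0;MoveMethod=FILE_BEGIN\n"
    "1234\tWriteFile\tHandle=0x1c4;Length=512\n"
    "5678\tCreateFileW\tPath=C:\\Users\\user\\Desktop\\notes.txt;Access=GENERIC_READ;Ret=0x2a0\n"
)


def parse_trace(text):
    """Return a list of (pid, api, args) tuples; args is a dict of the key=value fields."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, api, raw = line.split("\t", 2)
        args = dict(field.split("=", 1) for field in raw.split(";") if "=" in field)
        calls.append((int(pid), api, args))
    return calls


def hides_from_debugger(calls):
    """NtSetInformationThread(..., ThreadHideFromDebugger, ...) seen in any process."""
    return any(api == "NtSetInformationThread"
               and int(args.get("ThreadInformationClass", -1)) == THREAD_HIDE_FROM_DEBUGGER
               for _, api, args in calls)


def checks_location(calls):
    """Country-code lookup: a query of the Nation value under the Geo key."""
    return any(api.startswith("RegQueryValue")
               and args.get("Key", "").lower() == GEO_KEY.lower()
               and args.get("Value") == "Nation"
               for _, api, args in calls)


def enumerates_other_drives(calls):
    """Drive letters whose root path (e.g. D:\\) was opened, excluding C:."""
    drives = set()
    for _, api, args in calls:
        if api == "CreateFileW":
            m = DRIVE_ROOT.match(args.get("Path", ""))
            if m and m.group(1).upper() != "C":
                drives.add(m.group(1).upper())
    return sorted(drives)


def writes_mbr(calls):
    """\\\\.\\PhysicalDriveN opened for writing, then a >=512-byte write at offset 0 (sector 0 = MBR)."""
    position = {}  # (pid, handle) -> current file offset for raw-disk handles opened for write
    for pid, api, args in calls:
        key = (pid, args.get("Ret") if api == "CreateFileW" else args.get("Handle"))
        if api == "CreateFileW" and PHYSICAL_DRIVE.match(args.get("Path", "")) \
                and "GENERIC_WRITE" in args.get("Access", ""):
            position[key] = 0
        elif api == "SetFilePointerEx" and key in position:
            position[key] = int(args.get("Distance", "0"))
        elif api == "WriteFile" and key in position:
            if position[key] == 0 and int(args.get("Length", "0")) >= 512:
                return True
            position[key] += int(args.get("Length", "0"))
    return False


def run_signatures(trace_text):
    """Evaluate the four behavioural signatures over a trace; values are truthy on a hit."""
    calls = parse_trace(trace_text)
    return {
        "Suspicious use of NtSetInformationThreadHideFromDebugger": hides_from_debugger(calls),
        "Checks computer location settings": checks_location(calls),
        "Enumerates connected drives": enumerates_other_drives(calls),
        "Writes to the Master Boot Record (MBR)": writes_mbr(calls),
    }


if __name__ == "__main__":
    for name, hit in run_signatures(SAMPLE_TRACE).items():
        print(("HIT  " if hit else "     ") + name + ": " + str(hit))
```

The MBR check deliberately keys on the raw-disk handle and the write offset rather than on the path alone: opening \\.\PhysicalDrive0 for reading is common in legitimate software (disk tools, some installers), while a 512-byte write positioned at sector 0 is the distinguishing action.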
-
MITRE ATT&CK Enterprise v15
Persistence
- Event Triggered Execution: Installer Packages (T1546.016)
- Pre-OS Boot: Bootkit (T1542.003)
Defense Evasion
- Pre-OS Boot: Bootkit (T1542.003)
- System Binary Proxy Execution: Msiexec (T1218.007)
Credential Access
- Credentials from Password Stores: Credentials from Web Browsers (T1555.003)
- Unsecured Credentials: Credentials In Files (T1552.001)
Each technique above was matched by one signature.
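When the Bootkit technique (T1542.003) and the "Writes to the MBR" signature fire, the follow-up on a real host is to pull sector 0 of the affected disk and compare it with a known-good copy. The block below is an added example, not part of this report: it parses a 512-byte MBR (boot code, disk signature, partition table, 0x55AA signature) and reports what changed between a baseline and a current image. The two images it ships with are constructed in-script for illustration; on a live system the input is the first 512 bytes read from \\.\PhysicalDrive0 (Windows, administrator) or `dd if=/dev/sda bs=512 count=1` (Linux).

```python
import hashlib
import struct
import sys

MBR_SIZE = 512
BOOT_CODE_END = 440     # bytes 0..439 hold the boot code
DISK_SIG_OFF = 440      # 4-byte disk signature, followed by 2 unused bytes
PART_TABLE_OFF = 446    # four 16-byte partition entries
BOOT_SIG_OFF = 510      # 0x55 0xAA
# status, CHS start, type, CHS end, LBA start, sector count
PART_ENTRY = struct.Struct("<B3sB3sII")


def is_valid_mbr(sector):
    """Length and 0x55AA signature only; a bootkit keeps both, so this is a sanity check, not a verdict."""
    return len(sector) == MBR_SIZE and sector[BOOT_SIG_OFF:] == b"\x55\xAA"


def parse_mbr(sector):
    """Split an MBR into boot-code hash, disk signature and the non-empty partition entries."""
    if not is_valid_mbr(sector):
        raise ValueError("not a 512-byte sector with the 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = PART_ENTRY.unpack_from(
            sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        # GPT disks carry a protective MBR with a single type-0xEE entry; its boot code
        # is ignored by UEFI, so a change there matters less than on a BIOS/MBR disk.
        "protective_gpt": any(p["type"] == 0xEE for p in partitions),
    }


def compare_mbr(baseline, current):
    """Return a list of human-readable differences between two MBR images (empty if identical)."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("boot code modified")
    if b["disk_signature"] != c["disk_signature"]:
        findings.append("disk signature changed")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings


def build_mbr(boot_code, disk_sig, partitions):
    """Assemble a constructed MBR image for testing; real input is sector 0 read from the disk."""
    if len(boot_code) > BOOT_CODE_END:
        raise ValueError("boot code too long")
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        PART_ENTRY.pack_into(sector, PART_TABLE_OFF + 16 * i,
                             0x80 if bootable else 0x00, b"\xfe\xff\xff",
                             ptype, b"\xfe\xff\xff", lba, count)
    sector[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(sector)


# Constructed images (assumptions for this example): a typical real-mode prologue
# as the "clean" boot code, and a stub replacing it as the tampered one.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8") + b"\x90" * 16
TAMPERED_BOOT_CODE = bytes.fromhex("ebfe") + b"\x00" * 16
PARTITIONS = [(True, 0x07, 2048, 1_048_576)]   # one bootable NTFS partition at LBA 2048
BASELINE_MBR = build_mbr(CLEAN_BOOT_CODE, 0x1234ABCD, PARTITIONS)
TAMPERED_MBR = build_mbr(TAMPERED_BOOT_CODE, 0x1234ABCD, PARTITIONS)

if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: mbr_check.py baseline.bin current.bin
        baseline = open(sys.argv[1], "rb").read(MBR_SIZE)
        current = open(sys.argv[2], "rb").read(MBR_SIZE)
    else:
        baseline, current = BASELINE_MBR, TAMPERED_MBR
    print(parse_mbr(current))
    print(compare_mbr(baseline, current) or ["no differences"])
```

A bootkit typically leaves the partition table and disk signature untouched and only replaces the boot code (often stashing the original sector elsewhere on disk so the system still boots), so "boot code modified" with an unchanged partition table is the pattern to expect; a baseline from the same OS image, or a hash of the vendor's stock boot code, is what makes the comparison meaningful.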