General
-
Target
ef1050c92d8b2053fc88be90d527a7fb73e76a32b16cbdd8dcb2f429b6c4f037.exe
-
Size
5.0MB
-
Sample
241124-entcjatjf1
-
MD5
f45ef44f86e756b76afe151ef9c630f4
-
SHA1
de16feb362b62382590e21f723dba440721f4e6f
-
SHA256
ef1050c92d8b2053fc88be90d527a7fb73e76a32b16cbdd8dcb2f429b6c4f037
-
SHA512
773e1202d6164489096fec60f7e0d1b88fff8bcadc12df6a7011b896dffd43c2ffd2b5e377697ecab2fd52f978cc84fd950d76ff41bc797062833b7b3bbe2be0
-
SSDEEP
98304:mfgwpJXZdLmpdT2pVWLncQC0ofccWg1uMb3XmcTYmRKl8fgwpJXZdLmpdT2pVWLj:6HpzdwIWLYc41uaTZZHpzdwIWLYc41uD
Malware Config
Targets
-
-
Target
ef1050c92d8b2053fc88be90d527a7fb73e76a32b16cbdd8dcb2f429b6c4f037.exe
-
Size
5.0MB
-
MD5
f45ef44f86e756b76afe151ef9c630f4
-
SHA1
de16feb362b62382590e21f723dba440721f4e6f
-
SHA256
ef1050c92d8b2053fc88be90d527a7fb73e76a32b16cbdd8dcb2f429b6c4f037
-
SHA512
773e1202d6164489096fec60f7e0d1b88fff8bcadc12df6a7011b896dffd43c2ffd2b5e377697ecab2fd52f978cc84fd950d76ff41bc797062833b7b3bbe2be0
-
SSDEEP
98304:mfgwpJXZdLmpdT2pVWLncQC0ofccWg1uMb3XmcTYmRKl8fgwpJXZdLmpdT2pVWLj:6HpzdwIWLYc41uaTZZHpzdwIWLYc41uD
Score10/10-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload
-
Drops file in Drivers directory
-
Event Triggered Execution: Image File Execution Options Injection
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Loads dropped DLL
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Indicator Removal: Clear Persistence
Clear artifacts associated with previously established persistence like scheduletasks on a host.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Event Triggered Execution
1Image File Execution Options Injection
1Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Event Triggered Execution
1Image File Execution Options Injection
1Scheduled Task/Job
1Scheduled Task
1