blackmoon | 947897f1318cd1e03417c2e4699ac14c2d8b2e4fd7e51a5044fc2d5f8257e738

General

Target

947897f1318cd1e03417c2e4699ac14c2d8b2e4fd7e51a5044fc2d5f8257e738
Size

153KB
Sample

241227-fc3bqssjav
MD5

0dbc181e2d3c29cff307d69d70df4a80
SHA1

7a7ee57261356957fc9cd66d70771ba0b8609f83
SHA256

947897f1318cd1e03417c2e4699ac14c2d8b2e4fd7e51a5044fc2d5f8257e738
SHA512

cec7c14cb6000620bc31fed4bbc464bd553d091838ddba3b74972ed4f55630aa7d965c822db059bca52c62357e542db521659847892de6c238a4160812ef48e7
SSDEEP

3072:C5VK0lTSG9xoC+CQpiU5M8U3mjfv2JxhGtBx0N4w:d0T9xB+CUamjfvIxhGtB6N

Score

10^/10

Malware Config

Targets

- Target
  
  947897f1318cd1e03417c2e4699ac14c2d8b2e4fd7e51a5044fc2d5f8257e738
- Size
  
  153KB
- MD5
  
  0dbc181e2d3c29cff307d69d70df4a80
- SHA1
  
  7a7ee57261356957fc9cd66d70771ba0b8609f83
- SHA256
  
  947897f1318cd1e03417c2e4699ac14c2d8b2e4fd7e51a5044fc2d5f8257e738
- SHA512
  
  cec7c14cb6000620bc31fed4bbc464bd553d091838ddba3b74972ed4f55630aa7d965c822db059bca52c62357e542db521659847892de6c238a4160812ef48e7
- SSDEEP
  
  3072:C5VK0lTSG9xoC+CQpiU5M8U3mjfv2JxhGtBx0N4w:d0T9xB+CUamjfvIxhGtB6N
Score

10^/10

blackmoon gh0strat banker discovery rat trojan upx
- Blackmoon family
  blackmoon
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Gh0strat family
  gh0strat
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

1

T1046

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Blackmoon family

Blackmoon, KrBanker

Detect Blackmoon payload

Gh0st RAT payload

Gh0strat

Gh0strat family

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Unexpected DNS network traffic destination

Creates a large amount of network flows

Suspicious use of SetThreadContext

UPX packed file

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2