General

  • Target

    20202f42027b64e33411b04085ef1b530d027eb3698082f4e5d0cd82495ebee7.exe

  • Size

    1.7MB

  • Sample

    250216-mztfnstjak

  • MD5

    d1161809cea5167bf7f6bf6b56c72090

  • SHA1

    bee6f57f252c31237fa6cf3aeff6ef7c6a816b0c

  • SHA256

    20202f42027b64e33411b04085ef1b530d027eb3698082f4e5d0cd82495ebee7

  • SHA512

    489b4ece26cbaf31683ca87ef883a6f092c576215aa9056483ec9732635877d28660f2db55d3cfebc1782a986f798ebded6bbc96f05410b175f013b0b7653312

  • SSDEEP

    24576:69SQXgnU56Gt4ULYVI8RGwvrK7/ckFLI78ch:KsnxUG

Malware Config

Targets

    • Blackshades

      Blackshades is a remote access trojan with various capabilities.

    • Blackshades family

    • Blackshades payload

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks