General

  • Target

    2f4ef25c8bc4b01ad37c1755f048edde0815b2e1fd5f8dcae54c09fc4cd23542.exe

  • Size

    1.6MB

  • Sample

    250216-x34qxswphz

  • MD5

    f55d6f1ce7a650e14d1559bd839f37a2

  • SHA1

    e0dbd9e4ea329e730d18b205f7f66a158d6ccce2

  • SHA256

    2f4ef25c8bc4b01ad37c1755f048edde0815b2e1fd5f8dcae54c09fc4cd23542

  • SHA512

    d35990c6286c82266d7b3e1920178788bd4c06f7ac9df5e3ca8ccfdb55c919b3d1973390671a836f17d84d3b121c84602f61745261cf743ebfc64d6c8ea43ed7

  • SSDEEP

    12288:avk//qKF76/OXpqSjnTf0clY9uWC+RMpk1OC7HmrWcmbQC5onsYiq:h1zltpu0iq

Malware Config

Targets

    • Target

      2f4ef25c8bc4b01ad37c1755f048edde0815b2e1fd5f8dcae54c09fc4cd23542.exe

    • Size

      1.6MB

    • MD5

      f55d6f1ce7a650e14d1559bd839f37a2

    • SHA1

      e0dbd9e4ea329e730d18b205f7f66a158d6ccce2

    • SHA256

      2f4ef25c8bc4b01ad37c1755f048edde0815b2e1fd5f8dcae54c09fc4cd23542

    • SHA512

      d35990c6286c82266d7b3e1920178788bd4c06f7ac9df5e3ca8ccfdb55c919b3d1973390671a836f17d84d3b121c84602f61745261cf743ebfc64d6c8ea43ed7

    • SSDEEP

      12288:avk//qKF76/OXpqSjnTf0clY9uWC+RMpk1OC7HmrWcmbQC5onsYiq:h1zltpu0iq

    • Blackshades

      Blackshades is a remote access trojan with various capabilities.

    • Blackshades family

    • Blackshades payload

    • Modifies firewall policy service

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks