General
-
Target
d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71
-
Size
45KB
-
Sample
240630-fs9qraxejj
-
MD5
3d3aedfaeaf39544ff74fe6fe4541fc2
-
SHA1
ad4135e142b3e9564d90d96eca0c21e17f0de542
-
SHA256
d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71
-
SHA512
703b057201b3b261225cca58799c05caa152c5643f7de012d9fb1aff523f35c7c1ac7d24d14bcd3fe67c51b33230d864063077b59e1264ca1da1eada443db581
-
SSDEEP
768:XQ7R4nqTvoV22QbyMhOk9w+wRGtVEhq8C5eIdp5b4Fk0v5za:w4nVV22Q+mO0wrwVEUdpaFjv5G
Behavioral task
behavioral1
Sample
d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71.exe
Resource
win10v2004-20240508-en
Malware Config
Targets
-
-
Target
d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71
-
Size
45KB
-
MD5
3d3aedfaeaf39544ff74fe6fe4541fc2
-
SHA1
ad4135e142b3e9564d90d96eca0c21e17f0de542
-
SHA256
d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71
-
SHA512
703b057201b3b261225cca58799c05caa152c5643f7de012d9fb1aff523f35c7c1ac7d24d14bcd3fe67c51b33230d864063077b59e1264ca1da1eada443db581
-
SSDEEP
768:XQ7R4nqTvoV22QbyMhOk9w+wRGtVEhq8C5eIdp5b4Fk0v5za:w4nVV22Q+mO0wrwVEUdpaFjv5G
-
Detect Blackmoon payload
-
Gh0st RAT payload
-
Boot or Logon Autostart Execution: Port Monitors
Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Server Software Component: Terminal Services DLL
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Creates a Windows Service
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Port Monitors
1Create or Modify System Process
1Windows Service
1Server Software Component
1Terminal Services DLL
1Event Triggered Execution
1Netsh Helper DLL
1