General

  • Target

    360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01_NeikiAnalytics.exe

  • Size

    36KB

  • Sample

    240701-e98dkszdlr

  • MD5

    5f500bf425159642df0533f6cc76ad70

  • SHA1

    5b0f9d99b7c10092fa3579eee44dd4ef30a2e18d

  • SHA256

    360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01

  • SHA512

    e11d34dca0d0d73a1cd40e91574cda0cb4a0f70c6b1032713b5e22560fec3cbb1c38bb9aa7ff6bb4f2762454dfa2bd18cf12add1d847ef14d255ac8a9703cf9e

  • SSDEEP

    768:+mfjwQzmBOYMZeQEDNpPv0c3q7QZJxhJkn4l11uy:+mjzm8vzsEZaJxhS4Buy

Malware Config

Targets

    • Target

      360664dbd5bb1fbc4493eee7bea66a97db20f7deabac57cbbeba455226ae5c01_NeikiAnalytics.exe

    • Blackmoon, KrBanker

      Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Server Software Component: Terminal Services DLL

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Unexpected DNS network traffic destination

      Network traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Create or Modify System Process (T1543): 1
  • Windows Service (T1543.003): 1
  • Server Software Component (T1505): 1
  • Terminal Services DLL (T1505.005): 1
  • Event Triggered Execution (T1546): 1
  • Netsh Helper DLL (T1546.007): 1

Privilege Escalation

  • Create or Modify System Process (T1543): 1
  • Windows Service (T1543.003): 1
  • Event Triggered Execution (T1546): 1
  • Netsh Helper DLL (T1546.007): 1

Defense Evasion

  • Impair Defenses (T1562): 1
  • Disable or Modify System Firewall (T1562.004): 1

Discovery

  • Network Service Discovery (T1046): 1
  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 2
Tasks