blackmoon | 84eb401b2fff7dd5e2d028021a4540e7172998b928b550ec19f320c395e70735

Sharing

Copy URL Twitter E-mail

General

Target

84eb401b2fff7dd5e2d028021a4540e7172998b928b550ec19f320c395e70735
Size

964KB
MD5

7833d691f83280e08d9e3c7ca76e11f5
SHA1

c34cee752c448672877155647e5f73d1a01f055e
SHA256

84eb401b2fff7dd5e2d028021a4540e7172998b928b550ec19f320c395e70735
SHA512

2d7ac1fc52ed41c7ab78cd696084566cfdd29f4d1704b9056d6d2824349dd3b2e7f8f5375a678598e176eca541e010e363f9b5d771e06decb475c8534e4df149
SSDEEP

24576:BzMaPRqEu8MsK3XbRNuU0wivRXr89R4GeEMGbVgtiJ:pHQobCVQe

Score

10^/10

oss_ak blackmoon joker

Malware Config

Extracted

Family

joker

http://xem.oss-cn-hangzhou.aliyuncs.com

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

Joker family
joker

detect oss ak 1 IoCs

oss ak information detected.

oss_ak

resource	yara_rule
sample	detect_ak_stuff

Files

84eb401b2fff7dd5e2d028021a4540e7172998b928b550ec19f320c395e70735
.exe windows x86

4f3725ef42d977f8b3b9f5df6ea4f910

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

HeapCreate
lstrlenW
lstrcmpW
lstrcmpiW
VirtualFree
WaitForSingleObject
lstrcpyn
CreateMutexA
ReleaseMutex
lstrcmpA
CreateTimerQueue
GetSystemTimeAsFileTime
GetLocalTime
CreateTimerQueueTimer
ChangeTimerQueueTimer
DeleteTimerQueueTimer
DeleteTimerQueueEx
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
lstrcpynA
GetModuleHandleA
ExitProcess
HeapReAlloc
IsBadReadPtr
GetModuleFileNameA
CreateDirectoryA
DeleteFileA
CreateProcessA
GetStartupInfoA
GetUserDefaultLCID
FormatMessageA
WriteFile
GetFileSize
GetPrivateProfileStringA
GetTickCount
Sleep
WritePrivateProfileStringA
SetFilePointer
GetCommandLineA
FreeLibrary
GetProcAddress
LoadLibraryA
LCMapStringA
CompareStringW
CompareStringA
GetLocaleInfoW
LCMapStringW
SetStdHandle
IsBadCodePtr
SetUnhandledExceptionFilter
GetStringTypeW
GetStringTypeA
GetOEMCP
GetACP
HeapDestroy
GetLocaleInfoA
IsValidCodePage
IsValidLocale
GetCPInfo
GetTimeZoneInformation
RaiseException
GetEnvironmentVariableA
TlsGetValue
SetLastError
TlsAlloc
TlsSetValue
GetFileType
GetStdHandle
SetHandleCount
GetEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsW
FreeEnvironmentStringsA
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
RtlUnwind
GetVersion
InterlockedCompareExchange
AreFileApisANSI
CreateFileW
CreateFileMappingA
CreateFileMappingW
CreateMutexW
DeleteFileW
RtlZeroMemory
InterlockedDecrement
InterlockedIncrement
GetLastError
lstrcatA
ReadFile
CloseHandle
GetFileSizeEx
CreateFileA
WideCharToMultiByte
lstrlenA
VirtualAlloc
RtlMoveMemory
GetCurrentThreadId
HeapFree
HeapAlloc
GetProcessHeap
LocalSize
CreateThread
GetModuleHandleW
MultiByteToWideChar
FlushFileBuffers
FormatMessageW
GetCurrentProcessId
GetDiskFreeSpaceA
GetDiskFreeSpaceW
GetFileAttributesA
GetFileAttributesW
GetFileAttributesExW
GetFullPathNameA
GetFullPathNameW
GetSystemInfo
GetSystemTime
GetTempPathA
GetTempPathW
GetVersionExA
HeapSize
SetEnvironmentVariableA
HeapValidate
LoadLibraryW
LocalFree
LockFile
LockFileEx
MapViewOfFile
QueryPerformanceCounter
SetEndOfFile
SystemTimeToFileTime
UnlockFile
UnlockFileEx
UnmapViewOfFile
Wow64RevertWow64FsRedirection
Wow64DisableWow64FsRedirection
GetTimeFormatA
EnumSystemLocalesA
GetDateFormatA

user32

IsZoomed
PtInRect
IsWindow
IsRectEmpty
SetWindowLongW
SetPropA
GetPropA
ScreenToClient
ReleaseCapture
GetWindowLongW
LoadCursorW
DefWindowProcA
GetWindowRect
OffsetRect
GetDC
ReleaseDC
InvalidateRect
RemovePropA
wvsprintfA
MessageBoxA
wsprintfA
MessageBeep
DispatchMessageA
GetMessageA
SystemParametersInfoW
CreateWindowExW
LoadIconW
PeekMessageA
SetFocus
GetFocus
EndPaint
IntersectRect
GetClientRect
BeginPaint
CallWindowProcW
GetMessageW
MapVirtualKeyA
CallNextHookEx
DispatchMessageW
TranslateMessage
SetCapture
RegisterClassExW
ShowWindow
DefWindowProcW
UpdateLayeredWindow
SetWindowsHookExW

gdi32

BitBlt
GetCurrentObject
GetObjectA
CreateCompatibleDC
DeleteDC
DeleteObject
SelectObject
CreateCompatibleBitmap

advapi32

CryptHashData
CryptCreateHash
CryptDestroyHash
CryptGetHashParam
CryptReleaseContext
CryptDecrypt
CryptDestroyKey
CryptEncrypt
CryptDeriveKey
CryptAcquireContextA

ole32

CoCreateInstance
CLSIDFromString
CLSIDFromProgID
OleRun
CreateStreamOnHGlobal
CoUninitialize
CoInitialize

oleaut32

SystemTimeToVariantTime
VariantTimeToSystemTime
SafeArrayDestroy
VariantClear
SysAllocString
SafeArrayCreate
VariantCopy
RegisterTypeLi
LHashValOfNameSys
VariantChangeType
VarR8FromBool
VarR8FromCy
SysFreeString
SafeArrayGetElemsize
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayGetDim
SafeArrayAllocData
SafeArrayAllocDescriptor
VariantInit
LoadTypeLi

gdiplus

GdipCreateFromHDC
GdipDeleteGraphics
GdipDisposeImage
GdipDrawImageRect
GdiplusStartup
GdipLoadImageFromStream
GdipGetImageDimension
GdiplusShutdown

iphlpapi

GetAdaptersInfo

shell32

ShellExecuteA

ws2_32

bind
htonl
closesocket
__WSAFDIsSet
select
connect
listen
htons
WSASetLastError
gethostbyname
inet_addr
recv
WSAGetLastError
accept
send
WSACleanup
WSAStartup
setsockopt
getpeername
getsockname
inet_ntoa
ntohs
recvfrom
sendto
socket

shlwapi

StrToIntW
StrToIntExW
PathFileExistsA

wininet

InternetQueryOptionA
InternetWriteFile
HttpEndRequestA
InternetReadFile
InternetOpenA
InternetConnectA
HttpOpenRequestA
InternetSetOptionA
InternetSetCookieA
HttpQueryInfoA
InternetCloseHandle
HttpSendRequestExA

comdlg32

GetOpenFileNameW
GetSaveFileNameA

imm32

ImmReleaseContext
ImmSetCompositionWindow
ImmGetContext
ImmSetCandidateWindow

Sections

.text
Size: 844KB - Virtual size: 843KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 68KB - Virtual size: 131KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Extracted

Signatures

Files

4f3725ef42d977f8b3b9f5df6ea4f910

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

ole32

oleaut32

gdiplus

iphlpapi

shell32

ws2_32

shlwapi

wininet

comdlg32

imm32

Sections

.text Size: 844KB - Virtual size: 843KB

.rdata Size: 28KB - Virtual size: 24KB

.data Size: 68KB - Virtual size: 131KB

.rsrc Size: 20KB - Virtual size: 18KB

.text
Size: 844KB - Virtual size: 843KB

.rdata
Size: 28KB - Virtual size: 24KB

.data
Size: 68KB - Virtual size: 131KB

.rsrc
Size: 20KB - Virtual size: 18KB