blackmoon | c8f04dddb46183865f7f2fe2b9fb2747f2d13f5d9fea926c7e8b3491d039c826

Sharing

Copy URL Twitter E-mail

General

Target

c8f04dddb46183865f7f2fe2b9fb2747f2d13f5d9fea926c7e8b3491d039c826
Size

250KB
MD5

a98797796bbd7d7b804d06e59d35def4
SHA1

044f544ef2bf5e2bb463750624a05d422ed8eef5
SHA256

c8f04dddb46183865f7f2fe2b9fb2747f2d13f5d9fea926c7e8b3491d039c826
SHA512

72870479615276bab59ef3cff60a88f4db66310fd11826ecf5557f1e2687b99b429e979dbf0940a38c1ca4431970929e9150bcfa844b868a11980dcf93d6587c
SSDEEP

6144:Oop3GqvWfVGiJjODSd0XuLwvr/eR2fq4P+yvDmIB4:OoRGqvqnJjODSWXMwvr/7fq49Dm1

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

Files

c8f04dddb46183865f7f2fe2b9fb2747f2d13f5d9fea926c7e8b3491d039c826
.exe windows x86

d0dd453d9d5cbf4a67bbce243ffee067

Code Sign

55:21:db:26:ce:0c:b3:e4
Certificate

Issuer

CN=TrustAsia.com Code Signing CA,O=Dotsoft Technologies\, Inc.,C=CN

Not Before

01/03/2011, 01:07

Not After

01/03/2014, 01:07

Subject

CN=亚洲诚信数字签名测试证书,O=上海域联软件技术有限公司,L=上海市,ST=上海市,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

04
Certificate

Issuer

CN=TrustAsia.com Root CA,O=Dotsoft Technologies\, Inc.,C=CN

Not Before

15/02/2010, 16:37

Not After

15/02/2020, 16:37

Subject

CN=TrustAsia.com Code Signing CA,O=Dotsoft Technologies\, Inc.,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageTimeStamping
ExtKeyUsageOCSPSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

bb:5f:ec:2c:f9:63:b9:e3:24:25:e1:1a:83:9d:ce:4f:87:6f:a4:c2
Signer

Actual PE Digest

bb:5f:ec:2c:f9:63:b9:e3:24:25:e1:1a:83:9d:ce:4f:87:6f:a4:c2

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=亚洲诚信数字签名测试证书,O=上海域联软件技术有限公司,L=上海市,ST=上海市,C=CN

28/11/2022, 11:52
Valid: false

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

EnterCriticalSection
LeaveCriticalSection
GlobalAlloc
GlobalLock
GlobalUnlock
lstrcpyn
GlobalSize
GlobalFree
MultiByteToWideChar
lstrcpynA
CreatePipe
GetStartupInfoA
CreateProcessA
ReadFile
WriteFile
DeleteCriticalSection
SuspendThread
CreateFileMappingA
MapViewOfFile
UnmapViewOfFile
VirtualAlloc
CreateDirectoryA
MoveFileExA
RemoveDirectoryA
DeleteFileA
GetProcessHeap
GetModuleHandleA
ExitProcess
HeapAlloc
HeapReAlloc
HeapFree
IsBadReadPtr
GetTickCount
GetModuleFileNameA
CopyFileA
SetFileAttributesA
WaitForSingleObject
CreateFileA
GetFileSize
SetFilePointer
FindNextFileA
FindFirstFileA
FindClose
WideCharToMultiByte
GetUserDefaultLCID
GetLocalTime
GetCurrentDirectoryA
GetComputerNameA
LCMapStringA
FlushFileBuffers
SetStdHandle
IsBadCodePtr
SetUnhandledExceptionFilter
GetStringTypeW
GetStringTypeA
LoadLibraryA
GetOEMCP
GetACP
GetCPInfo
LCMapStringW
RaiseException
GetProcAddress
HeapCreate
HeapDestroy
GetEnvironmentVariableA
TlsGetValue
SetLastError
TlsAlloc
TlsSetValue
GetCurrentThreadId
GetFileType
GetStdHandle
SetHandleCount
GetEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsW
FreeEnvironmentStringsA
UnhandledExceptionFilter
RtlUnwind
InterlockedIncrement
InterlockedDecrement
GetVersion
GetSystemDirectoryA
GetWindowsDirectoryA
GetDiskFreeSpaceExA
GetLogicalDriveStringsA
GlobalMemoryStatus
ResumeThread
Sleep
InitializeCriticalSection
LocalSize
GetLastError
VirtualFree
GetQueuedCompletionStatus
CreateThread
CreateIoCompletionPort
GetTempPathA
TerminateProcess
OpenProcess
Module32First
CloseHandle
Process32Next
Process32First
CreateToolhelp32Snapshot
RtlMoveMemory
GetDiskFreeSpaceA
GetDriveTypeA
GetVersionExA
GetSystemInfo
GetCurrentProcessId
GetCommandLineA
GetCurrentProcess

user32

GetMessagePos
GetMessageA
TranslateMessage
DispatchMessageA
ShowWindowAsync
GetMessageTime
LoadIconA
LoadCursorA
RegisterClassExA
CreateWindowExA
SetWindowLongA
DefWindowProcA
SetTimer
GetForegroundWindow
EnumDisplaySettingsA
GetKeyState
keybd_event
mouse_event
SetCursorPos
GetDC
ReleaseDC
GetSystemMetrics
CloseClipboard
GetClipboardData
OpenClipboard
PeekMessageA
wsprintfA
MessageBoxA
BringWindowToTop
SendMessageA
IsWindow
GetWindowTextLengthA
GetWindowRect
PrintWindow
GetWindowTextA
GetAsyncKeyState
KillTimer
FindWindowExA

winmm

waveInStart
waveInGetNumDevs
mixerGetNumDevs
waveOutGetNumDevs
waveInOpen
waveInAddBuffer
waveInClose
waveInStop
waveInUnprepareHeader
waveInPrepareHeader

version

GetFileVersionInfoA
GetFileVersionInfoSizeA
VerQueryValueA

ws2_32

WSASocketA
gethostname
inet_ntoa
WSACleanup
gethostbyname
connect
htons
inet_addr
WSARecv
closesocket
WSAStartup
WSASend

shell32

SHGetPathFromIDList
ShellExecuteA
SHGetSpecialFolderLocation

advapi32

RegCloseKey
RegOpenKeyA
EnumServicesStatusExA
OpenSCManagerA
GetUserNameA
OpenServiceA
QueryServiceStatus
StartServiceA
CloseServiceHandle
ControlService
RegOpenKeyExA
RegEnumKeyExA
RegEnumValueA
RegDeleteValueA
RegDeleteKeyA
RegSetValueExA
RegCreateKeyExA
RegQueryValueExA

gdi32

CreateCompatibleDC
SelectObject
BitBlt
DeleteObject
DeleteDC
CreateCompatibleBitmap
GetObjectA
GetDIBits
CreateDIBSection

gdiplus

GdipDisposeImage
GdipSaveImageToStream
GdipCreateBitmapFromStream
GdiplusShutdown
GdiplusStartup

ole32

CLSIDFromString
CLSIDFromProgID
CoCreateInstance
OleRun
CoUninitialize
CoInitialize
GetHGlobalFromStream
CreateStreamOnHGlobal

avicap32

capGetDriverDescriptionA
capCreateCaptureWindowA

ntdll

NtShutdownSystem
RtlAdjustPrivilege

shlwapi

PathFileExistsA

oleaut32

SafeArrayGetElement
VariantClear
SysAllocString
SafeArrayCreate
VariantChangeType
SafeArrayGetDim
SafeArrayGetLBound
SafeArrayGetUBound
VariantInit
SafeArrayAccessData
SafeArrayUnaccessData
RegisterTypeLi
LoadTypeLi
LHashValOfNameSys
SafeArrayDestroy

Sections

.text
Size: 192KB - Virtual size: 188KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 32KB - Virtual size: 83KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

d0dd453d9d5cbf4a67bbce243ffee067

Code Sign

55:21:db:26:ce:0c:b3:e4Certificate

Extended Key Usages

Key Usages

04Certificate

Extended Key Usages

Key Usages

bb:5f:ec:2c:f9:63:b9:e3:24:25:e1:1a:83:9d:ce:4f:87:6f:a4:c2Signer

Signature Validations

Verification

28/11/2022, 11:52 Valid: false

Headers

File Characteristics

Imports

kernel32

user32

winmm

version

ws2_32

shell32

advapi32

gdi32

gdiplus

ole32

avicap32

ntdll

shlwapi

oleaut32

Sections

.text Size: 192KB - Virtual size: 188KB

.rdata Size: 12KB - Virtual size: 11KB

.data Size: 32KB - Virtual size: 83KB

.rsrc Size: 8KB - Virtual size: 5KB

55:21:db:26:ce:0c:b3:e4
Certificate

04
Certificate

bb:5f:ec:2c:f9:63:b9:e3:24:25:e1:1a:83:9d:ce:4f:87:6f:a4:c2
Signer

28/11/2022, 11:52
Valid: false

.text
Size: 192KB - Virtual size: 188KB

.rdata
Size: 12KB - Virtual size: 11KB

.data
Size: 32KB - Virtual size: 83KB

.rsrc
Size: 8KB - Virtual size: 5KB