blackmoon | 2c09c746897514f0415310731cc85bdc61817e653e8b30827a853331cba2dab4

Sharing

Copy URL Twitter E-mail

General

Target

2c09c746897514f0415310731cc85bdc61817e653e8b30827a853331cba2dab4
Size

536KB
MD5

c66e06625bab42cf224250f18d63b70f
SHA1

05059237dd275cbb62f6eb294bb6bc97f44cad95
SHA256

2c09c746897514f0415310731cc85bdc61817e653e8b30827a853331cba2dab4
SHA512

9e975743d1498a395a15d6720dcc52255771cd40c42345b60f4e813efd4095bede54bca6296fe022af9ded893bebde5ea9def0673bb7f163634394993f268e16
SSDEEP

6144:2E1Iqvom2PSZMPjhLfuonTO3Fxa+alVrmc2BwQ+nLnn/r59zLhKYj:2MIqvfdZMPdLhTO3Lalz8wQgnzLhKY

Score

10^/10

vmprotect blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
sample	vmprotect

Files

2c09c746897514f0415310731cc85bdc61817e653e8b30827a853331cba2dab4
.exe windows x86

6685b39a036e7bf5b5cb74c151a0d8fb

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

DuplicateHandle
FlushFileBuffers
LockFile
UnlockFile
SetEndOfFile
lstrcpynA
GetFullPathNameA
GetFileTime
LocalAlloc
InitializeCriticalSection
TlsAlloc
DeleteCriticalSection
GlobalHandle
LeaveCriticalSection
GlobalReAlloc
EnterCriticalSection
TlsSetValue
LocalReAlloc
TlsGetValue
SetErrorMode
GlobalFlags
GetCurrentDirectoryA
GlobalFindAtomA
GlobalAddAtomA
GlobalGetAtomNameA
GetProcessVersion
FileTimeToSystemTime
FileTimeToLocalFileTime
GetCPInfo
GetOEMCP
RtlUnwind
RaiseException
GetSystemTime
GetLocalTime
HeapSize
GetACP
GetStringTypeA
GetStringTypeW
LCMapStringW
GetEnvironmentVariableA
HeapDestroy
HeapCreate
VirtualFree
MulDiv
IsBadWritePtr
SetUnhandledExceptionFilter
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
IsBadCodePtr
IsValidLocale
IsValidCodePage
EnumSystemLocalesA
GetUserDefaultLCID
SetStdHandle
GetLocaleInfoW
CompareStringA
CompareStringW
SetEnvironmentVariableA
GetCurrentThreadId
LocalFree
WideCharToMultiByte
InterlockedDecrement
InterlockedIncrement
WinExec
lstrcatA
WriteProfileStringA
SetLastError
GetProfileStringA
CreateDirectoryA
GetSystemDirectoryA
EnumResourceNamesA
CopyFileA
Sleep
GetWindowsDirectoryA
GetTempPathA
GlobalMemoryStatus
Module32First
Module32Next
OpenProcess
InterlockedExchange
TerminateProcess
GetDriveTypeA
GetVolumeInformationA
GetLastError
GetFileSize
FindFirstFileA
GetFileAttributesA
SetFileAttributesA
RemoveDirectoryA
FindNextFileA
FindClose
DeleteFileA
MultiByteToWideChar
GlobalAlloc
LoadLibraryExA
FindResourceA
LoadResource
LockResource
SizeofResource
lstrcpyA
GlobalLock
GlobalSize
GlobalUnlock
GlobalFree
CreateToolhelp32Snapshot
Process32First
Process32Next
WriteFile
ReadFile
SetFilePointer
GetLocaleInfoA
GetSystemDefaultLangID
GetTimeZoneInformation
CreateFileA
DeviceIoControl
CloseHandle
lstrlenA
GetVersion
GetVersionExA
GetCurrentProcess
QueryPerformanceCounter
QueryPerformanceFrequency
TlsFree
UnhandledExceptionFilter
GlobalDeleteAtom
lstrcmpA
lstrcmpiA
VerLanguageNameA
LCMapStringA
LoadLibraryA
GetProcAddress
FreeLibrary
GetModuleFileNameA
GetCommandLineA
IsBadReadPtr
HeapFree
HeapReAlloc
HeapAlloc
ExitProcess
GetModuleHandleA
GetProcessHeap
RtlMoveMemory
VirtualAlloc
lstrcpyn
GetModuleHandleA
LoadLibraryA
LocalAlloc
LocalFree
GetModuleFileNameA
ExitProcess

user32

DrawTextA
TabbedTextOutA
ClientToScreen
GetMenuCheckMarkDimensions
GetMenuState
ModifyMenuA
SetMenuItemBitmaps
CheckMenuItem
EnableMenuItem
GetFocus
GetNextDlgTabItem
GetActiveWindow
GetKeyState
CallNextHookEx
SetWindowsHookExA
GetLastActivePopup
IsWindowEnabled
EnableWindow
PostMessageA
PostQuitMessage
WindowFromPoint
GetParent
GetWindow
PtInRect
IsWindowVisible
GetWindowLongA
EnumWindows
GetWindowTextA
FindWindowExA
IsRectEmpty
GetCursorPos
SetWindowLongA
GetDlgItem
ShowWindow
UpdateWindow
SystemParametersInfoA
ChangeDisplaySettingsA
EnumDisplaySettingsA
SendMessageTimeoutA
FindWindowA
GetWindowThreadProcessId
SetCursorPos
mouse_event
keybd_event
OpenClipboard
EmptyClipboard
LoadCursorA
CloseClipboard
GetClassNameA
IsWindow
SendMessageA
GrayStringA
GetWindowRect
ReleaseCapture
SetCapture
GetSystemMetrics
LoadImageA
VkKeyScanExA
GetDC
ReleaseDC
GetKeyboardLayout
SendDlgItemMessageA
GetMenuItemCount
SetWindowTextA
GetDlgCtrlID
LoadStringA
UnregisterClassA
EndDialog
SetActiveWindow
CreateDialogIndirectParamA
LoadBitmapA
DestroyWindow
GetKeyboardState
GetMenu
GetSubMenu
GetMenuItemID
CreateWindowExA
GetClassLongA
SetPropA
GetPropA
CallWindowProcA
RemovePropA
DefWindowProcA
GetMessageTime
GetMessagePos
GetForegroundWindow
SetForegroundWindow
RegisterWindowMessageA
IsIconic
GetWindowPlacement
SetFocus
SetWindowPos
IsDialogMessageA
LoadIconA
MapWindowPoints
GetSysColor
AdjustWindowRectEx
GetClientRect
CopyRect
GetTopWindow
GetCapture
WinHelpA
GetClassInfoA
UnhookWindowsHookEx
CharUpperA
DestroyMenu
GetDesktopWindow
GetSysColorBrush
SetClipboardData
PeekMessageA
GetMessageA
TranslateMessage
DispatchMessageA
wsprintfA
MessageBoxA
RegisterClassA

gdi32

GetStockObject
DeleteObject
ExtTextOutA
TextOutA
RectVisible
PtVisible
GetClipBox
ScaleWindowExtEx
SetWindowExtEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
SetMapMode
CreateBitmap
SelectPalette
RealizePalette
GetDIBits
CreateDCA
CreateCompatibleBitmap
GetPixel
GetDeviceCaps
RemoveFontResourceA
AddFontResourceA
EnumFontFamiliesExA
CreateCompatibleDC
SelectObject
BitBlt
DeleteDC
GetObjectA
SaveDC
RestoreDC
SetBkColor
SetTextColor
Escape

iphlpapi

GetAdaptersInfo
SendARP

shlwapi

PathAppendA
SHDeleteValueA
SHDeleteKeyA
PathFileExistsA

mpr

WNetOpenEnumA
WNetEnumResourceA
WNetCloseEnum
WNetCancelConnection2A
WNetAddConnection2A

winmm

mciSendStringA
waveOutGetDevCapsA
waveOutGetNumDevs

ws2_32

inet_addr
gethostbyname
gethostname
inet_ntoa
gethostbyaddr
WSACleanup
closesocket
connect
sendto
socket
WSAStartup
htons

version

GetFileVersionInfoA
VerQueryValueA
GetFileVersionInfoSizeA

comdlg32

GetFileTitleA
PrintDlgA

winspool.drv

EnumPrintersA
ClosePrinter
DocumentPropertiesA
OpenPrinterA
SetPrinterA
GetPrinterA

advapi32

RegCloseKey
OpenProcessToken
GetSidSubAuthority
GetSidSubAuthorityCount
GetSidIdentifierAuthority
AddAce
InitializeAcl
FreeSid
AllocateAndInitializeSid
RegGetKeySecurity
RegSetValueExA
RegCreateKeyExA
GetUserNameA
RegDeleteValueA
RegDeleteKeyA
RegCreateKeyA
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
RegQueryValueExA
RegOpenKeyA
RegEnumKeyA
RegQueryInfoKeyA
RegSetKeySecurity
GetLengthSid
CopySid
RegOpenKeyExA
GetTokenInformation

shell32

ShellExecuteA
SHChangeNotify
SHEmptyRecycleBinA
SHGetSpecialFolderPathA

comctl32

ord17

ole32

CoCreateInstance
CoCreateGuid

wininet

InternetCloseHandle
InternetOpenUrlA
InternetOpenA
InternetGetConnectedState
DeleteUrlCacheEntry
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA

Exports

Exports

�V��U[ۢ˱��kS[(M� ��M�wU�J ��t`b��l{A��L� �l]�� aMq�,�-��5�'UH<-w�3��)��u��'�J��Xp��`c�#�L�*��;/��u?p�G�:�~ �`/Y�q�T\�H��P� 6�.�CoD��|+�V�}� �p�$د(�� ⇟��\M5_z�nt��&Vt�2�=Ռ.1+TI}}�ʁ�"�3��˒��N��܏�6��e�Sl�8��rwZ�XZ5j28䙺~~��І�� ?ѓ�� 8��;�v��C�"�ʫ�qa/Qs4Ke'�׽�A �S��l�Y��2շN 1��@1*��߳�ڬ�m�c�gg�f4�-� ��l| ��H��mJɷG�.�n("��?d�r8��LN= ��i��+�:\!�@S��%�U��iz�1h��.7�f��g7���[�(��e��=ɻ[H�X(s�#qZ��d�Ώ��صʞ?p�Ê�π�K��GEoW��}��ga�2�i �;]p�8c�qX�L�?Y�Ep$B��:��n�&�\6Z�m o,�T1��D�=j*]�9n��p��g=G�`-�T�\)��_w�(��$�} �,1�֔�d�̼yb��~3R�O��V�y7 ��|6�k��j@e�L��'b��,��ܩOՠjg��<��i�Gh��U1B�� j�h��-��h2��S��u*u}��c9�|��g�3@וWT�{'ڞg�}p~|��Wpڝ��7��C�&��k�� ǒ1 ��~��#�6�]�n5��t��h:��"��þ�%�i��T�;��-*��49�q3�^o�7��Y�q��K�X��V�{غ˒��X� yzo[��L$��|�n��YTJH�N*r$��v��)]N�U�fR��\j��(�ù9 ��Y"֮=��Bբ`�)3U� T�ܲI�%s^��|�e�G �h��;�TXÆ�x�ƛw;b�[e��Z��#��+�M��/`JY�� M�� T6��%C�|;��=@1!$AU��>e�)] �N��1��!{|N�n�!��_�(� ͗h۩q��?vu$�f8e��̒@�wΧp�>9Fb�W7ɋK��i�p�K��4�ɼ �B=�+�b��ۘ&��˞��A�_��u�=� ?�rbYb��C@!��NM�1H��i1~�Rc�O$��=��x_,�w��ӘS @D]�yȉ��4&@ N��9{zg��~�)�ОT��,AN:�N3+�Q5��!1�=W�(t3��/�1�{�(g��{e��*�Q�˞��ӵ�Q x �A��A�lt� �7�ШP�4o�0qb�$�F�71xY�<��Ǡ~��B�C�҆�f��L��*Hݦ7Fޚ�a�3}�R��{R~D>}�1�ʢK�c�U|opj�fq~�P� g��k�%��iQT)��ڥT��'_Q�z��NP��Oޱ!�+ ^�}�΍v��ޓ{��9B�7>�*x 0�CB�d��M?��ص�c�`K_��,��m%��@-2��:G��kkfc�W��!�n�5�fd��2��eM=q��M��e�ǕQ�@c�6ӝ�Gf')�RNtS�ܓ�-��^��3a�0ո��B�FƗ�z��:a��Xh҄��}�rmI�.��8ʷ��~�pI`�Ġ��w�`D��돣�ӗ��.�� w�!Ρg`͗��Vf�LU��{E�՘Xp)�S��$��(��s'��C#^��:�2%�yt1P��ˎY�5jX�p��X�]�-��('��=��y�= @��mG��Q|��qb-�v��^�?�!�k��p^( 8 ��+o�b2�5��#M� O^,h#��I�P�)�>֜0�-��Y�!��0��"-R�<[J��Inw��P�S��R#��6l�l�-�lm�W �}�t��Ii-P��ع�ݽ,�;NJۑq)��樘\�y�q�1!�M��Y.�N�?ރ��t[��YK��څ��];��l��X�.B��{Y�:+�7�bw3�l��r��;q C�ɣn}��'�:�0"|��l`�.hgj��D�(~�6�gs{aRic��d ��Đ��;*�_vH� [�� Ƈ[zk��ˁvk��%��KX/ޠ/w�S o��+Y��e��"L��`Uü��[�*�:��뜺 �A�~$F]� /��a��̬��{��R��*ގ��պ�(Ǹ��ؓ]v��i��2�_�`�A�#z@դ� 0m��m�a@��g�Y7�M�U&I�M��KC��+Ӌ��(��9 0�gy[�k$U�Ճ��g�j��#(�S'�tQ��C��^�֪l�WZڥ�r��Ц� 6_��+�W1�_�U ��T=��J��쟻KH��t �ԅ"eƧ�6mܨ,_�Cbcۻt�$ �a��.?Y�o5@��Q�A ��EP�T7�@��7�� Yy/U�s��|�8o��BVs�9�I�L�lYl'�A��N�v�$��$��b0�u��|읮}��y��ϔ��cb?�HR��QgE��cBj�;��(��ޜ%�!p��&�V�=Q�?^V+�{x{1�Og6��͢�Z �=;a3��9��bx��èT8ǖb�0��:}��vlOq_R�\k9��(��Q#I?�}?��B��؞0��杲� ��Hٺ,@u�{��I��2ԁ��a7�<}]�#3��Z�ٗ4�a-��YxK�ܟ�"��:V��]��/��sRm7BC��Վk�U� ?Ā�-s�Y7Q��D4�� ٝ{�H��`��!*�i�Ӏ纲�g2��j-1ɰ��1Aס��Jq��HOo�U/k@��E�=%X�E�u��^~�,?��

Sections

.text
Size: 244KB - Virtual size: 240KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 44KB - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 160KB - Virtual size: 163KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: 20KB - Virtual size: 17KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE

.tls
Size: 4KB - Virtual size: 24B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp1
Size: 60KB - Virtual size: 56KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

6685b39a036e7bf5b5cb74c151a0d8fb

Headers

File Characteristics

Imports

kernel32

user32

gdi32

iphlpapi

shlwapi

mpr

winmm

ws2_32

version

comdlg32

winspool.drv

advapi32

shell32

comctl32

ole32

wininet

Exports

Exports

Sections

.text Size: 244KB - Virtual size: 240KB

.rdata Size: 44KB - Virtual size: 42KB

.data Size: 160KB - Virtual size: 163KB

.vmp0 Size: 20KB - Virtual size: 17KB

.tls Size: 4KB - Virtual size: 24B

.vmp1 Size: 60KB - Virtual size: 56KB

.text
Size: 244KB - Virtual size: 240KB

.rdata
Size: 44KB - Virtual size: 42KB

.data
Size: 160KB - Virtual size: 163KB

.vmp0
Size: 20KB - Virtual size: 17KB

.tls
Size: 4KB - Virtual size: 24B

.vmp1
Size: 60KB - Virtual size: 56KB