blackmoon | f74feeb0d962353e9b6657757f269638[.]bin

Sharing

Copy URL Twitter E-mail

General

Target

f74feeb0d962353e9b6657757f269638.bin
Size

8.4MB
MD5

2918db99b9ac76e37c7876cebbc2a3d3
SHA1

d03af7810b0c2725cb6673f348e6ca8c24a5ef4c
SHA256

a305e7d249caec872af528e22b95f844d237c009c21673c4efee6b45e317780c
SHA512

1736e6099599262c95f5266925fdd1cb9f8650afb7f6cc25334e6b32298cf53321145da042bcea10f157197b358861328b232c2d8a34b4e3720330e82ab0dfac
SSDEEP

196608:QYY97R67FZ6VvyuJYx0ELPmA17aQhN+i6j7y6mmgxJwK0hzdY52Vj/GN:CaFZ6RPA5Qif/zwbhCApGN

Score

10^/10

miner blackmoon xmrig

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
static1/unpack001/5cca39e72a29f10aea0a60c2464259ca4d05534be1fc02ce6841f2d42d797a87.unknown	family_blackmoon

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
static1/unpack001/5cca39e72a29f10aea0a60c2464259ca4d05534be1fc02ce6841f2d42d797a87.unknown	xmrig

Xmrig family
xmrig

Files

f74feeb0d962353e9b6657757f269638.bin
.zip

Password: infected
5cca39e72a29f10aea0a60c2464259ca4d05534be1fc02ce6841f2d42d797a87.unknown
.exe windows

Password: infected

eb248eb1139039af28f5f2ad4ada1499

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

LeaveCriticalSection
GetModuleFileNameW
FreeLibrary
MultiByteToWideChar
SizeofResource
LoadResource
FindResourceW
LoadLibraryExW
GetModuleHandleW
CloseHandle
WaitForSingleObject
Sleep
EnterCriticalSection
CreateEventW
GetCurrentThreadId
SetEvent
GetCommandLineW
o5
o5
(
InterlockedDecrement
InterlockedIncrement
lstrcmpiW
GetLastError
DeleteCriticalSection
InitializeCriticalSection
RaiseException
CreateThread
lstrlenW
+r�
(/
(
_
r1
~M

,M�
3M
M

+6~M
o,

,(
0

�**
0

o(

o
K

r�
(
*{K

0
Q-s
o
o
(
(
t

user32

TranslateMessage
DispatchMessageW
GetMessageW
PostThreadMessageW
CharUpperW
CharNextW

RegQuerMZ�
RegSetValueExW
RegOpenKeyExW
RegCreateKeyExW
RegCloseKey
RegDeleteValueW
RegDeleteKeyW
�

s program cannot be run in DOS mode. $
be run in DOS mode. $
$

�

ord6
ord7
ord162
ord161
ord2
ord186
ord163
ord277

r`;$"

h
F��q&2Y\K+�/�w�� |��5�V,~��A8"iW'|��
�V,~��A8"iW'|��
h�쉟K�eO�1��a�S�+]+%�4��(PRޏ�2O�_��ϡ<�A�r`;$"
4��(PRޏ�2O�_��ϡ<�A�r`;$"

Sections

.text
Size: 56KB - Virtual size: 52KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.orpc
Size: 4KB - Virtual size: 539B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

eb248eb1139039af28f5f2ad4ada1499

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

�

r`;$"

Sections

.text Size: 56KB - Virtual size: 52KB

.orpc Size: 4KB - Virtual size: 539B

.rdata Size: 20KB - Virtual size: 18KB

.data Size: 8KB - Virtual size: 8KB

.rsrc Size: 8KB - Virtual size: 4KB

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 56KB - Virtual size: 52KB

.orpc
Size: 4KB - Virtual size: 539B

.rdata
Size: 20KB - Virtual size: 18KB

.data
Size: 8KB - Virtual size: 8KB

.rsrc
Size: 8KB - Virtual size: 4KB

.reloc
Size: 8KB - Virtual size: 7KB