blackmoon | 664fd170b1d07e372b3daa91aab78a8151d3f0b0361a2b3157b405314dd219a2

Resubmissions

20-04-2023 08:22

230420-j9jsfaae7s 10

27-03-2023 09:38

230327-lmbvescg32 10

Sharing

Copy URL

Twitter E-mail

General

Target

Malz.zip
Size

41.8MB
Sample

230420-j9jsfaae7s
MD5

72d76d00f0cfa5bcf976ad2f91c31219
SHA1

631f788057a9c0c9afa5adb3634cccf49134c707
SHA256

664fd170b1d07e372b3daa91aab78a8151d3f0b0361a2b3157b405314dd219a2
SHA512

d6c6afacd7bf9680545cbc306361b16f8f4d41326d3e67db8fdb7d0c771362e5833d2ec09b06f09401956c30c1921e31788c9a7029591e8950f9c25b21ed8326
SSDEEP

786432:yw31BOqBbfjzQ3HoRScthZa2BLXYXWl/efKwqKVVuiaohsBtSvVLUDMC2ygvWt+:ywDxT/Q3HnMZa2ZXYX0/efbl+E5UDM1z

Score

10^/10

Malware Config

Extracted

Family

xorddos

http://info1.3000uc.com/b/u.php

gh.dsaj2a1.org:2807

192.161.60.184:2807

www.yjgost.com:2807

http://aa.hostasa.org/game.rar

ns3.hostasa.org:3306

ns4.hostasa.org:3306

ns1.hostasa.org:3306

ns2.hostasa.org:3306

ns3.hostasa.org:3307

ns4.hostasa.org:3307

ns1.hostasa.org:3307

ns2.hostasa.org:3307

ns3.hostasa.org:3308

ns4.hostasa.org:3308

ns1.hostasa.org:3308

ns2.hostasa.org:3308

ns3.hostasa.org:3309

ns4.hostasa.org:3309

ns1.hostasa.org:3309

Attributes

crc_polynomial
EDB88320

xor.plain

Targets

- Target
  
  .sshdd
- Size
  
  647KB
- MD5
  
  33229183c1a701376ef15a0af4f9dc5b
- SHA1
  
  b6a981f7d1e3141bc99e448ca5ea88e4f973463c
- SHA256
  
  4e6eb417b5598ed171d383e6d6e3f1dc861438a52cfd869bbfaebabb8905f622
- SHA512
  
  af69aabf1cb1463cf425d23fdab57d43eca545c86211c4dd7d2a14d27803f461aebebbf2108df8033b16f208e26026f5c3ae3cc578d7d893ba5487e992fbe419
- SSDEEP
  
  12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonnp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mn6wvnDWXMN
Score

7^/10

persistence
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  persistence
- Modifies rc script
  Adding/modifying system rc scripts is a common persistence mechanism.
  persistence
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Write file to user bin folder
- Reads runtime system information
  Reads data from /proc virtual filesystem.
- Writes file to tmp directory
  Malware often drops required files in the /tmp directory.
behavioral1
- Target
  
  261664
- Size
  
  186KB
- MD5
  
  b754622e816fb2281402b86f75fa9ccf
- SHA1
  
  be1c9842f441500bd14b8ad9ac3a6cdac77ea47d
- SHA256
  
  d8c511b7a07df74df69fd91a435a7228f7ecad477c7b6b4d23bf6fb5b04cf77d
- SHA512
  
  d8057fe16bc35bc62b1998c67385ac79513ccfbf77cef68b5c73875910725b0ad886faf49b739576cbc3e795f8cf3416d729497e8e5cd7b47e8c78796405d925
- SSDEEP
  
  3072:ilEwSaKOao1hsD4lLsCH4aNSJReEK5BQ6SnJ43aCQiqse:iOwPi4Jp4RnCk6A5
Score

8^/10

persistence
- Modifies hosts file
  Adds to hosts file used for mapping hosts to IP addresses.
- Writes DNS configuration
  Writes data to DNS resolver config file.
- Modifies rc script
  Adding/modifying system rc scripts is a common persistence mechanism.
  persistence
- Reads runtime system information
  Reads data from /proc virtual filesystem.
behavioral2
- Target
  
  32
- Size
  
  10KB
- MD5
  
  a6345ddc1e04904f4c96933e1a59730f
- SHA1
  
  5451cf4a8bf5dfae0ca21781c2dce0a9db1d4194
- SHA256
  
  33671229bcfc0cdd0c789495575b5e20a39e077bf4f80a26783a7f0598a1d1d8
- SHA512
  
  facc8b2e3692f40cddd56846717af65831bbc239dc1c1496519446cd0cc107fa9e2cd756419d6033f36118f03448d009f728e373cccd2a83733ca2c64623485d
- SSDEEP
  
  192:MdU7fsvvarONq9HX6yHRN61oNAM62+CxBQ0a6NQCxQdJV:My7AKUqxKO61oN3+CxBQ0XFxy
Score

1^/10
behavioral3
- Target
  
  36000.exe
- Size
  
  416KB
- MD5
  
  51f00e56b4ef21e6b7d6685ca3fbad1a
- SHA1
  
  c145e5e23cd95de4c0b521f0eb7ded59ba0a381e
- SHA256
  
  4209035f042bcd79fe91997c8466cfdd890e740d8cb85b3076d7a5e79891f441
- SHA512
  
  69be029f0183cf3b425703467beee190bba49a3fe78cebd06e6c54c5ff550a6b9e18c704677a4587bef9ef83ffa5a38d6879717991fc3362d3686ab9f5cfb876
- SSDEEP
  
  6144:cXVDAhO3GzujrS6DfgSf2WPpx7MZyCwc9DMypdi8UAfndbeA0u9Adqhhs56EDL0C:YauGgSqntxwpTMf8TdIqAD4
Score

7^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral4 behavioral5
- Target
  
  64
- Size
  
  10KB
- MD5
  
  3ede781c8a49e64f8fe62c07e6bfda4b
- SHA1
  
  3c89dc70861685c609a8671ed1ceb452f9379779
- SHA256
  
  ade2e8a84482ff9ef0a15b471514f1c4370af1e8130b28c0bcd25382898c0b67
- SHA512
  
  e9aa8008683dea3c64a398fa38e8b85e2a86ae349e6571f81e8cf281731ac3d222b35b2bd47d4ff87fd702b221180f5b8b14495c7ffb8d96dd7a2840e93b918b
- SSDEEP
  
  192:V91LqTakK4wMaw1pWDnD5ZtpjkA6Ywt/anV6jeSXnrkLecAVgzBUi0vbuL8ZcAr0:YzwPeWP5Znj2IIdXnQLec/zKiOpcX
Score

8^/10
- Modifies hosts file
  Adds to hosts file used for mapping hosts to IP addresses.
- Writes DNS configuration
  Writes data to DNS resolver config file.
- Reads system network configuration
  Uses contents of /proc filesystem to enumerate network settings.
- Reads runtime system information
  Reads data from /proc virtual filesystem.
behavioral6
- Target
  
  GetPass.exe
- Size
  
  178KB
- MD5
  
  2e17ac792a4ae32ff5c9d751ab3a77e3
- SHA1
  
  d18d952b24110b83abd17e042f9deee679de6a1a
- SHA256
  
  e9cffb4773da2d46282aeafc6680e7aed8ff8537040a2a27d3c1ee3e3229d88e
- SHA512
  
  30144f1ad0b0967f29dc4628ef50485fff201234041fa4aba8fc55521ca10aa3b16f391c5c7332267438235985d9e703b6155c59b1c34f06dbb56ae0072899d9
- SSDEEP
  
  3072:EnPhSvw5JB9goXOO8Ua7o+NbUmW8NUCABqJ+iS5xqlIJPZrn1c2x45Y/32kls5xi:EnPhtfBLOn7vNbUmnWqJt4xqlIld1XxJ
Score

7^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral7 behavioral8
- Target
  
  NetSyst81.dll
- Size
  
  240KB
- MD5
  
  0b156ec492ea45d282cf823415ecaf12
- SHA1
  
  54ad711765e27f91a4d554e336e8a2bb04547f1d
- SHA256
  
  ac3b2cebb3f7a50fa237be97b07afa6f68be712e932f57074444e0c02e4d8342
- SHA512
  
  d29c4459ab65b42e5f31e0ecb2f077598cea177de1789fbc735e03089996f0891d9917b3c79573c2405302966f1d816a86b4698fca6891445866310871be2b60
- SSDEEP
  
  6144:SSGAi+a1Bsf81KVv19XAzKd4hDfYlY1wtNesuNrGq:SRAiP1Bsf84tJdK2Yi7GEq
Score

1^/10
behavioral10 behavioral9
- Target
  
  POP
- Size
  
  1.3MB
- MD5
  
  050f2541b0ff97734b066f33be89f53d
- SHA1
  
  a0ce2fa27c8ec790e62bf926560fe8c10956b737
- SHA256
  
  cb338967d877dff6129806568b7e201bba2b45da24943f1d5686d6b200670786
- SHA512
  
  8b78e89dcedb1fa9e505e94084295c8d9872ef02008fc074e9f266272e9243b0936150579d3b652ee1a87e3ecc18b6b34243115bafd1dfc2b9b46073f6f329e3
- SSDEEP
  
  24576:fAg0g+3YAqKbwt6Mleiv8x7HBruOmjqD0rV8T5KWs2/wgLg6Yvz1VVbBHpusVmMS:og01IAqHtZleikDuOGqYrVy5Kd2/hJYw
Score

1^/10
behavioral11
- Target
  
  SAY123
- Size
  
  551KB
- MD5
  
  a62bd401421253c27fc38aa8803f1451
- SHA1
  
  955d7153ae275b3b1cbef1f6d9fedf463de06e08
- SHA256
  
  977750a1f015f1ffa51edfeeae498a82e979b1644f70bec9170db96247c6e371
- SHA512
  
  9137448dde857b2f2b74fbd4488c6d00cc275da57d542d88a3b785d97257c232231fa13e792a124fef7cc5fcc36a18f7c82504944f3c3b324d3f3186ac09fe3b
- SSDEEP
  
  12288:/ocX0ds1H10GyzD9GCsQoD5umHxqKhHEwPTXdGFwMI:Qck61eGk9lzotuO1hHEwLHj
Score

5^/10
- Reads runtime system information
  Reads data from /proc virtual filesystem.
- Writes file to tmp directory
  Malware often drops required files in the /tmp directory.
behavioral12
- Target
  
  SAY456
- Size
  
  639KB
- MD5
  
  467771cc496a8764e143c772d3585072
- SHA1
  
  3233613081abf60ebd8bb04a97c9d9eeded025df
- SHA256
  
  c453e0d47de8106884381fcc0db2bf7927f714fc480fe31356809fff629c8a33
- SHA512
  
  c5cfad7c857a377850398df29190522bac911271bed4b2f6d17f91522173834f17daa38c53bdeb7c82796384aa21ea149abe18639425920003076095d69b7e0f
- SSDEEP
  
  12288:8Y62/fARweXwB5QXgn19w1k1a7s+95qXtPMZCLZZgyOQPAe5UyojTucN44XML:VdAywwBMgV1ux9cPM6LZJIu8N44o
Score

8^/10
- Writes DNS configuration
  Writes data to DNS resolver config file.
- Reads CPU attributes
- Reads system network configuration
  Uses contents of /proc filesystem to enumerate network settings.
- Reads runtime system information
  Reads data from /proc virtual filesystem.
- Writes file to tmp directory
  Malware often drops required files in the /tmp directory.
behavioral13
- Target
  
  TomDog_Result.html
- Size
  
  704B
- MD5
  
  ad877860d464ab42abdd05de03866bd1
- SHA1
  
  bd2487ccb213802ff8f40e9632342ecd45324ff8
- SHA256
  
  c3d3c1612ed44202eaa7c64b69b07774e522e0d9125faa2dde0ada217440735f
- SHA512
  
  df90395c677840859d12b68b6b97fa646e8fceba8acf1ede661460167c342c09660e09add14eb091fe442edc44cd2e4b81e1ac03cf49ab78659678264b4eb08b
Score

1^/10
behavioral14 behavioral15
- Target
  
  a06
- Size
  
  611KB
- MD5
  
  3c49b5160b981f06bd5242662f8d0a54
- SHA1
  
  c50933e1f8a194e608049839707d8d698dd5caa5
- SHA256
  
  c394440c56fdcda9739fbb966e9ac2eab9e11e2eeff0720eb4c850a05b33eefc
- SHA512
  
  d947f1ecfb10002bc05bb6d1786758dfecb9000b94140128ccc9a68bd3a032ccb7360f27a3f7f522df856b372691bde46792975f6ac82c6fa0218d38b0d8488e
- SSDEEP
  
  12288:UB1tATMVAqnf+ExxBHYpmA38X8LYkCW6Tikx6yB1/iGK4UlUuTh1AG:UB1BVpmExDYp38X8LYTWhkfNiGQl/91h
Score

9^/10

persistence
- Writes file to system bin folder
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  persistence
- Modifies init.d
  Adds/modifies system service, likely for persistence.
  persistence
- Modifies rc script
  Adding/modifying system rc scripts is a common persistence mechanism.
  persistence
- Write file to user bin folder
- Reads runtime system information
  Reads data from /proc virtual filesystem.
- Writes file to tmp directory
  Malware often drops required files in the /tmp directory.
behavioral16
- Target
  
  a07
- Size
  
  611KB
- MD5
  
  bcb6b83a4e6e20ffe0ce3c750360ddf5
- SHA1
  
  d88755b78834e87418aa3cb3bfee5de5c378bd2f
- SHA256
  
  61b0107a7a06ecbb8cc1d323967291d15450df7e8bab5d96c822a98c9399a521
- SHA512
  
  f3be44f45eb0c453192b0ddeb7d37f3335499b41b46cc3190e918ac2909f048b3857d2496ebd33fa79ddce4024a1b47a5e44867ff576c18eb998c7e4f87914ca
- SSDEEP
  
  12288:UB1tATMVAqnf+ExxBHYpmA38X8LYkCW6TiZx6yB1/iGK4UlUuTh1AG:UB1BVpmExDYp38X8LYTWhZfNiGQl/91h
Score

9^/10

persistence
- Writes file to system bin folder
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  persistence
- Modifies init.d
  Adds/modifies system service, likely for persistence.
  persistence
- Modifies rc script
  Adding/modifying system rc scripts is a common persistence mechanism.
  persistence
- Write file to user bin folder
- Reads runtime system information
  Reads data from /proc virtual filesystem.
- Writes file to tmp directory
  Malware often drops required files in the /tmp directory.
behavioral17
- Target
  
  a08
- Size
  
  611KB
- MD5
  
  a99c10cb9713770b9e7dda376cddee3a
- SHA1
  
  1f1dd4d74eba8949fb1d2316c13f77b3ffa96f98
- SHA256
  
  92a260d856e00056469fb26f5305a37f6ab443d735d1476281b053b10b3c4f86
- SHA512
  
  1d410a7259469a16a1599fb28cb7cd82813270a112055e4fbe28327735a2968affbfdcba0a2001d504919e5ef3b271f40c45da6291be9c5f97c278418b241b79
- SSDEEP
  
  12288:UB1tATMVAqnf+ExxBHYpmA38X8LYkCW6TiOx6yB1/iGK4UlUuTh1AG:UB1BVpmExDYp38X8LYTWhOfNiGQl/91h
Score

9^/10

persistence
- Writes file to system bin folder
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  persistence
- Modifies init.d
  Adds/modifies system service, likely for persistence.
  persistence
- Modifies rc script
  Adding/modifying system rc scripts is a common persistence mechanism.
  persistence
- Write file to user bin folder
- Reads runtime system information
  Reads data from /proc virtual filesystem.
- Writes file to tmp directory
  Malware often drops required files in the /tmp directory.
behavioral18
- Target
  
  a09
- Size
  
  611KB
- MD5
  
  d1b5b4b4b5a118e384c7ff487e14ac3f
- SHA1
  
  038b7e9406fe5cb0a0be8f95ac935923c6d83c28
- SHA256
  
  0a312a4154dcec2bc6ce1d3b51c037b122ace5848ec99c2b861ab6124addae9b
- SHA512
  
  20885f782beeca1712924d6dec7fa474fb2fa7f926d7cbdbdd5f7fa18f6a3ac2bcd5dbd771a80c13c3403cbad05f2cda86ffefdc8170d6cc0f0b4b01a5baec74
- SSDEEP
  
  12288:UB1tATMVAqnf+ExxBHYpmA38X8LYkCW6TiLx6yB1/iGK4UlUuTh1AG:UB1BVpmExDYp38X8LYTWhLfNiGQl/91h
Score

9^/10

persistence
- Writes file to system bin folder
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  persistence
- Modifies init.d
  Adds/modifies system service, likely for persistence.
  persistence
- Modifies rc script
  Adding/modifying system rc scripts is a common persistence mechanism.
  persistence
- Write file to user bin folder
- Reads runtime system information
  Reads data from /proc virtual filesystem.
- Writes file to tmp directory
  Malware often drops required files in the /tmp directory.
behavioral19
- Target
  
  a10
- Size
  
  611KB
- MD5
  
  83eea5625ca2affd3e841d3b374e88eb
- SHA1
  
  dca946f677a1be95fb3ef6adc950730b4736a405
- SHA256
  
  fd6060b963d1b5ca7a07b5a283ad99105298a6708e44d286440a506738a17e34
- SHA512
  
  a856a78004812a5aa75f52ecaa3690d5edfc98179b4c34f23434cd9d60e0a0ea7dc6e3ab30e311f7da088267de026552155c9a46cc3c3dda99544e67969e3a1c
- SSDEEP
  
  12288:UB1tATMVAqnf+ExxBHYpmA38X8LYkCW6Tipx6yB1/iGK4UlUuTh1AG:UB1BVpmExDYp38X8LYTWhpfNiGQl/91h
Score

9^/10

persistence
- Writes file to system bin folder
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  persistence
- Modifies init.d
  Adds/modifies system service, likely for persistence.
  persistence
- Modifies rc script
  Adding/modifying system rc scripts is a common persistence mechanism.
  persistence
- Write file to user bin folder
- Reads runtime system information
  Reads data from /proc virtual filesystem.
- Writes file to tmp directory
  Malware often drops required files in the /tmp directory.
behavioral20
- Target
  
  banner313.pl
- Size
  
  26KB
- MD5
  
  c9553c06f2118d8c7cf8d641e306b17f
- SHA1
  
  b262a8f0fd3a8317087b25d069f47bae39c8a8a9
- SHA256
  
  d5f918b0d11d5674727ef7b11ece8bb93e8845a23ce471f6e8c700a608c85e26
- SHA512
  
  c9133726c2f7e7a13d9fe6af1cdb49d5fd6804949c4c6f486b46c3e2b48c017b554957ed4a7c6669f5f5d1fd39dcf77b7616c01496e021642e7418756cbfb1b2
- SSDEEP
  
  384:8z9Yikph+AaZKmalkVQmjthmft1wVSE4ol6/c50Ilmu6ovAwfJ:s9nkph+0RkV/qPwVSvzIlOx+
Score

1^/10
behavioral21 behavioral22 behavioral23 behavioral24
- Target
  
  f.sh
- Size
  
  518B
- MD5
  
  cac62e5664152a357145747ba5dbe0a2
- SHA1
  
  8402c68d0b57b04eb19f52c18fc57edbe716f0da
- SHA256
  
  919bce738726efdfd08aa43552e095851c52c7452ef4c6c03d2b4c08cbceda76
- SHA512
  
  6e19b9dbf0e3cff0397c6cdf1774bdd08070b509be2520c32a3148daa0211cf74a728f2e163199e789d5bbead4f9cd246853483e65526ddef1b14a62bdb6d52f
Score

5^/10
- Writes file to tmp directory
  Malware often drops required files in the /tmp directory.
behavioral25 behavioral26 behavioral27 behavioral28
- Target
  
  g3m.pl
- Size
  
  9KB
- MD5
  
  2e455776b59e5005f5a0d8bf894d5577
- SHA1
  
  55dc947790e180564247d8573211dc413996a142
- SHA256
  
  f2585f17a1dc14c15de5ef5d7964c3d64a29825450ae76b8124448258f99b397
- SHA512
  
  3d4818d9e7444aadef5d634ff131ac658a087d6f52f045b15037ec49e03189325035fd815f31024436ea786ac64344386bf33319152b264bc99046d9fff89be2
- SSDEEP
  
  96:3N+3KCnHmzxq1eqRUSdC10Wpv84uip83Ik37xzni/YS2s/bCbeCbovm:s3Czxq1eFPGZ4oYMQYSNzCbeCbovm
Score

1^/10
behavioral29 behavioral30 behavioral31 behavioral32

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task

T1053

Defense Evasion

Hijack Execution Flow

T1574

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Dynamic Resolution

T1568

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Creates/modifies Cron job

Modifies rc script

Unexpected DNS network traffic destination

Write file to user bin folder

Reads runtime system information

Writes file to tmp directory

Modifies hosts file

Writes DNS configuration

Modifies rc script

Reads runtime system information

UPX packed file

Modifies hosts file

Writes DNS configuration

Reads system network configuration

Reads runtime system information

UPX packed file

Reads runtime system information

Writes file to tmp directory

Writes DNS configuration

Reads CPU attributes

Reads system network configuration

Reads runtime system information

Writes file to tmp directory

Writes file to system bin folder

Creates/modifies Cron job

Modifies init.d

Modifies rc script

Write file to user bin folder

Reads runtime system information

Writes file to tmp directory

Writes file to system bin folder

Creates/modifies Cron job

Modifies init.d

Modifies rc script

Write file to user bin folder

Reads runtime system information

Writes file to tmp directory

Writes file to system bin folder

Creates/modifies Cron job

Modifies init.d

Modifies rc script

Write file to user bin folder

Reads runtime system information

Writes file to tmp directory

Writes file to system bin folder

Creates/modifies Cron job

Modifies init.d

Modifies rc script

Write file to user bin folder

Reads runtime system information

Writes file to tmp directory

Writes file to system bin folder

Creates/modifies Cron job

Modifies init.d

Modifies rc script

Write file to user bin folder

Reads runtime system information

Writes file to tmp directory

Writes file to tmp directory

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12