blackmoon | tmp

Sharing

Copy URL

Twitter E-mail

General

Target

tmp
Size

7.3MB
MD5

d3bf474de7039be1758918653d179d54
SHA1

49b3c66dd93ba512e3dc423339d77a15b79efc05
SHA256

81061ca8835f361cb6554ce48c1dac634e40486b3d9b36dc00448f40dc0a9a7c
SHA512

8ba871edf781bd3ea6f27dc43e5a783b6475874d34438a364d80d9dfcda1faa8271a3e15d22de2159354fca0bafff7e4ce9443210cfce83fb254b528e688ee00
SSDEEP

196608:EiNibKiPyg8KD0fJHPcgAL9fvbmEB5Rxg0nb:EiwPp0xHPahvbbrb

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon
Detect Blackmoon payload 1 IoCs

Processes:

resource yara_rule

sample family_blackmoon
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

tmp

resource	yara_rule
sample	family_blackmoon

resource
tmp

Files

tmp
.exe windows x86

2d86806f5d90dcc4c25b51eba8047115

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CreateToolhelp32Snapshot
Module32Next
GlobalMemoryStatusEx
GetDiskFreeSpaceExA
CreateFileA
Process32First
Process32Next
GetCurrentProcessId
OpenFileMappingA
CreateFileMappingA
MapViewOfFile
UnmapViewOfFile
CreateWaitableTimerA
SetWaitableTimer
CreateMutexA
OpenEventA
CreateEventA
GetModuleHandleA
GetProcAddress
Wow64DisableWow64FsRedirection
LoadLibraryA
Wow64RevertWow64FsRedirection
CreateDirectoryA
MoveFileA
RtlMoveMemory
FreeLibrary
lstrcpynA
GetProcessHeap
ExitProcess
HeapAlloc
HeapReAlloc
HeapFree
IsBadReadPtr
Sleep
WriteFile
GetStdHandle
ReadConsoleA
SetFileAttributesA
GetTickCount
GetFileAttributesA
FindNextFileA
DeleteFileA
RemoveDirectoryA
FindFirstFileA
GetCommandLineA
GetModuleFileNameA
LCMapStringA
GetConsoleMode
SetConsoleMode
ReadConsoleInputA
VirtualProtect
VirtualFree
VirtualAlloc
IsDebuggerPresent
FlushFileBuffers
SetStdHandle
IsBadCodePtr
SetUnhandledExceptionFilter
GetStringTypeW
GetStringTypeA
GetOEMCP
GetACP
GetCPInfo
LCMapStringW
SetFilePointer
RaiseException
IsBadWritePtr
CloseHandle
FindClose
CreateThread
GetTempPathA
GetSystemDirectoryA
GetWindowsDirectoryA
GetVersionExA
GetLastError
GetCurrentProcess
MultiByteToWideChar
WideCharToMultiByte
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
GetVersion
RtlUnwind
InterlockedDecrement
InterlockedIncrement
TerminateProcess
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetFileType
GetStartupInfoA
GetCurrentThreadId
TlsSetValue
TlsAlloc
SetLastError
TlsGetValue
GetEnvironmentVariableA
HeapDestroy
HeapCreate

user32

IsWindowVisible
GetWindowTextA
GetClassNameA
CreateWindowStationA
GetWindowThreadProcessId
FindWindowA
GetClientRect
PeekMessageA
GetMessageA
TranslateMessage
DispatchMessageA
wsprintfA
MessageBoxA
GetAsyncKeyState
ClientToScreen
IsWindow

shell32

ShellExecuteA
SHGetSpecialFolderPathA

ws2_32

getsockname
ntohs
WSAAsyncSelect
gethostbyname
WSACleanup
inet_addr
connect
send
select
recv
WSAStartup
closesocket
socket
htons

shlwapi

PathFileExistsA

Sections

.text
Size: 312KB - Virtual size: 311KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7.0MB - Virtual size: 7.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

2d86806f5d90dcc4c25b51eba8047115

Headers

File Characteristics

Imports

kernel32

user32

shell32

ws2_32

shlwapi

Sections

.text Size: 312KB - Virtual size: 311KB

.rdata Size: 12KB - Virtual size: 8KB

.data Size: 7.0MB - Virtual size: 7.0MB

.text
Size: 312KB - Virtual size: 311KB

.rdata
Size: 12KB - Virtual size: 8KB

.data
Size: 7.0MB - Virtual size: 7.0MB