Behavioral task: behavioral1
Sample: e11772eedc0cf9814fc153a69fcc83506073f98ee0b46a23aa139fa8b6d1fdc4.exe
Resource: win7-20230703-en
General
- Target: 11001782136.zip
- Size: 74KB
- MD5: 8e0f8a4851081362990ec5ab6600c73e
- SHA1: 1c9267985db3391d92687eeb6a31181d4f577670
- SHA256: 16d531f4f8ed1f7bc659261037d5d75ac45ee4eb0018200be3a49723c0d144c2
- SHA512: 72cf4ce049119b58a22a17ec4ef4d7946af39395171907b4fa65401702635e5bd2a4a01ba68b6e89bc882c03a36f19f19b8ea59dc276ae01b349ad52e0ded6cb
- SSDEEP: 1536:0yBVIbJx2+6ztODsP+6Gzg5m7BVzVoizSN9jFqpH5Gj6FyyJCI3gScu:dBWtxqztRP+62XBV2+STjUMuyyJ13vcu
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (1 IoCs)
  Processes:
  resource: static1/unpack001/e11772eedc0cf9814fc153a69fcc83506073f98ee0b46a23aa139fa8b6d1fdc4 | yara_rule: family_blackmoon
- Unsigned PE (1 IoCs): checks for a missing Authenticode signature.
  Processes:
  resource: unpack001/e11772eedc0cf9814fc153a69fcc83506073f98ee0b46a23aa139fa8b6d1fdc4
Files
- 11001782136.zip.zip (Password: infected)
- e11772eedc0cf9814fc153a69fcc83506073f98ee0b46a23aa139fa8b6d1fdc4.exe (windows x86) 9aa5e69a5af2ca0342d9296e41445546
Headers
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
Imports
kernel32
LocalFree
IsBadReadPtr
IsBadCodePtr
CreateDirectoryA
MoveFileA
RtlMoveMemory
CreateToolhelp32Snapshot
Process32First
CloseHandle
Process32Next
CreatePipe
WriteFile
CreateProcessA
WaitForSingleObject
GetExitCodeProcess
PeekNamedPipe
ReadFile
CreateWaitableTimerA
SetWaitableTimer
GetProcessHeap
GetModuleHandleA
ExitProcess
HeapAlloc
HeapReAlloc
HeapFree
GetTickCount
GetModuleFileNameA
CreateFileA
GetUserDefaultLCID
FindClose
FindNextFileA
DeleteFileA
RemoveDirectoryA
FindFirstFileA
GetCommandLineA
LocalAlloc
GetProcAddress
LoadLibraryA
LCMapStringA
GetCurrentThreadId
DeleteCriticalSection
GetFileType
GetStdHandle
SetHandleCount
GetEnvironmentStringsW
IsDebuggerPresent
lstrcatA
GetEnvironmentStrings
FreeEnvironmentStringsW
MultiByteToWideChar
WideCharToMultiByte
FlushFileBuffers
SetStdHandle
FreeEnvironmentStringsA
TlsSetValue
UnhandledExceptionFilter
TerminateProcess
RtlUnwind
GetVersion
GetStartupInfoA
GetCurrentProcess
GetLastError
GetVersionExA
GetWindowsDirectoryA
GetSystemDirectoryA
GetTempPathA
GetTempPathW
FreeLibrary
lstrlenW
TlsAlloc
SetLastError
TlsGetValue
GetEnvironmentVariableA
HeapDestroy
HeapCreate
VirtualFree
LCMapStringW
SetUnhandledExceptionFilter
SetFilePointer
GetStringTypeW
RaiseException
GetStringTypeA
InterlockedIncrement
InterlockedDecrement
GetOEMCP
GetACP
GetCPInfo
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
VirtualAlloc
user32
MsgWaitForMultipleObjects
MessageBoxA
wsprintfA
DispatchMessageA
TranslateMessage
GetMessageA
PeekMessageA
shell32
SHGetSpecialFolderPathW
SHGetSpecialFolderPathA
ole32
CoInitializeSecurity
CoInitialize
CLSIDFromProgID
OleRun
IIDFromString
CoCreateInstance
CoSetProxyBlanket
CoUninitialize
CLSIDFromString
ws2_32
inet_addr
iphlpapi
SendARP
oleaut32
VariantCopy
VariantTimeToSystemTime
VarR8FromCy
VarR8FromBool
LoadTypeLi
LHashValOfNameSys
RegisterTypeLi
SafeArrayCreate
VariantChangeType
VariantInit
SafeArrayAllocDescriptor
SafeArrayAllocData
SafeArrayDestroy
SysAllocString
VariantClear
SafeArrayGetDim
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayAccessData
SafeArrayUnaccessData
SafeArrayGetElemsize
SysFreeString
winhttp
WinHttpCloseHandle
WinHttpSetCredentials
WinHttpOpenRequest
WinHttpSetTimeouts
WinHttpOpen
WinHttpCrackUrl
WinHttpCheckPlatform
WinHttpSetOption
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpConnect
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpQueryHeaders
WinHttpAddRequestHeaders
wininet
InternetOpenA
HttpQueryInfoA
InternetReadFile
HttpSendRequestA
InternetSetOptionA
HttpOpenRequestA
InternetCloseHandle
InternetConnectA
shlwapi
PathFileExistsA
Sections
- .text  Size: 148KB - Virtual size: 145KB  Flags: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
- .rdata Size: 8KB - Virtual size: 6KB  Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
- .data  Size: 20KB - Virtual size: 98KB  Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
- .rsrc  Size: 4KB - Virtual size: 696B  Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ