blackmoon | b1f1527469e16b5e5a0d2a40d428d7c15a6805ca2c1eeb8a21df28e66a2e187b

Sharing

Copy URL Twitter E-mail

General

Target

b1f1527469e16b5e5a0d2a40d428d7c15a6805ca2c1eeb8a21df28e66a2e187b
Size

5.7MB
MD5

2bb4a66ad0be270225aa2f073de8744c
SHA1

e84fd94f9d08e45655ae55d61d4b9342df2e3d93
SHA256

b1f1527469e16b5e5a0d2a40d428d7c15a6805ca2c1eeb8a21df28e66a2e187b
SHA512

6db80568357976e211cc3f49e683804ab6097abeee2313c42eeba64c2fe93fd62c434bcb036fb679473867dbf6f0dd8780113285d67bdc9725d8aa6d586bab14
SSDEEP

98304:9l3RnKrsi2WPjSxbZa56hfPvdjxrFodXe:fRn02WPL56BDC

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
b1f1527469e16b5e5a0d2a40d428d7c15a6805ca2c1eeb8a21df28e66a2e187b

Files

b1f1527469e16b5e5a0d2a40d428d7c15a6805ca2c1eeb8a21df28e66a2e187b
.exe windows x86

b4e35465df263bb48b046653b6a1145f

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

IsDebuggerPresent
MultiByteToWideChar
IsBadReadPtr
IsBadCodePtr
lstrlenW
WideCharToMultiByte
lstrcpyn
FindFirstFileW
FindClose
lstrlenA
CreateWaitableTimerA
SetWaitableTimer
QueryDosDeviceW
GetLocaleInfoA
GetDateFormatA
GetTimeFormatA
GetLocalTime
CreateMutexA
HeapReAlloc
ReleaseMutex
TerminateProcess
GetLogicalDriveStringsA
QueryDosDeviceA
VirtualQueryEx
ReadProcessMemory
VirtualFreeEx
VirtualProtect
GetProcessId
Module32First
Thread32First
Thread32Next
OpenThread
GlobalFree
lstrcpynA
FreeLibrary
HeapDestroy
RtlZeroMemory
HeapCreate
lstrcmpW
GetTempPathW
GetSystemDirectoryA
GlobalUnlock
GlobalSize
CreateEventA
GetSystemInfo
GetModuleHandleA
ExitProcess
GetProcAddress
WriteFile
CreateFileA
GetModuleFileNameA
ReadFile
GetFileSize
CreateDirectoryA
WritePrivateProfileStringA
GetUserDefaultLCID
GlobalLock
GlobalAlloc
FormatMessageA
GetTickCount
SetFilePointer
CreateProcessA
GetStartupInfoA
GetPrivateProfileStringA
FindNextFileA
FindFirstFileA
Sleep
DeleteFileA
GetEnvironmentVariableA
LCMapStringA
GetCommandLineA
LoadLibraryA
VirtualFree
InitializeCriticalSection
LeaveCriticalSection
CreateThread
VirtualAlloc
WriteProcessMemory
GetCurrentProcessId
CopyFileA
InterlockedCompareExchange
AreFileApisANSI
CreateFileW
CreateFileMappingW
CreateMutexW
DeleteFileW
FormatMessageW
GetDiskFreeSpaceA
GetDiskFreeSpaceW
GetFileAttributesA
GetFileAttributesW
GetFileAttributesExW
GetFullPathNameA
GetFullPathNameW
GetSystemTime
GetSystemTimeAsFileTime
GetTempPathA
HeapSize
HeapValidate
LoadLibraryW
LockFile
LockFileEx
SetEndOfFile
SystemTimeToFileTime
UnlockFile
UnlockFileEx
FlushFileBuffers
SetStdHandle
LCMapStringW
SetUnhandledExceptionFilter
InterlockedIncrement
InterlockedDecrement
GetStringTypeW
GetStringTypeA
GetOEMCP
GetACP
GetCPInfo
RaiseException
IsBadWritePtr
GetVersionExA
GetEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsW
FreeEnvironmentStringsA
DeleteCriticalSection
GetFileType
GetStdHandle
SetHandleCount
GetLastError
TlsGetValue
SetLastError
TlsFree
TlsAlloc
TlsSetValue
GetCurrentThreadId
RtlUnwind
GetVersion
CreateFileMappingA
UnmapViewOfFile
MapViewOfFile
OpenFileMappingA
TerminateThread
GetExitCodeThread
GetComputerNameA
GetWindowsDirectoryA
GetVolumeInformationA
DeviceIoControl
QueryPerformanceFrequency
QueryPerformanceCounter
WaitForSingleObject
CreateRemoteThread
RtlMoveMemory
Process32Next
Process32First
CreateToolhelp32Snapshot
HeapFree
HeapAlloc
GetProcessHeap
CloseHandle
LocalFree
LocalAlloc
OpenProcess
EnterCriticalSection
GetCurrentProcess

advapi32

RegCloseKey
RegOpenKeyA
RegQueryValueExA

oleaut32

SystemTimeToVariantTime
VariantInit
SafeArrayAllocDescriptor
SafeArrayAllocData
SafeArrayGetDim
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayAccessData
SafeArrayUnaccessData
SysFreeString
VariantTimeToSystemTime
SafeArrayDestroy
VariantClear
SysAllocString
SafeArrayCreate
SafeArrayGetElemsize
VarR8FromCy
VariantChangeType
LoadTypeLi
LHashValOfNameSys
RegisterTypeLi
VariantCopy
VarR8FromBool

user32

SetWindowPos
SwitchToThisWindow
IsZoomed
GetWindowDC
ReleaseDC
GetDlgItem
ChildWindowFromPointEx
GetDC
SetActiveWindow
WindowFromPoint
GetMenuBarInfo
FindWindowExA
GetAncestor
GetWindowRect
RedrawWindow
EnableMenuItem
IsWindowEnabled
ShowWindow
IsIconic
MessageBoxA
MsgWaitForMultipleObjects
GetWindowInfo
EnumWindows
GetWindowThreadProcessId
GetWindowTextLengthW
GetWindowTextW
GetClassNameA
IsWindowVisible
ShowWindowAsync
SendMessageA
IsWindow
SetWindowTextA
RegisterRawInputDevices
GetRawInputData
GetCursorInfo
CallWindowProcA
PeekMessageA
TranslateMessage
GetSystemMetrics
GetCursorPos
OpenClipboard
EmptyClipboard
SetClipboardData
CloseClipboard
GetMessageA
wsprintfA
FillRect
WindowFromDC
EnumDisplaySettingsA
DrawIcon
UnhookWinEvent
SetWinEventHook
GetAsyncKeyState
SendInput
RegisterWindowMessageA
SetWindowLongA
GetInputState
SetKeyboardState
AttachThreadInput
MapVirtualKeyA
MessageBoxTimeoutW
MoveWindow
GetMenuStringA
GetMenuItemID
GetSubMenu
GetMenu
GetScrollInfo
GetLastActivePopup
EnableWindow
DrawIconEx
DispatchMessageA

ntdll

LdrGetProcedureAddress
NtQueryInformationProcess
LdrLoadDll
LdrUnloadDll
LdrGetDllHandleEx
RtlGetNtVersionNumbers
ZwClearEvent
ZwSetEvent
ZwClose
ZwQueryInformationProcess
ZwDuplicateObject
ZwQuerySystemInformation
ZwOpenProcess
RtlAdjustPrivilege
ZwQueryInformationThread
RtlDecompressBuffer

winhttp

WinHttpConnect
WinHttpOpenRequest
WinHttpSetCredentials
WinHttpCloseHandle
WinHttpSetTimeouts
WinHttpOpen
WinHttpCrackUrl
WinHttpCheckPlatform
WinHttpQueryHeaders
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpAddRequestHeaders
WinHttpSetOption

ole32

CLSIDFromProgID
CLSIDFromString
OleRun
CreateStreamOnHGlobal
CoSetProxyBlanket
CoCreateInstance
CoUninitialize
CoInitialize

shlwapi

PathFileExistsA
StrToIntW
StrToIntExW
StrTrimW
PathFindFileNameA
PathFindExtensionA
StrToInt64ExA
PathIsDirectoryW

wininet

InternetGetConnectedState
InternetOpenA
InternetOpenUrlA
HttpQueryInfoA
InternetReadFile
InternetCloseHandle

shell32

SHGetSpecialFolderPathW
SHGetFileInfo
ShellExecuteA
SHAppBarMessage

psapi

GetProcessImageFileNameW
GetModuleInformation

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

gdi32

CreateBitmap
GetTextExtentPoint32A
CreateDIBitmap
GetStockObject
GetCurrentObject
BitBlt
CreateDIBSection
CreateSolidBrush
CreateCompatibleDC
Rectangle
StretchBlt
GetDIBits
SelectObject

gdiplus

GdipDeleteBrush
GdipCreateBitmapFromStream
GdiplusShutdown
GdipSaveImageToStream
GdipDisposeImage
GdipDeleteGraphics
GdipDrawImageRectRect
GdipFillRectangle
GdipGetImageGraphicsContext
GdipCreateBitmapFromScan0
GdipGetImageHeight
GdipGetImageWidth
GdipCreateSolidFill
GdiplusStartup

ws2_32

WSACleanup

msvcrt

memmove
realloc
malloc
strstr
strrchr
rand
strtod
free
_atoi64
atof
strchr
_CIfmod
_CIpow
floor
modf
??2@YAPAXI@Z
strncmp
??3@YAXPAX@Z
strncpy
_ftol
atoi
_stricmp
sprintf
fclose
fopen
vsprintf
localtime
wcstombs
setlocale
mbstowcs
wcslen

Sections

.text
Size: 1.9MB - Virtual size: 1.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3.6MB - Virtual size: 3.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 86KB - Virtual size: 85KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

b4e35465df263bb48b046653b6a1145f

Headers

File Characteristics

Imports

kernel32

advapi32

oleaut32

user32

ntdll

winhttp

ole32

shlwapi

wininet

shell32

psapi

version

gdi32

gdiplus

ws2_32

msvcrt

Sections

.text Size: 1.9MB - Virtual size: 1.9MB

.rdata Size: 32KB - Virtual size: 32KB

.data Size: 3.6MB - Virtual size: 3.7MB

.rsrc Size: 86KB - Virtual size: 85KB

.text
Size: 1.9MB - Virtual size: 1.9MB

.rdata
Size: 32KB - Virtual size: 32KB

.data
Size: 3.6MB - Virtual size: 3.7MB

.rsrc
Size: 86KB - Virtual size: 85KB