blackmoon | 85ea21bd03b24ed95424769182b9ef226c0aa247d8ba8f52fddca6279fee4994

Sharing

Copy URL Twitter E-mail

General

Target

85ea21bd03b24ed95424769182b9ef226c0aa247d8ba8f52fddca6279fee4994
Size

372KB
MD5

ae8532867e33d21e82b372beaa6678ec
SHA1

e14f6dcd1014c221cf8aa26340db9e64d43ce9f3
SHA256

85ea21bd03b24ed95424769182b9ef226c0aa247d8ba8f52fddca6279fee4994
SHA512

733390febd0c50ab69d442b077ede3793ed0361b845c2ddcb6420b6fe753bc60eb052f7c7ae9f08b9c5042d5c2af9a35f604d1b180629182284a65d0642b8b4b
SSDEEP

6144:xl+pFyh2SCSzy23i/7kKITjsaNg6LRX40l2BYST43:xl+XS+23cqXsaNLlyf

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
85ea21bd03b24ed95424769182b9ef226c0aa247d8ba8f52fddca6279fee4994

Files

85ea21bd03b24ed95424769182b9ef226c0aa247d8ba8f52fddca6279fee4994
.dll windows x86

ecdaa42c30181620d90f113cf1c8611d

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

SetFilePointer
GetTickCount
GetCommandLineA
GetModuleFileNameA
LCMapStringA
EnterCriticalSection
WriteFile
LeaveCriticalSection
DeleteCriticalSection
CreateThread
CreateFileA
GetFileSize
ReadFile
CloseHandle
Sleep
HeapReAlloc
ExitProcess
LocalSize
GetProcessHeap
GetModuleHandleA
HeapFree
RtlMoveMemory
HeapAlloc
IsBadWritePtr
IsBadReadPtr
VirtualProtect
VirtualAlloc
OutputDebugStringA
FreeLibrary
WriteProcessMemory
LoadLibraryA
GetProcAddress
InitializeCriticalSection

user32

GetSystemMetrics
GetMenu
SetMenu
DrawMenuBar
DestroyWindow
RegisterHotKey
UnregisterHotKey
SetActiveWindow
RegisterClassExA
CreateMenu
CreatePopupMenu
GetSystemMenu
LoadMenuA
DestroyMenu
AppendMenuA
GetMenuItemCount
InsertMenuA
SetMenuInfo
GetSubMenu
GetMenuItemID
CheckMenuRadioItem
SetForegroundWindow
TrackPopupMenu
GetMenuStringA
GetMenuItemInfoA
GetMenuItemRect
GetMenuState
GetMenuInfo
IsZoomed
MenuItemFromPoint
RemoveMenu
CheckMenuItem
SetMenuItemInfoA
SetMenuItemBitmaps
SetMenuDefaultItem
wsprintfA
PeekMessageA
GetSysColor
DestroyIcon
SetClassLongA
GetClassLongA
SetRect
SetWindowRgn
RemovePropA
GetPropA
SetPropA
MessageBoxA
SetWindowTextA
GetWindowTextA
GetWindowTextLengthA
EnableWindow
IsWindowEnabled
ShowWindow
IsWindowVisible
SetParent
PostMessageA
IsIconic
FillRect
ReleaseCapture
GetMenuDefaultItem
SetCapture
SetWindowPos
MoveWindow
UpdateWindow
ValidateRect
InvalidateRect
GetClientRect
SetFocus
GetClassNameA
GetDlgItem
GetWindowLongA
CreateWindowExA
DestroyCursor
SetWindowLongA
TrackMouseEvent
SetCursor
LoadCursorA
ReleaseDC
ScreenToClient
GetWindowRect
GetDC
DefMDIChildProcA
DefWindowProcA
CallWindowProcA
EndPaint
BeginPaint
IsWindow
DispatchMessageA
TranslateMessage
IsDialogMessageA
TranslateAcceleratorA
SendMessageA
GetParent
IsChild
GetFocus
GetMessageA
PostQuitMessage
MsgWaitForMultipleObjects
GetAsyncKeyState
FindWindowA
LoadIconA
RegisterWindowMessageA

gdi32

CreatePatternBrush
StretchBlt
SetStretchBltMode
CreateSolidBrush
CreateRoundRectRgn
CombineRgn
ExtCreateRegion
SelectObject
DeleteDC
CreateDIBSection
CreateCompatibleDC
GetObjectA
GetStockObject
DeleteObject
SetBkColor
BitBlt
SetBkMode
SetTextColor

shell32

DragAcceptFiles
DragFinish
DragQueryFileA
Shell_NotifyIconA

comctl32

InitCommonControlsEx

atl

ord42

msvcrt

??2@YAPAXI@Z
??3@YAXPAX@Z
atof
malloc
free
sprintf
_CIfmod
_ftol
atoi
_CIpow
strrchr
strchr
realloc
modf
strncmp
__CxxFrameHandler
memmove
calloc

Exports

Exports

DbgHelpCreateUserDump
DbgHelpCreateUserDumpW
EnumDirTree
EnumDirTreeW
EnumerateLoadedModules
EnumerateLoadedModules64
EnumerateLoadedModulesEx
EnumerateLoadedModulesExW
EnumerateLoadedModulesW64
ExtensionApiVersion
FindDebugInfoFile
FindDebugInfoFileEx
FindDebugInfoFileExW
FindExecutableImage
FindExecutableImageEx
FindExecutableImageExW
FindFileInPath
FindFileInSearchPath
GetSymLoadError
GetTimestampForLoadedLibrary
ImageDirectoryEntryToData
ImageDirectoryEntryToDataEx
ImageNtHeader
ImageRvaToSection
ImageRvaToVa
ImagehlpApiVersion
ImagehlpApiVersionEx
Initialize
MakeSureDirectoryPathExists
MapDebugInformation
MiniDumpReadDumpStream
MiniDumpWriteDump
RangeMapAddPeImageSections
RangeMapCreate
RangeMapFree
RangeMapRead
RangeMapRemove
RangeMapWrite
RemoveInvalidModuleList
ReportSymbolLoadSummary
SearchTreeForFile
SearchTreeForFileW
SetCheckUserInterruptShared
SetSymLoadError
StackWalk
StackWalk64
StackWalkEx
SymAddSourceStream
SymAddSourceStreamA
SymAddSourceStreamW
SymAddSymbol
SymAddSymbolW
SymAddrIncludeInlineTrace
SymAllocDiaString
SymCleanup
SymCompareInlineTrace
SymDeleteSymbol
SymDeleteSymbolW
SymEnumLines
SymEnumLinesW
SymEnumProcesses
SymEnumSourceFileTokens
SymEnumSourceFiles
SymEnumSourceFilesW
SymEnumSourceLines
SymEnumSourceLinesW
SymEnumSym
SymEnumSymbols
SymEnumSymbolsEx
SymEnumSymbolsExW
SymEnumSymbolsForAddr
SymEnumSymbolsForAddrW
SymEnumSymbolsW
SymEnumTypes
SymEnumTypesByName
SymEnumTypesByNameW
SymEnumTypesW
SymEnumerateModules
SymEnumerateModules64
SymEnumerateModulesW64
SymEnumerateSymbols
SymEnumerateSymbols64
SymEnumerateSymbolsW
SymEnumerateSymbolsW64
SymFindDebugInfoFile
SymFindDebugInfoFileW
SymFindExecutableImage
SymFindExecutableImageW
SymFindFileInPath
SymFindFileInPathW
SymFreeDiaString
SymFromAddr
SymFromAddrW
SymFromIndex
SymFromIndexW
SymFromInlineContext
SymFromInlineContextW
SymFromName
SymFromNameW
SymFromToken
SymFromTokenW
SymFunctionTableAccess
SymFunctionTableAccess64
SymFunctionTableAccess64AccessRoutines
SymGetDiaSession
SymGetExtendedOption
SymGetFileLineOffsets64
SymGetHomeDirectory
SymGetHomeDirectoryW
SymGetLineFromAddr
SymGetLineFromAddr64
SymGetLineFromAddrW64
SymGetLineFromInlineContext
SymGetLineFromInlineContextW
SymGetLineFromName
SymGetLineFromName64
SymGetLineFromNameW64
SymGetLineNext
SymGetLineNext64
SymGetLineNextW64
SymGetLinePrev
SymGetLinePrev64
SymGetLinePrevW64
SymGetModuleBase
SymGetModuleBase64
SymGetModuleInfo
SymGetModuleInfo64
SymGetModuleInfoW
SymGetModuleInfoW64
SymGetOmapBlockBase
SymGetOmaps
SymGetOptions
SymGetScope
SymGetScopeW
SymGetSearchPath
SymGetSearchPathW
SymGetSourceFile
SymGetSourceFileChecksum
SymGetSourceFileChecksumW
SymGetSourceFileFromToken
SymGetSourceFileFromTokenW
SymGetSourceFileToken
SymGetSourceFileTokenW
SymGetSourceFileW
SymGetSourceVarFromToken
SymGetSourceVarFromTokenW
SymGetSymFromAddr
SymGetSymFromAddr64
SymGetSymFromName
SymGetSymFromName64
SymGetSymNext
SymGetSymNext64
SymGetSymPrev
SymGetSymPrev64
SymGetSymbolFile
SymGetSymbolFileW
SymGetTypeFromName
SymGetTypeFromNameW
SymGetTypeInfo
SymGetTypeInfoEx
SymGetUnwindInfo
SymInitialize
SymInitializeW
SymLoadModule
SymLoadModule64
SymLoadModuleEx
SymLoadModuleExW
SymMatchFileName
SymMatchFileNameW
SymMatchString
SymMatchStringA
SymMatchStringW
SymNext
SymNextW
SymPrev
SymPrevW
SymQueryInlineTrace
SymRefreshModuleList
SymRegisterCallback
SymRegisterCallback64
SymRegisterCallbackW64
SymRegisterFunctionEntryCallback
SymRegisterFunctionEntryCallback64
SymSearch
SymSearchW
SymSetContext
SymSetDiaSession
SymSetExtendedOption
SymSetHomeDirectory
SymSetHomeDirectoryW
SymSetOptions
SymSetParentWindow
SymSetScopeFromAddr
SymSetScopeFromIndex
SymSetScopeFromInlineContext
SymSetSearchPath
SymSetSearchPathW
SymSrvDeltaName
SymSrvDeltaNameW
SymSrvGetFileIndexInfo
SymSrvGetFileIndexInfoW
SymSrvGetFileIndexString
SymSrvGetFileIndexStringW
SymSrvGetFileIndexes
SymSrvGetFileIndexesW
SymSrvGetSupplement
SymSrvGetSupplementW
SymSrvIsStore
SymSrvIsStoreW
SymSrvStoreFile
SymSrvStoreFileW
SymSrvStoreSupplement
SymSrvStoreSupplementW
SymUnDName
SymUnDName64
SymUnloadModule
SymUnloadModule64
UnDecorateSymbolName
UnDecorateSymbolNameW
UnmapDebugInformation
WinDbgExtensionDllInit
_EFN_DumpImage
block
chksym
dbghelp
dh
fptr
homedir
inlinedbg
itoldyouso
lmi
lminfo
omap
optdbgdump
optdbgdumpaddr
srcfiles
stack_force_ebp
stackdbg
sym
symsrv
vc7fpo

Sections

.text
Size: 164KB - Virtual size: 160KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 176KB - Virtual size: 237KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 664B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

ecdaa42c30181620d90f113cf1c8611d

Headers

File Characteristics

Imports

kernel32

user32

gdi32

shell32

comctl32

atl

msvcrt

Exports

Exports

Sections

.text Size: 164KB - Virtual size: 160KB

.rdata Size: 16KB - Virtual size: 14KB

.data Size: 176KB - Virtual size: 237KB

.rsrc Size: 4KB - Virtual size: 664B

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 164KB - Virtual size: 160KB

.rdata
Size: 16KB - Virtual size: 14KB

.data
Size: 176KB - Virtual size: 237KB

.rsrc
Size: 4KB - Virtual size: 664B

.reloc
Size: 8KB - Virtual size: 7KB