blackmoon | 96ce0fca7e692232f4e5f2b853a43cd3080c7a7ec1f16982b3ff67d2eaf852fc

Sharing

Copy URL Twitter E-mail

General

Target

96ce0fca7e692232f4e5f2b853a43cd3080c7a7ec1f16982b3ff67d2eaf852fc
Size

2.4MB
MD5

1f5026390d24b8b4b818c8e64d225b4f
SHA1

3eca3c2fbd1b34ae6fc22c2e407bd0fadfc8703b
SHA256

96ce0fca7e692232f4e5f2b853a43cd3080c7a7ec1f16982b3ff67d2eaf852fc
SHA512

35c02979481d78be47583fa30459bf723668829b8164e837baf6bbfd39fe4d426f825b90e1fc7eba0c89dc332455b77464174c08dfdbc6a7e7a04e73e61bba6d
SSDEEP

24576:HcFRsMDyZV8dQYbpNhUwgrHO4tqVqUPQeUIEz+uzM7k3wJmOKMCmLW2NCcoKV9:HgdzhIdz53wJWqW2NgK7

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
96ce0fca7e692232f4e5f2b853a43cd3080c7a7ec1f16982b3ff67d2eaf852fc

Files

96ce0fca7e692232f4e5f2b853a43cd3080c7a7ec1f16982b3ff67d2eaf852fc
.dll windows x86

79e53b9c7f5c3facb50b89d875561cd4

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

CloseHandle
MultiByteToWideChar
GetCurrentProcess
ReadProcessMemory
WriteProcessMemory
GetLogicalDriveStringsA
QueryDosDeviceA
GetCurrentThreadId
ResumeThread
CreateRemoteThread
OpenThread
GetProcAddress
OpenProcess
CreateToolhelp32Snapshot
Thread32First
Thread32Next
GetProcessHeap
GetModuleHandleA
ExitProcess
HeapAlloc
HeapReAlloc
HeapFree
IsBadReadPtr
MulDiv
GetDiskFreeSpaceA
GetCurrentDirectoryA
ReadFile
WideCharToMultiByte
CreateFileA
DeleteFileA
GetModuleFileNameA
GetCommandLineA
FreeLibrary
LoadLibraryA
LCMapStringA
FlushFileBuffers
SetStdHandle
LCMapStringW
IsBadCodePtr
SetUnhandledExceptionFilter
GetStringTypeW
GetStringTypeA
GetSystemDirectoryA
GetTempFileNameA
VirtualAllocEx
CopyFileA
InterlockedIncrement
InterlockedDecrement
GetTempPathA
GetFileSize
GetVersionExA
SetFilePointer
GetOEMCP
GetACP
GetCPInfo
IsBadWritePtr
VirtualAlloc
RaiseException
WriteFile
VirtualFree
HeapCreate
HeapDestroy
GetEnvironmentVariableA
GetEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsW
FreeEnvironmentStringsA
GetStartupInfoA
GetFileType
GetStdHandle
SetHandleCount
GetLastError
TlsGetValue
SetLastError
TlsFree
TlsAlloc
TlsSetValue
TerminateProcess
RtlUnwind
GetVersion
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSection
CreateThread
IsBadWritePtr
VirtualAlloc
VirtualFree
HeapDestroy
GetEnvironmentVariableA
GetEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsW
FreeEnvironmentStringsA
GetFileType
GetStdHandle
SetHandleCount
TlsGetValue
MultiByteToWideChar
GetTempPathA
GetSystemDirectoryA
GetTempFileNameA
CopyFileA
DuplicateHandle
VirtualProtect
WriteProcessMemory
VirtualAllocEx
lstrcmpiW
GetModuleHandleA
IsWow64Process
OpenProcess
CloseHandle
lstrcpynW
WideCharToMultiByte
GetWindowsDirectoryA
GetProcAddress
SetLastError
TlsFree
TlsAlloc
TlsSetValue
TerminateProcess
InterlockedIncrement
InterlockedDecrement
RtlUnwind
RaiseException
SetFilePointer
LCMapStringW
GetCPInfo
GetACP
GetOEMCP
GetStringTypeA
GetStringTypeW
SetUnhandledExceptionFilter
IsBadCodePtr
SetStdHandle
FlushFileBuffers
LoadLibraryA
GetCommandLineA
FindClose
FindFirstFileA
FindNextFileA
GetStartupInfoA
SetCurrentDirectoryA
GetLastError
SetFileAttributesA
WaitForSingleObject
RtlMoveMemory
LoadLibraryExA
FreeLibrary
VirtualFreeEx
TerminateThread
GetNativeSystemInfo
CreateWaitableTimerA
SetWaitableTimer
VirtualQuery
CreateToolhelp32Snapshot
Process32First
Process32Next
CreateRemoteThread
GetExitCodeThread
Module32First
GetCurrentDirectoryA
GetProcessHeap
GetDiskFreeSpaceExA
lstrcpynA
GetUserDefaultLCID
GetModuleFileNameA
GetTickCount
LCMapStringA
DeleteFileA
GetFileSize
ReadFile
WriteFile
IsBadReadPtr
HeapReAlloc
ExitProcess
Module32Next
OpenThread
LeaveCriticalSection
GetVersionExA
GetCurrentProcess
HeapCreate
ReadProcessMemory
VirtualQueryEx
CreateFileA
DeviceIoControl
CreateProcessA
PeekNamedPipe
lstrlenW
lstrcpyA
InitializeCriticalSection
GetCurrentThreadId
SetProcessAffinityMask
EnterCriticalSection
DeleteCriticalSection
RtlZeroMemory
HeapAlloc
HeapFree
lstrcmpW
GetVersion
lstrcpyn

shlwapi

PathFindFileNameA
PathFileExistsA
PathFindFileNameA
StrToIntExW
StrToIntW
PathFindExtensionA
StrToIntExA

user32

GetParent
IsWindowVisible
GetWindowThreadProcessId
GetAncestor
EnumWindows
PostThreadMessageA
MsgWaitForMultipleObjects
MessageBoxA
wsprintfA
DispatchMessageA
TranslateMessage
RegisterWindowMessageA
GetAsyncKeyState
PeekMessageA
GetMessageA
ClientToScreen
IsWindowVisible
GetWindowThreadProcessId
GetWindowTextA
GetClassNameA
MsgWaitForMultipleObjects
GetForegroundWindow
RegisterWindowMessageA
GetParent
GetAncestor
CallWindowProcA
PeekMessageA
TranslateMessage
DispatchMessageA
wsprintfA
GetMessageA
EnumWindows
ShowWindow
MessageBoxA
FindWindowA
GetCursorPos
WindowFromPoint
SendMessageA
GetDlgItem

advapi32

LookupPrivilegeValueA
AdjustTokenPrivileges
OpenProcessToken
RegQueryValueExA
DeleteService
ControlService
StartServiceA
CloseServiceHandle
OpenServiceA
CreateServiceA
OpenSCManagerA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
CryptGetHashParam
CryptHashData
RegOpenKeyA
RegCloseKey

psapi

GetMappedFileNameA
GetModuleInformation

ws2_32

WSACleanup
htons
WSAStartup

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

shell32

SHGetSpecialFolderPathA

ole32

CoCreateInstance
CoInitialize
CoUninitialize
OleRun
CLSIDFromString
CLSIDFromProgID

oleaut32

SafeArrayGetDim
SafeArrayGetUBound
VariantInit
SafeArrayAllocDescriptor
SafeArrayAllocData
SafeArrayAccessData
VariantCopy
SafeArrayGetElemsize
SysFreeString
VarR8FromCy
VarR8FromBool
LoadTypeLi
LHashValOfNameSys
RegisterTypeLi
SafeArrayCreate
SysAllocString
VariantClear
SafeArrayDestroy
VariantChangeType
SafeArrayGetLBound
SafeArrayUnaccessData

Exports

Exports

Hello
ִ��߳�

Sections

.text
Size: 820KB - Virtual size: 817KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 664B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 32KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

79e53b9c7f5c3facb50b89d875561cd4

Headers

File Characteristics

Imports

kernel32

shlwapi

user32

advapi32

psapi

ws2_32

version

shell32

ole32

oleaut32

Exports

Exports

Sections

.text Size: 820KB - Virtual size: 817KB

.rdata Size: 24KB - Virtual size: 20KB

.data Size: 1.6MB - Virtual size: 1.6MB

.rsrc Size: 4KB - Virtual size: 664B

.reloc Size: 32KB - Virtual size: 30KB

.text
Size: 820KB - Virtual size: 817KB

.rdata
Size: 24KB - Virtual size: 20KB

.data
Size: 1.6MB - Virtual size: 1.6MB

.rsrc
Size: 4KB - Virtual size: 664B

.reloc
Size: 32KB - Virtual size: 30KB