blackmoon | 6ec32505c6bfc7fbc39be3ab0847517afd4a7ffe67b55c6f4097d8f98c5e1546

Sharing

Copy URL Twitter E-mail

General

Target

6ec32505c6bfc7fbc39be3ab0847517afd4a7ffe67b55c6f4097d8f98c5e1546
Size

2.4MB
MD5

e4f28ec880f11d973af458bd1fd9438d
SHA1

22f860c4e1fe856554bdf50242292b06fc786b67
SHA256

6ec32505c6bfc7fbc39be3ab0847517afd4a7ffe67b55c6f4097d8f98c5e1546
SHA512

1509ba44d6d221820739b024eb89fa602ea4ae7910043991dc030f96b931a146e37ed60bbd13356e98cfc9d92dbf73983e6fc157152317f8168435c5bec62f43
SSDEEP

24576:F/YLv6Qd9e0A0pJWVSQnXtd27B9nkO2AQKuzM7k3wJmOKMCmLW2NCd7qV:FmeWWeAz53wJWqW2Niq

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
6ec32505c6bfc7fbc39be3ab0847517afd4a7ffe67b55c6f4097d8f98c5e1546

Files

6ec32505c6bfc7fbc39be3ab0847517afd4a7ffe67b55c6f4097d8f98c5e1546
.dll windows x86

ac117cdb83f62247b1a4d97c6fa6a407

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

WideCharToMultiByte
MultiByteToWideChar
GetCurrentProcess
ReadProcessMemory
WriteProcessMemory
GetLogicalDriveStringsA
QueryDosDeviceA
GetCurrentThreadId
ResumeThread
CreateRemoteThread
OpenThread
GetProcAddress
OpenProcess
CreateToolhelp32Snapshot
Thread32First
Thread32Next
GetProcessHeap
GetModuleHandleA
ExitProcess
HeapAlloc
HeapReAlloc
GetSystemDirectoryA
IsBadReadPtr
MulDiv
GetDiskFreeSpaceA
GetCurrentDirectoryA
ReadFile
GetFileSize
CreateFileA
DeleteFileA
GetModuleFileNameA
GetCommandLineA
FreeLibrary
LoadLibraryA
LCMapStringA
DeleteCriticalSection
CreateThread
GetTempFileNameA
VirtualAllocEx
CopyFileA
CloseHandle
GetTempPathA
HeapFree
GetVersionExA
HeapReAlloc
IsBadReadPtr
WriteFile
ReadFile
GetFileSize
DeleteFileA
LCMapStringA
GetTickCount
GetModuleFileNameA
GetUserDefaultLCID
lstrcpynA
GetDiskFreeSpaceExA
GetCurrentDirectoryA
SetFileAttributesA
GetLastError
SetCurrentDirectoryA
GetStartupInfoA
FindNextFileA
FindFirstFileA
FindClose
GetCommandLineA
LoadLibraryA
FlushFileBuffers
SetStdHandle
IsBadCodePtr
SetUnhandledExceptionFilter
GetStringTypeW
GetStringTypeA
GetOEMCP
GetACP
GetCPInfo
LCMapStringW
SetFilePointer
RaiseException
IsBadWritePtr
VirtualAlloc
VirtualFree
HeapDestroy
GetEnvironmentVariableA
TerminateThread
ExitProcess
FreeEnvironmentStringsW
FreeEnvironmentStringsA
GetFileType
GetStdHandle
SetHandleCount
TlsGetValue
MultiByteToWideChar
GetTempPathA
GetSystemDirectoryA
GetTempFileNameA
CopyFileA
DuplicateHandle
VirtualProtect
WriteProcessMemory
VirtualAllocEx
lstrcpyn
GetModuleHandleA
IsWow64Process
OpenProcess
CloseHandle
lstrcpynW
WideCharToMultiByte
GetWindowsDirectoryA
GetProcAddress
SetLastError
TlsFree
TlsAlloc
TlsSetValue
TerminateProcess
InterlockedIncrement
InterlockedDecrement
RtlUnwind
GetVersion
GetProcessHeap
lstrcmpiW
lstrcmpW
GetEnvironmentStringsW
HeapFree
HeapAlloc
RtlZeroMemory
DeleteCriticalSection
EnterCriticalSection
SetProcessAffinityMask
GetCurrentThreadId
InitializeCriticalSection
lstrcpyA
lstrlenW
PeekNamedPipe
CreateProcessA
DeviceIoControl
CreateFileA
VirtualQueryEx
ReadProcessMemory
HeapCreate
WaitForSingleObject
RtlMoveMemory
LoadLibraryExA
FreeLibrary
VirtualFreeEx
GetCurrentProcess
GetVersionExA
LeaveCriticalSection
OpenThread
Module32Next
Module32First
GetExitCodeThread
CreateRemoteThread
Process32Next
Process32First
CreateToolhelp32Snapshot
VirtualQuery
SetWaitableTimer
CreateWaitableTimerA
GetEnvironmentStrings
GetNativeSystemInfo

shlwapi

PathFindFileNameA
StrToIntExA
PathFileExistsA
StrToIntW
PathFindFileNameA
PathFindExtensionA
StrToIntExW

user32

GetParent
IsWindowVisible
GetWindowThreadProcessId
GetAncestor
EnumWindows
PostThreadMessageA
MsgWaitForMultipleObjects
MessageBoxA
wsprintfA
DispatchMessageA
TranslateMessage
RegisterWindowMessageA
GetAsyncKeyState
PeekMessageA
GetMessageA
GetMessageA
MsgWaitForMultipleObjects
WindowFromPoint
GetClassNameA
GetWindowTextA
GetWindowThreadProcessId
SendMessageA
RegisterWindowMessageA
GetParent
GetAncestor
CallWindowProcA
PeekMessageA
TranslateMessage
DispatchMessageA
wsprintfA
GetDlgItem
EnumWindows
ShowWindow
MessageBoxA
FindWindowA
GetCursorPos
GetForegroundWindow
ClientToScreen
IsWindowVisible

advapi32

LookupPrivilegeValueA
AdjustTokenPrivileges
OpenProcessToken
RegOpenKeyA
CryptHashData
CryptGetHashParam
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
OpenSCManagerA
CreateServiceA
RegQueryValueExA
RegCloseKey
DeleteService
ControlService
StartServiceA
OpenServiceA
CloseServiceHandle

psapi

GetMappedFileNameA
GetModuleInformation

ws2_32

WSAStartup
WSACleanup
htons

version

GetFileVersionInfoSizeA
VerQueryValueA
GetFileVersionInfoA

shell32

SHGetSpecialFolderPathA

ole32

CoCreateInstance
CoUninitialize
OleRun
CLSIDFromProgID
CLSIDFromString
CoInitialize

oleaut32

SafeArrayAccessData
VariantInit
SafeArrayGetDim
VariantCopy
SafeArrayAllocData
SafeArrayGetUBound
SafeArrayAllocDescriptor
SafeArrayUnaccessData
SafeArrayGetLBound
VariantChangeType
SafeArrayDestroy
VariantClear
SysAllocString
SafeArrayCreate
RegisterTypeLi
LHashValOfNameSys
LoadTypeLi
VarR8FromBool
VarR8FromCy
SysFreeString
SafeArrayGetElemsize

msvcrt

??3@YAXPAX@Z
realloc
strchr
strrchr
modf
memmove
strncmp
__CxxFrameHandler
malloc
free
floor
_ftol
atoi
_CIfmod
sprintf
_stricmp

Exports

Exports

Hello
ִ��߳�

Sections

.text
Size: 780KB - Virtual size: 778KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 664B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 28KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

ac117cdb83f62247b1a4d97c6fa6a407

Headers

File Characteristics

Imports

kernel32

shlwapi

user32

advapi32

psapi

ws2_32

version

shell32

ole32

oleaut32

msvcrt

Exports

Exports

Sections

.text Size: 780KB - Virtual size: 778KB

.rdata Size: 20KB - Virtual size: 17KB

.data Size: 1.6MB - Virtual size: 1.6MB

.rsrc Size: 4KB - Virtual size: 664B

.reloc Size: 28KB - Virtual size: 26KB

.text
Size: 780KB - Virtual size: 778KB

.rdata
Size: 20KB - Virtual size: 17KB

.data
Size: 1.6MB - Virtual size: 1.6MB

.rsrc
Size: 4KB - Virtual size: 664B

.reloc
Size: 28KB - Virtual size: 26KB