Behavioral task: behavioral1
Sample: bd04edcb3ce4cbe27ed80184c9e410a7e9b08f020420fbc7196a2348016d3bd9.exe
Resource: win7-20230831-en
General
Target: bd04edcb3ce4cbe27ed80184c9e410a7e9b08f020420fbc7196a2348016d3bd9.zip
Size: 19.5MB
MD5: 810f787ab48684a64de2261d84367f50
SHA1: 410e6729e47f421054b4d20cf0665b30cab6674b
SHA256: 0180f11d4205815c4939c6ad876d9765bd452685ac997828a38463522afdcb17
SHA512: 334bdb457a1b44ee5f8cc44b7aa1c89a50ea58d4b765fd6d57f72fb12056cfeddbf9dfa9cd0cbd0b8a583caf7d4aac9596003697eb107d665e1836da3d63c344
SSDEEP: 393216:Z14Yyb+mE2fMPzAYs/XOEdKJvoy36Ouq9bfJIfLTH3bB/0EN:XrmE2EPUY6KJAIf5JIfH3t/hN
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (1 IoC)
  resource: static1/unpack001/bd04edcb3ce4cbe27ed80184c9e410a7e9b08f020420fbc7196a2348016d3bd9
  yara_rule: family_blackmoon
- Unsigned PE (1 IoC)
  Checks for missing Authenticode signature.
  resource: unpack001/bd04edcb3ce4cbe27ed80184c9e410a7e9b08f020420fbc7196a2348016d3bd9
Files
- bd04edcb3ce4cbe27ed80184c9e410a7e9b08f020420fbc7196a2348016d3bd9.zip.zip (Password: threatbook)
- bd04edcb3ce4cbe27ed80184c9e410a7e9b08f020420fbc7196a2348016d3bd9.exe, windows x86 (Password: threatbook)
  8a3163c49e51bb85f4c3ce90f1a5e608
Headers
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
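The "Unsigned PE" signature and the File Characteristics list above are both header-level facts that can be reproduced from the COFF/optional header alone. The following stdlib-only Python is an added example, not part of this report and not the sandbox's own detection code: it parses a PE header, decodes the IMAGE_FILE_* characteristic bits, and tests whether the certificate table (data directory 4, IMAGE_DIRECTORY_ENTRY_SECURITY) is present, which is what an "unsigned" heuristic reduces to. The PE images it runs on are constructed in memory to mirror the reported header fields (x86, the five flags listed, no certificate table); the function names `parse_pe_header`, `build_pe32`, `placeholder_cert_blob` and `is_unsigned` are the example's own, and the placeholder certificate blob is only a WIN_CERTIFICATE header around dummy bytes, not a real PKCS#7 signature.

```python
"""Decode PE COFF characteristics and check for an Authenticode certificate table.

Added example (stdlib only). The PE images are constructed in memory to mirror
the header fields in the report (x86, five characteristic flags, no
certificate table); they are not the analysed sample.
"""
import struct

# IMAGE_FILE_* bits of IMAGE_FILE_HEADER.Characteristics (winnt.h)
FILE_CHARACTERISTICS = {
    0x0001: "IMAGE_FILE_RELOCS_STRIPPED",
    0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE",
    0x0004: "IMAGE_FILE_LINE_NUMS_STRIPPED",
    0x0008: "IMAGE_FILE_LOCAL_SYMS_STRIPPED",
    0x0010: "IMAGE_FILE_AGGRESIVE_WS_TRIM",
    0x0020: "IMAGE_FILE_LARGE_ADDRESS_AWARE",
    0x0080: "IMAGE_FILE_BYTES_REVERSED_LO",
    0x0100: "IMAGE_FILE_32BIT_MACHINE",
    0x0200: "IMAGE_FILE_DEBUG_STRIPPED",
    0x0400: "IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP",
    0x0800: "IMAGE_FILE_NET_RUN_FROM_SWAP",
    0x1000: "IMAGE_FILE_SYSTEM",
    0x2000: "IMAGE_FILE_DLL",
    0x4000: "IMAGE_FILE_UP_SYSTEM_ONLY",
    0x8000: "IMAGE_FILE_BYTES_REVERSED_HI",
}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # certificate table slot in the data directory
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_FILE_MACHINE_I386 = 0x14C

# Flags listed in the report's "File Characteristics" block (== 0x010F)
REPORT_FLAGS = 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0100


def parse_pe_header(data: bytes) -> dict:
    """Return machine, decoded characteristics and the certificate-table entry.

    Raises ValueError for anything that is not a well-formed PE32/PE32+ header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _psym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        ndirs_off, dirs_off = 92, 96     # NumberOfRvaAndSizes / first IMAGE_DATA_DIRECTORY
    elif magic == PE32PLUS_MAGIC:
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (ndirs,) = struct.unpack_from("<I", data, opt + ndirs_off)
    cert_off = cert_size = 0
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    # The directory table may be truncated; only read the entry if the header really holds it
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY and opt_size >= entry + 8:
        cert_off, cert_size = struct.unpack_from("<II", data, opt + entry)
    flags = [name for bit, name in sorted(FILE_CHARACTERISTICS.items()) if chars & bit]
    return {
        "machine": machine,
        "characteristics": chars,
        "flags": flags,
        # For this directory only, VirtualAddress is a raw file offset, not an RVA
        "cert_table_offset": cert_off,
        "cert_table_size": cert_size,
        "has_cert_table": cert_size != 0 and cert_off + cert_size <= len(data),
    }


def build_pe32(characteristics: int, cert_blob: bytes = b"") -> bytes:
    """Construct a headers-only PE32 image (constructed test input, not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                       # PE32 optional header with all 16 directories
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 3, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    header_len = len(dos) + 4 + len(coff) + opt_size
    if cert_blob:                        # point the security directory at the appended blob
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, header_len, len(cert_blob))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert_blob


def placeholder_cert_blob() -> bytes:
    """WIN_CERTIFICATE header (dwLength, wRevision=0x0200, wCertificateType=0x0002) around dummy bytes.

    Only the table's presence is exercised here; the body is not a real PKCS#7 signature.
    """
    body = b"\x30\x82\x00\x00"
    return struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body


def is_unsigned(data: bytes) -> bool:
    """The 'Unsigned PE' heuristic: no certificate table at all."""
    return not parse_pe_header(data)["has_cert_table"]


if __name__ == "__main__":
    for label, image in (("report-like", build_pe32(REPORT_FLAGS)),
                         ("with cert table", build_pe32(REPORT_FLAGS, placeholder_cert_blob()))):
        info = parse_pe_header(image)
        print(f"{label}: machine={info['machine']:#x} flags={info['flags']} unsigned={is_unsigned(image)}")
```

The check only establishes that a certificate table exists or does not; a present table can still hold an invalid, expired or revoked signature, so a sample that passes `is_unsigned() == False` still needs real verification (for instance `Get-AuthenticodeSignature` in PowerShell or `signtool verify`) before its signer is trusted.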
Imports
kernel32
MoveFileExA
CreateFileA
LocalAlloc
LocalFree
GetModuleHandleA
GetSystemWow64DirectoryA
GetProcessHeap
ExitProcess
HeapAlloc
HeapReAlloc
HeapFree
IsBadReadPtr
GetModuleFileNameA
CreateProcessA
GetStartupInfoA
CreateDirectoryA
Sleep
WritePrivateProfileStringA
DeleteFileA
VirtualFreeEx
FreeLibrary
FindFirstFileA
FindClose
SetFileAttributesA
RemoveDirectoryA
GetPrivateProfileStringA
GetTickCount
GetTempPathA
GetCommandLineA
LoadLibraryA
LCMapStringA
WaitForSingleObject
VirtualAllocEx
GetWindowsDirectoryA
GetSystemDirectoryA
GetProcAddress
FindNextFileA
LoadLibraryExA
FileTimeToSystemTime
GetProcessTimes
GetCurrentProcess
Module32First
Process32Next
Process32First
RtlMoveMemory
lstrcpyn
TerminateProcess
OpenProcess
GetCurrentProcessId
IsBadStringPtrA
CloseHandle
Process32NextW
Process32FirstW
MultiByteToWideChar
CreateToolhelp32Snapshot
WriteFile
user32
GetMessageA
GetClassNameA
GetWindowTextA
IsWindowVisible
wsprintfA
GetDesktopWindow
ShowWindow
DispatchMessageA
MessageBoxA
TranslateMessage
PeekMessageA
GetWindowThreadProcessId
GetWindowTextLengthA
GetWindow
advapi32
RegEnumKeyA
RegEnumValueA
RegDeleteKeyA
RegDeleteValueA
RegEnableReflectionKey
RegDisableReflectionKey
RegOpenKeyExA
RegCloseKey
RegQueryValueExA
RegOpenKeyA
CreateProcessWithTokenW
DuplicateTokenEx
OpenProcessToken
LookupAccountSidA
RegCreateKeyA
RegSetValueExA
RegQueryInfoKeyA
shell32
SHGetSpecialFolderPathA
SHFreeNameMappings
SHFileOperationW
ShellExecuteA
shlwapi
PathIsDirectoryW
PathFileExistsA
wtsapi32
WTSFreeMemory
WTSEnumerateProcessesA
msvcrt
_stricmp
sprintf
strtod
??3@YAXPAX@Z
??2@YAPAXI@Z
atoi
_ftol
floor
qsort
strncpy
strrchr
strchr
free
realloc
malloc
strstr
oleaut32
VariantTimeToSystemTime
Sections
.text Size: 119KB - Virtual size: 119KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 6KB - Virtual size: 6KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 20.2MB - Virtual size: 20.3MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE