blackmoon | JC_738c296bfadbac8f93e4c3f1a8edc5c394753296536474989ac8952c7a4dd397

Sharing

Copy URL

Twitter E-mail

General

Target

JC_738c296bfadbac8f93e4c3f1a8edc5c394753296536474989ac8952c7a4dd397
Size

412KB
MD5

da527981ea52459b448d4acae02808f1
SHA1

be863985d050d652b4b12cacf805bd32b8bff891
SHA256

738c296bfadbac8f93e4c3f1a8edc5c394753296536474989ac8952c7a4dd397
SHA512

3d70b944399c78ac196dcfec9ba23670c030c7480ad8c4b6a0c9054717189bf657511314eab115d53327ae3ba0b509404a5af5795a5f74c8ad38cb5926aa54d7
SSDEEP

6144:3zD/TfzEtNDqMuY3BZgCxWAGvn9jryjv+/I9ZdETM:DDzzEt2Y3BZlxTGvhK+w

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
JC_738c296bfadbac8f93e4c3f1a8edc5c394753296536474989ac8952c7a4dd397

Files

JC_738c296bfadbac8f93e4c3f1a8edc5c394753296536474989ac8952c7a4dd397
.dll windows x86

7f38025e84abef14e0ec88ed64f30654

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetCurrentProcess
GetVersionExA
TerminateProcess
OpenProcess
lstrcpyA
lstrlenA
MultiByteToWideChar
GlobalAlloc
SetLastError
lstrcatA
GetCurrentThreadId
GetCurrentThread
lstrcmpiA
lstrcmpA
GlobalDeleteAtom
InterlockedIncrement
InterlockedDecrement
WideCharToMultiByte
LocalFree
FlushFileBuffers
lstrcpynA
LocalAlloc
TlsAlloc
GlobalHandle
TlsFree
GlobalReAlloc
TlsSetValue
LocalReAlloc
TlsGetValue
SetErrorMode
GlobalFlags
WritePrivateProfileStringA
GlobalFindAtomA
GlobalAddAtomA
GlobalGetAtomNameA
GetProcessVersion
GetCPInfo
GetOEMCP
RtlUnwind
RaiseException
HeapSize
GetACP
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
VirtualFree
VirtualAlloc
IsBadWritePtr
LCMapStringW
SetUnhandledExceptionFilter
GetStringTypeA
GetStringTypeW
IsBadCodePtr
SetStdHandle
InterlockedExchange
GetLastError
GlobalLock
GlobalUnlock
GlobalFree
Process32First
Process32Next
DeleteCriticalSection
LeaveCriticalSection
InitializeCriticalSection
EnterCriticalSection
LCMapStringA
LoadLibraryA
GetProcAddress
FreeLibrary
GetCommandLineA
WriteFile
SetFilePointer
Sleep
GetEnvironmentVariableA
CreateFileA
GetFileSize
ReadFile
GetTickCount
GetModuleFileNameA
IsBadReadPtr
HeapReAlloc
ExitProcess
GetModuleHandleA
GetProcessHeap
WaitForSingleObject
ResetEvent
CreateEventA
PostQueuedCompletionStatus
SetEvent
CreateIoCompletionPort
Module32First
CreateToolhelp32Snapshot
GetCurrentProcessId
HeapValidate
LocalSize
lstrcpyn
GetQueuedCompletionStatus
GetSystemInfo
HeapDestroy
HeapFree
CloseHandle
CreateThread
RtlMoveMemory
HeapAlloc
HeapCreate
LoadResource
SizeofResource
FindResourceA
GetVersion

user32

SetWindowPos
SetFocus
GetWindowPlacement
IsIconic
RegisterWindowMessageA
SetForegroundWindow
GetForegroundWindow
GetMessagePos
GetMessageTime
DefWindowProcA
RemovePropA
CallWindowProcA
GetPropA
SetPropA
GetClassLongA
CreateWindowExA
GetMenuItemID
GetSubMenu
GetMenu
RegisterClassA
GetClassInfoA
WinHelpA
GetCapture
GetTopWindow
CopyRect
GetClientRect
AdjustWindowRectEx
GetSysColor
MapWindowPoints
LoadIconA
LoadCursorA
GetSysColorBrush
DestroyMenu
GetMenuItemCount
SetWindowTextA
GetDlgCtrlID
UnregisterClassA
DestroyWindow
UnhookWindowsHookEx
GetMenuCheckMarkDimensions
LoadBitmapA
GetMenuState
ModifyMenuA
SetMenuItemBitmaps
CheckMenuItem
EnableMenuItem
GetFocus
GetNextDlgTabItem
GetActiveWindow
GetKeyState
CallNextHookEx
ValidateRect
SetWindowsHookExA
GetLastActivePopup
IsWindowEnabled
EnableWindow
SetCursor
PostMessageA
PostQuitMessage
GetParent
GetWindow
PtInRect
IsWindowVisible
GetWindowLongA
GetCursorPos
SetWindowLongA
GetDlgItem
ShowWindow
SystemParametersInfoA
GetDC
ReleaseDC
FindWindowA
GetWindowThreadProcessId
SendMessageA
GetWindowRect
GetSystemMetrics
GrayStringA
DrawTextA
TabbedTextOutA
ClientToScreen
LoadStringA
PeekMessageA
GetMessageA
TranslateMessage
DispatchMessageA
wsprintfA
MessageBoxA
GetClassNameA
GetWindowTextA
EnumWindows

iphlpapi

GetExtendedTcpTable

ws2_32

WSACleanup
WSAStartup
recvfrom
sendto
accept
recv
WSAGetLastError
gethostbyname
ioctlsocket
__WSAFDIsSet
select
connect
WSASetLastError
htonl
getpeername
send
inet_ntoa
ntohs
getsockname
WSASocketA
listen
bind
inet_addr
htons
socket
WSARecv
shutdown
WSAIoctl
setsockopt
closesocket

gdi32

SaveDC
RestoreDC
SetBkColor
SetTextColor
SetMapMode
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
SetWindowExtEx
ScaleWindowExtEx
GetClipBox
CreateBitmap
GetDeviceCaps
SelectObject
DeleteDC
DeleteObject
PtVisible
RectVisible
GetObjectA
GetStockObject
TextOutA
ExtTextOutA
Escape

winmm

timeKillEvent
timeSetEvent

winspool.drv

OpenPrinterA
DocumentPropertiesA
ClosePrinter

advapi32

RegCloseKey
RegOpenKeyExA
RegSetValueExA
RegCreateKeyExA

comctl32

ord17

Exports

Exports

start

Sections

.text
Size: 300KB - Virtual size: 297KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 48KB - Virtual size: 169KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 32KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

7f38025e84abef14e0ec88ed64f30654

Headers

File Characteristics

Imports

kernel32

user32

iphlpapi

ws2_32

gdi32

winmm

winspool.drv

advapi32

comctl32

Exports

Exports

Sections

.text Size: 300KB - Virtual size: 297KB

.rdata Size: 24KB - Virtual size: 20KB

.data Size: 48KB - Virtual size: 169KB

.rsrc Size: 4KB - Virtual size: 3KB

.reloc Size: 32KB - Virtual size: 30KB

.text
Size: 300KB - Virtual size: 297KB

.rdata
Size: 24KB - Virtual size: 20KB

.data
Size: 48KB - Virtual size: 169KB

.rsrc
Size: 4KB - Virtual size: 3KB

.reloc
Size: 32KB - Virtual size: 30KB