blackmoon | 1c5aee71d1c756b81e6d0100e52a0f8f647b3df2f8dd5c6b470682f9c87f3f52

Sharing

Copy URL Twitter E-mail

General

Target

1c5aee71d1c756b81e6d0100e52a0f8f647b3df2f8dd5c6b470682f9c87f3f52
Size

3.6MB
MD5

241ab0e71e4ec5ae6673ec1994bd03cf
SHA1

27319697265e8bc1f708200b971740cfe4b72739
SHA256

1c5aee71d1c756b81e6d0100e52a0f8f647b3df2f8dd5c6b470682f9c87f3f52
SHA512

7435f9c0639cba747805fe1dc2c792eafbb56ef1f650f379aa4e8d2825c59bedb05f1f2d6496638a0e9b44bb14bb24afa116edcbad10ef63a22d269dfb052c7b
SSDEEP

98304:gezH2FaD+S8tAM3/bXOmsVVsDcJ4Ai1YdQwpDaFJmle3qyNoMY7GB:lH2sd8tAMD+XvfC1oQADoH3tNoMv

Score

10^/10

vmprotect blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
sample	vmprotect

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
1c5aee71d1c756b81e6d0100e52a0f8f647b3df2f8dd5c6b470682f9c87f3f52

Files

1c5aee71d1c756b81e6d0100e52a0f8f647b3df2f8dd5c6b470682f9c87f3f52
.exe windows x86

d9a81f9ae46e3133503fd8997dea5385

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CreateFileA
Sleep
WaitForSingleObject
CreateProcessA
IsBadReadPtr
GetCommandLineA
GetModuleFileNameA
HeapFree
HeapReAlloc
HeapAlloc
ExitProcess
GetModuleHandleA
GetStartupInfoA
GetProcessHeap
GetTempPathA
GetSystemDirectoryA
GetWindowsDirectoryA
CloseHandle
GetLastError
GetCurrentProcess
MultiByteToWideChar
WideCharToMultiByte
WriteFile
RtlUnwind
TerminateProcess
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
GetCurrentThreadId
TlsSetValue
TlsAlloc
SetLastError
TlsGetValue
GetEnvironmentVariableA
HeapDestroy
HeapCreate
VirtualFree
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
GetCPInfo
GetACP
GetOEMCP
VirtualAlloc
GetProcAddress
LoadLibraryA
SetUnhandledExceptionFilter
IsBadCodePtr
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
InterlockedDecrement
InterlockedIncrement
GetVersionExA
GetVersion
GetCurrentProcess
FreeLibrary
TerminateProcess
GetSystemInfo
CreateToolhelp32Snapshot
Thread32First
GetCurrentThreadId
OpenThread
Thread32Next
CloseHandle
SuspendThread
ResumeThread
WriteProcessMemory
VirtualAlloc
VirtualProtect
VirtualFree
GetProcessAffinityMask
SetProcessAffinityMask
GetCurrentThread
SetThreadAffinityMask
Sleep
GetTickCount
GetLocalTime
GlobalFree
GetProcAddress
LocalAlloc
LoadLibraryA
ExitProcess
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
GetModuleHandleW
LoadResource
MultiByteToWideChar
FindResourceExW
FindResourceExA
WideCharToMultiByte
GetThreadLocale
GetUserDefaultLCID
GetSystemDefaultLCID
EnumResourceNamesA
EnumResourceNamesW
EnumResourceLanguagesA
EnumResourceLanguagesW
EnumResourceTypesA
EnumResourceTypesW
CreateFileW
LoadLibraryW
FlushFileBuffers
GetCurrentProcessId
GetLastError
GetModuleFileNameW
CreateEventA
GetModuleHandleA
GetSystemTimeAsFileTime
VirtualQuery
LocalFree
CreateFileA
ReadFile
GetCommandLineA
RaiseException
RtlUnwind
HeapFree
GetCPInfo
InterlockedIncrement
InterlockedDecrement
GetACP
GetOEMCP
IsValidCodePage
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
HeapAlloc
LCMapStringA
LCMapStringW
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
HeapCreate
HeapDestroy
QueryPerformanceCounter
HeapReAlloc
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
HeapSize
WriteFile
SetFilePointer
GetConsoleCP
GetConsoleMode
InitializeCriticalSectionAndSpinCount
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW

user32

TranslateMessage
DispatchMessageA
wsprintfA
MessageBoxA
GetMessageA
PeekMessageA
CharUpperBuffW
MessageBoxW

shell32

SHGetSpecialFolderPathA

wtsapi32

WTSSendMessageW

advapi32

RegQueryValueExA
RegCloseKey
RegOpenKeyExA
CloseServiceHandle
QueryServiceConfigW
OpenServiceW
EnumServicesStatusExW
OpenSCManagerW

Sections

.text
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 108KB - Virtual size: 108KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: 1.7MB - Virtual size: 1.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 1.8MB - Virtual size: 1.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 632B - Virtual size: 632B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.l1
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

d9a81f9ae46e3133503fd8997dea5385

Headers

File Characteristics

Imports

kernel32

user32

shell32

wtsapi32

advapi32

Sections

.text Size: 24KB - Virtual size: 24KB

.rdata Size: 4KB - Virtual size: 4KB

.data Size: 108KB - Virtual size: 108KB

.vmp0 Size: 1.7MB - Virtual size: 1.7MB

.vmp1 Size: 1.8MB - Virtual size: 1.8MB

.reloc Size: 4KB - Virtual size: 4KB

.rsrc Size: 632B - Virtual size: 632B

.l1 Size: 8KB - Virtual size: 8KB

.text
Size: 24KB - Virtual size: 24KB

.rdata
Size: 4KB - Virtual size: 4KB

.data
Size: 108KB - Virtual size: 108KB

.vmp0
Size: 1.7MB - Virtual size: 1.7MB

.vmp1
Size: 1.8MB - Virtual size: 1.8MB

.reloc
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 632B - Virtual size: 632B

.l1
Size: 8KB - Virtual size: 8KB