blackmoon | f07800e0abc2562bf808546528a3d2bbfdb56531c370349e5fbec5759171aea7

Sharing

Copy URL

Twitter E-mail

General

Target

f07800e0abc2562bf808546528a3d2bbfdb56531c370349e5fbec5759171aea7
Size

8.8MB
MD5

6b8e73430e36c6549bccdf05cce94eb4
SHA1

dc31e788987a4fd3d529615cb30e72267ab2d647
SHA256

f07800e0abc2562bf808546528a3d2bbfdb56531c370349e5fbec5759171aea7
SHA512

42cd587e041b9a3a6737a086618f1c4f8e27ef9e27ecbf32dd016784b13e185028a076742fdbb955a0c49cbcfdf295106f959b30d1acfd91e0a519f19ed9a02e
SSDEEP

98304:AXIYklPpJiPDC+kAEycvDXGsUgG1/Q/g+ZLCUrdPLS0R0AdHs6uipQMONK1+ZdSf:n7grnkJ1DZHFg+ZGyNBBs6IikC

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
f07800e0abc2562bf808546528a3d2bbfdb56531c370349e5fbec5759171aea7

Files

f07800e0abc2562bf808546528a3d2bbfdb56531c370349e5fbec5759171aea7
.exe windows x86

4306dbe975ed937a99e99d1ac2b10e39

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

LCMapStringA
LoadLibraryA
GetCommandLineA
SetFilePointer
RemoveDirectoryA
CopyFileA
MoveFileA
FormatMessageA
GetUserDefaultLCID
SetFileAttributesA
GetStartupInfoA
DeleteFileA
FindFirstFileA
FindNextFileA
GetTickCount
WriteFile
CreateFileA
GetFileSize
ReadFile
CreateDirectoryA
WritePrivateProfileStringA
GetPrivateProfileStringA
GetModuleFileNameA
HeapReAlloc
ExitProcess
lstrcmpiW
lstrcmpW
HeapCreate
HeapDestroy
InterlockedDecrement
InterlockedIncrement
InterlockedExchangeAdd
IsWow64Process
RtlZeroMemory
HeapAlloc
HeapFree
GetProcessHeap
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
VirtualFreeEx
lstrcpyA
FreeLibrary
LoadLibraryW
GetModuleHandleW
FileTimeToSystemTime
FileTimeToLocalFileTime
GetProcessTimes
VirtualQueryEx
lstrcpyn
GetCurrentThreadId
TerminateThread
GetExitCodeThread
SetWaitableTimer
CreateWaitableTimerA
CreateDirectoryW
FindNextFileW
DeleteFileW
GetLocaleInfoA
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GetTimeFormatA
GetDateFormatA
IsBadReadPtr
FindClose
FindFirstFileW
QueryDosDeviceW
Process32Next
Process32First
CreateToolhelp32Snapshot
IsBadCodePtr
LocalFree
LocalAlloc
CreateFileMappingA
OpenFileMappingA
UnmapViewOfFile
MapViewOfFile
VirtualFree
GetLocalTime
GlobalMemoryStatusEx
Sleep
WideCharToMultiByte
lstrlenW
GetCurrentProcessId
CreateThread
lstrlenA
MultiByteToWideChar
OpenProcess
GetCurrentProcess
VirtualAlloc
GetProcAddress
GetModuleHandleA
AddVectoredExceptionHandler
TerminateProcess
GetEnvironmentVariableA
CloseHandle
WaitForSingleObject
ResumeThread
SetThreadContext
VirtualProtectEx
WriteProcessMemory
VirtualAllocEx
ReadProcessMemory
GetThreadContext
CreateProcessA
RtlMoveMemory
LocalSize
InterlockedExchange
SetEnvironmentVariableA
CompareStringW
CompareStringA
GetStringTypeW
GetStringTypeA
SetUnhandledExceptionFilter
LCMapStringW
IsBadWritePtr
GetStdHandle
SetHandleCount
GetEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsW
FreeEnvironmentStringsA
UnhandledExceptionFilter
GetFileType
SetStdHandle
HeapSize
GetACP
RaiseException
GetSystemTime
RtlUnwind
GetOEMCP
GetCPInfo
SetErrorMode
GetProcessVersion
GlobalGetAtomNameA
GlobalAddAtomA
GlobalFindAtomA
GlobalFlags
TlsGetValue
LocalReAlloc
TlsSetValue
GlobalReAlloc
TlsFree
GlobalHandle
TlsAlloc
lstrcpynA
GetTempPathA
GetSystemDirectoryA
GetWindowsDirectoryA
GetVersionExA
GetLastError
DeleteCriticalSection
SetLastError
lstrcatA
LockResource
LoadResource
FindResourceA
GetTimeZoneInformation
GetVersion
GetCurrentThread
lstrcmpiA
lstrcmpA
GlobalDeleteAtom
MulDiv
FlushFileBuffers

user32

GetWindow
SetWindowTextA
PostQuitMessage
PostMessageA
GetLastActivePopup
SetWindowsHookExA
ValidateRect
CallNextHookEx
GetKeyState
GetNextDlgTabItem
GetFocus
EnableMenuItem
CheckMenuItem
SetMenuItemBitmaps
ModifyMenuA
GetMenuState
LoadBitmapA
GetMenuCheckMarkDimensions
RegisterClipboardFormatA
ClientToScreen
TabbedTextOutA
DrawTextA
GrayStringA
DestroyWindow
CreateDialogIndirectParamA
EndDialog
GetDlgCtrlID
GetMenuItemCount
GetClientRect
SendDlgItemMessageA
IsDialogMessageA
SetFocus
GetWindowPlacement
IsIconic
GetMessagePos
GetMessageTime
DefWindowProcA
RemovePropA
GetClassLongA
CreateWindowExA
PtInRect
GetMenuItemID
GetSubMenu
GetMenu
RegisterClassA
GetClassInfoA
WinHelpA
GetCapture
GetTopWindow
CopyRect
AdjustWindowRectEx
GetSysColor
MapWindowPoints
LoadIconA
GetSysColorBrush
LoadStringA
UnregisterClassA
PostThreadMessageA
DestroyMenu
TranslateMessage
DispatchMessageA
ShowWindow
EnumDisplayDevicesW
EnumDisplaySettingsW
MessageBoxA
wsprintfA
ReleaseDC
GetWindowRect
GetDC
PeekMessageA
GetSystemMetrics
GetCursorPos
GetPropA
SetPropA
CreateIconFromResource
SendMessageA
GetDlgItem
UpdateWindow
SystemParametersInfoA
SetActiveWindow
GetActiveWindow
GetForegroundWindow
FindWindowExA
SetWindowLongA
GetDesktopWindow
SetForegroundWindow
SetWindowPos
PostMessageW
MsgWaitForMultipleObjects
UnhookWindowsHookEx
GetKeyNameTextA
MapVirtualKeyA
IsWindowEnabled
GetParent
EnableWindow
UnregisterHotKey
GetMessageA
RegisterHotKey
SetCursor
LoadCursorA
SetTimer
KillTimer
GetWindowInfo
GetWindowThreadProcessId
IsWindow
CallWindowProcA
FindWindowA
RegisterWindowMessageA
SetLayeredWindowAttributes
CreateWindowStationA
GetClassNameA
GetWindowTextA
IsWindowVisible
GetWindowLongA

advapi32

RegOpenKeyA
CryptAcquireContextA
CryptCreateHash
CryptReleaseContext
CryptHashData
CryptDestroyHash
CryptGetHashParam
RegOpenKeyExA
RegSetValueExA
RegFlushKey
RegCloseKey
RegQueryValueExA
RegCreateKeyExA

shell32

SHAppBarMessage
SHGetSpecialFolderPathA
Shell_NotifyIconA
ShellExecuteA
SHBrowseForFolderA
SHGetPathFromIDListA
SHGetMalloc

ole32

OleIsCurrentClipboard
OleFlushClipboard
CoRevokeClassObject
CoRegisterMessageFilter
CoFreeUnusedLibraries
OleUninitialize
OleInitialize
IIDFromString
CLSIDFromString
CreateStreamOnHGlobal
CoSetProxyBlanket
CoCreateInstance
CoUninitialize
OleRun
CLSIDFromProgID
CoInitialize

shlwapi

PathIsURLA
StrToIntExW
StrToIntW
PathFileExistsA
PathIsDirectoryW

ws2_32

WSAStartup
closesocket
socket
inet_addr
ntohs
connect
WSAAsyncSelect
select
gethostbyname
inet_ntoa
htons
WSACleanup
send
recv
getsockname

gdi32

GetDeviceCaps
CreateBitmap
SaveDC
RestoreDC
SetBkColor
SetTextColor
SetMapMode
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
AddFontResourceA
DeleteObject
DeleteDC
GetDIBits
GetObjectA
StretchBlt
SetStretchBltMode
SelectObject
CreateCompatibleBitmap
CreateCompatibleDC
GetStockObject
SetWindowExtEx
ScaleWindowExtEx
GetClipBox
Escape
ExtTextOutA
TextOutA
RectVisible
PtVisible

wininet

InternetOpenA
InternetConnectA
InternetCloseHandle
HttpOpenRequestA
InternetSetOptionA
HttpSendRequestA
InternetReadFile
HttpQueryInfoA
InternetGetConnectedState
InternetOpenUrlA
InternetCanonicalizeUrlA
InternetCrackUrlA

psapi

GetProcessImageFileNameW

winhttp

WinHttpSendRequest
WinHttpCloseHandle
WinHttpReceiveResponse
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpSetOption
WinHttpAddRequestHeaders
WinHttpSetCredentials
WinHttpOpenRequest
WinHttpConnect
WinHttpSetTimeouts
WinHttpOpen
WinHttpCrackUrl
WinHttpCheckPlatform
WinHttpQueryHeaders

oleaut32

VariantInit
SafeArrayAllocDescriptor
SafeArrayAllocData
SafeArrayGetDim
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayAccessData
SafeArrayUnaccessData
SafeArrayGetElemsize
VarR8FromCy
VarR8FromBool
VariantChangeType
LoadTypeLi
LHashValOfNameSys
RegisterTypeLi
VariantCopy
SafeArrayCreate
SysAllocString
VariantClear
SafeArrayDestroy
SystemTimeToVariantTime
VariantTimeToSystemTime
SysFreeString

gdiplus

GdipLoadImageFromFile
GdiplusStartup
GdiplusShutdown
GdipDisposeImage
GdipGetImageWidth
GdipLoadImageFromStream

oledlg

ord8

winspool.drv

OpenPrinterA
ClosePrinter
DocumentPropertiesA

comctl32

ord17

rasapi32

RasGetConnectStatusA
RasHangUpA

Sections

.text
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 32KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7.4MB - Virtual size: 7.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

4306dbe975ed937a99e99d1ac2b10e39

Headers

File Characteristics

Imports

kernel32

user32

advapi32

shell32

ole32

shlwapi

ws2_32

gdi32

wininet

psapi

winhttp

oleaut32

gdiplus

oledlg

winspool.drv

comctl32

rasapi32

Sections

.text Size: 1.3MB - Virtual size: 1.3MB

.rdata Size: 32KB - Virtual size: 30KB

.data Size: 7.4MB - Virtual size: 7.6MB

.rsrc Size: 8KB - Virtual size: 6KB

.text
Size: 1.3MB - Virtual size: 1.3MB

.rdata
Size: 32KB - Virtual size: 30KB

.data
Size: 7.4MB - Virtual size: 7.6MB

.rsrc
Size: 8KB - Virtual size: 6KB