blackmoon | 8874edf19b28a401230182de600cb31c7f323d3748d033c9ff6a40edfff44ed1

Sharing

Copy URL Twitter E-mail

General

Target

8874edf19b28a401230182de600cb31c7f323d3748d033c9ff6a40edfff44ed1
Size

2.6MB
MD5

a2f77bdc2fb05912902dafcabe088e05
SHA1

f907c31ea7c20602a23eea1bb94f1e241edd780c
SHA256

8874edf19b28a401230182de600cb31c7f323d3748d033c9ff6a40edfff44ed1
SHA512

d3818d5b143e7a1bbdc9ef6604b89d36b53ab2b77b1635ddfee724b7fe32ffabfeaaf4a81c265673b1744928250f5e3a17b27eb443981fadb9079b72254e3692
SSDEEP

24576:CGXQxtBHxkYsiKLvXVM7pcig2pw1BzAfCfXV52NC2LuzM7k3wJmOKMCmL:CG+6iWp952N0z53wJWq

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
8874edf19b28a401230182de600cb31c7f323d3748d033c9ff6a40edfff44ed1

Files

8874edf19b28a401230182de600cb31c7f323d3748d033c9ff6a40edfff44ed1
.dll windows:4 windows x86

6e1b6e0b72c6c5622d9d6eda1d4a9faf

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

ReadProcessMemory
lstrcpyn
GetCurrentThreadId
CopyFileA
GetTempFileNameA
GetTempPathA
GetSystemDirectoryA
MultiByteToWideChar
ResumeThread
CreateRemoteThread
OpenThread
GetVersionExA
GetLogicalDriveStringsA
QueryDosDeviceA
GetProcessHeap
GetModuleHandleA
ExitProcess
HeapAlloc
HeapReAlloc
HeapFree
IsBadReadPtr
Sleep
ReadFile
GetFileSize
CreateFileA
DeleteFileA
MulDiv
GetDiskFreeSpaceA
VirtualAllocEx
GetCommandLineA
GetModuleFileNameA
FreeLibrary
GetProcAddress
LoadLibraryA
LCMapStringA
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
VirtualAlloc
VirtualFree
GetVersion
RtlUnwind
InterlockedDecrement
InterlockedIncrement
TerminateProcess
TlsSetValue
TlsAlloc
TlsFree
SetLastError
TlsGetValue
WriteProcessMemory
WideCharToMultiByte
DuplicateHandle
GetProcessHandleCount
GetCurrentProcess
CloseHandle
GetCurrentDirectoryA
GetLastError
FlushFileBuffers
SetStdHandle
IsBadCodePtr
SetUnhandledExceptionFilter
GetOEMCP
GetACP
GetCPInfo
GetStringTypeW
GetStringTypeA
LCMapStringW
SetFilePointer
RaiseException
IsBadWritePtr
WriteFile
HeapCreate
HeapDestroy
GetEnvironmentVariableA
GetEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsW
FreeEnvironmentStringsA
GetStartupInfoA
GetFileType
GetStdHandle
SetHandleCount
CreateThread
GetACP
GetCPInfo
LCMapStringW
SetFilePointer
IsBadWritePtr
VirtualAlloc
RaiseException
VirtualFree
HeapDestroy
GetEnvironmentVariableA
GetEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsW
FreeEnvironmentStringsA
GetFileType
GetStdHandle
SetHandleCount
WaitForSingleObject
lstrcpynW
lstrcpynA
GetCommandLineA
WriteProcessMemory
VirtualAllocEx
lstrcpyn
WideCharToMultiByte
OpenThread
OpenProcess
GetTickCount
CloseHandle
GetLastError
TlsGetValue
SetLastError
TlsFree
TlsAlloc
TlsSetValue
TerminateProcess
InterlockedIncrement
GetOEMCP
RtlUnwind
GetVersion
HeapCreate
VirtualFreeEx
GetModuleHandleA
VirtualQuery
LoadLibraryExA
FreeLibrary
IsWow64Process
CreateToolhelp32Snapshot
Process32First
Process32Next
CreateRemoteThread
GetExitCodeThread
GetWindowsDirectoryA
RtlMoveMemory
Module32First
Module32Next
GetNativeSystemInfo
TerminateThread
DuplicateHandle
CopyFileA
GetTempFileNameA
GetTempPathA
GetSystemDirectoryA
MultiByteToWideChar
CreateWaitableTimerA
SetWaitableTimer
LeaveCriticalSection
GetCurrentProcess
GetVersionExA
CreateProcessA
PeekNamedPipe
lstrlenW
lstrcpyA
ReadProcessMemory
VirtualQueryEx
GetStringTypeA
GetStringTypeW
SetUnhandledExceptionFilter
IsBadCodePtr
SetStdHandle
FlushFileBuffers
LoadLibraryA
InterlockedDecrement
InitializeCriticalSection
GetCurrentThreadId
SetProcessAffinityMask
EnterCriticalSection
DeleteCriticalSection
VirtualProtect
RtlZeroMemory
HeapAlloc
HeapFree
lstrcmpW
lstrcmpiW
GetProcessHeap
ExitProcess
HeapReAlloc
IsBadReadPtr
LCMapStringA
WriteFile
CreateFileA
ReadFile
GetFileSize
DeleteFileA
GetProcAddress
GetUserDefaultLCID
GetDiskFreeSpaceExA
GetCurrentDirectoryA
SetCurrentDirectoryA
GetStartupInfoA
FindNextFileA
FindFirstFileA
FindClose
GetModuleFileNameA

shlwapi

PathFindFileNameA
StrToIntW
StrToIntExW
PathFindExtensionA
PathFindFileNameA
PathFileExistsA

user32

PeekMessageA
GetMessageA
TranslateMessage
DispatchMessageA
wsprintfA
MessageBoxA
GetAncestor
IsWindowVisible
GetParent
EnumWindows
RegisterWindowMessageA
MsgWaitForMultipleObjects
PostThreadMessageA
CallWindowProcA
SetWindowLongA
GetWindowLongA
GetWindowThreadProcessId
ClientToScreen
IsWindowVisible
GetWindowThreadProcessId
GetWindowTextA
GetClassNameA
MsgWaitForMultipleObjects
RegisterWindowMessageA
EnumWindows
GetParent
GetAncestor
CallWindowProcA
PeekMessageA
TranslateMessage
DispatchMessageA
wsprintfA
GetMessageA
MessageBoxA
GetForegroundWindow
FindWindowA
GetDlgItem
WindowFromPoint
GetCursorPos
SendMessageA
ShowWindow

advapi32

LookupPrivilegeValueA
AdjustTokenPrivileges
OpenProcessToken
CryptHashData
CryptGetHashParam
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
RegCloseKey
RegQueryValueExA
RegOpenKeyA

ws2_32

WSACleanup
WSAStartup
htons

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

shell32

SHGetSpecialFolderPathA

ole32

CoInitialize
CLSIDFromProgID
CoCreateInstance
OleRun
CoUninitialize
CLSIDFromString

oleaut32

SafeArrayDestroy
VariantChangeType
VariantInit
SafeArrayAllocDescriptor
SafeArrayAllocData
VariantCopy
SafeArrayGetDim
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayAccessData
SafeArrayUnaccessData
SafeArrayGetElemsize
SysFreeString
VarR8FromCy
VarR8FromBool
LoadTypeLi
LHashValOfNameSys
RegisterTypeLi
SafeArrayCreate
SysAllocString
VariantClear

Exports

Exports

True

Sections

.text
Size: 976KB - Virtual size: 975KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 32KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1.5MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 624B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 44KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

6e1b6e0b72c6c5622d9d6eda1d4a9faf

Headers

File Characteristics

Imports

kernel32

shlwapi

user32

advapi32

ws2_32

version

shell32

ole32

oleaut32

Exports

Exports

Sections

.text Size: 976KB - Virtual size: 975KB

.rdata Size: 32KB - Virtual size: 30KB

.data Size: 1.5MB - Virtual size: 1.6MB

.rsrc Size: 4KB - Virtual size: 624B

.reloc Size: 44KB - Virtual size: 40KB

.text
Size: 976KB - Virtual size: 975KB

.rdata
Size: 32KB - Virtual size: 30KB

.data
Size: 1.5MB - Virtual size: 1.6MB

.rsrc
Size: 4KB - Virtual size: 624B

.reloc
Size: 44KB - Virtual size: 40KB