blackmoon | d5ef1a5d883d909b12e9986648cc3813f063b2ab8f4a96ffe405f299f08138bd

Sharing

Copy URL Twitter E-mail

General

Target

d5ef1a5d883d909b12e9986648cc3813f063b2ab8f4a96ffe405f299f08138bd
Size

5.0MB
MD5

b449b134b5751e3b28376cd85d6f0f57
SHA1

20a3540cfb7a586ef6158e5e26a586d60cbd2462
SHA256

d5ef1a5d883d909b12e9986648cc3813f063b2ab8f4a96ffe405f299f08138bd
SHA512

eb16ddc8f74ea7a05ffd40030552d65cdae42733457647b92d4f9badb765a903773b2c50906e5fecb336911ab4e4a2d74a2dd00804d0582d9f1d24702312387d
SSDEEP

98304:nxPJ1VJpdAGgTqfAvwRuRPKgeEP353L/:9bVXdAZGfAvwRuRKEP3h

Score

10^/10

vmprotect blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
sample	vmprotect

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
d5ef1a5d883d909b12e9986648cc3813f063b2ab8f4a96ffe405f299f08138bd

Files

d5ef1a5d883d909b12e9986648cc3813f063b2ab8f4a96ffe405f299f08138bd
.exe windows:5 windows x86

99aa4d5374d0bff1e6e58dd4834adac3

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

DuplicateHandle
GetProcessHandleCount
WideCharToMultiByte
GetCurrentProcessId
Thread32First
Thread32Next
OpenThread
TerminateThread
CreateRemoteThread
WaitForSingleObject
GetExitCodeThread
GetModuleHandleA
ExitProcess
HeapReAlloc
HeapFree
IsBadReadPtr
WriteProcessMemory
TerminateProcess
Sleep
GetUserDefaultLCID
GetTickCount
WriteFile
DeleteFileA
GetCommandLineA
GetModuleFileNameA
FreeLibrary
LoadLibraryA
LCMapStringA
GetProcAddress
ReadProcessMemory
GetPrivateProfileStringA
CreateProcessA
OpenProcess
VirtualFreeEx
VirtualAllocEx
GetCurrentProcess
MultiByteToWideChar
GetProcessHeap
Wow64RevertWow64FsRedirection
Wow64DisableWow64FsRedirection
DeviceIoControl
Process32Next
CloseHandle
lstrlenA
Process32First
CreateToolhelp32Snapshot
CreateFileA
RtlMoveMemory
HeapAlloc
WritePrivateProfileStringA
GetVersionExA

user32

PeekMessageA
GetMessageA
DispatchMessageA
wsprintfA
MessageBoxA
IsWindowVisible
GetWindowThreadProcessId
GetClassNameA
GetWindowTextA
EnumWindows
FindWindowExA
GetAsyncKeyState
TranslateMessage

advapi32

RegDeleteKeyA
CryptGetHashParam
CryptDestroyHash
CryptHashData
CryptReleaseContext
CryptCreateHash
CryptAcquireContextA
LookupPrivilegeValueA
AdjustTokenPrivileges
RegCloseKey
RegSetValueExA
RegCreateKeyExA
RegDeleteValueA
RegOpenKeyExA
RegQueryValueExA
RegOpenKeyA
OpenProcessToken

wininet

HttpOpenRequestA
HttpSendRequestA
InternetConnectA
InternetCloseHandle
InternetOpenUrlA
HttpQueryInfoA
InternetOpenA
InternetReadFile

ws2_32

inet_ntoa
ntohs
WSAStartup

psapi

GetMappedFileNameA

msvcrt

strncmp
__CxxFrameHandler
memmove
realloc
modf
_atoi64
strrchr
rand
srand
strncpy
malloc
free
strtod
strchr
_CIfmod
??2@YAPAXI@Z
??3@YAXPAX@Z
_ftol
atoi
sprintf

shlwapi

PathFileExistsA

ole32

CoUninitialize
OleRun
CoCreateInstance
CLSIDFromString
CoInitialize
CLSIDFromProgID

oleaut32

LoadTypeLi
LHashValOfNameSys
RegisterTypeLi
VariantInit
SafeArrayGetDim
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayAccessData
SafeArrayUnaccessData
VariantCopy
SafeArrayCreate
SysAllocString
VariantClear
SafeArrayDestroy
VariantChangeType
VarR8FromBool
VarR8FromCy
SafeArrayGetElemsize

Sections

.text
Size: 180KB - Virtual size: 180KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 2.6MB - Virtual size: 2.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 455B - Virtual size: 455B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.l1
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

99aa4d5374d0bff1e6e58dd4834adac3

Headers

File Characteristics

Imports

kernel32

user32

advapi32

wininet

ws2_32

psapi

msvcrt

shlwapi

ole32

oleaut32

Sections

.text Size: 180KB - Virtual size: 180KB

.rdata Size: 8KB - Virtual size: 8KB

.data Size: 1.1MB - Virtual size: 1.1MB

.vmp0 Size: 1.1MB - Virtual size: 1.1MB

.vmp1 Size: 2.6MB - Virtual size: 2.6MB

.reloc Size: 4KB - Virtual size: 4KB

.rsrc Size: 455B - Virtual size: 455B

.l1 Size: 5KB - Virtual size: 5KB

.text
Size: 180KB - Virtual size: 180KB

.rdata
Size: 8KB - Virtual size: 8KB

.data
Size: 1.1MB - Virtual size: 1.1MB

.vmp0
Size: 1.1MB - Virtual size: 1.1MB

.vmp1
Size: 2.6MB - Virtual size: 2.6MB

.reloc
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 455B - Virtual size: 455B

.l1
Size: 5KB - Virtual size: 5KB