PTDujiawz
Behavioral task behavioral1
Sample: 017ebfcbf9f5261fc8174c36700d0bf32b78e8e5884090f69c42b7ee0703dc80.dll
Resource: win7-20230831-en
Behavioral task behavioral2
Sample: 017ebfcbf9f5261fc8174c36700d0bf32b78e8e5884090f69c42b7ee0703dc80.dll
Resource: win10v2004-20230915-en
General
- Target: 017ebfcbf9f5261fc8174c36700d0bf32b78e8e5884090f69c42b7ee0703dc80
- Size: 1008KB
- MD5: d7393b4ad889b295369160fc47b1a66d
- SHA1: 8d6ff86cfa947b14b9841908a36f91571e7f3fe9
- SHA256: 017ebfcbf9f5261fc8174c36700d0bf32b78e8e5884090f69c42b7ee0703dc80
- SHA512: d3b6ea5a404547d1c980a901c62b9a2cbc300b92ae8a74bad2847ef5f988b5e3eecf24a8e6f3281850f7e7b8b5ad690c597e45ba12d080ff90daccbdee5c91ee
- SSDEEP: 24576:Q6yYyX0uARTDNYAz91BmL8MK4Woj2VIs2R6H4bB:Q6yPXbCDW6XB2hxeSR6H4
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (1 IoC)
  resource: sample; yara_rule: family_blackmoon
- Unsigned PE (1 IoC): checks for missing Authenticode signature.
  resource: 017ebfcbf9f5261fc8174c36700d0bf32b78e8e5884090f69c42b7ee0703dc80
Files
- 017ebfcbf9f5261fc8174c36700d0bf32b78e8e5884090f69c42b7ee0703dc80.dll (windows:4, windows x86)
  e40c88b71c794c7c5bc9466f6920b64e
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
Imports
kernel32
GetUserDefaultLCID
GetPrivateProfileStringA
CloseHandle
WriteFile
CreateFileA
SetFileAttributesA
GetTickCount
FindClose
FindNextFileA
DeleteFileA
RemoveDirectoryA
FindFirstFileA
GetCommandLineA
GetModuleFileNameA
FreeLibrary
GetProcAddress
LoadLibraryA
LCMapStringA
WideCharToMultiByte
Sleep
IsBadReadPtr
HeapFree
HeapReAlloc
HeapAlloc
ExitProcess
GetModuleHandleA
GetProcessHeap
MultiByteToWideChar
GetLastError
FlushFileBuffers
SetStdHandle
IsBadCodePtr
SetUnhandledExceptionFilter
GetStringTypeW
GetStringTypeA
GetOEMCP
GetACP
GetCPInfo
LCMapStringW
SetFilePointer
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
IsBadWritePtr
VirtualAlloc
RaiseException
VirtualFree
HeapCreate
MoveFileA
CreateDirectoryA
GetTempPathA
GetSystemDirectoryA
GetWindowsDirectoryA
GetVersionExA
GetCurrentProcess
GetVersion
RtlUnwind
InterlockedDecrement
InterlockedIncrement
TerminateProcess
GetCurrentThreadId
TlsSetValue
TlsAlloc
TlsFree
SetLastError
TlsGetValue
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
DeleteCriticalSection
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
HeapDestroy
user32
PeekMessageA
GetMessageA
TranslateMessage
DispatchMessageA
wsprintfA
MessageBoxA
GetAsyncKeyState
IsWindow
GetWindowThreadProcessId
advapi32
RegCreateKeyExA
RegOpenKeyExA
RegDeleteValueA
RegDeleteKeyA
RegSetValueExA
RegCloseKey
ole32
CLSIDFromString
OleRun
CoUninitialize
CLSIDFromProgID
CoCreateInstance
CoInitialize
oleaut32
VariantCopy
VariantClear
LoadTypeLib
LHashValOfNameSys
RegisterTypeLib
SysAllocString
SafeArrayCreate
SafeArrayDestroy
shlwapi
PathFileExistsA
shell32
SHGetSpecialFolderPathA
ShellExecuteA
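The import table above is the most informative static artifact in this report, but a flat list of API names is hard to read. The following script is an added example (not part of the original report and not the sandbox's own detection logic): it takes the import table exactly as listed here (with oleaut32's LoadTypeLib/RegisterTypeLib written out in full, which are the real export names) and matches it against a small set of all-of/any-of capability rules. The rules are this editor's own triage heuristics, an assumption rather than capa or Triage rules, and a hit means only that the binary imports what it would need for that behaviour, not that the behaviour was observed. Rules for injection and network APIs are included deliberately so the negative evidence (this import table supports neither) is visible too.

```python
"""Coarse capability triage from a PE import table.

Added example, not part of the original report and not the sandbox's
detection logic.  REPORT_IMPORTS is the import table the report lists for
017ebfcbf9f5261fc8174c36700d0bf32b78e8e5884090f69c42b7ee0703dc80.dll
(oleaut32's LoadTypeLib/RegisterTypeLib spelled out in full).  RULES are
this editor's own heuristics (an assumption, not capa or Triage rules);
a hit means the binary imports what that behaviour would need, not that
the behaviour was observed."""
from dataclasses import dataclass

REPORT_IMPORTS = {
    "kernel32": """GetUserDefaultLCID GetPrivateProfileStringA CloseHandle WriteFile CreateFileA
        SetFileAttributesA GetTickCount FindClose FindNextFileA DeleteFileA RemoveDirectoryA
        FindFirstFileA GetCommandLineA GetModuleFileNameA FreeLibrary GetProcAddress LoadLibraryA
        LCMapStringA WideCharToMultiByte Sleep IsBadReadPtr HeapFree HeapReAlloc HeapAlloc
        ExitProcess GetModuleHandleA GetProcessHeap MultiByteToWideChar GetLastError
        FlushFileBuffers SetStdHandle IsBadCodePtr SetUnhandledExceptionFilter GetStringTypeW
        GetStringTypeA GetOEMCP GetACP GetCPInfo LCMapStringW SetFilePointer LeaveCriticalSection
        EnterCriticalSection InitializeCriticalSection IsBadWritePtr VirtualAlloc RaiseException
        VirtualFree HeapCreate MoveFileA CreateDirectoryA GetTempPathA GetSystemDirectoryA
        GetWindowsDirectoryA GetVersionExA GetCurrentProcess GetVersion RtlUnwind
        InterlockedDecrement InterlockedIncrement TerminateProcess GetCurrentThreadId TlsSetValue
        TlsAlloc TlsFree SetLastError TlsGetValue SetHandleCount GetStdHandle GetFileType
        GetStartupInfoA DeleteCriticalSection FreeEnvironmentStringsA FreeEnvironmentStringsW
        GetEnvironmentStrings GetEnvironmentStringsW GetEnvironmentVariableA HeapDestroy""".split(),
    "user32": ("PeekMessageA GetMessageA TranslateMessage DispatchMessageA wsprintfA "
               "MessageBoxA GetAsyncKeyState IsWindow GetWindowThreadProcessId").split(),
    "advapi32": "RegCreateKeyExA RegOpenKeyExA RegDeleteValueA RegDeleteKeyA RegSetValueExA RegCloseKey".split(),
    "ole32": "CLSIDFromString OleRun CoUninitialize CLSIDFromProgID CoCreateInstance CoInitialize".split(),
    "oleaut32": ("VariantCopy VariantClear LoadTypeLib LHashValOfNameSys RegisterTypeLib "
                 "SysAllocString SafeArrayCreate SafeArrayDestroy").split(),
    "shlwapi": ["PathFileExistsA"],
    "shell32": "SHGetSpecialFolderPathA ShellExecuteA".split(),
}


@dataclass(frozen=True)
class Rule:
    name: str
    all_of: frozenset = frozenset()   # every one of these must be imported
    any_of: frozenset = frozenset()   # and, if non-empty, at least one of these


def _r(name, all_of=(), any_of=()):
    return Rule(name, frozenset(all_of), frozenset(any_of))


# Editor's heuristic rules (assumption); the last two exist to show negative evidence.
RULES = [
    _r("registry write (persistence candidate)", all_of=["RegSetValueExA"],
       any_of=["RegCreateKeyExA", "RegOpenKeyExA"]),
    _r("registry key/value removal", any_of=["RegDeleteValueA", "RegDeleteKeyA"]),
    _r("directory walk with file/dir deletion", all_of=["FindFirstFileA", "FindNextFileA"],
       any_of=["DeleteFileA", "RemoveDirectoryA"]),
    _r("file drop into temp/system/shell folders", all_of=["CreateFileA", "WriteFile"],
       any_of=["GetTempPathA", "GetSystemDirectoryA", "GetWindowsDirectoryA", "SHGetSpecialFolderPathA"]),
    _r("runtime API resolution", all_of=["LoadLibraryA", "GetProcAddress"]),
    _r("COM object instantiation", all_of=["CoInitialize", "CoCreateInstance"],
       any_of=["CLSIDFromProgID", "CLSIDFromString"]),
    _r("type library registration", any_of=["RegisterTypeLib"]),
    _r("keyboard state polling", any_of=["GetAsyncKeyState"]),
    _r("launch external program via shell", any_of=["ShellExecuteA"]),
    _r("INI-style config read", any_of=["GetPrivateProfileStringA"]),
    _r("remote thread injection", all_of=["OpenProcess", "WriteProcessMemory", "CreateRemoteThread"]),
    _r("network I/O (winsock/wininet)",
       any_of=["socket", "connect", "send", "InternetOpenA", "HttpSendRequestA", "URLDownloadToFileA"]),
]


def match_capabilities(imports, rules=RULES):
    """Return {rule name: sorted evidence APIs} for every rule the import table satisfies."""
    present = {api for apis in imports.values() for api in apis}
    hits = {}
    for rule in rules:
        if not rule.all_of <= present:
            continue
        if rule.any_of and not (rule.any_of & present):
            continue
        hits[rule.name] = sorted((rule.all_of | rule.any_of) & present)
    return hits


def missing_capabilities(imports, rules=RULES):
    """Rules NOT satisfied: the negative evidence (e.g. no network or injection APIs imported)."""
    hits = match_capabilities(imports, rules)
    return [r.name for r in rules if r.name not in hits]


if __name__ == "__main__":
    for name, evidence in match_capabilities(REPORT_IMPORTS).items():
        print("%-45s %s" % (name, ", ".join(evidence)))
    print("not supported by imports:", missing_capabilities(REPORT_IMPORTS))
```

Most of the kernel32 entries (Tls*, Heap*, GetStringType*, LCMapString*, the environment-string functions) are statically linked C runtime scaffolding, which is why the rules key on the handful of behaviourally meaningful names. Absence of a rule hit is weak evidence, since the sample also imports LoadLibraryA/GetProcAddress and can resolve anything else at run time; that is exactly the "runtime API resolution" hit.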
Exports
(none listed)
Sections
- .text   Size: 84KB   Virtual size: 80KB    IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
- .rdata  Size: 8KB    Virtual size: 4KB     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
- .data   Size: 896KB  Virtual size: 986KB   IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
- .rsrc   Size: 4KB    Virtual size: 900B    IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
- .reloc  Size: 12KB   Virtual size: 9KB     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ
Note: .data (896KB on disk, read/write) accounts for almost all of the 1008KB file; the code section is only 84KB. No section is both writable and executable.
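The "Unsigned PE" signature above, the File Characteristics list and the section table are all read straight from the PE headers. The script below is an added example (not part of the original report and not the sandbox's code) that reproduces those three checks with nothing but struct: it decodes the COFF characteristics, tests data directory 4 (the certificate table that Authenticode signatures live in), and walks the section table. Because the sample itself is not on this page, build_test_pe() constructs a headers-only synthetic PE whose fields mirror the report (DLL, x86, the five sections with the listed flags, sizes rounded to the KB values shown); that image is constructed for the example and contains no code from the sample.

```python
"""Minimal PE header triage: file characteristics, section table and the
Authenticode (certificate table) presence check.

Added example, not part of the original report and not the sandbox's own
code.  parse_pe() reads the DOS/COFF/optional headers and section table
with struct only (no pefile).  build_test_pe() constructs a synthetic,
headers-only PE mirroring the report's values so the example runs offline;
it is NOT the sample and contains no code."""
import struct
from dataclasses import dataclass

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # data directory index of the certificate table
FILE_FLAGS = {  # IMAGE_FILE_* bits of the COFF Characteristics field
    0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE", 0x0004: "IMAGE_FILE_LINE_NUMS_STRIPPED",
    0x0008: "IMAGE_FILE_LOCAL_SYMS_STRIPPED", 0x0100: "IMAGE_FILE_32BIT_MACHINE",
    0x2000: "IMAGE_FILE_DLL",
}
SECTION_FLAGS = {  # IMAGE_SCN_* bits of a section header's Characteristics field
    0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def _names(value, table):
    return [name for bit, name in table.items() if value & bit]


@dataclass
class Section:
    name: str
    raw_size: int
    virtual_size: int
    flags: list


@dataclass
class PeSummary:
    machine: int
    characteristics: list
    has_authenticode: bool   # certificate table present; NOT "signature valid"
    sections: list


def parse_pe(data: bytes) -> PeSummary:
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at +92, directories at +96
        nrva_off, dd_off = 92, 96
    elif magic == 0x20B:      # PE32+: 8-byte ImageBase/stack fields shift both by 16
        nrva_off, dd_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    has_auth = False
    if nrva > IMAGE_DIRECTORY_ENTRY_SECURITY:
        off, size = struct.unpack_from("<II", data, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
        has_auth = off != 0 and size != 0   # a WIN_CERTIFICATE blob is attached
    sections = []
    for i in range(nsec):
        name, vsize, _, rawsize, _, _, _, _, _, sflags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                rawsize, vsize, _names(sflags, SECTION_FLAGS)))
    return PeSummary(machine, _names(chars, FILE_FLAGS), has_auth, sections)


def triage_notes(pe: PeSummary) -> list:
    """Findings a sandbox can flag from the headers alone."""
    notes = []
    if not pe.has_authenticode:
        notes.append("Unsigned PE: no Authenticode certificate table")
    for s in pe.sections:
        if "IMAGE_SCN_MEM_WRITE" in s.flags and "IMAGE_SCN_MEM_EXECUTE" in s.flags:
            notes.append("writable+executable section %s" % s.name)
    return notes


# Constructed test image mirroring the report's header values (not the sample itself).
REPORT_CHARACTERISTICS = 0x0002 | 0x0004 | 0x0008 | 0x0100 | 0x2000
REPORT_SECTIONS = [  # name, raw size, virtual size, flags; sizes are the report's rounded KB values
    (".text", 84 * 1024, 80 * 1024, 0x20 | 0x20000000 | 0x40000000),
    (".rdata", 8 * 1024, 4 * 1024, 0x40 | 0x40000000),
    (".data", 896 * 1024, 986 * 1024, 0x40 | 0x40000000 | 0x80000000),
    (".rsrc", 4 * 1024, 900, 0x40 | 0x40000000),
    (".reloc", 12 * 1024, 9 * 1024, 0x40 | 0x02000000 | 0x40000000),
]


def build_test_pe(sections, characteristics, security=(0, 0)) -> bytes:
    """Headers only, no section bodies; security=(offset, size) fills data directory 4."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, characteristics)
    opt = bytearray(224)                                    # PE32 optional header with 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, *security)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), v, 0, r, 0, 0, 0, 0, 0, f)
                    for n, r, v, f in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


if __name__ == "__main__":
    pe = parse_pe(build_test_pe(REPORT_SECTIONS, REPORT_CHARACTERISTICS))
    print(pe.characteristics, triage_notes(pe))
    for s in pe.sections:
        print(s.name, s.raw_size, s.virtual_size, s.flags)
```

Caveat: this reproduces only what the "Unsigned PE" signature checks, namely that no certificate table is attached. A present certificate table says nothing about whether the signature verifies or the signer is trusted; that needs a real verifier (signtool verify, Get-AuthenticodeSignature, or osslsigncode). Run parse_pe() on the actual sample file to compare its header output with the report.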