blackmoon | 808a77e12a5fcce6836b4e4c611c21c225ba25472ea1c471b37eb03773c75b9d

Sharing

Copy URL

Twitter E-mail

General

Target

808a77e12a5fcce6836b4e4c611c21c225ba25472ea1c471b37eb03773c75b9d
Size

1.8MB
MD5

e8bfcb7b3abf07400a9c600903d7e1c3
SHA1

620c6540bdf57c2fdbcaff37e303ce72dc483446
SHA256

808a77e12a5fcce6836b4e4c611c21c225ba25472ea1c471b37eb03773c75b9d
SHA512

f077b1e74bb1299724d341e5961fd579be13cfaa0a6fc702329b1c13622b513c9a51fb4a1833af26dd5e79573f96b789ba009560f080d8e73b87719a99fb9a28
SSDEEP

24576:wwKru4K7kOUtQEpJck/7gRg5BMsXYQFbC3A+EtDvy7ZazyMHsAP3jPKexyloZpSI:wDrAmtQqMsXYQJClcpjHnrP+l98CFrA

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
808a77e12a5fcce6836b4e4c611c21c225ba25472ea1c471b37eb03773c75b9d

Files

808a77e12a5fcce6836b4e4c611c21c225ba25472ea1c471b37eb03773c75b9d
.exe windows:4 windows x86

6b158b9381ef0f0a8613886094ef55e3

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

Process32Next
TerminateProcess
CreateWaitableTimerA
SetWaitableTimer
RtlMoveMemory
DeleteFileA
WaitForSingleObject
GetCurrentDirectoryW
CreateFileW
GetFileSize
ReadFile
ReadProcessMemory
WriteProcessMemory
VirtualAllocEx
DeleteFileW
FindNextFileW
TerminateThread
WriteFile
CreateThread
GetLocalTime
lstrcpyn
VirtualAlloc
HeapFree
GetModuleHandleA
GlobalFree
GlobalAlloc
GlobalLock
GlobalUnlock
lstrcpynA
GlobalSize
VirtualQueryEx
lstrcmpA
GetFileSizeEx
VirtualProtectEx
VirtualFreeEx
RtlZeroMemory
lstrcmpW
lstrcmpiW
ExitProcess
HeapReAlloc
IsBadReadPtr
GetModuleFileNameA
Process32First
GetUserDefaultLCID
WritePrivateProfileStringA
CreateFileA
SetFileAttributesA
SetFilePointer
GetTickCount
MoveFileA
Sleep
GetCommandLineA
LoadLibraryA
LCMapStringA
EnterCriticalSection
InitializeCriticalSection
LeaveCriticalSection
GetVersionExA
DeviceIoControl
GetTempPathA
GetSystemDirectoryA
GetWindowsDirectoryA
GetLastError
GetStartupInfoA
FlushFileBuffers
SetStdHandle
SetUnhandledExceptionFilter
GetStringTypeW
GetStringTypeA
GetOEMCP
GetACP
GetCPInfo
CreateToolhelp32Snapshot
WideCharToMultiByte
lstrlenW
FindClose
FindFirstFileW
HeapAlloc
GetProcessHeap
GetCurrentProcessId
CloseHandle
LocalAlloc
LocalFree
OpenProcess
GetCurrentProcess
IsBadCodePtr
MultiByteToWideChar
lstrlenA
FreeLibrary
GetProcAddress
LoadLibraryW
GetPrivateProfileStringA
GetModuleHandleW
GetVersion
RtlUnwind
InterlockedDecrement
InterlockedIncrement
UnhandledExceptionFilter
LCMapStringW
RaiseException
IsBadWritePtr
VirtualFree
FreeEnvironmentStringsA
HeapCreate
HeapDestroy
GetEnvironmentVariableA
TlsGetValue
SetLastError
TlsAlloc
TlsSetValue
GetCurrentThreadId
GetFileType
GetStdHandle
SetHandleCount
GetEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsW
DeleteCriticalSection

user32

GetWindowTextW
GetClassNameA
ShowWindow
IsWindowVisible
LoadImageA
FindWindowExA
SendMessageW
EnableMenuItem
CheckMenuItem
SetMenuItemInfoW
wsprintfA
DispatchMessageA
TranslateMessage
GetMessageA
PeekMessageA
GetSystemMetrics
GetCursorPos
MessageBoxA
MsgWaitForMultipleObjects
GetDC
ReleaseDC
EnumWindows
GetWindowTextLengthW
GetWindowThreadProcessId

gdi32

DeleteDC
DeleteObject
GetBitmapBits
StretchBlt
GetDIBColorTable
SelectObject
CreateDIBSection
CreateCompatibleDC

advapi32

LookupPrivilegeValueA
OpenProcessToken
CryptGetHashParam
CryptDestroyHash
CryptHashData
CryptReleaseContext
CryptCreateHash
CryptAcquireContextA
AdjustTokenPrivileges

shell32

SHGetPathFromIDListW
SHBrowseForFolderW
ShellExecuteW
ShellExecuteExW
ShellExecuteA
SHGetSpecialFolderPathA

ole32

CoUninitialize
CoTaskMemFree
CreateStreamOnHGlobal
CoCreateInstance
CLSIDFromProgID
CLSIDFromString
CoInitialize
OleRun

shlwapi

PathFindFileNameA
StrToIntExA
StrToIntW
StrToIntExW
PathFileExistsA
PathFindExtensionA

wininet

InternetOpenA
InternetConnectA
InternetCloseHandle
HttpOpenRequestA
InternetSetOptionA
HttpSendRequestA
InternetReadFile
HttpQueryInfoA

oleaut32

SysAllocStringByteLen
VariantTimeToSystemTime
SafeArrayDestroy
VariantClear
SysAllocString
SafeArrayCreate
VariantCopy
RegisterTypeLi
LHashValOfNameSys
LoadTypeLi
VariantChangeType
VarR8FromBool
VarR8FromCy
SysFreeString
SafeArrayGetElemsize
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayGetDim
SafeArrayAllocData
SafeArrayAllocDescriptor
VariantInit

psapi

EnumProcesses

gdiplus

GdipLoadImageFromFile
GdipSaveImageToStream
GdipSaveImageToFile
GdipGetImageWidth
GdipGetImageHeight
GdipCreateBitmapFromScan0
GdipGetImageGraphicsContext
GdipCreateBitmapFromStream
GdiplusStartup
GdipDisposeImage
GdipCreateSolidFill
GdipDeleteBrush
GdipDeleteGraphics
GdipDrawImageRectRect
GdipFillRectangle

Sections

.text
Size: 676KB - Virtual size: 672KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 132KB - Virtual size: 223KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: 984KB - Virtual size: 981KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

6b158b9381ef0f0a8613886094ef55e3

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

ole32

shlwapi

wininet

oleaut32

psapi

gdiplus

Sections

.text Size: 676KB - Virtual size: 672KB

.rdata Size: 12KB - Virtual size: 11KB

.data Size: 132KB - Virtual size: 223KB

.vmp0 Size: 984KB - Virtual size: 981KB

.rsrc Size: 12KB - Virtual size: 11KB

.text
Size: 676KB - Virtual size: 672KB

.rdata
Size: 12KB - Virtual size: 11KB

.data
Size: 132KB - Virtual size: 223KB

.vmp0
Size: 984KB - Virtual size: 981KB

.rsrc
Size: 12KB - Virtual size: 11KB