Behavioral task: behavioral1
  Sample: qvlnk.dll
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: qvlnk.dll
  Resource: win10v2004-20231023-en
General
- Target: qvlnk.7z
- Size: 28KB
- MD5: 77b47b6508f91ec05f7aa248005530c5
- SHA1: 63cb4b3d8a1bb6065716b0e1aa5c5468bc38e9d9
- SHA256: 07ff6c186fbcada4dcc4903d3c398d44ed2c7a5eadde6114558619d397ba4118
- SHA512: 2a0234319a219276bf35f266f6960accf507108af5aae3715fa26402b6e2939042d456212bb33d4cf7af31a4fb2907efac91c1b74b6e46e0a7eaf57dae4a206e
- SSDEEP: 768:HjgFssvsBP7Jtehe0zBhBaOx17vvb6U/WNzVa:HYtUBP7feDhpx17v2tzU
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (1 IoC)
  resource: yara_rule static1/unpack001/qvlnk.dll family_blackmoon
- Unsigned PE (1 IoC)
  Checks for missing Authenticode signature.
  resource: unpack001/qvlnk.dll
Files
- qvlnk.7z.7z
  Password: infected
- qvlnk.dll.dll windows:4 windows x86
  Password: infected
  0c9c3ace37c0802299c7e0ee31fb2871
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
Imports
kernel32
HeapAlloc
HeapReAlloc
HeapFree
IsBadReadPtr
GetModuleFileNameA
GetTickCount
FindClose
FindNextFileA
DeleteFileA
RemoveDirectoryA
FindFirstFileA
ReadFile
GetFileSize
CreateFileA
ExitProcess
GetCommandLineA
GetModuleHandleA
GetProcessHeap
CloseHandle
GetLastError
GetCurrentProcess
RtlZeroMemory
WTSGetActiveConsoleSessionId
IsBadCodePtr
SetUnhandledExceptionFilter
GetStringTypeW
GetStringTypeA
MoveFileA
WriteFile
CreateDirectoryA
FlushFileBuffers
SetStdHandle
GetTempPathA
GetSystemDirectoryA
GetWindowsDirectoryA
GetVersionExA
MultiByteToWideChar
WideCharToMultiByte
GetVersion
InterlockedDecrement
InterlockedIncrement
RtlUnwind
TerminateProcess
GetCurrentThreadId
TlsSetValue
TlsAlloc
TlsFree
SetLastError
TlsGetValue
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
DeleteCriticalSection
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
HeapDestroy
HeapCreate
VirtualFree
GetProcAddress
VirtualAlloc
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
SetFilePointer
LCMapStringA
LCMapStringW
GetCPInfo
GetACP
GetOEMCP
LoadLibraryA
user32
GetMessageA
DispatchMessageA
wsprintfA
MessageBoxA
TranslateMessage
PeekMessageA
advapi32
AdjustTokenPrivileges
LookupPrivilegeValueA
CreateProcessAsUserA
OpenProcessToken
SetTokenInformation
DuplicateTokenEx
wtsapi32
WTSQueryUserToken
userenv
CreateEnvironmentBlock
shlwapi
PathFileExistsA
oleaut32
VariantTimeToSystemTime
shell32
SHGetSpecialFolderPathA
Exports
Sections
- .text: Size 44KB, Virtual size 42KB
  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
- .rdata: Size 8KB, Virtual size 4KB
  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
- .data: Size 16KB, Virtual size 56KB
  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
- .rsrc: Size 4KB, Virtual size 664B
  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
- .reloc: Size 8KB, Virtual size 4KB
  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ