moon[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

moon.exe
Size

16.7MB
MD5

2d0fe36099038d46fd8c181ce4cef20b
SHA1

ca7f967b6336d87b69d6986c0ceb848fe8410ad7
SHA256

c37a2d5e45280adf57edf7eab100b3357148a2d49a83fa372e1712e993ba1431
SHA512

8ef85db05a62d185137be5513ba0e771443d500fcd13c076a4aaeba5a6e3b7d3605b3352e985f8bb848940e876c5592e2fca7cdbc59646f996015b6d69b9937c
SSDEEP

98304:Vmd09odLpTthHIpUmJB/sE1zOP0xA65QAr31IIybN1z1fHeM08tfecQIZIc9x8+U:h4phNYsE1o0GiFeZHeMpUcD3LrU

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
moon.exe

Files

moon.exe
.exe windows:6 windows x64 arch:x64

cced2145925778ab32ba58c1a9e4edda

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

LockFileEx
MultiByteToWideChar
WriteConsoleW
GetCurrentDirectoryW
GetEnvironmentVariableW
GetModuleHandleW
FormatMessageW
GetTempPathW
GetModuleFileNameW
GetCommandLineW
GetFullPathNameW
FlushFileBuffers
SetFileInformationByHandle
SetFilePointerEx
FindNextFileW
CreateDirectoryW
FindFirstFileW
WideCharToMultiByte
ReadConsoleW
SetFileTime
lstrlenW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetConsoleCursorInfo
SetHandleInformation
GetSystemInfo
SetConsoleCursorInfo
SetConsoleCursorPosition
FillConsoleOutputAttribute
FillConsoleOutputCharacterA
ReadConsoleInputW
GetNumberOfConsoleInputEvents
GetFileInformationByHandleEx
SystemTimeToTzSpecificLocalTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
CompareStringOrdinal
GetSystemDirectoryW
GetWindowsDirectoryW
CreateProcessW
GetFileAttributesW
DuplicateHandle
CreateNamedPipeW
CreateThread
ReadFileEx
WakeConditionVariable
WriteFileEx
WaitForMultipleObjects
GetOverlappedResult
CreateEventW
CancelIo
ReadFile
ExitProcess
QueryPerformanceCounter
CopyFileExW
DeleteFileW
MoveFileExW
DeviceIoControl
CreateSymbolicLinkW
CreateHardLinkW
SystemTimeToFileTime
SetFileAttributesW
PostQueuedCompletionStatus
UnregisterWaitEx
RegisterWaitForSingleObject
TerminateProcess
SetConsoleCtrlHandler
GetCurrentThreadId
PeekNamedPipe
SwitchToFiber
RtlDeleteFunctionTable
VirtualProtect
FlushInstructionCache
RtlAddFunctionTable
VirtualFree
VirtualAlloc
UnmapViewOfFile
FindClose
GetEnvironmentVariableA
FreeLibrary
LoadLibraryExA
RtlVirtualUnwind
WriteFile
FlsAlloc
FlsSetValue
FlsFree
GetProcessTimes
QueryPerformanceFrequency
GetCurrentProcessorNumber
VirtualQuery
GetLargePageMinimum
ReOpenFile
GetNumaHighestNodeNumber
RemoveDirectoryW
GetNumaNodeProcessorMask
WriteConsoleA
GetFileType
GetQueuedCompletionStatusEx
Sleep
GetModuleHandleA
IsProcessorFeaturePresent
CreateIoCompletionPort
InitializeSListHead
SetLastError
UnlockFile
CreateFileW
GetFinalPathNameByHandleW
SleepEx
GetFileInformationByHandle
RtlCaptureContext
GetCurrentThread
GetProcAddress
RtlLookupFunctionEntry
ReleaseMutex
GetCurrentProcess
CreateMutexA
GetCurrentProcessId
LoadLibraryA
WaitForSingleObjectEx
SetConsoleTextAttribute
GetConsoleScreenBufferInfo
SetConsoleMode
GetConsoleMode
SetFileCompletionNotificationModes
SetThreadStackGuarantee
AddVectoredExceptionHandler
GetStdHandle
GetExitCodeProcess
WaitForSingleObject
TryAcquireSRWLockExclusive
IsDebuggerPresent
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
AcquireSRWLockShared
SwitchToThread
CloseHandle
GetLastError
WakeAllConditionVariable
GetSystemTimeAsFileTime
SleepConditionVariableSRW
SetEnvironmentVariableW
ReleaseSRWLockShared

ws2_32

WSAStartup
WSACleanup
select
getpeername
bind
setsockopt
ioctlsocket
WSASocketW
getaddrinfo
recv
WSARecv
WSASend
getsockname
WSADuplicateSocketW
accept
send
WSAGetLastError
WSAIoctl
shutdown
listen
freeaddrinfo
getsockopt
connect
closesocket

ntdll

NtCreateFile
RtlNtStatusToDosError
NtDeviceIoControlFile
NtReadFile
NtCancelIoFileEx
NtWriteFile

shell32

SHGetKnownFolderPath

ole32

CoTaskMemFree

bcrypt

BCryptGenRandom

advapi32

LookupPrivilegeValueA
RegOpenKeyExW
SystemFunction036
OpenProcessToken
RegCloseKey
RegQueryValueExW
AdjustTokenPrivileges

secur32

DeleteSecurityContext
FreeCredentialsHandle
EncryptMessage
AcceptSecurityContext
FreeContextBuffer
DecryptMessage
ApplyControlToken
QueryContextAttributesW
AcquireCredentialsHandleA
InitializeSecurityContextW

crypt32

CertFreeCertificateChain
CryptStringToBinaryA
CertGetCertificateChain
CertOpenStore
CertGetEnhancedKeyUsage
CertVerifyTimeValidity
CertFreeCertificateContext
CertDuplicateCertificateContext
CertDuplicateCertificateChain
CertCreateCertificateContext
CertDuplicateStore
CertCloseStore
CertAddCertificateContextToStore
CertEnumCertificatesInStore
CertVerifyCertificateChainPolicy

vcruntime140

strstr
memcpy
memmove
memcmp
__CxxFrameHandler3
__C_specific_handler
__intrinsic_setjmp
memset
__current_exception
__current_exception_context
longjmp

api-ms-win-crt-math-l1-1-0

truncf
round
trunc
pow
floor
ceil
fma
__setusermatherr
fmaf
ceilf
floorf
fmod

api-ms-win-crt-string-l1-1-0

strlen

api-ms-win-crt-heap-l1-1-0

_set_new_mode
malloc
free

api-ms-win-crt-utility-l1-1-0

_rotl64

api-ms-win-crt-runtime-l1-1-0

_initterm_e
_exit
__p___argc
__p___argv
_cexit
_errno
_register_thread_local_exe_atexit_callback
_initterm
_get_initial_narrow_environment
_initialize_narrow_environment
_configure_narrow_argv
_set_app_type
_initialize_onexit_table
_register_onexit_function
exit
_crt_atexit
_wassert
terminate
_seh_filter_exe
_c_exit

api-ms-win-crt-convert-l1-1-0

strtol

api-ms-win-crt-stdio-l1-1-0

__p__commode
__acrt_iob_func
__stdio_common_vsprintf
fputs
_set_fmode

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Exports

Exports

__jit_debug_descriptor
__jit_debug_register_code

Sections

.text
Size: 11.8MB - Virtual size: 11.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4.3MB - Virtual size: 4.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 37KB - Virtual size: 241KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 273KB - Virtual size: 273KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.eh_fram
Size: 1024B - Virtual size: 752B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 188KB - Virtual size: 187KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

cced2145925778ab32ba58c1a9e4edda

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

ws2_32

ntdll

shell32

ole32

bcrypt

advapi32

secur32

crypt32

vcruntime140

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-locale-l1-1-0

Exports

Exports

Sections

.text Size: 11.8MB - Virtual size: 11.8MB

.rdata Size: 4.3MB - Virtual size: 4.3MB

.data Size: 37KB - Virtual size: 241KB

.pdata Size: 273KB - Virtual size: 273KB

.eh_fram Size: 1024B - Virtual size: 752B

.reloc Size: 188KB - Virtual size: 187KB

.text
Size: 11.8MB - Virtual size: 11.8MB

.rdata
Size: 4.3MB - Virtual size: 4.3MB

.data
Size: 37KB - Virtual size: 241KB

.pdata
Size: 273KB - Virtual size: 273KB

.eh_fram
Size: 1024B - Virtual size: 752B

.reloc
Size: 188KB - Virtual size: 187KB