blackmoon | 11fbf0e65b4a3c5970c16fe79f2e442fdb484613703c5453215e1ca835837988[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

11fbf0e65b4a3c5970c16fe79f2e442fdb484613703c5453215e1ca835837988.exe
Size

4.5MB
MD5

35f88b4ddcfa1ad111af4c95807a64b5
SHA1

b524a0b67990fadc2f952592d2fe969e46f4f800
SHA256

11fbf0e65b4a3c5970c16fe79f2e442fdb484613703c5453215e1ca835837988
SHA512

57352f99225b90c0072862905fec3e239d65ca9da5ceaf99d3de33dd75cc8366cf3e7c073db4f226b5a7871ce03b8da4a86ccc0572cbd4f882e76a3213f7aed6
SSDEEP

49152:BLLM4pYVSRTzW3x71kjLtbRz53wJWqD2NRmXNT08+C3looYM2sdIYOxrPFS:Rg4pfTzWhJglZEWNkloq91O

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

Detects Windows executables referencing non-Windows User-Agents 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

UPX dump on OEP (original entry point) 1 IoCs

resource	yara_rule
sample	UPX

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
11fbf0e65b4a3c5970c16fe79f2e442fdb484613703c5453215e1ca835837988.exe

Files

11fbf0e65b4a3c5970c16fe79f2e442fdb484613703c5453215e1ca835837988.exe
.exe windows:4 windows x86 arch:x86

0699e3870e208d7c8b967949b3d04eeb

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

RegQueryValueA
RegQueryValueExA
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
CryptHashData
CryptGetHashParam
RegCloseKey
RegOpenKeyA
RegQueryValueExA

comctl32

ImageList_BeginDrag
ImageList_Create
ImageList_Destroy
ImageList_DragEnter
ImageList_DragLeave
ImageList_DragMove
ImageList_DragShowNolock
ImageList_EndDrag
InitCommonControls
ImageList_Add
ImageList_BeginDrag

gdi32

LineTo
MoveToEx
ExcludeClipRect
GetClipBox
ScaleWindowExtEx
SetWindowExtEx
SetWindowOrgEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
SetMapMode
SetTextColor
SetROP2
SetPolyFillMode
SetBkMode
RestoreDC
SaveDC
CreateFontIndirectA
GetStockObject
ExtSelectClipRgn
GetViewportExtEx
PtVisible
RectVisible
TextOutA
ExtTextOutA
Escape
GetTextMetricsA
EndPage
EndDoc
CreateSolidBrush
FillRgn
CreateRectRgn
CombineRgn
PatBlt
CreatePen
GetObjectA
SelectObject
TranslateCharsetInfo
CreateFontA
SetBkColor
CreateRectRgnIndirect
SetStretchBltMode
GetClipRgn
CreatePolygonRgn
GetDIBits
StretchBlt
GetViewportOrgEx
GetWindowOrgEx
BeginPath
EndPath
PathToRegion
CreateEllipticRgn
CreateRoundRectRgn
GetTextColor
GetBkMode
DeleteDC
StartDocA
StartPage
Ellipse
Rectangle
LPtoDP
DPtoLP
GetCurrentObject
RoundRect
GetTextExtentPoint32A
GetBkColor
GetROP2
GetStretchBltMode
GetPolyFillMode
DeleteObject
SelectClipRgn
GetWindowExtEx
LineTo

kernel32

GetSystemTime
RtlUnwind
GetStartupInfoA
GetOEMCP
GetCPInfo
GetProcessVersion
SetErrorMode
GlobalFlags
GetCurrentThread
GetLocalTime
GetFileTime
TlsGetValue
RaiseException
HeapSize
GetACP
UnhandledExceptionFilter
FreeEnvironmentStringsA
LocalReAlloc
TlsSetValue
TlsFree
GlobalHandle
TlsAlloc
LocalAlloc
lstrcmp
GlobalGetAtomNameA
GlobalAddAtomA
GlobalFindAtomA
GlobalDeleteAtom
lstrcmpi
SetEndOfFile
UnlockFile
LockFile
FlushFileBuffers
DuplicateHandle
lstrcpyn
FileTimeToLocalFileTime
FileTimeToSystemTime
LocalFree
InterlockedDecrement
InterlockedIncrement
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
GetEnvironmentVariableA
HeapDestroy
HeapCreate
VirtualFree
SetEnvironmentVariableA
LCMapStringA
LCMapStringW
VirtualAlloc
IsBadWritePtr
SetUnhandledExceptionFilter
GetStringTypeA
GetStringTypeW
CompareStringA
CompareStringW
IsBadReadPtr
IsBadCodePtr
CloseHandle
WaitForSingleObject
GetTickCount
GetCommandLineA
MulDiv
GetDiskFreeSpaceA
GetModuleHandleA
GetVolumeInformationA
SetCurrentDirectoryA
GetCurrentDirectoryA
FindClose
FindFirstFileA
GlobalUnlock
GlobalLock
GlobalAlloc
Sleep
CreateEventA
CreateThread
GetPrivateProfileStringA
WritePrivateProfileStringA
GetVersionExA
GetLastError
LoadLibraryA
FreeLibrary
GetFullPathNameA
HeapAlloc
GetProcessHeap
HeapReAlloc
HeapFree
GlobalReAlloc
FindNextFileA
lstrcpy
WinExec
lstrlen
lstrcat
InitializeCriticalSection
DeleteCriticalSection
GlobalFree
GlobalSize
ExitProcess
GetCurrentThreadId
MultiByteToWideChar
WideCharToMultiByte
GetModuleFileNameA
ReadFile
LockResource
LoadResource
FindResourceA
SetEvent
WaitForMultipleObjects
WriteFile
GetProfileStringA
LeaveCriticalSection
EnterCriticalSection
ReleaseSemaphore
ResumeThread
CreateSemaphoreA
SetFilePointer
GetFileSize
GetCurrentProcess
TerminateProcess
SetLastError
GetTimeZoneInformation
GetVersion
SetStdHandle
InterlockedExchange
GetCurrentProcess
GetWindowsDirectoryA
CreateWaitableTimerA
SetWaitableTimer
TerminateThread
RtlMoveMemory
CreateToolhelp32Snapshot
Module32First
Module32Next
lstrcpynW
VirtualQuery
Process32First
ReadFile
GetFileSize
GetTickCount
WriteFile
WideCharToMultiByte
GetUserDefaultLCID
OpenProcess
GetCurrentDirectoryA
SetCurrentDirectoryA
GetStartupInfoA
HeapFree
FindNextFileA
FindFirstFileA
FindClose
GetSystemDirectoryA
GetTempPathA
GetTempFileNameA
LCMapStringA
VirtualProtect
lstrcpyn
GetCommandLineA
LoadLibraryA
FlushFileBuffers
SetStdHandle
IsBadCodePtr
Process32Next
GetDiskFreeSpaceExA
IsWow64Process
IsBadReadPtr
HeapReAlloc
ExitProcess
GetProcessHeap
lstrcmpiW
lstrcmpW
LeaveCriticalSection
CreateRemoteThread
GetExitCodeThread
OpenThread
DuplicateHandle
MultiByteToWideChar
HeapCreate
SetUnhandledExceptionFilter
GetVersionExA
ReadProcessMemory
VirtualQueryEx
PeekNamedPipe
lstrlenW
lstrcpy
InitializeCriticalSection
GetCurrentThreadId
SetProcessAffinityMask
EnterCriticalSection
DeleteCriticalSection
RtlZeroMemory
HeapAlloc
GetVersion
RtlUnwind
InterlockedDecrement
InterlockedIncrement
TerminateProcess
TlsSetValue
TlsAlloc
TlsFree
SetLastError
TlsGetValue
VirtualAllocEx
GetModuleFileNameA
WriteProcessMemory
VirtualFreeEx
GetModuleHandleA
WaitForSingleObject
CloseHandle
LoadLibraryExA
lstrcpyn
FreeLibrary
GetNativeSystemInfo
GetLastError
SetHandleCount
GetStdHandle
GetFileType
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
HeapDestroy
VirtualFree
RaiseException
VirtualAlloc
IsBadWritePtr
SetFilePointer
LCMapStringW
GetCPInfo
GetACP
GetOEMCP
GetStringTypeA
GetStringTypeW
RtlMoveMemory
ReadProcessMemory
ReadProcessMemory
GetModuleFileNameA
VirtualProtectEx
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
GetSystemTime

oleaut32

LoadTypeLib
RegisterTypeLib
UnRegisterTypeLib
VariantInit
SysFreeString
SafeArrayDestroy
VariantClear
SysAllocString
SafeArrayCreate
RegisterTypeLib
LHashValOfNameSys
SafeArrayAllocDescriptor
LoadTypeLib
VariantChangeType
SafeArrayAllocData
VariantCopy
SafeArrayGetDim
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayAccessData
SafeArrayUnaccessData
SafeArrayGetElemsize
VarR8FromCy
VarR8FromI2
VariantInit
LoadTypeLib

shell32

DragQueryFile
DragFinish
DragAcceptFiles
Shell_NotifyIcon
ShellExecuteA
SHGetSpecialFolderPathA
SHGetSpecialFolderPathA
DragQueryFile

user32

SetMenu
GetMenu
DeleteMenu
GetSystemMenu
DefWindowProcA
GetClassInfoA
IsZoomed
PostQuitMessage
CopyAcceleratorTableA
GetKeyState
TranslateAccelerator
IsWindowEnabled
ShowWindow
SystemParametersInfoA
LoadImageA
ClientToScreen
EnableMenuItem
GetSubMenu
GetDlgCtrlID
UnregisterClassA
CreateMenu
ModifyMenuA
AppendMenuA
CreatePopupMenu
DrawIconEx
CreateIconFromResource
CreateIconFromResourceEx
RegisterWindowMessageA
SetRectEmpty
DispatchMessageA
GetMessageA
WindowFromPoint
DrawFocusRect
DrawEdge
DrawFrameControl
TranslateMessage
LoadIconA
CallWindowProcA
CreateWindowExA
RegisterHotKey
UnregisterHotKey
GetDesktopWindow
GetClassNameA
GetDlgItem
GetWindowTextA
PeekMessageA
GetForegroundWindow
SetScrollPos
SetRect
InflateRect
IntersectRect
DestroyIcon
PtInRect
OffsetRect
IsWindowVisible
EnableWindow
GetWindowLongA
SetWindowLongA
GetSysColor
SetActiveWindow
SetCursorPos
LoadCursorA
SetCursor
FillRect
IsRectEmpty
IsChild
DestroyMenu
SetForegroundWindow
DestroyAcceleratorTable
EqualRect
UpdateWindow
ValidateRect
InvalidateRect
GetClientRect
GetFocus
GetParent
GetTopWindow
PostMessageA
IsWindow
SetParent
DestroyIcon
SendMessageA
SetWindowPos
MessageBoxA
GetCursorPos
GetSystemMetrics
EmptyClipboard
SetClipboardData
OpenClipboard
GetClipboardData
CloseClipboard
wsprintfA
IsIconic
SetFocus
GetActiveWindow
GetWindow
GetWindowTextLengthA
CharUpperA
BeginPaint
EndPaint
TabbedTextOutA
DrawTextA
GrayStringA
CreateDialogIndirectParamA
EndDialog
GetNextDlgTabItem
GetWindowPlacement
RegisterWindowMessageA
GetLastActivePopup
GetMessageTime
RemovePropA
GetPropA
UnhookWindowsHookEx
SetPropA
GetClassLongA
CallNextHookEx
SetWindowsHookExA
GetMenuItemID
GetMenuItemCount
RegisterClassA
GetScrollPos
AdjustWindowRectEx
MapWindowPoints
SendDlgItemMessageA
ScrollWindowEx
IsDialogMessage
SetWindowTextA
MoveWindow
CheckMenuItem
SetMenuItemBitmaps
GetMenuState
GetMenuCheckMarkDimensions
LoadStringA
SetWindowRgn
GetMessagePos
ScreenToClient
ChildWindowFromPointEx
CopyRect
LoadBitmapA
WinHelpA
KillTimer
SetTimer
ReleaseCapture
GetCapture
SetCapture
GetScrollRange
GetWindowRect
SetScrollRange
GetSysColorBrush
CreateAcceleratorTableA
GetWindowTextA
GetWindowThreadProcessId
GetClassNameA
ShowWindow
GetCursorPos
GetForegroundWindow
MsgWaitForMultipleObjects
WindowFromPoint
SendMessageA
MessageBoxA
EnumWindows
GetParent
GetAncestor
CallWindowProcA
PeekMessageA
TranslateMessage
DispatchMessageA
wsprintfA
GetMessageA
IsWindowVisible
FindWindowA
ClientToScreen
RegisterWindowMessageA
GetDlgItem
GetSystemMetrics
MonitorFromWindow
MonitorFromRect
MonitorFromPoint
GetMonitorInfoA
EnumDisplayMonitors
GetWindowTextA
SetMenu

winmm

waveOutClose
waveOutReset
waveOutPause
waveOutWrite
waveOutPrepareHeader
waveOutGetNumDevs
waveOutOpen
midiOutUnprepareHeader
midiStreamOpen
midiStreamProperty
midiStreamOut
midiStreamStop
midiOutReset
midiStreamClose
midiStreamRestart
waveOutUnprepareHeader
midiOutPrepareHeader
waveOutClose

winspool.drv

OpenPrinterA
DocumentPropertiesA
ClosePrinter
OpenPrinterA

ws2_32

recvfrom
ioctlsocket
recv
getpeername
accept
inet_ntoa
WSACleanup
closesocket
WSAAsyncSelect
WSAStartup
WSACleanup
htons
WSAStartup
recvfrom

comdlg32

ChooseColorA
GetSaveFileNameA
GetOpenFileNameA
GetFileTitleA
ChooseColorA

ole32

OleRun
CoInitialize
OleUninitialize
OleInitialize
OleRun

combase

CLSIDFromProgID
CoCreateInstance
CoUninitialize
CLSIDFromString
CLSIDFromString

psapi

GetModuleInformation
GetModuleInformation

shlwapi

StrToIntExW
PathFindFileNameA
PathFileExistsA
StrToIntExA
PathFindExtensionA
StrToIntW
StrToIntExW

version

VerQueryValueA
GetFileVersionInfoA
GetFileVersionInfoSizeA
VerQueryValueA

ntdll

NtQueryInformationProcess
RtlMoveMemory
NtQueryVirtualMemory
NtdllDefWindowProc_A

Sections

.nsp0
Size: 3.5MB - Virtual size: 3.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.nsp1
Size: 988KB - Virtual size: 988KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.nsp2
Size: 29KB - Virtual size: 29KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

0699e3870e208d7c8b967949b3d04eeb

Headers

File Characteristics

Imports

advapi32

comctl32

gdi32

kernel32

oleaut32

shell32

user32

winmm

winspool.drv

ws2_32

comdlg32

ole32

combase

psapi

shlwapi

version

ntdll

Sections

.nsp0 Size: 3.5MB - Virtual size: 3.5MB

.nsp1 Size: 988KB - Virtual size: 988KB

.nsp2 Size: 29KB - Virtual size: 29KB

.nsp0
Size: 3.5MB - Virtual size: 3.5MB

.nsp1
Size: 988KB - Virtual size: 988KB

.nsp2
Size: 29KB - Virtual size: 29KB