blackmoon | 6708da536c54a1898ef5a945212359f4[.]bin

Sharing

Copy URL Twitter E-mail

General

Target

6708da536c54a1898ef5a945212359f4.bin
Size

45KB
MD5

a5fd6d2e15a87bf6fc3eb9577da20a68
SHA1

16b2607432e019b0584285b8c112ee81c81300f7
SHA256

55aa5ee2d9a76fcaa9a46fb51357b0fab7619f5f8a675847f363eea3924944c5
SHA512

51ba15549e2267d5a219705b8f9a1f8ec1a95c05f4cfe51c986fa5b59029c964b2760425116d30d5055311d93b505228e8f6783db7c1e1b004bb263376722211
SSDEEP

768:OIbVd1p3SJg9/CPpg+cUC7hq2RgsUuGHJWDt6wSKqf/c9FIDwBLej:lZdz3sU+I7hqNsUuGADt6w7xF6iej

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
static1/unpack001/6f3039407660591048262796a25d25a03c811d45dc973dae85ee7f136067439f.exe	family_blackmoon

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/6f3039407660591048262796a25d25a03c811d45dc973dae85ee7f136067439f.exe

Files

6708da536c54a1898ef5a945212359f4.bin
.zip

Password: infected
6f3039407660591048262796a25d25a03c811d45dc973dae85ee7f136067439f.exe
.exe windows:4 windows x86 arch:x86

Password: infected

e5ac0f9205c73a7dd3d8c67873453d3c

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

RtlMoveMemory
GetComputerNameA
GetModuleHandleA
GetProcAddress
GetCurrentProcess
GetCurrentProcessId
MultiByteToWideChar
WideCharToMultiByte
CreateThread
GetProcessHeap
HeapAlloc
HeapFree
HeapReAlloc
IsBadReadPtr
CloseHandle
ReadFile
GetFileSize
CreateFileA
WriteFile
lstrcpynA
CreateProcessA
GetStartupInfoA
DeleteFileA
GetTickCount
Sleep
FindClose
FindNextFileA
RemoveDirectoryA
FindFirstFileA
SetFileAttributesA
GetUserDefaultLCID
FreeLibrary
LoadLibraryA
LCMapStringA
CreateEventA
OpenEventA
MoveFileA
CreateDirectoryA
GetTempPathA
GetCommandLineA
GetModuleFileNameA
WaitForSingleObject
ExitProcess

user32

wsprintfA
TranslateMessage
GetMessageA
PeekMessageA
GetDC
DispatchMessageA
MessageBoxA
GetDesktopWindow
ReleaseDC

advapi32

RegCloseKey
RegQueryValueExA
RegOpenKeyA
CreateProcessAsUserA

wininet

InternetGetConnectedState

iphlpapi

GetAdaptersInfo

ws2_32

ntohs
inet_addr
bind
listen
WSACleanup
socket
htons
accept
recv
send
WSASocketA
WSAStartup
closesocket

gdi32

GetDeviceCaps

ole32

CoInitialize
CoUninitialize
OleRun
CoCreateInstance
CLSIDFromString
CLSIDFromProgID

shell32

SHGetPathFromIDListA
SHGetSpecialFolderLocation

msvcrt

malloc
free
modf
memmove
_ftol
atoi
strchr
strncpy
_CIfmod
floor
strrchr
__CxxFrameHandler
_strnicmp
rand
srand
tolower
??2@YAPAXI@Z
sprintf
??3@YAXPAX@Z
strncmp

shlwapi

PathFileExistsA

oleaut32

VariantClear
SysAllocString
SafeArrayCreate
SafeArrayGetDim
SafeArrayGetLBound
VariantChangeType
SafeArrayGetUBound
SafeArrayAccessData
SafeArrayUnaccessData
SafeArrayGetElemsize
LoadTypeLi
LHashValOfNameSys
RegisterTypeLi
VariantInit
SafeArrayDestroy

Sections

.text
Size: 94KB - Virtual size: 93KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 73KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

e5ac0f9205c73a7dd3d8c67873453d3c

Headers

File Characteristics

Imports

kernel32

user32

advapi32

wininet

iphlpapi

ws2_32

gdi32

ole32

shell32

msvcrt

shlwapi

oleaut32

Sections

.text Size: 94KB - Virtual size: 93KB

.rdata Size: 6KB - Virtual size: 6KB

.data Size: 12KB - Virtual size: 73KB

.text
Size: 94KB - Virtual size: 93KB

.rdata
Size: 6KB - Virtual size: 6KB

.data
Size: 12KB - Virtual size: 73KB