Behavioral task: behavioral1
Sample: c9d16bef43e551a8b97fc1e11990b60f0d3e74a81d48038a2a1455d165c879d2.exe
Resource: win7-20240221-en
General
Target: 01e737c4a26e39ffadbd15ff844e62b047e27ee38b255f2f55cee5f0354463ae
Size: 45KB
MD5: 6f1d3254733291ec1b2aec0205e0680c
SHA1: a65ddc8a529ab3396d19c13af108eb3e4fb73704
SHA256: 01e737c4a26e39ffadbd15ff844e62b047e27ee38b255f2f55cee5f0354463ae
SHA512: c7f69fe80440c0366c52079e39a68dfe6e6c0ba3b230ded291cb1c08ef6db576dc1b978b293abad7118af5cd56566039bcbb198e8bb2dc2d73f8b9156bf8c302
SSDEEP: 768:3XrjJRxyCw0ZT2G1AqKWYhBYUVRI5RRzHYe5DgiRjkM5KiKlpvI4s1sVidWCZxB4:3bjJRACcGLKxhOUcrdfDgUkyFKlisVjV
Malware Config
Signatures
Blackmoon family
Detect Blackmoon payload 1 IoCs
resource yara_rule static1/unpack001/c9d16bef43e551a8b97fc1e11990b60f0d3e74a81d48038a2a1455d165c879d2.exe family_blackmoon
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource unpack001/c9d16bef43e551a8b97fc1e11990b60f0d3e74a81d48038a2a1455d165c879d2.exe
Files
01e737c4a26e39ffadbd15ff844e62b047e27ee38b255f2f55cee5f0354463ae.zip (Password: infected)
c9d16bef43e551a8b97fc1e11990b60f0d3e74a81d48038a2a1455d165c879d2.exe.exe windows:4 windows x86 arch:x86
e5ac0f9205c73a7dd3d8c67873453d3c
Headers
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
Imports
kernel32
RtlMoveMemory
GetComputerNameA
GetModuleHandleA
GetProcAddress
GetCurrentProcess
GetCurrentProcessId
MultiByteToWideChar
WideCharToMultiByte
CreateThread
GetProcessHeap
HeapAlloc
HeapFree
HeapReAlloc
IsBadReadPtr
CloseHandle
ReadFile
GetFileSize
CreateFileA
WriteFile
lstrcpynA
CreateProcessA
GetStartupInfoA
DeleteFileA
GetTickCount
Sleep
FindClose
FindNextFileA
RemoveDirectoryA
FindFirstFileA
SetFileAttributesA
GetUserDefaultLCID
FreeLibrary
LoadLibraryA
LCMapStringA
CreateEventA
OpenEventA
MoveFileA
CreateDirectoryA
GetTempPathA
GetCommandLineA
GetModuleFileNameA
WaitForSingleObject
ExitProcess
user32
wsprintfA
TranslateMessage
GetMessageA
PeekMessageA
GetDC
DispatchMessageA
MessageBoxA
GetDesktopWindow
ReleaseDC
advapi32
RegCloseKey
RegQueryValueExA
RegOpenKeyA
CreateProcessAsUserA
wininet
InternetGetConnectedState
iphlpapi
GetAdaptersInfo
ws2_32
ntohs
inet_addr
bind
listen
WSACleanup
socket
htons
accept
recv
send
WSASocketA
WSAStartup
closesocket
gdi32
GetDeviceCaps
ole32
CoInitialize
CoUninitialize
OleRun
CoCreateInstance
CLSIDFromString
CLSIDFromProgID
shell32
SHGetPathFromIDListA
SHGetSpecialFolderLocation
msvcrt
malloc
free
modf
memmove
_ftol
atoi
strchr
strncpy
_CIfmod
floor
strrchr
__CxxFrameHandler
_strnicmp
rand
srand
tolower
??2@YAPAXI@Z
sprintf
??3@YAXPAX@Z
strncmp
shlwapi
PathFileExistsA
oleaut32
VariantClear
SysAllocString
SafeArrayCreate
SafeArrayGetDim
SafeArrayGetLBound
VariantChangeType
SafeArrayGetUBound
SafeArrayAccessData
SafeArrayUnaccessData
SafeArrayGetElemsize
LoadTypeLi
LHashValOfNameSys
RegisterTypeLi
VariantInit
SafeArrayDestroy
Sections
.text Size: 94KB - Virtual size: 93KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 6KB - Virtual size: 6KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 12KB - Virtual size: 73KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE