blackmoon | c63bbc3967d4b8c548918a4216d97b7b15e339537a8a74bc180aefb93626d61f

Sharing

Copy URL Twitter E-mail

General

Target

c63bbc3967d4b8c548918a4216d97b7b15e339537a8a74bc180aefb93626d61f
Size

45KB
MD5

2667c0734011d8419b10b5e7f2cf752f
SHA1

14a075d401c924b53e70a5eac714b850e92503c2
SHA256

c63bbc3967d4b8c548918a4216d97b7b15e339537a8a74bc180aefb93626d61f
SHA512

95f635b9f7b6bedc594391975a4c171e5bcdab4b95e06c77148644a2cb5dc2de705dc199aa8d30aaf33d9483570c4b7fa498ed6779985baf1a2aac65ec0c6da9
SSDEEP

768:UoPOvZgoi30fITvFxuL1tligHb8vy9Otuj3KV4Im5QUO40mi0dhXCE9m0BlCPAiw:UoPOWv3pDHAXliF7uTKmmLsVJCAmiyAH

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
static1/unpack001/fac7f29114c71bdab56edcfecc1bdb36c65974c4e6596309695ec6c1cf3e02f5.exe	family_blackmoon

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/fac7f29114c71bdab56edcfecc1bdb36c65974c4e6596309695ec6c1cf3e02f5.exe

Files

c63bbc3967d4b8c548918a4216d97b7b15e339537a8a74bc180aefb93626d61f
.zip

Password: infected
fac7f29114c71bdab56edcfecc1bdb36c65974c4e6596309695ec6c1cf3e02f5.exe
.exe windows:4 windows x86 arch:x86

e5ac0f9205c73a7dd3d8c67873453d3c

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

RtlMoveMemory
GetComputerNameA
GetModuleHandleA
GetProcAddress
GetCurrentProcess
GetCurrentProcessId
MultiByteToWideChar
WideCharToMultiByte
CreateThread
GetProcessHeap
HeapAlloc
HeapFree
HeapReAlloc
IsBadReadPtr
CloseHandle
ReadFile
GetFileSize
CreateFileA
WriteFile
lstrcpynA
CreateProcessA
GetStartupInfoA
DeleteFileA
GetTickCount
Sleep
FindClose
FindNextFileA
RemoveDirectoryA
FindFirstFileA
SetFileAttributesA
GetUserDefaultLCID
FreeLibrary
LoadLibraryA
LCMapStringA
CreateEventA
OpenEventA
MoveFileA
CreateDirectoryA
GetTempPathA
GetCommandLineA
GetModuleFileNameA
WaitForSingleObject
ExitProcess

user32

wsprintfA
TranslateMessage
GetMessageA
PeekMessageA
GetDC
DispatchMessageA
MessageBoxA
GetDesktopWindow
ReleaseDC

advapi32

RegCloseKey
RegQueryValueExA
RegOpenKeyA
CreateProcessAsUserA

wininet

InternetGetConnectedState

iphlpapi

GetAdaptersInfo

ws2_32

ntohs
inet_addr
bind
listen
WSACleanup
socket
htons
accept
recv
send
WSASocketA
WSAStartup
closesocket

gdi32

GetDeviceCaps

ole32

CoInitialize
CoUninitialize
OleRun
CoCreateInstance
CLSIDFromString
CLSIDFromProgID

shell32

SHGetPathFromIDListA
SHGetSpecialFolderLocation

msvcrt

malloc
free
modf
memmove
_ftol
atoi
strchr
strncpy
_CIfmod
floor
strrchr
__CxxFrameHandler
_strnicmp
rand
srand
tolower
??2@YAPAXI@Z
sprintf
??3@YAXPAX@Z
strncmp

shlwapi

PathFileExistsA

oleaut32

VariantClear
SysAllocString
SafeArrayCreate
SafeArrayGetDim
SafeArrayGetLBound
VariantChangeType
SafeArrayGetUBound
SafeArrayAccessData
SafeArrayUnaccessData
SafeArrayGetElemsize
LoadTypeLi
LHashValOfNameSys
RegisterTypeLi
VariantInit
SafeArrayDestroy

Sections

.text
Size: 94KB - Virtual size: 93KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 73KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

Password: infected

e5ac0f9205c73a7dd3d8c67873453d3c

Headers

File Characteristics

Imports

kernel32

user32

advapi32

wininet

iphlpapi

ws2_32

gdi32

ole32

shell32

msvcrt

shlwapi

oleaut32

Sections

.text Size: 94KB - Virtual size: 93KB

.rdata Size: 6KB - Virtual size: 6KB

.data Size: 12KB - Virtual size: 73KB

.text
Size: 94KB - Virtual size: 93KB

.rdata
Size: 6KB - Virtual size: 6KB

.data
Size: 12KB - Virtual size: 73KB