blackmoon | 9a7521c2601d0b2680e3260201c334e652ac929ccb0d132ea38999c864599f92

Sharing

Copy URL Twitter E-mail

General

Target

9a7521c2601d0b2680e3260201c334e652ac929ccb0d132ea38999c864599f92
Size

905KB
MD5

00acc0321f3a98247cd6c18a131f84a0
SHA1

d0b216023e47c788da7312e9ba8df4c7b19928e8
SHA256

9a7521c2601d0b2680e3260201c334e652ac929ccb0d132ea38999c864599f92
SHA512

169811eaf66d78fdecbc4fea9318e8929fdbda13fa78e557ba43f737bb3116c2bc917e4fecc54a265cb6218d0eaf06194928aa78dde4a965275451e409ad2c81
SSDEEP

24576:0saANzq08+2MrjT43lHucHTI8YBqmFUFuJUvCTbPPzgKktTYOA+KyU7Qvy23yb:0sa+z8+2Mrjs3lHucHTQnsEgU7o34

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
9a7521c2601d0b2680e3260201c334e652ac929ccb0d132ea38999c864599f92

Files

9a7521c2601d0b2680e3260201c334e652ac929ccb0d132ea38999c864599f92
.exe windows:4 windows x86 arch:x86

35b137d333b1d22251989079988712f4

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetTickCount
DeleteFileA
RemoveDirectoryA
GetUserDefaultLCID
WriteFile
SetFileAttributesA
GetLastError
GetCommandLineA
FreeLibrary
LoadLibraryA
LCMapStringA
EnterCriticalSection
InitializeCriticalSection
LeaveCriticalSection
FindClose
FindFirstFileA
FindNextFileA
SetFilePointer
GetFileSize
ReadFile
GetModuleFileNameA
WritePrivateProfileStringA
GetPrivateProfileStringA
IsBadReadPtr
HeapFree
HeapReAlloc
HeapAlloc
ExitProcess
GetModuleHandleA
GetProcessHeap
MultiByteToWideChar
lstrcpyA
lstrcatA
MulDiv
GetWindowsDirectoryA
GetSystemDirectoryA
GetTempPathA
DeleteCriticalSection
CloseHandle
GlobalMemoryStatusEx
VirtualAlloc
VirtualFree
Sleep
GetProcAddress
GetLocalTime
IsDebuggerPresent
CreateFileA
DeviceIoControl
Wow64EnableWow64FsRedirection
WideCharToMultiByte
Thread32Next
Thread32First
CreateToolhelp32Snapshot
WriteProcessMemory
MoveFileA
SetProcessWorkingSetSize
CreateThread
TerminateProcess
GetCurrentProcess
RtlMoveMemory
GetCurrentProcessId
OpenProcess

user32

CreateDialogIndirectParamA
PeekMessageA
ReleaseDC
GetDesktopWindow
GetDC
SetWindowPos
MoveWindow
GetWindowRect
UpdateWindow
GetAsyncKeyState
GetWindowThreadProcessId
FindWindowA
CreateWindowStationA
SetLayeredWindowAttributes
SetWindowLongA
GetClassNameA
GetWindowTextA
IsWindowVisible
GetWindowLongA
MessageBoxTimeoutA
MsgWaitForMultipleObjects
IsWindow
SendMessageA
TranslateMessage
DispatchMessageA
DestroyWindow
PostQuitMessage
SetWindowTextA
GetDlgItem
ShowWindow
ScreenToClient
GetWindowTextLengthA
wsprintfA
MessageBoxA
CallWindowProcA
CreateWindowExA
GetCursorPos
GetSysColor
LoadBitmapA
RegisterHotKey
ReleaseCapture
SetCapture
UnregisterHotKey
GetSystemMetrics
GetMessageA

advapi32

CryptHashData
CryptAcquireContextA
CryptCreateHash
CryptReleaseContext
CryptDestroyHash
CryptGetHashParam
OpenSCManagerA
CreateServiceA
OpenServiceA
QueryServiceStatus
StartServiceA
CloseServiceHandle

ole32

CLSIDFromProgID
CLSIDFromString
CoCreateInstance
OleRun
CoUninitialize
CoInitialize

gdi32

CreateFontA
GetDeviceCaps
TranslateCharsetInfo
DeleteDC
GetDIBits
GetObjectA
StretchBlt
SetStretchBltMode
SelectObject
CreateCompatibleBitmap
CreateCompatibleDC
DeleteObject

wsock32

htons
inet_addr
gethostbyname
WSACleanup
select
WSAAsyncSelect
ntohs
WSAStartup
closesocket
socket
ioctlsocket
getsockname
connect
send
recv

shlwapi

PathFileExistsA

msvcrt

_except_handler3
calloc
strstr
malloc
realloc
free
strrchr
strchr
srand
strtod
_CIfmod
rand
modf
strncmp
strncpy
_CIpow
floor
_ftol
??3@YAXPAX@Z
??2@YAPAXI@Z
sprintf
_atoi64
atof
atoi

oleaut32

SafeArrayUnaccessData
VariantCopy
SystemTimeToVariantTime
VariantTimeToSystemTime
VariantInit
SafeArrayGetDim
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayAccessData
SafeArrayCreate
SafeArrayGetElemsize
SysAllocString
VariantClear
SafeArrayDestroy
RegisterTypeLi
LHashValOfNameSys
LoadTypeLi
VariantChangeType
VarR8FromBool
VarR8FromCy

shell32

SHGetSpecialFolderPathA
DragFinish
DragQueryFileA
DragAcceptFiles

comctl32

ImageList_BeginDrag
ImageList_Create
ImageList_Destroy
ImageList_DragEnter
ImageList_DragMove
ImageList_DragLeave
ImageList_DragShowNolock
ImageList_EndDrag
ord17
ImageList_Add

Sections

.text
Size: 525KB - Virtual size: 524KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 369KB - Virtual size: 459KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 668B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

35b137d333b1d22251989079988712f4

Headers

File Characteristics

Imports

kernel32

user32

advapi32

ole32

gdi32

wsock32

shlwapi

msvcrt

oleaut32

shell32

comctl32

Sections

.text Size: 525KB - Virtual size: 524KB

.rdata Size: 8KB - Virtual size: 8KB

.data Size: 369KB - Virtual size: 459KB

.rsrc Size: 1024B - Virtual size: 668B

.text
Size: 525KB - Virtual size: 524KB

.rdata
Size: 8KB - Virtual size: 8KB

.data
Size: 369KB - Virtual size: 459KB

.rsrc
Size: 1024B - Virtual size: 668B