blackmoon | 7b2a2ca15aeb3c2645f67609fae68955bb1fe9491b5ce00421c89a458eb66ff9

Sharing

Copy URL

Twitter E-mail

General

Target

7b2a2ca15aeb3c2645f67609fae68955bb1fe9491b5ce00421c89a458eb66ff9
Size

165KB
MD5

8f281fbf6318e63a85d4d899889d2258
SHA1

7da2ae93b7a1efede0a8ef7f0f7000ab43390645
SHA256

7b2a2ca15aeb3c2645f67609fae68955bb1fe9491b5ce00421c89a458eb66ff9
SHA512

0084083e3844c37d08ee0f5449119785d58d3a99f85a88a52026c3cc5a636034ec0b58658de5978859b9406d29e1463be121621a771da79a3e6fec96ba4a3237
SSDEEP

3072:QG5F/vIb0ekzuNShJCtytiz/Unl1HTA6oO11g3UhA:QWF/v8ShJCtytiz/YzT5ng

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
7b2a2ca15aeb3c2645f67609fae68955bb1fe9491b5ce00421c89a458eb66ff9

Files

7b2a2ca15aeb3c2645f67609fae68955bb1fe9491b5ce00421c89a458eb66ff9
.dll windows:4 windows x86 arch:x86

df269011848cef7e651587d3478e9d92

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

HeapAlloc
HeapReAlloc
HeapFree
IsBadReadPtr
WriteFile
GetPrivateProfileStringA
WritePrivateProfileStringA
DeleteFileA
WideCharToMultiByte
GetUserDefaultLCID
GetCurrentDirectoryA
SetCurrentDirectoryA
Sleep
ExitProcess
SetThreadContext
GetTickCount
SetFilePointer
MoveFileA
SetEndOfFile
GetLocalTime
GetCommandLineA
FreeLibrary
GetProcAddress
LoadLibraryA
LCMapStringA
GetModuleHandleA
GetProcessHeap
VirtualAlloc
MultiByteToWideChar
RtlMoveMemory
GetCurrentProcessId
GetEnvironmentVariableA
GetCurrentProcess
VirtualFree
GlobalMemoryStatusEx
GetComputerNameA
Process32Next
Process32First
CreateToolhelp32Snapshot
SetWaitableTimer
lstrcpyA
lstrcatA
MulDiv
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
CreateWaitableTimerA
ReadFile
ResumeThread
InitializeCriticalSection
CreateThread
WriteProcessMemory
VirtualAllocEx
TerminateProcess
GetThreadContext
CloseHandle
WTSGetActiveConsoleSessionId
CreateProcessA
ExpandEnvironmentStringsA
GetModuleFileNameA
FindClose
FindFirstFileA
CreateFileA
WaitForSingleObject
GetFileSize
GetStartupInfoA

user32

GetClassNameA
GetLastInputInfo
ExitWindowsEx
GetForegroundWindow
CallNextHookEx
GetKeyState
GetWindowTextLengthA
MessageBoxA
wsprintfA
DispatchMessageA
GetWindowTextA
FindWindowA
MsgWaitForMultipleObjects
UnregisterHotKey
SetWindowLongA
SetCapture
SendMessageA
ScreenToClient
ReleaseCapture
RegisterHotKey
PeekMessageA
SetWindowsHookExA
GetWindow
LoadBitmapA
GetMessageA
TranslateMessage
CallWindowProcA
CreateWindowExA
GetCursorPos
GetDC
GetSysColor

shell32

DragQueryFileA
DragFinish
DragAcceptFiles
SHCreateDirectoryExA
SHGetSpecialFolderPathA

gdi32

CreateFontA
DeleteObject
GetDeviceCaps
TranslateCharsetInfo

ws2_32

setsockopt
WSAIoctl
select
getsockname
recv
send
inet_ntoa
WSACleanup
ntohs
connect
getpeername
htonl
recvfrom
sendto
gethostname
__WSAFDIsSet
WSAStartup
gethostbyname
inet_addr
listen
closesocket
bind
htons
socket
accept

advapi32

CreateProcessAsUserA
SetTokenInformation
DuplicateTokenEx
OpenProcessToken
AdjustTokenPrivileges
OpenSCManagerA
CreateServiceA
CloseServiceHandle
OpenServiceA
DeleteService
RegCloseKey
RegQueryValueExA
RegOpenKeyA
LookupPrivilegeValueA

ole32

CoUninitialize
OleRun
CoCreateInstance
CLSIDFromString
CLSIDFromProgID
CoInitialize

oleaut32

SafeArrayCreate
VariantCopy
RegisterTypeLi
LHashValOfNameSys
LoadTypeLi
SafeArrayDestroy
VariantClear
SysAllocString
VarR8FromCy
VarR8FromBool
VariantChangeType

shlwapi

PathFileExistsA
PathIsDirectoryA

wtsapi32

WTSQueryUserToken

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock

msvcrt

vsprintf
_except_handler3
calloc
__dllonexit
_onexit
toupper
tolower
_stricmp
strncmp
memmove
realloc
_CIfmod
rand
srand
__CxxFrameHandler
strncpy
strrchr
malloc
free
atoi
sprintf
strchr
??2@YAPAXI@Z
??3@YAXPAX@Z
_ftol
floor
modf

comctl32

ImageList_DragEnter
ord17
ImageList_Add
ImageList_BeginDrag
ImageList_Create
ImageList_Destroy
ImageList_DragLeave
ImageList_DragMove
ImageList_DragShowNolock
ImageList_EndDrag

Exports

Exports

Fuck

Sections

.text
Size: 136KB - Virtual size: 140KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 9KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 14KB - Virtual size: 80KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

df269011848cef7e651587d3478e9d92

Headers

File Characteristics

Imports

kernel32

user32

shell32

gdi32

ws2_32

advapi32

ole32

oleaut32

shlwapi

wtsapi32

userenv

msvcrt

comctl32

Exports

Exports

Sections

.text Size: 136KB - Virtual size: 140KB

.rdata Size: 9KB - Virtual size: 12KB

.data Size: 14KB - Virtual size: 80KB

.CRT Size: 512B - Virtual size: 4KB

.reloc Size: 4KB - Virtual size: 8KB

.text
Size: 136KB - Virtual size: 140KB

.rdata
Size: 9KB - Virtual size: 12KB

.data
Size: 14KB - Virtual size: 80KB

.CRT
Size: 512B - Virtual size: 4KB

.reloc
Size: 4KB - Virtual size: 8KB