blackmoon | da087c183c2fa25119bb1addd8ede2d2934b4a2aa543730b2eb3a6fb5c122c52

Sharing

Copy URL Twitter E-mail

General

Target

da087c183c2fa25119bb1addd8ede2d2934b4a2aa543730b2eb3a6fb5c122c52
Size

1.6MB
MD5

6d0412886a2b9e34b205e8a9e239a665
SHA1

293faed7172d58434a018e8dca57e7001c16a7db
SHA256

da087c183c2fa25119bb1addd8ede2d2934b4a2aa543730b2eb3a6fb5c122c52
SHA512

d6fe7a58132a1127e1d20ec7971361621e99bc48dd931857e7edef8b0997feb661ce05e881b64b66b66b9aa38c720cc9606199ce0008ba82d9d884fea7dadc3a
SSDEEP

24576:74X6J3Xoi0d70yg/dpuyuRcApNGHvzoonsh9KzWzRono8J8CLc4Y5LBBf2B7kBEm:74X6z0xHFKF3wG5CpYM39+z3a

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
da087c183c2fa25119bb1addd8ede2d2934b4a2aa543730b2eb3a6fb5c122c52

Files

da087c183c2fa25119bb1addd8ede2d2934b4a2aa543730b2eb3a6fb5c122c52
.dll windows:4 windows x86 arch:x86

f5a98d08dccd10422e1b188ebc8f6683

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

IsBadReadPtr
IsBadCodePtr
DebugActiveProcess
WaitForDebugEvent
ContinueDebugEvent
DebugActiveProcessStop
CopyFileA
VirtualAllocEx
WideCharToMultiByte
GetTempFileNameA
GetSystemDirectoryA
VirtualAlloc
VirtualFree
CreateThread
Sleep
SetFilePointer
ReadFile
WriteFile
TerminateThread
ReadProcessMemory
GetLogicalDriveStringsA
QueryDosDeviceA
CreateDirectoryA
MoveFileA
MoveFileExA
CreateWaitableTimerA
SetWaitableTimer
lstrlenW
SystemTimeToFileTime
lstrcatA
FileTimeToLocalFileTime
FileTimeToSystemTime
lstrlenA
lstrcmpiA
GetProcessTimes
Module32Next
GetCurrentThreadId
GetThreadContext
VirtualProtect
WriteProcessMemory
CreateRemoteThread
MultiByteToWideChar
LocalSize
GetFileAttributesA
OpenProcess
GetVersionExA
GetWindowsDirectoryA
GetCurrentProcessId
GetLastError
ExitProcess
HeapReAlloc
HeapFree
GetModuleFileNameA
FindClose
FindNextFileA
DeleteFileA
RemoveDirectoryA
FindFirstFileA
GetLocalTime
GetFileSize
MulDiv
GetDiskFreeSpaceA
GetCurrentDirectoryA
GetTickCount
CreateProcessA
GetStartupInfoA
SetLocalTime
GetEnvironmentVariableA
SetFileAttributesA
LCMapStringA
SetEndOfFile
GetCommandLineA
FreeLibrary
EnterCriticalSection
InitializeCriticalSection
LeaveCriticalSection
DeleteCriticalSection
GlobalFree
GlobalSize
lstrcpyn
RtlMoveMemory
VirtualQueryEx
lstrcpynA
Module32First
Process32Next
Process32First
CreateToolhelp32Snapshot
GetSystemInfo
CloseHandle
DeviceIoControl
WTSGetActiveConsoleSessionId
CreateFileA
GetDiskFreeSpaceExA
GetModuleHandleA
GetTempPathA
LocalFree
LocalAlloc
CreateFileMappingA
ReleaseMutex
WaitForSingleObject
CreateMutexA
OpenMutexA
OpenFileMappingA
UnmapViewOfFile
MapViewOfFile
GetVersion
GlobalMemoryStatusEx
RtlFillMemory
GetComputerNameA
GetUserDefaultLCID
CheckRemoteDebuggerPresent
IsDebuggerPresent
IsWow64Process
GetCurrentProcess
GetProcAddress
HeapAlloc
GetProcessHeap
LoadLibraryA
QueueUserAPC

user32

MoveWindow
UpdateLayeredWindow
GetWindowRect
UpdateWindow
ShowWindow
GetParent
SetWindowPos
SetWindowLongA
PostMessageA
CallWindowProcA
FindWindowA
GetMessageW
DispatchMessageW
wvsprintfA
RegisterWindowMessageA
MessageBoxA
wsprintfA
GetMessageA
PeekMessageA
CreateDialogIndirectParamA
SendMessageA
DestroyWindow
PostQuitMessage
SetWindowTextA
GetDlgItem
MsgWaitForMultipleObjects
GetWindow
ScreenToClient
EnumWindows
GetDesktopWindow
GetClientRect
GetForegroundWindow
GetWindowThreadProcessId
SendMessageTimeoutA
GetWindowTextLengthA
GetSubMenu
GetMenuStringA
GetMenuItemCount
MessageBoxTimeoutA
CreateWindowStationA
GetSystemMetrics
IsWindowVisible
GetWindowTextA
GetClassNameA
EnumDisplaySettingsA
GetDC
ReleaseDC
TranslateMessage
DispatchMessageA
GetWindowLongA
GetMenu

gdi32

DeleteDC
DeleteObject
StretchBlt
SelectObject
CreateCompatibleDC

advapi32

QueryServiceStatus
RegOpenKeyExA
RegDeleteValueA
RegDeleteKeyA
RegCreateKeyExA
RegSetValueExA
RegOpenKeyA
RegQueryValueExA
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
LookupAccountSidA
AllocateAndInitializeSid
GetTokenInformation
InitializeAcl
AddAccessDeniedAce
AddAccessAllowedAce
SetSecurityInfo
FreeSid
GetNamedSecurityInfoA
SetNamedSecurityInfoA
BuildExplicitAccessWithNameA
SetEntriesInAclA
OpenSCManagerA
OpenServiceA
CloseServiceHandle
ChangeServiceConfigA
StartServiceA
EnumServicesStatusA
EnumServicesStatusExA
ControlService
DeleteService
RegCloseKey

shell32

SHEmptyRecycleBinA
SHGetFolderLocation
ShellExecuteA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHGetFileInfoA

ole32

CoTaskMemFree
CoCreateInstance
OleRun
CLSIDFromProgID
CLSIDFromString
GetHGlobalFromStream
CreateStreamOnHGlobal
CoUninitialize
CoInitialize

ws2_32

inet_addr
gethostbyname
WSACleanup
inet_ntoa
socket
closesocket
shutdown
htons
bind
listen
recv
accept
connect
WSAStartup
send
recvfrom
ntohs
sendto
setsockopt
getsockopt
ioctlsocket
getpeername
select

shlwapi

PathFileExistsA
PathFindFileNameA
PathFindExtensionA
PathIsDirectoryA

sensapi

IsNetworkAlive

gdiplus

GdipCreateBitmapFromHBITMAP
GdipSaveImageToStream
GdipDisposeImage
GdiplusShutdown
GdipLoadImageFromStream
GdipGetImageWidth
GdipCreateHBITMAPFromBitmap
GdipGetImageDimension
GdipDrawImageRect
GdipDeleteGraphics
GdipLoadImageFromFile
GdipSaveImageToFile
GdipCreateBitmapFromScan0
GdipGetImageGraphicsContext
GdipCreateBitmapFromStream
GdipGetImageHeight
GdiplusStartup
GdipFillRectangle
GdipDrawImageRectRect
GdipCreateSolidFill
GdipCreateFromHDC
GdipDeleteBrush

psapi

EnumProcesses
GetProcessMemoryInfo
GetProcessImageFileNameA

iphlpapi

GetTcpTable
IcmpCreateFile

wininet

InternetOpenUrlA
InternetGetConnectedState
DeleteUrlCacheEntryA
InternetSetCookieA
HttpQueryInfoA
InternetReadFile
HttpSendRequestA
HttpAddRequestHeadersA
HttpOpenRequestA
InternetCloseHandle
InternetConnectA
InternetOpenA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA

version

VerQueryValueA
GetFileVersionInfoA
GetFileVersionInfoSizeA

oleaut32

VariantTimeToSystemTime
SystemTimeToVariantTime
SafeArrayDestroy
VariantClear
SysAllocString
SafeArrayCreate
VariantCopy
RegisterTypeLi
LHashValOfNameSys
LoadTypeLi
VariantInit
SafeArrayAllocDescriptor
SafeArrayAllocData
SafeArrayGetDim
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayAccessData
SafeArrayUnaccessData
SafeArrayGetElemsize
VariantChangeType
VarR8FromBool
VarR8FromCy
SysFreeString

wtsapi32

WTSQuerySessionInformationA
WTSFreeMemory

msvcrt

_stricmp
sprintf
free
malloc
floor
_CIfmod
??2@YAPAXI@Z
??3@YAXPAX@Z
strchr
_atoi64
_ftol
modf
strncpy
atoi
strncmp
_CIpow
strrchr
__CxxFrameHandler
srand
rand
strtod
atof
realloc
memmove
calloc

Sections

.text
Size: 1.0MB - Virtual size: 1.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 320KB - Virtual size: 402KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: 232KB - Virtual size: 231KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 40KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 455B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

f5a98d08dccd10422e1b188ebc8f6683

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

ole32

ws2_32

shlwapi

sensapi

gdiplus

psapi

iphlpapi

wininet

version

oleaut32

wtsapi32

msvcrt

Sections

.text Size: 1.0MB - Virtual size: 1.0MB

.rdata Size: 16KB - Virtual size: 12KB

.data Size: 320KB - Virtual size: 402KB

.vmp0 Size: 232KB - Virtual size: 231KB

.reloc Size: 40KB - Virtual size: 38KB

.rsrc Size: 4KB - Virtual size: 455B

.text
Size: 1.0MB - Virtual size: 1.0MB

.rdata
Size: 16KB - Virtual size: 12KB

.data
Size: 320KB - Virtual size: 402KB

.vmp0
Size: 232KB - Virtual size: 231KB

.reloc
Size: 40KB - Virtual size: 38KB

.rsrc
Size: 4KB - Virtual size: 455B