blackmoon | 73b164e375d63fcd63502b668ac6bc10_NeikiAnalytics[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

73b164e375d63fcd63502b668ac6bc10_NeikiAnalytics.exe
Size

113KB
MD5

73b164e375d63fcd63502b668ac6bc10
SHA1

299631fb338bce0e9c9d783dd7b8cd4ebf960e08
SHA256

a5f6b788149b4d18fd23abc42f3177b8f0e985243c13f5e586f526e64059fc74
SHA512

df09a7e9fe7a1a854f53bcfe2350f946d3a91be83d5e7bfb6f76db695051ad824a70f38ad81b856120c43d4f2a65e38e621bd2b2cf958495ba48ff6a399e7701
SSDEEP

1536:bViMsvI+AQX1OdBaKpVllHG/fdt+fV3JbB5OPnDE5+QDJ4rh27qbr:bav9OdPx8wJ4rY7q

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
73b164e375d63fcd63502b668ac6bc10_NeikiAnalytics.exe

Files

73b164e375d63fcd63502b668ac6bc10_NeikiAnalytics.exe
.exe windows:4 windows x86 arch:x86

e5ac0f9205c73a7dd3d8c67873453d3c

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

RtlMoveMemory
GetComputerNameA
GetModuleHandleA
GetProcAddress
GetCurrentProcess
GetCurrentProcessId
MultiByteToWideChar
WideCharToMultiByte
CreateThread
GetProcessHeap
HeapAlloc
HeapFree
HeapReAlloc
IsBadReadPtr
CloseHandle
ReadFile
GetFileSize
CreateFileA
WriteFile
lstrcpynA
CreateProcessA
GetStartupInfoA
DeleteFileA
GetTickCount
Sleep
FindClose
FindNextFileA
RemoveDirectoryA
FindFirstFileA
SetFileAttributesA
GetUserDefaultLCID
FreeLibrary
LoadLibraryA
LCMapStringA
CreateEventA
OpenEventA
MoveFileA
CreateDirectoryA
GetTempPathA
GetCommandLineA
GetModuleFileNameA
WaitForSingleObject
ExitProcess

user32

wsprintfA
TranslateMessage
GetMessageA
PeekMessageA
GetDC
DispatchMessageA
MessageBoxA
GetDesktopWindow
ReleaseDC

advapi32

RegCloseKey
RegQueryValueExA
RegOpenKeyA
CreateProcessAsUserA

wininet

InternetGetConnectedState

iphlpapi

GetAdaptersInfo

ws2_32

ntohs
inet_addr
bind
listen
WSACleanup
socket
htons
accept
recv
send
WSASocketA
WSAStartup
closesocket

gdi32

GetDeviceCaps

ole32

CoInitialize
CoUninitialize
OleRun
CoCreateInstance
CLSIDFromString
CLSIDFromProgID

shell32

SHGetPathFromIDListA
SHGetSpecialFolderLocation

msvcrt

malloc
free
modf
memmove
_ftol
atoi
strchr
strncpy
_CIfmod
floor
strrchr
__CxxFrameHandler
_strnicmp
rand
srand
tolower
??2@YAPAXI@Z
sprintf
??3@YAXPAX@Z
strncmp

shlwapi

PathFileExistsA

oleaut32

VariantClear
SysAllocString
SafeArrayCreate
SafeArrayGetDim
SafeArrayGetLBound
VariantChangeType
SafeArrayGetUBound
SafeArrayAccessData
SafeArrayUnaccessData
SafeArrayGetElemsize
LoadTypeLi
LHashValOfNameSys
RegisterTypeLi
VariantInit
SafeArrayDestroy

Sections

.text
Size: 94KB - Virtual size: 93KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 73KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

e5ac0f9205c73a7dd3d8c67873453d3c

Headers

File Characteristics

Imports

kernel32

user32

advapi32

wininet

iphlpapi

ws2_32

gdi32

ole32

shell32

msvcrt

shlwapi

oleaut32

Sections

.text Size: 94KB - Virtual size: 93KB

.rdata Size: 6KB - Virtual size: 6KB

.data Size: 12KB - Virtual size: 73KB

.text
Size: 94KB - Virtual size: 93KB

.rdata
Size: 6KB - Virtual size: 6KB

.data
Size: 12KB - Virtual size: 73KB