blackmoon | 952fbbcb67bc15c48c0f6b1510f1609c20ca5600ba7afbdde59547e0edc3cd83

Sharing

Copy URL Twitter E-mail

General

Target

952fbbcb67bc15c48c0f6b1510f1609c20ca5600ba7afbdde59547e0edc3cd83
Size

202KB
MD5

5358ed7cdcc6248d6308b625caa01899
SHA1

c86cbe1fa12aea6fec0d9a4b066ed50686d49df6
SHA256

952fbbcb67bc15c48c0f6b1510f1609c20ca5600ba7afbdde59547e0edc3cd83
SHA512

de74c8467ae3acca8b32b6d368ae80aeaabc8a0090e1ece07f2de030330201df885b2ad2fb4d0339985890d85d5f29a481493c81b1f3a585d7b5a0e217e17903
SSDEEP

6144:Y9exgHUj3xw23jtMeX4vdBuF0dGCWZVonj:YAxgHUj3xwmjtMeX4VBuF0dG5M

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
952fbbcb67bc15c48c0f6b1510f1609c20ca5600ba7afbdde59547e0edc3cd83

Files

952fbbcb67bc15c48c0f6b1510f1609c20ca5600ba7afbdde59547e0edc3cd83
.exe windows:4 windows x86 arch:x86

a3765c7103a80e09d71b4e2614a79ed1

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

LocalAlloc
LocalFree
GetProcessHeap
ExitProcess
HeapAlloc
HeapReAlloc
HeapFree
IsBadReadPtr
GetTickCount
CreateDirectoryA
GetPrivateProfileStringA
GetModuleFileNameA
WriteFile
CreateFileA
GetLocalTime
WritePrivateProfileStringA
ReadFile
GetFileSize
MoveFileA
GetTempPathA
WaitForSingleObject
CreateProcessA
GetProcessTimes
DeleteFileA
FindNextFileA
FindFirstFileA
FindClose
MultiByteToWideChar
GetUserDefaultLCID
GetCommandLineA
FreeLibrary
LoadLibraryA
LCMapStringA
TerminateThread
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSection
CreateThread
GetSystemInfo
TerminateProcess
GetDiskFreeSpaceExA
Sleep
QueryDosDeviceA
GetLogicalDriveStringsA
Module32First
VirtualQueryEx
lstrcpyn
WideCharToMultiByte
OpenProcess
IsWow64Process
GetProcAddress
GetModuleHandleA
Process32Next
Process32First
CreateToolhelp32Snapshot
GetCurrentProcessId
CreateEventA
OpenEventA
CloseHandle
GetStartupInfoA

ws2_32

setsockopt
gethostbyname
htonl
connect
ntohs
getpeername
send
recv
gethostname
sendto
htons
inet_ntoa
recvfrom
WSAEnumNetworkEvents
WSAWaitForMultipleEvents
bind
inet_addr
closesocket
getsockname
WSAEventSelect
WSACloseEvent
socket
WSACleanup
WSACreateEvent
WSAStartup
listen
accept
__WSAFDIsSet
select

psapi

GetProcessImageFileNameA
GetModuleFileNameExA

shell32

SHGetSpecialFolderPathA
ExtractIconA
ShellExecuteA

advapi32

CryptAcquireContextA
CryptCreateHash
CryptHashData
CryptGetHashParam
CryptDestroyHash
RegCloseKey
RegSetValueExA
RegCreateKeyExA
RegQueryValueExA
RegOpenKeyA
CryptReleaseContext

wininet

InternetCloseHandle
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
InternetOpenA
InternetReadFile

shlwapi

PathIsDirectoryA
PathFileExistsA

user32

ShowWindow
wsprintfA
GetSystemMetrics
DispatchMessageA
TranslateMessage
GetMessageA
GetParent
SetWindowPos
IsWindowVisible
FindWindowExA
DestroyIcon
ReleaseDC
DrawIconEx
GetDC
GetIconInfo
IsWindow
GetWindowThreadProcessId
MessageBoxA
PeekMessageA
GetClassNameA

gdi32

CreateCompatibleDC
SelectObject
CreateDIBSection
BitBlt
DeleteObject
DeleteDC
CreateCompatibleBitmap

version

GetFileVersionInfoA
VerQueryValueA
GetFileVersionInfoSizeA

ole32

CoUninitialize
OleRun
CoCreateInstance
CLSIDFromString
CLSIDFromProgID
CoInitialize

msvcrt

__CxxFrameHandler
realloc
memmove
strchr
strtod
srand
modf
_onexit
__dllonexit
strncmp
strncpy
floor
sprintf
_CIfmod
rand
??2@YAPAXI@Z
strrchr
??3@YAXPAX@Z
_ftol
atoi
malloc
free

oleaut32

VariantCopy
RegisterTypeLi
SafeArrayDestroy
VariantClear
SysAllocString
SafeArrayCreate
VarR8FromCy
VarR8FromBool
LoadTypeLi
LHashValOfNameSys

Sections

.text
Size: 187KB - Virtual size: 187KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 57KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

a3765c7103a80e09d71b4e2614a79ed1

Headers

File Characteristics

Imports

kernel32

ws2_32

psapi

shell32

advapi32

wininet

shlwapi

user32

gdi32

version

ole32

msvcrt

oleaut32

Sections

.text Size: 187KB - Virtual size: 187KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 8KB - Virtual size: 57KB

.CRT Size: 512B - Virtual size: 4B

.text
Size: 187KB - Virtual size: 187KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 8KB - Virtual size: 57KB

.CRT
Size: 512B - Virtual size: 4B