blackmoon | 40beffb033612a2b18f7303dc8f72cd380e03c6dd40adce9f1f1709d43755db3

Sharing

Copy URL Twitter E-mail

General

Target

40beffb033612a2b18f7303dc8f72cd380e03c6dd40adce9f1f1709d43755db3
Size

202KB
MD5

4ea712115c367cd9e7023d00fa8943ee
SHA1

838a6cd9a58f1577da4c2d20727a0f6439a6583b
SHA256

40beffb033612a2b18f7303dc8f72cd380e03c6dd40adce9f1f1709d43755db3
SHA512

c1cf1f69e0595d240a04bd12e85542cb6e4bfe9e9dc7f83fe9409c3e7622fc6f436a192f116548a7fbeffa1bea7ee9c889f977c9ac2aa14eead480265d8129be
SSDEEP

6144:Y9exgHUj3xw23jtMeX4vdBuF0dGCWZVonC:YAxgHUj3xwmjtMeX4VBuF0dG5N

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
40beffb033612a2b18f7303dc8f72cd380e03c6dd40adce9f1f1709d43755db3

Files

40beffb033612a2b18f7303dc8f72cd380e03c6dd40adce9f1f1709d43755db3
.exe windows:4 windows x86 arch:x86

a3765c7103a80e09d71b4e2614a79ed1

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

LocalAlloc
LocalFree
GetProcessHeap
ExitProcess
HeapAlloc
HeapReAlloc
HeapFree
IsBadReadPtr
GetTickCount
CreateDirectoryA
GetPrivateProfileStringA
GetModuleFileNameA
WriteFile
CreateFileA
GetLocalTime
WritePrivateProfileStringA
ReadFile
GetFileSize
MoveFileA
GetTempPathA
WaitForSingleObject
CreateProcessA
GetProcessTimes
DeleteFileA
FindNextFileA
FindFirstFileA
FindClose
MultiByteToWideChar
GetUserDefaultLCID
GetCommandLineA
FreeLibrary
LoadLibraryA
LCMapStringA
TerminateThread
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSection
CreateThread
GetSystemInfo
TerminateProcess
GetDiskFreeSpaceExA
Sleep
QueryDosDeviceA
GetLogicalDriveStringsA
Module32First
VirtualQueryEx
lstrcpyn
WideCharToMultiByte
OpenProcess
IsWow64Process
GetProcAddress
GetModuleHandleA
Process32Next
Process32First
CreateToolhelp32Snapshot
GetCurrentProcessId
CreateEventA
OpenEventA
CloseHandle
GetStartupInfoA

ws2_32

setsockopt
gethostbyname
htonl
connect
ntohs
getpeername
send
recv
gethostname
sendto
htons
inet_ntoa
recvfrom
WSAEnumNetworkEvents
WSAWaitForMultipleEvents
bind
inet_addr
closesocket
getsockname
WSAEventSelect
WSACloseEvent
socket
WSACleanup
WSACreateEvent
WSAStartup
listen
accept
__WSAFDIsSet
select

psapi

GetProcessImageFileNameA
GetModuleFileNameExA

shell32

SHGetSpecialFolderPathA
ExtractIconA
ShellExecuteA

advapi32

CryptAcquireContextA
CryptCreateHash
CryptHashData
CryptGetHashParam
CryptDestroyHash
RegCloseKey
RegSetValueExA
RegCreateKeyExA
RegQueryValueExA
RegOpenKeyA
CryptReleaseContext

wininet

InternetCloseHandle
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
InternetOpenA
InternetReadFile

shlwapi

PathIsDirectoryA
PathFileExistsA

user32

ShowWindow
wsprintfA
GetSystemMetrics
DispatchMessageA
TranslateMessage
GetMessageA
GetParent
SetWindowPos
IsWindowVisible
FindWindowExA
DestroyIcon
ReleaseDC
DrawIconEx
GetDC
GetIconInfo
IsWindow
GetWindowThreadProcessId
MessageBoxA
PeekMessageA
GetClassNameA

gdi32

CreateCompatibleDC
SelectObject
CreateDIBSection
BitBlt
DeleteObject
DeleteDC
CreateCompatibleBitmap

version

GetFileVersionInfoA
VerQueryValueA
GetFileVersionInfoSizeA

ole32

CoUninitialize
OleRun
CoCreateInstance
CLSIDFromString
CLSIDFromProgID
CoInitialize

msvcrt

__CxxFrameHandler
realloc
memmove
strchr
strtod
srand
modf
_onexit
__dllonexit
strncmp
strncpy
floor
sprintf
_CIfmod
rand
??2@YAPAXI@Z
strrchr
??3@YAXPAX@Z
_ftol
atoi
malloc
free

oleaut32

VariantCopy
RegisterTypeLi
SafeArrayDestroy
VariantClear
SysAllocString
SafeArrayCreate
VarR8FromCy
VarR8FromBool
LoadTypeLi
LHashValOfNameSys

Sections

.text
Size: 187KB - Virtual size: 187KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 57KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

a3765c7103a80e09d71b4e2614a79ed1

Headers

File Characteristics

Imports

kernel32

ws2_32

psapi

shell32

advapi32

wininet

shlwapi

user32

gdi32

version

ole32

msvcrt

oleaut32

Sections

.text Size: 187KB - Virtual size: 187KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 8KB - Virtual size: 57KB

.CRT Size: 512B - Virtual size: 4B

.text
Size: 187KB - Virtual size: 187KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 8KB - Virtual size: 57KB

.CRT
Size: 512B - Virtual size: 4B