blackmoon | 6eb48c3210162e7fac45cb9457419a874861bf69537d5a55c3523d33d09c0935

Sharing

Copy URL Twitter E-mail

General

Target

6eb48c3210162e7fac45cb9457419a874861bf69537d5a55c3523d33d09c0935
Size

202KB
MD5

5310f55299e504add93b0d46eab38a6a
SHA1

3ea462532ba5b97c4d404c558a6a6bc354e248e6
SHA256

6eb48c3210162e7fac45cb9457419a874861bf69537d5a55c3523d33d09c0935
SHA512

fe0c5477f40318f35cff50047539f054fa656d57b4abc4db24b74cf398bbf086699ee00d73c6a2f46b0d6f12ced0b39a16c090a329610241876408983dc7a29b
SSDEEP

6144:Y9exgHUj3xw23jtMeX4vdBuF0dGCWZVond:YAxgHUj3xwmjtMeX4VBuF0dG56

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
6eb48c3210162e7fac45cb9457419a874861bf69537d5a55c3523d33d09c0935

Files

6eb48c3210162e7fac45cb9457419a874861bf69537d5a55c3523d33d09c0935
.exe windows:4 windows x86 arch:x86

a3765c7103a80e09d71b4e2614a79ed1

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

LocalAlloc
LocalFree
GetProcessHeap
ExitProcess
HeapAlloc
HeapReAlloc
HeapFree
IsBadReadPtr
GetTickCount
CreateDirectoryA
GetPrivateProfileStringA
GetModuleFileNameA
WriteFile
CreateFileA
GetLocalTime
WritePrivateProfileStringA
ReadFile
GetFileSize
MoveFileA
GetTempPathA
WaitForSingleObject
CreateProcessA
GetProcessTimes
DeleteFileA
FindNextFileA
FindFirstFileA
FindClose
MultiByteToWideChar
GetUserDefaultLCID
GetCommandLineA
FreeLibrary
LoadLibraryA
LCMapStringA
TerminateThread
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSection
CreateThread
GetSystemInfo
TerminateProcess
GetDiskFreeSpaceExA
Sleep
QueryDosDeviceA
GetLogicalDriveStringsA
Module32First
VirtualQueryEx
lstrcpyn
WideCharToMultiByte
OpenProcess
IsWow64Process
GetProcAddress
GetModuleHandleA
Process32Next
Process32First
CreateToolhelp32Snapshot
GetCurrentProcessId
CreateEventA
OpenEventA
CloseHandle
GetStartupInfoA

ws2_32

setsockopt
gethostbyname
htonl
connect
ntohs
getpeername
send
recv
gethostname
sendto
htons
inet_ntoa
recvfrom
WSAEnumNetworkEvents
WSAWaitForMultipleEvents
bind
inet_addr
closesocket
getsockname
WSAEventSelect
WSACloseEvent
socket
WSACleanup
WSACreateEvent
WSAStartup
listen
accept
__WSAFDIsSet
select

psapi

GetProcessImageFileNameA
GetModuleFileNameExA

shell32

SHGetSpecialFolderPathA
ExtractIconA
ShellExecuteA

advapi32

CryptAcquireContextA
CryptCreateHash
CryptHashData
CryptGetHashParam
CryptDestroyHash
RegCloseKey
RegSetValueExA
RegCreateKeyExA
RegQueryValueExA
RegOpenKeyA
CryptReleaseContext

wininet

InternetCloseHandle
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
InternetOpenA
InternetReadFile

shlwapi

PathIsDirectoryA
PathFileExistsA

user32

ShowWindow
wsprintfA
GetSystemMetrics
DispatchMessageA
TranslateMessage
GetMessageA
GetParent
SetWindowPos
IsWindowVisible
FindWindowExA
DestroyIcon
ReleaseDC
DrawIconEx
GetDC
GetIconInfo
IsWindow
GetWindowThreadProcessId
MessageBoxA
PeekMessageA
GetClassNameA

gdi32

CreateCompatibleDC
SelectObject
CreateDIBSection
BitBlt
DeleteObject
DeleteDC
CreateCompatibleBitmap

version

GetFileVersionInfoA
VerQueryValueA
GetFileVersionInfoSizeA

ole32

CoUninitialize
OleRun
CoCreateInstance
CLSIDFromString
CLSIDFromProgID
CoInitialize

msvcrt

__CxxFrameHandler
realloc
memmove
strchr
strtod
srand
modf
_onexit
__dllonexit
strncmp
strncpy
floor
sprintf
_CIfmod
rand
??2@YAPAXI@Z
strrchr
??3@YAXPAX@Z
_ftol
atoi
malloc
free

oleaut32

VariantCopy
RegisterTypeLi
SafeArrayDestroy
VariantClear
SysAllocString
SafeArrayCreate
VarR8FromCy
VarR8FromBool
LoadTypeLi
LHashValOfNameSys

Sections

.text
Size: 187KB - Virtual size: 187KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 57KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

a3765c7103a80e09d71b4e2614a79ed1

Headers

File Characteristics

Imports

kernel32

ws2_32

psapi

shell32

advapi32

wininet

shlwapi

user32

gdi32

version

ole32

msvcrt

oleaut32

Sections

.text Size: 187KB - Virtual size: 187KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 8KB - Virtual size: 57KB

.CRT Size: 512B - Virtual size: 4B

.text
Size: 187KB - Virtual size: 187KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 8KB - Virtual size: 57KB

.CRT
Size: 512B - Virtual size: 4B