blackmoon | 7f541141c405f00047dd05f9b4d1a31159ef2b199384c958116e57498f33f373

Sharing

Copy URL Twitter E-mail

General

Target

7f541141c405f00047dd05f9b4d1a31159ef2b199384c958116e57498f33f373
Size

202KB
MD5

168eb81f5825ef714c5158b074b2d754
SHA1

466653d03e35a0bf3dba4723a942c11b96abde3b
SHA256

7f541141c405f00047dd05f9b4d1a31159ef2b199384c958116e57498f33f373
SHA512

58664fc2fa3cd2eee8b0ba643be034524cec63b472d184aacfa103b058fbb0351a6d2a9d87303c130d6a81eab82cdbc9e1f57f4ce9af4e62b1247f79635c07ed
SSDEEP

6144:Y9exgHUj3xw23jtMeX4vdBuF0dGCWZVonD:YAxgHUj3xwmjtMeX4VBuF0dG5Y

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
7f541141c405f00047dd05f9b4d1a31159ef2b199384c958116e57498f33f373

Files

7f541141c405f00047dd05f9b4d1a31159ef2b199384c958116e57498f33f373
.exe windows:4 windows x86 arch:x86

a3765c7103a80e09d71b4e2614a79ed1

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

LocalAlloc
LocalFree
GetProcessHeap
ExitProcess
HeapAlloc
HeapReAlloc
HeapFree
IsBadReadPtr
GetTickCount
CreateDirectoryA
GetPrivateProfileStringA
GetModuleFileNameA
WriteFile
CreateFileA
GetLocalTime
WritePrivateProfileStringA
ReadFile
GetFileSize
MoveFileA
GetTempPathA
WaitForSingleObject
CreateProcessA
GetProcessTimes
DeleteFileA
FindNextFileA
FindFirstFileA
FindClose
MultiByteToWideChar
GetUserDefaultLCID
GetCommandLineA
FreeLibrary
LoadLibraryA
LCMapStringA
TerminateThread
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSection
CreateThread
GetSystemInfo
TerminateProcess
GetDiskFreeSpaceExA
Sleep
QueryDosDeviceA
GetLogicalDriveStringsA
Module32First
VirtualQueryEx
lstrcpyn
WideCharToMultiByte
OpenProcess
IsWow64Process
GetProcAddress
GetModuleHandleA
Process32Next
Process32First
CreateToolhelp32Snapshot
GetCurrentProcessId
CreateEventA
OpenEventA
CloseHandle
GetStartupInfoA

ws2_32

setsockopt
gethostbyname
htonl
connect
ntohs
getpeername
send
recv
gethostname
sendto
htons
inet_ntoa
recvfrom
WSAEnumNetworkEvents
WSAWaitForMultipleEvents
bind
inet_addr
closesocket
getsockname
WSAEventSelect
WSACloseEvent
socket
WSACleanup
WSACreateEvent
WSAStartup
listen
accept
__WSAFDIsSet
select

psapi

GetProcessImageFileNameA
GetModuleFileNameExA

shell32

SHGetSpecialFolderPathA
ExtractIconA
ShellExecuteA

advapi32

CryptAcquireContextA
CryptCreateHash
CryptHashData
CryptGetHashParam
CryptDestroyHash
RegCloseKey
RegSetValueExA
RegCreateKeyExA
RegQueryValueExA
RegOpenKeyA
CryptReleaseContext

wininet

InternetCloseHandle
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
InternetOpenA
InternetReadFile

shlwapi

PathIsDirectoryA
PathFileExistsA

user32

ShowWindow
wsprintfA
GetSystemMetrics
DispatchMessageA
TranslateMessage
GetMessageA
GetParent
SetWindowPos
IsWindowVisible
FindWindowExA
DestroyIcon
ReleaseDC
DrawIconEx
GetDC
GetIconInfo
IsWindow
GetWindowThreadProcessId
MessageBoxA
PeekMessageA
GetClassNameA

gdi32

CreateCompatibleDC
SelectObject
CreateDIBSection
BitBlt
DeleteObject
DeleteDC
CreateCompatibleBitmap

version

GetFileVersionInfoA
VerQueryValueA
GetFileVersionInfoSizeA

ole32

CoUninitialize
OleRun
CoCreateInstance
CLSIDFromString
CLSIDFromProgID
CoInitialize

msvcrt

__CxxFrameHandler
realloc
memmove
strchr
strtod
srand
modf
_onexit
__dllonexit
strncmp
strncpy
floor
sprintf
_CIfmod
rand
??2@YAPAXI@Z
strrchr
??3@YAXPAX@Z
_ftol
atoi
malloc
free

oleaut32

VariantCopy
RegisterTypeLi
SafeArrayDestroy
VariantClear
SysAllocString
SafeArrayCreate
VarR8FromCy
VarR8FromBool
LoadTypeLi
LHashValOfNameSys

Sections

.text
Size: 187KB - Virtual size: 187KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 57KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

a3765c7103a80e09d71b4e2614a79ed1

Headers

File Characteristics

Imports

kernel32

ws2_32

psapi

shell32

advapi32

wininet

shlwapi

user32

gdi32

version

ole32

msvcrt

oleaut32

Sections

.text Size: 187KB - Virtual size: 187KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 8KB - Virtual size: 57KB

.CRT Size: 512B - Virtual size: 4B

.text
Size: 187KB - Virtual size: 187KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 8KB - Virtual size: 57KB

.CRT
Size: 512B - Virtual size: 4B