blackmoon | 4e47e7a2fe22ac707cfb191faefaa85a8f2db73ddb22bf03118abfc56b2adb26

Sharing

Copy URL Twitter E-mail

General

Target

4e47e7a2fe22ac707cfb191faefaa85a8f2db73ddb22bf03118abfc56b2adb26
Size

202KB
MD5

9f9d478dec290e7f95c7f18b1cc6682c
SHA1

82a5249ca3451846c00ec75b14bee1f8b6145f9d
SHA256

4e47e7a2fe22ac707cfb191faefaa85a8f2db73ddb22bf03118abfc56b2adb26
SHA512

a7d2e313fa9f19ea5a75ef82a1e09e94dde0cd0344060839e1897d759116314bac14851f9778f9971a595558185ff011e6d4380a4223f39c43b101dd43103a00
SSDEEP

6144:Y9exgHUj3xw23jtMeX4vdBuF0dGCWZVon1:YAxgHUj3xwmjtMeX4VBuF0dG5O

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
4e47e7a2fe22ac707cfb191faefaa85a8f2db73ddb22bf03118abfc56b2adb26

Files

4e47e7a2fe22ac707cfb191faefaa85a8f2db73ddb22bf03118abfc56b2adb26
.exe windows:4 windows x86 arch:x86

a3765c7103a80e09d71b4e2614a79ed1

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

LocalAlloc
LocalFree
GetProcessHeap
ExitProcess
HeapAlloc
HeapReAlloc
HeapFree
IsBadReadPtr
GetTickCount
CreateDirectoryA
GetPrivateProfileStringA
GetModuleFileNameA
WriteFile
CreateFileA
GetLocalTime
WritePrivateProfileStringA
ReadFile
GetFileSize
MoveFileA
GetTempPathA
WaitForSingleObject
CreateProcessA
GetProcessTimes
DeleteFileA
FindNextFileA
FindFirstFileA
FindClose
MultiByteToWideChar
GetUserDefaultLCID
GetCommandLineA
FreeLibrary
LoadLibraryA
LCMapStringA
TerminateThread
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSection
CreateThread
GetSystemInfo
TerminateProcess
GetDiskFreeSpaceExA
Sleep
QueryDosDeviceA
GetLogicalDriveStringsA
Module32First
VirtualQueryEx
lstrcpyn
WideCharToMultiByte
OpenProcess
IsWow64Process
GetProcAddress
GetModuleHandleA
Process32Next
Process32First
CreateToolhelp32Snapshot
GetCurrentProcessId
CreateEventA
OpenEventA
CloseHandle
GetStartupInfoA

ws2_32

setsockopt
gethostbyname
htonl
connect
ntohs
getpeername
send
recv
gethostname
sendto
htons
inet_ntoa
recvfrom
WSAEnumNetworkEvents
WSAWaitForMultipleEvents
bind
inet_addr
closesocket
getsockname
WSAEventSelect
WSACloseEvent
socket
WSACleanup
WSACreateEvent
WSAStartup
listen
accept
__WSAFDIsSet
select

psapi

GetProcessImageFileNameA
GetModuleFileNameExA

shell32

SHGetSpecialFolderPathA
ExtractIconA
ShellExecuteA

advapi32

CryptAcquireContextA
CryptCreateHash
CryptHashData
CryptGetHashParam
CryptDestroyHash
RegCloseKey
RegSetValueExA
RegCreateKeyExA
RegQueryValueExA
RegOpenKeyA
CryptReleaseContext

wininet

InternetCloseHandle
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
InternetOpenA
InternetReadFile

shlwapi

PathIsDirectoryA
PathFileExistsA

user32

ShowWindow
wsprintfA
GetSystemMetrics
DispatchMessageA
TranslateMessage
GetMessageA
GetParent
SetWindowPos
IsWindowVisible
FindWindowExA
DestroyIcon
ReleaseDC
DrawIconEx
GetDC
GetIconInfo
IsWindow
GetWindowThreadProcessId
MessageBoxA
PeekMessageA
GetClassNameA

gdi32

CreateCompatibleDC
SelectObject
CreateDIBSection
BitBlt
DeleteObject
DeleteDC
CreateCompatibleBitmap

version

GetFileVersionInfoA
VerQueryValueA
GetFileVersionInfoSizeA

ole32

CoUninitialize
OleRun
CoCreateInstance
CLSIDFromString
CLSIDFromProgID
CoInitialize

msvcrt

__CxxFrameHandler
realloc
memmove
strchr
strtod
srand
modf
_onexit
__dllonexit
strncmp
strncpy
floor
sprintf
_CIfmod
rand
??2@YAPAXI@Z
strrchr
??3@YAXPAX@Z
_ftol
atoi
malloc
free

oleaut32

VariantCopy
RegisterTypeLi
SafeArrayDestroy
VariantClear
SysAllocString
SafeArrayCreate
VarR8FromCy
VarR8FromBool
LoadTypeLi
LHashValOfNameSys

Sections

.text
Size: 187KB - Virtual size: 187KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 57KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

a3765c7103a80e09d71b4e2614a79ed1

Headers

File Characteristics

Imports

kernel32

ws2_32

psapi

shell32

advapi32

wininet

shlwapi

user32

gdi32

version

ole32

msvcrt

oleaut32

Sections

.text Size: 187KB - Virtual size: 187KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 8KB - Virtual size: 57KB

.CRT Size: 512B - Virtual size: 4B

.text
Size: 187KB - Virtual size: 187KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 8KB - Virtual size: 57KB

.CRT
Size: 512B - Virtual size: 4B