blackmoon | 12121f072ba07758b4f08559ff6e4d40N[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

12121f072ba07758b4f08559ff6e4d40N.exe
Size

128KB
MD5

12121f072ba07758b4f08559ff6e4d40
SHA1

e978cfc3fcfde8540510460b1efe66a37607a2a9
SHA256

403095d6a9faaee9898cfb8aa83daa26cf61be2b92add6261d73edf31c65e18b
SHA512

23a6906c268cd44b923df32cef61d48fb89b41e22c745aea53da01202f47705ad9fa79e9db2bcf4e9c0db0408c083be5f52604ddc690718749469a1ab2ed94d6
SSDEEP

1536:lM5lJuZOP4hWdCWDQDEkGevYZXVkSeO48I24v2bSeACV0hefrTQR4FBUWW:l+UFcXGS4sW1Cc2TQGDU

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
12121f072ba07758b4f08559ff6e4d40N.exe

Files

12121f072ba07758b4f08559ff6e4d40N.exe
.dll windows:4 windows x86 arch:x86

f52750eb5ec19f0d8112bb1b21d5bb43

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

LocalAlloc
LocalFree
Module32First
OpenProcess
QueryDosDeviceW
GetEnvironmentVariableA
VirtualAllocEx
VirtualProtectEx
WriteProcessMemory
ResumeThread
GetCurrentProcess
VirtualQueryEx
FreeLibrary
VirtualAlloc
VirtualFree
GetProcAddress
CloseHandle
RtlZeroMemory
ExitProcess
HeapAlloc
HeapReAlloc
HeapFree
IsBadReadPtr
WriteFile
CreateFileA
Sleep
ReadFile
GetFileSize
GetTickCount
GetCommandLineA
GetModuleFileNameA
LoadLibraryA
LCMapStringA
lstrcpynA
GetTempFileNameA
GetTempPathA
CreateProcessW
LockResource
LoadResource
SizeofResource
FindResourceA
GetModuleHandleA
CopyFileA
MultiByteToWideChar
ExpandEnvironmentStringsW
WTSGetActiveConsoleSessionId
CreateToolhelp32Snapshot
WideCharToMultiByte
RtlMoveMemory
GetCommandLineW
ProcessIdToSessionId
GetProcessHeap

user32

PeekMessageA
GetMessageA
TranslateMessage
DispatchMessageA
wsprintfA
MessageBoxA
MsgWaitForMultipleObjects

shell32

ShellExecuteA
CommandLineToArgvW

advapi32

ChangeServiceConfig2A
OpenServiceA
CloseServiceHandle
CreateServiceA
OpenSCManagerA
RegQueryValueExA
RegOpenKeyA
OpenProcessToken
LookupPrivilegeValueA
DuplicateTokenEx
SetTokenInformation
AdjustTokenPrivileges
CreateProcessAsUserA
LookupAccountSidA
CryptDecrypt

iphlpapi

CreateIpForwardEntry
DeleteIpForwardEntry
GetIpForwardTable

wtsapi32

WTSQueryUserToken

userenv

CreateEnvironmentBlock

psapi

GetProcessImageFileNameW

ws2_32

gethostbyname
WSACleanup
WSAStartup

msvcrt

modf
strstr
malloc
realloc
free
strchr
strrchr
floor
_stricmp
atof
sprintf
atoi
_ftol

oleaut32

VariantTimeToSystemTime

Exports

Exports

cv5n6_4d87y4r89t4_h18ber

Sections

.text
Size: 96KB - Virtual size: 94KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 77KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f52750eb5ec19f0d8112bb1b21d5bb43

Headers

File Characteristics

Imports

kernel32

user32

shell32

advapi32

iphlpapi

wtsapi32

userenv

psapi

ws2_32

msvcrt

oleaut32

Exports

Exports

Sections

.text Size: 96KB - Virtual size: 94KB

.rdata Size: 4KB - Virtual size: 2KB

.data Size: 20KB - Virtual size: 77KB

.reloc Size: 4KB - Virtual size: 3KB

.text
Size: 96KB - Virtual size: 94KB

.rdata
Size: 4KB - Virtual size: 2KB

.data
Size: 20KB - Virtual size: 77KB

.reloc
Size: 4KB - Virtual size: 3KB