Behavioral task: behavioral1
Sample: b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe
Resource: win10-20240404-en
General
Target: b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.7z
Size: 3.7MB
MD5: 592a65928518fa3230b06b6c0b39fab7
SHA1: 6ca3cc110f4e57e5aced197694d6ed3799a66f07
SHA256: 6d210bec7921edb5afe717e038328ad27f6955c5439db1092396aa40ae619c95
SHA512: 6d883856aa0f5587420a67931f8b40f911045c352f485a03f4f69b3def6207e7c462ab49ad6f66735085a8dd186bbf2b370e1dc489c4edadc580e98eba9a13e2
SSDEEP: 98304:AACFIubo1fuFhF/DXFJ3jCgdZ7jY+x/T0zhOIWBZ:AACN81fuFjrjn7nT0M9Z
Note that these hashes describe the submitted .7z archive (the Target above), not the extracted executable listed under Sample. Recompute or look up the .exe's own hashes before pivoting on them; the archive hashes will change with any re-packaging.
Malware Config
Signatures
Blackmoon family
Detect Blackmoon payload (1 IoC)
Rule: family_blackmoon (YARA), matched on static1/unpack001/b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe
Unsigned PE (1 IoC)
Checks for missing Authenticode signature. Matched on unpack001/b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe
Both hits are static checks on the unpacked executable (a YARA rule and a certificate-table check), not behaviour observed during the run. Treat the family tag as a classification to confirm against the behavioural output, and treat the missing signature as a weak signal on its own, since many legitimate binaries are also unsigned.
Files
b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.7z (7z archive), Password: infected
b4ec9be8e93dd3f6f48db661592ad6a96ffde8827a7a30362eec06232d9b8da5.exe (PE: windows:5 windows x86 arch:x86), Password: infected
Hash (shown without a label in the listing): 41feded63720680fe391f9f58f0d2453
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
DYNAMIC_BASE and NX_COMPAT are the linker's ASLR and DEP opt-ins: the loader may relocate the image and marks non-code pages non-executable. They only affect how hard the binary itself is to exploit, not what it does.
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
Reading the import table as capability groups: process enumeration and access (CreateToolhelp32Snapshot, Process32First, Process32Next, OpenProcess), token privilege adjustment (OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges), window discovery by title and class (GetWindowTextA, GetClassNameA, IsWindowVisible, GetWindowThreadProcessId, SetForegroundWindow), file drop, rename and launch (CreateFileA, WriteFile, SetFileAttributesA, MoveFileA, CreateProcessA, ShellExecuteA), and in-memory image handling through GDI+ and OLE streams (CreateStreamOnHGlobal, GdipCreateBitmapFromStream, GdipSaveImageToStream). Caveat: IsDebuggerPresent, EncodePointer/DecodePointer, the Tls* and CriticalSection functions, IsProcessorFeaturePresent and the code-page functions are standard MSVC C runtime startup imports and are not indicators on their own.
kernel32
GetCurrentProcess
CreateThread
CreateWaitableTimerA
SetWaitableTimer
GetWindowsDirectoryA
GetTempPathA
lstrcpyn
GlobalSize
RtlMoveMemory
GlobalFree
MultiByteToWideChar
GetProcessHeap
GetModuleHandleA
ExitProcess
HeapAlloc
HeapReAlloc
HeapFree
IsBadReadPtr
GetModuleFileNameA
SetFileAttributesA
GetTickCount
CloseHandle
WriteFile
CreateFileA
ReadFile
GetFileSize
WaitForSingleObject
CreateProcessA
GetStartupInfoA
FindNextFileA
FindFirstFileA
FindClose
MoveFileA
GetCommandLineA
FreeLibrary
OpenProcess
LoadLibraryA
LCMapStringA
FlushFileBuffers
CreateFileW
WriteConsoleW
SetStdHandle
HeapSize
RaiseException
GetStringTypeW
GetConsoleMode
GetConsoleCP
SetFilePointer
Sleep
GetCurrentProcessId
Process32Next
Process32First
CreateToolhelp32Snapshot
LoadLibraryW
EnterCriticalSection
LeaveCriticalSection
IsProcessorFeaturePresent
LCMapStringW
IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
TerminateProcess
IsDebuggerPresent
UnhandledExceptionFilter
CreateEventA
OpenEventA
GetProcAddress
GetSystemDirectoryA
GetLastError
WideCharToMultiByte
HeapSetInformation
GetStartupInfoW
RtlUnwind
SetUnhandledExceptionFilter
GetModuleHandleW
DecodePointer
GetStdHandle
GetModuleFileNameW
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
InitializeCriticalSectionAndSpinCount
GetFileType
DeleteCriticalSection
EncodePointer
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapCreate
QueryPerformanceCounter
GetSystemTimeAsFileTime
user32
MsgWaitForMultipleObjects
PeekMessageA
GetMessageA
TranslateMessage
DispatchMessageA
wsprintfA
MessageBoxA
SystemParametersInfoA
SetWindowPos
SetForegroundWindow
ShowWindow
GetClassNameA
GetWindowTextA
GetWindowThreadProcessId
IsWindowVisible
advapi32
LookupPrivilegeValueA
AdjustTokenPrivileges
OpenProcessToken
shell32
ShellExecuteA
SHGetSpecialFolderPathA
ole32
GetHGlobalFromStream
CreateStreamOnHGlobal
gdiplus
GdipCreateBitmapFromHBITMAP
GdiplusShutdown
GdipDisposeImage
GdiplusStartup
GdipCreateBitmapFromStream
GdipCreateHBITMAPFromBitmap
GdipSaveImageToStream
winmm
mciSendStringA
Sections
Almost the whole file is the writable .data section (3.9MB raw against 93KB of code in .text), so the bulk of the binary is embedded data rather than code; it is worth carving, and the GDI+/OLE stream imports above are one plausible consumer of it. Raw and virtual sizes agree within alignment for every section, so nothing is declared larger in memory than on disk.
.text Size: 93KB - Virtual size: 92KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 17KB - Virtual size: 16KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 3.9MB - Virtual size: 4.0MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 17KB - Virtual size: 17KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
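A stand-alone Python script, added here as an example and not produced by the sandbox or taken from the sample, that reproduces the header-level findings above from raw bytes: it decodes the File and DLL characteristics, lists section sizes and flags, and applies the same "Unsigned PE" test, which is whether the IMAGE_DIRECTORY_ENTRY_SECURITY data directory (index 4, the Authenticode certificate table) is empty. It uses only the standard library. Because the sample's bytes are not on this page, `make_sample_pe()` builds a constructed, non-runnable PE32 stub whose header values copy the ones listed above, so the script can be exercised offline; pass a real file path to inspect an actual binary.

```python
"""Static PE header checks: characteristics, sections and the Authenticode
'Unsigned PE' test. Example code, not sandbox output or the sample's code."""
import hashlib
import struct

IMAGE_FILE_FLAGS = {0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE",
                    0x0100: "IMAGE_FILE_32BIT_MACHINE", 0x2000: "IMAGE_FILE_DLL"}
DLL_CHARACTERISTICS = {0x0040: "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
                       0x0100: "IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
                       0x0400: "IMAGE_DLLCHARACTERISTICS_NO_SEH",
                       0x8000: "IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE"}
SECTION_FLAGS = {0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
                 0x02000000: "IMAGE_SCN_MEM_DISCARDABLE", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
                 0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # certificate table (Authenticode)


def decode_flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def inspect_pe(data):
    """Parse DOS/NT headers and the section table; return the report fields."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4  # IMAGE_FILE_HEADER
    machine, nsections, _, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20      # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:  # PE32+
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    # An empty certificate table means no embedded Authenticode signature. A non-empty
    # one only proves a signature is present, not that it verifies.
    sec_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _, sec_size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections, sh = [], opt + opt_size
    for i in range(nsections):
        name, vsize, _, rawsize, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, sh + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize,
                         "flags": decode_flags(chars, SECTION_FLAGS)})
    return {"machine": machine, "pe32plus": magic == 0x20B,
            "file_characteristics": decode_flags(file_chars, IMAGE_FILE_FLAGS),
            "dll_characteristics": decode_flags(dll_chars, DLL_CHARACTERISTICS),
            "has_authenticode": sec_size != 0, "sections": sections,
            "sha256": hashlib.sha256(data).hexdigest()}


def findings(report):
    """Turn the parsed header into one-line findings of the kind a sandbox prints."""
    out = []
    if not report["has_authenticode"]:
        out.append("Unsigned PE: certificate table (data directory 4) is empty")
    for s in report["sections"]:
        if "IMAGE_SCN_MEM_EXECUTE" in s["flags"] and "IMAGE_SCN_MEM_WRITE" in s["flags"]:
            out.append("Section %s is writable and executable" % s["name"])
    total = sum(s["raw_size"] for s in report["sections"]) or 1
    big = max(report["sections"], key=lambda s: s["raw_size"])
    if big["raw_size"] * 2 > total and "IMAGE_SCN_CNT_CODE" not in big["flags"]:
        out.append("Section %s holds %d%% of raw file bytes as non-code data"
                   % (big["name"], 100 * big["raw_size"] // total))
    return out


def make_sample_pe():
    """Constructed PE32 stub (no code, will not run) with this report's header values:
    x86, EXECUTABLE|32BIT, DYNAMIC_BASE|NX_COMPAT|TS_AWARE, empty certificate table."""
    sections = [(b".text", 92 * 1024, 93 * 1024, 0x60000020),      # CODE|EXECUTE|READ
                (b".rdata", 16 * 1024, 17 * 1024, 0x40000040),     # INIT_DATA|READ
                (b".data", 4000 * 1024, 3900 * 1024, 0xC0000040),  # INIT_DATA|READ|WRITE
                (b".reloc", 17 * 1024, 17 * 1024, 0x42000040)]     # INIT_DATA|DISCARDABLE|READ
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 68 + struct.pack("<H", 0x8140)  # ... DllCharacteristics
    opt += b"\0" * 20 + struct.pack("<I", 16) + b"\0" * 128       # NumberOfRvaAndSizes, 16 empty dirs
    sec_hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, 0, rs, 0, 0, 0, 0, 0, c)
                        for n, vs, rs, c in sections)
    return dos + b"PE\0\0" + file_hdr + opt + sec_hdrs


if __name__ == "__main__":
    import json, sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_pe()
    report = inspect_pe(blob)
    print(json.dumps(report, indent=2))
    print("\n".join(findings(report)))
```

Run it with no arguments to see the report for the constructed stub, or with a path to a real PE. The certificate-table test is exactly what the "Unsigned PE" signature checks; verifying a signature that is present needs the WinTrust API or a tool such as osslsigncode and is out of scope here.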