blackmoon | 4caae0c72ca0f6984c78173ae90245bfcd9a16bb636d1973388d45eb57c50e1b

Sharing

Copy URL Twitter E-mail

General

Target

4caae0c72ca0f6984c78173ae90245bfcd9a16bb636d1973388d45eb57c50e1b
Size

110KB
MD5

db5dbed2d0adb680bdaf0aff75f779ec
SHA1

7d39338146b6d62923702e97a4bc93ff6fe593ba
SHA256

4caae0c72ca0f6984c78173ae90245bfcd9a16bb636d1973388d45eb57c50e1b
SHA512

2e638a51183de348ec16ecdd2955d25952896b958eb23989a10f32d4c05eb9cbe0522fb8fe41ae7d70f6219db0ff45e59a018312989af0bc67527b2bfa08b3fe
SSDEEP

3072:68b0SjhEsjJE72EIfvKXHzN0z4E7STWQM6HZ:6gjhPG7MCB0z4E7LQM6HZ

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
static1/unpack001/fce63851c1d0a4bf68fb415fac1dae78bcadd13b8fd0e8acb2d4bd84c843b2d3.exe	family_blackmoon

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/fce63851c1d0a4bf68fb415fac1dae78bcadd13b8fd0e8acb2d4bd84c843b2d3.exe

Files

4caae0c72ca0f6984c78173ae90245bfcd9a16bb636d1973388d45eb57c50e1b
.zip

Password: infected
fce63851c1d0a4bf68fb415fac1dae78bcadd13b8fd0e8acb2d4bd84c843b2d3.exe
.exe windows:4 windows x86 arch:x86

17e052162b979cde7cdbc93b6991c9f2

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

shlwapi

PathFileExistsA

kernel32

GetCurrentProcess
OpenProcess
LocalAlloc
LocalFree
CloseHandle
CreateToolhelp32Snapshot
Process32First
Process32Next
GetTickCount
lstrlenW
WideCharToMultiByte
MultiByteToWideChar
WaitForSingleObject
TerminateProcess
GetCurrentDirectoryW
GlobalAlloc
GlobalFree
GetProcessHeap
HeapAlloc
RtlMoveMemory
HeapFree
lstrcpyn
lstrcatA
GetModuleHandleA
ExitProcess
HeapReAlloc
IsBadReadPtr
GetModuleFileNameA
Sleep
GetLocalTime
CreateDirectoryA
ReadFile
GetFileSize
CreateFileA
WriteFile
GetUserDefaultLCID
GlobalUnlock
GlobalLock
SetFilePointer
GetCommandLineA
FreeLibrary
GetProcAddress
LoadLibraryA
LCMapStringA
EnterCriticalSection
InitializeCriticalSection
LeaveCriticalSection
InterlockedExchange
SetEnvironmentVariableA
CompareStringW
CompareStringA
SetStdHandle
IsBadCodePtr
GetStringTypeW
GetStringTypeA
SetUnhandledExceptionFilter
LCMapStringW
VirtualAlloc
VirtualFree
HeapCreate
HeapDestroy
GetEnvironmentVariableA
GetFileType
GetStdHandle
SetHandleCount
GetEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsW
FreeEnvironmentStringsA
UnhandledExceptionFilter
GetACP
DeleteFileA
FindClose
FindNextFileA
FindFirstFileA
GetLastError
GetVersionExA
GetDriveTypeA
lstrcpyA
lstrlenA
SetLastError
LockResource
LoadResource
FindResourceA
GetTimeZoneInformation
GetVersion
GetCurrentThreadId
GetCurrentThread
lstrcmpiA
lstrcmpA
GlobalDeleteAtom
InterlockedIncrement
InterlockedDecrement
MulDiv
IsBadWritePtr
FlushFileBuffers
lstrcpynA
GetFullPathNameA
TlsAlloc
DeleteCriticalSection
GlobalHandle
TlsFree
GlobalReAlloc
TlsSetValue
LocalReAlloc
TlsGetValue
GlobalFlags
WritePrivateProfileStringA
GetCurrentDirectoryA
GlobalFindAtomA
GlobalAddAtomA
GlobalGetAtomNameA
GetProcessVersion
SetErrorMode
FileTimeToSystemTime
FileTimeToLocalFileTime
GetCPInfo
GetOEMCP
GetStartupInfoA
RtlUnwind
RaiseException
HeapSize

user32

GetMenuCheckMarkDimensions
RegisterClipboardFormatA
ClientToScreen
TabbedTextOutA
DrawTextA
GrayStringA
UnhookWindowsHookEx
DestroyWindow
CreateDialogIndirectParamA
SetActiveWindow
EndDialog
GetDlgCtrlID
SetWindowTextA
GetMenuItemCount
SendDlgItemMessageA
IsDialogMessageA
SetWindowPos
SetFocus
GetWindowPlacement
IsIconic
RegisterWindowMessageA
SetForegroundWindow
GetForegroundWindow
GetMessagePos
GetMessageTime
DefWindowProcA
RemovePropA
GetPropA
SetPropA
GetClassLongA
CreateWindowExA
GetMenuItemID
GetSubMenu
GetMenu
RegisterClassA
GetClassInfoA
WinHelpA
GetCapture
GetTopWindow
CopyRect
GetClientRect
AdjustWindowRectEx
GetSysColor
MapWindowPoints
LoadIconA
LoadCursorA
GetSysColorBrush
LoadStringA
UnregisterClassA
PostThreadMessageA
DestroyMenu
LoadBitmapA
GetMenuState
ModifyMenuA
SetMenuItemBitmaps
CheckMenuItem
EnableMenuItem
GetFocus
GetNextDlgTabItem
GetActiveWindow
GetKeyState
CallNextHookEx
ValidateRect
SetWindowsHookExA
GetLastActivePopup
IsWindowEnabled
EnableWindow
SetCursor
PostMessageA
PostQuitMessage
GetWindow
PtInRect
GetWindowLongA
GetWindowTextA
GetCursorPos
SetWindowLongA
GetDlgItem
ShowWindow
UpdateWindow
SystemParametersInfoA
GetDC
ReleaseDC
IsWindow
SendMessageA
GetWindowRect
GetSystemMetrics
FindWindowExA
IsWindowVisible
GetWindowThreadProcessId
GetParent
GetClassNameA
GetWindowTextLengthW
GetWindowTextW
GetInputState
CallWindowProcA
MessageBoxA
wsprintfA
DispatchMessageA
TranslateMessage
GetMessageA
PeekMessageA

gdi32

GetClipBox
GetObjectA
GetStockObject
ScaleWindowExtEx
SetWindowExtEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
SetMapMode
SetTextColor
SetBkColor
RestoreDC
SaveDC
CreateBitmap
GetDeviceCaps
SelectObject
DeleteDC
DeleteObject
PtVisible
RectVisible
TextOutA
ExtTextOutA
Escape

advapi32

RegOpenKeyExA
RegCreateKeyExA
RegSetValueExA
RegOpenKeyA
RegQueryValueExA
RegCloseKey
EnumDependentServicesA
EnumServicesStatusExA
EnumServicesStatusA
ChangeServiceConfigA
ControlService
StartServiceA
DeleteService
CreateServiceA
GetServiceKeyNameA
GetServiceDisplayNameA
ChangeServiceConfig2A
QueryServiceConfig2A
QueryServiceConfigA
CloseServiceHandle
QueryServiceStatus
OpenServiceA
OpenSCManagerA
RegDeleteValueA

shell32

SHChangeNotify
ShellExecuteExW
SHGetSpecialFolderPathA

ole32

CLSIDFromProgID
OleRun
CoUninitialize
CoCreateInstance
CLSIDFromString
OleInitialize
OleUninitialize
CoFreeUnusedLibraries
CoRegisterMessageFilter
CoRevokeClassObject
OleFlushClipboard
OleIsCurrentClipboard
CoInitialize

wininet

HttpQueryInfoA
InternetOpenUrlA
InternetOpenA
InternetReadFile
InternetCloseHandle
InternetConnectA
FtpFindFirstFileA
FtpOpenFileA
InternetSetFilePointer
InternetGetConnectedState

odbc32

ord41
ord9
ord31
ord11
ord20
ord19
ord75
ord12
ord24
ord76
ord30
ord43
ord8
ord18
ord39
ord29
ord32
ord36
ord72
ord55

oledlg

ord8

oleaut32

SysAllocString
VariantCopy
RegisterTypeLi
LHashValOfNameSys
LoadTypeLi
VariantChangeType
VarR8FromBool
VarR8FromCy
SysFreeString
VariantClear
SafeArrayDestroy
SafeArrayCreate
SystemTimeToVariantTime
VariantTimeToSystemTime
SafeArrayDestroyDescriptor
VariantInit
SafeArrayAllocDescriptor
SafeArrayAllocData
SafeArrayGetDim
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayAccessData
SafeArrayUnaccessData
SafeArrayGetElemsize

winspool.drv

OpenPrinterA
ClosePrinter
DocumentPropertiesA

comctl32

ord17

Sections

.text
Size: 208KB - Virtual size: 207KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 24KB - Virtual size: 133KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 700B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

17e052162b979cde7cdbc93b6991c9f2

Headers

File Characteristics

Imports

shlwapi

kernel32

user32

gdi32

advapi32

shell32

ole32

wininet

odbc32

oledlg

oleaut32

winspool.drv

comctl32

Sections

.text Size: 208KB - Virtual size: 207KB

.rdata Size: 24KB - Virtual size: 22KB

.data Size: 24KB - Virtual size: 133KB

.rsrc Size: 4KB - Virtual size: 700B

.text
Size: 208KB - Virtual size: 207KB

.rdata
Size: 24KB - Virtual size: 22KB

.data
Size: 24KB - Virtual size: 133KB

.rsrc
Size: 4KB - Virtual size: 700B