blackmoon | file[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

file.exe
Size

2.5MB
MD5

709c27cf1451f3c700065e06aa44ab32
SHA1

70bca3ed9da45240de0a9e364103ce12567da8e4
SHA256

d4f5c92d2602f114b7269eee1157c290d2f70efca5093f2b5d67cd526eb5f8e8
SHA512

be50149908e6ad61063cc561b0f775536621e5827cfb103e209fe440f7471c35d1b38f4e8bda6e68c29f114b2d5d7a617be9a05d484df9fdcea033c1fd052ee9
SSDEEP

24576:VP+jov5GmCsqfMMoS8qO7Xk2XQ6QiQV8fmzG0NThVz6vOhMfcAs8UYTXjW4CEKad:kOmifwG0HVzQOhOXjJCEKEQIvufRoGp

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
file.exe

Files

file.exe
.exe windows:6 windows x64 arch:x64

4e9653c358320c642fba6c227fa69d9f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

F:\10月16日备份\各种源码\COD19科技源码\TOP源码\TOP历代版本源码+说明\旧版本从5.0-15.3\版本号：2.0.9- COD20版 -单板\COD_TB\x64\Release\1.5.4danban.pdb

Imports

d3d11

D3D11CreateDeviceAndSwapChain

d3dcompiler_43

D3DCompile

imm32

ImmSetCompositionWindow
ImmGetContext
ImmReleaseContext

winhttp

WinHttpOpenRequest
WinHttpOpen
WinHttpSendRequest
WinHttpConnect
WinHttpQueryDataAvailable
WinHttpReceiveResponse
WinHttpCloseHandle
WinHttpReadData

kernel32

UnhandledExceptionFilter
GetModuleHandleW
CreateEventW
WaitForSingleObjectEx
ResetEvent
LoadLibraryA
GetProcAddress
GetTickCount
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
QueryPerformanceFrequency
QueryPerformanceCounter
HeapFree
VirtualFree
DeviceIoControl
VirtualAlloc
InitializeCriticalSectionEx
CreateFileW
GetCurrentThreadId
GetModuleHandleA
HeapSize
GetLastError
HeapReAlloc
CloseHandle
RaiseException
HeapAlloc
HeapDestroy
DeleteCriticalSection
GetCurrentProcessId
IsProcessorFeaturePresent
ReadFile
IsDebuggerPresent
Process32First
SetConsoleTitleA
GetCurrentProcess
WriteFile
TerminateProcess
CreatePipe
GetTempPathW
WaitForSingleObject
OpenProcess
CreateToolhelp32Snapshot
MultiByteToWideChar
Sleep
GetTempPathA
K32GetModuleFileNameExA
LockResource
Process32Next
WritePrivateProfileStringA
FindResourceExW
LoadResource
FindResourceW
K32EnumProcesses
GetStartupInfoA
CreateProcessW
WideCharToMultiByte
GetConsoleWindow
lstrcmpiA
CreateProcessA
GetPrivateProfileIntA
GetPrivateProfileStringA
SetConsoleTitleW
SetEvent
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
InitOnceBeginInitialize
InitOnceComplete
OutputDebugStringW
SetUnhandledExceptionFilter
SizeofResource
GetSystemTimeAsFileTime
GetProcessHeap
InitializeSListHead

user32

GetMessageA
DispatchMessageA
GetWindowRect
DestroyWindow
SetWindowPos
GetClassNameA
ShowWindow
GetAsyncKeyState
GetWindowTextA
MessageBoxA
MoveWindow
DefWindowProcA
SetLayeredWindowAttributes
TranslateMessage
LoadIconA
PeekMessageA
GetSystemMetrics
SetWindowLongPtrA
RegisterClassExA
GetKeyState
LoadCursorA
ScreenToClient
GetCapture
ClientToScreen
GetForegroundWindow
SetCapture
SetCursor
GetClientRect
ReleaseCapture
SetCursorPos
GetCursorPos
OpenClipboard
PostQuitMessage
GetWindowThreadProcessId
SetClipboardData
GetClipboardData
CloseClipboard
EmptyClipboard
EnumWindows

advapi32

RegCreateKeyW
RegDeleteKeyW
RegCloseKey
RegSetKeyValueW
RegOpenKeyW

msvcp140

?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
_Xtime_get_ticks
_Thrd_detach
_Query_perf_counter
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
_Cnd_do_broadcast_at_thread_exit
?id@?$ctype@D@std@@2V0locale@2@A
?_Throw_C_error@std@@YAXH@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Xinvalid_argument@std@@YAXPEBD@Z
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?_Throw_Cpp_error@std@@YAXH@Z
_Query_perf_frequency
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@J@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@G@Z
_Thrd_sleep
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?_Xlength_error@std@@YAXPEBD@Z
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?uncaught_exception@std@@YA_NXZ
?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
?id@?$ctype@_W@std@@2V0locale@2@A
?_Xout_of_range@std@@YAXPEBD@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z
?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z
?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?widen@?$ctype@_W@std@@QEBA_WD@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z

ntdll

RtlVirtualUnwind
RtlInitUnicodeString
RtlCaptureContext
RtlLookupFunctionEntry
NtQuerySystemInformation

ws2_32

inet_addr
gethostbyname
recv
connect
socket
send
closesocket
WSACleanup
htons
WSAStartup

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memcmp
memchr
memcpy
memmove
memset
_CxxThrowException
__current_exception_context
__current_exception
__C_specific_handler
strstr
__std_exception_copy
__std_exception_destroy
__std_terminate

api-ms-win-crt-runtime-l1-1-0

_invalid_parameter_noinfo_noreturn
_errno
_register_thread_local_exe_atexit_callback
exit
terminate
abort
_c_exit
_invalid_parameter_noinfo
_beginthreadex
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_crt_atexit
_cexit
_seh_filter_exe
_set_app_type
__p___argv
_get_initial_narrow_environment
_initterm
_initterm_e
_exit
__p___argc

api-ms-win-crt-stdio-l1-1-0

fopen
__acrt_iob_func
fflush
fclose
_get_stream_buffer_pointers
__p__commode
_fseeki64
_set_fmode
fseek
fsetpos
ungetc
__stdio_common_vfprintf
setvbuf
fgetpos
fgetc
fwrite
fputc
__stdio_common_vsscanf
fread
__stdio_common_vsprintf
_wfopen
ftell

api-ms-win-crt-string-l1-1-0

_stricmp
strncmp
isdigit
tolower
strcpy_s
isspace
strcmp

api-ms-win-crt-utility-l1-1-0

rand
srand
qsort

api-ms-win-crt-heap-l1-1-0

realloc
_callnewh
free
_set_new_mode
malloc

api-ms-win-crt-convert-l1-1-0

strtod
atoi
strtol

api-ms-win-crt-filesystem-l1-1-0

_lock_file
_unlock_file
_wremove

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-crt-math-l1-1-0

fmod
sqrtf
sinf
sqrt
pow
_dclass
floorf
__setusermatherr
ceilf
cosf
sin
cos
fmodf

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Exports

Exports

cJSON_AddArrayToObject
cJSON_AddBoolToObject
cJSON_AddFalseToObject
cJSON_AddItemReferenceToArray
cJSON_AddItemReferenceToObject
cJSON_AddItemToArray
cJSON_AddItemToObject
cJSON_AddItemToObjectCS
cJSON_AddNullToObject
cJSON_AddNumberToObject
cJSON_AddObjectToObject
cJSON_AddRawToObject
cJSON_AddStringToObject
cJSON_AddTrueToObject
cJSON_Compare
cJSON_CreateArray
cJSON_CreateArrayReference
cJSON_CreateBool
cJSON_CreateDoubleArray
cJSON_CreateFalse
cJSON_CreateFloatArray
cJSON_CreateIntArray
cJSON_CreateNull
cJSON_CreateNumber
cJSON_CreateObject
cJSON_CreateObjectReference
cJSON_CreateRaw
cJSON_CreateString
cJSON_CreateStringArray
cJSON_CreateStringReference
cJSON_CreateTrue
cJSON_Delete
cJSON_DeleteItemFromArray
cJSON_DeleteItemFromObject
cJSON_DeleteItemFromObjectCaseSensitive
cJSON_DetachItemFromArray
cJSON_DetachItemFromObject
cJSON_DetachItemFromObjectCaseSensitive
cJSON_DetachItemViaPointer
cJSON_Duplicate
cJSON_GetArrayItem
cJSON_GetArraySize
cJSON_GetErrorPtr
cJSON_GetNumberValue
cJSON_GetObjectItem
cJSON_GetObjectItemCaseSensitive
cJSON_GetStringValue
cJSON_HasObjectItem
cJSON_InitHooks
cJSON_InsertItemInArray
cJSON_IsArray
cJSON_IsBool
cJSON_IsFalse
cJSON_IsInvalid
cJSON_IsNull
cJSON_IsNumber
cJSON_IsObject
cJSON_IsRaw
cJSON_IsString
cJSON_IsTrue
cJSON_Minify
cJSON_Parse
cJSON_ParseWithLength
cJSON_ParseWithLengthOpts
cJSON_ParseWithOpts
cJSON_Print
cJSON_PrintBuffered
cJSON_PrintPreallocated
cJSON_PrintUnformatted
cJSON_ReplaceItemInArray
cJSON_ReplaceItemInObject
cJSON_ReplaceItemInObjectCaseSensitive
cJSON_ReplaceItemViaPointer
cJSON_SetNumberHelper
cJSON_SetValuestring
cJSON_Version
cJSON_free
cJSON_malloc

Sections

.text
Size: 363KB - Virtual size: 363KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2.1MB - Virtual size: 2.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 368B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

4e9653c358320c642fba6c227fa69d9f

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

d3d11

d3dcompiler_43

imm32

winhttp

kernel32

user32

advapi32

msvcp140

ntdll

ws2_32

vcruntime140_1

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

Exports

Exports

Sections

.text Size: 363KB - Virtual size: 363KB

.rdata Size: 2.1MB - Virtual size: 2.1MB

.data Size: 2KB - Virtual size: 6KB

.pdata Size: 12KB - Virtual size: 12KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 512B - Virtual size: 368B

.text
Size: 363KB - Virtual size: 363KB

.rdata
Size: 2.1MB - Virtual size: 2.1MB

.data
Size: 2KB - Virtual size: 6KB

.pdata
Size: 12KB - Virtual size: 12KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 512B - Virtual size: 368B