blackmoon | dc88a5fa27b308345ee9d1dad1f2af1ff5f21f5ed121bfa4cf5dc5f47209ac2a

Sharing

Copy URL

Twitter E-mail

General

Target

dc88a5fa27b308345ee9d1dad1f2af1ff5f21f5ed121bfa4cf5dc5f47209ac2a
Size

504KB
MD5

8be1901edad2925f9a7c22434e6fca4f
SHA1

b30fe3bf30e0821efd967aa405b04c94c9297144
SHA256

dc88a5fa27b308345ee9d1dad1f2af1ff5f21f5ed121bfa4cf5dc5f47209ac2a
SHA512

e71f97c95d1808553135c9ec506401e260ae3b32496af3e407598d3398b4a262e1b53d8fffc028bcbb6646c892af9bfc401f76f60abaad608416f5e0445192a8
SSDEEP

6144:hJhGdMKjc0MLPuwy8TlK25oLWZmIIiy2TMdGA67AP5nk9pgnjc5:hJhGWxq8NoKmI1IGAFnk90g

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
dc88a5fa27b308345ee9d1dad1f2af1ff5f21f5ed121bfa4cf5dc5f47209ac2a

Files

dc88a5fa27b308345ee9d1dad1f2af1ff5f21f5ed121bfa4cf5dc5f47209ac2a
.dll windows:4 windows x86 arch:x86

3af36341590a3e399275de47563046e1

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

OpenProcess
HeapAlloc
HeapFree
QueryDosDeviceW
lstrlenW
WideCharToMultiByte
GlobalAlloc
GlobalFree
lstrcpyn
GetDateFormatA
GetTimeFormatA
lstrcpyA
Module32First
Module32Next
VirtualQueryEx
ReadProcessMemory
CreateProcessW
VirtualAllocEx
WriteProcessMemory
GetModuleHandleA
GetProcAddress
CreateRemoteThread
WaitForSingleObject
GetExitCodeThread
VirtualFreeEx
FindFirstFileW
FindClose
GetTempPathW
CreateProcessA
LoadLibraryA
VirtualAlloc
VirtualFree
GetModuleFileNameA
VirtualProtect
GlobalMemoryStatusEx
GetLogicalDriveStringsA
GetDriveTypeA
GetDiskFreeSpaceExA
RtlZeroMemory
lstrcmpW
HeapCreate
HeapDestroy
lstrcmpiW
lstrlenA
lstrcmpA
VirtualProtectEx
GetCurrentProcessId
GetCurrentProcess
FreeLibrary
ExitProcess
HeapReAlloc
IsBadReadPtr
GetEnvironmentVariableA
WriteFile
CreateFileA
GetTickCount
GetLocalTime
GetUserDefaultLCID
FormatMessageA
GetStartupInfoA
CreateToolhelp32Snapshot
LCMapStringA
ReadFile
GetFileSize
GetCommandLineA
DeleteCriticalSection
InitializeCriticalSection
CreateThread
LeaveCriticalSection
GetTempPathA
GetLogicalProcessorInformation
LocalFree
IsBadCodePtr
SetUnhandledExceptionFilter
LocalAlloc
CloseHandle
SetWaitableTimer
CreateWaitableTimerA
LocalSize
RtlMoveMemory
lstrcpynA
lstrcatA
Process32Next
LoadLibraryExA
FlushFileBuffers
SetStdHandle
GetStringTypeW
GetStringTypeA
GetOEMCP
GetACP
GetCPInfo
LCMapStringW
SetFilePointer
RaiseException
GetEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsW
FreeEnvironmentStringsA
Process32First
GetFileType
GetStdHandle
SetHandleCount
TlsGetValue
SetLastError
GetSystemDirectoryA
GetWindowsDirectoryA
GetVersionExA
GetLastError
GetVersion
InterlockedDecrement
InterlockedIncrement
RtlUnwind
TerminateProcess
GetCurrentThreadId
TlsSetValue
TlsAlloc
TlsFree
MultiByteToWideChar
DeleteFileA
GetProcessHeap
EnterCriticalSection

user32

CallWindowProcA
MsgWaitForMultipleObjects
FindWindowA
GetWindowThreadProcessId
IsWindow
CreateDesktopW
CloseDesktop
IsWindowVisible
WaitForInputIdle
EnumWindows
MessageBoxA
wsprintfA
DispatchMessageA
TranslateMessage
GetMessageA
PeekMessageA
RegisterWindowMessageA
SetWindowLongA
GetAncestor

advapi32

CreateProcessWithTokenW
RegOpenKeyA
RegQueryValueExA
RegCloseKey
DuplicateTokenEx
OpenProcessToken
CreateProcessAsUserW

shell32

SHGetSpecialFolderPathW
SHGetSpecialFolderPathA

ole32

CoUninitialize
CLSIDFromString
OleRun
CoSetProxyBlanket
CoInitialize
CoCreateInstance
CoInitializeSecurity
CLSIDFromProgID
IIDFromString

ws2_32

closesocket
inet_addr
WSAStartup
gethostbyname
socket
htons
send
recv
WSACleanup
connect

iphlpapi

SendARP
GetPerAdapterInfo
GetAdaptersInfo

oleaut32

RegisterTypeLi
LHashValOfNameSys
LoadTypeLi
VarR8FromBool
VarR8FromCy
SystemTimeToVariantTime
VariantChangeType
VariantInit
SafeArrayAllocDescriptor
SafeArrayAllocData
SafeArrayDestroy
VariantCopy
VariantClear
SafeArrayGetDim
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayAccessData
SafeArrayUnaccessData
SafeArrayGetElemsize
VariantTimeToSystemTime
SysAllocString
SysFreeString
SafeArrayCreate

crypt32

CryptStringToBinaryA
CryptBinaryToStringA

version

GetFileVersionInfoA
VerQueryValueA
GetFileVersionInfoSizeA

pdh

PdhCollectQueryData
PdhRemoveCounter
PdhGetFormattedCounterValue
PdhAddCounterA
PdhOpenQuery

shlwapi

StrToIntExW
PathFileExistsA
StrToIntW

Exports

Exports

Main
_��ӳ��

Sections

.text
Size: 364KB - Virtual size: 363KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 108KB - Virtual size: 196KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 16KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3af36341590a3e399275de47563046e1

Headers

File Characteristics

Imports

kernel32

user32

advapi32

shell32

ole32

ws2_32

iphlpapi

oleaut32

crypt32

version

pdh

shlwapi

Exports

Exports

Sections

.text Size: 364KB - Virtual size: 363KB

.rdata Size: 12KB - Virtual size: 10KB

.data Size: 108KB - Virtual size: 196KB

.reloc Size: 16KB - Virtual size: 13KB

.text
Size: 364KB - Virtual size: 363KB

.rdata
Size: 12KB - Virtual size: 10KB

.data
Size: 108KB - Virtual size: 196KB

.reloc
Size: 16KB - Virtual size: 13KB