blackmoon | tfd[.]zip

Resubmissions

22-12-2024 05:26

241222-f44c4svqcy 10

22-12-2024 05:18

241222-fzr5aavqhp 10

Sharing

Copy URL

Twitter E-mail

General

Target

tfd.zip
Size

6.6MB
MD5

44da30588e79926aa259c03796820e6d
SHA1

37bc83fe0487e8c1f7f309983af78a3b3dab24f2
SHA256

fcf54eaf0f05dae2521ce9a53b67a0ac8a72c98f9f8b25a9258fbe1261f0be5e
SHA512

1ff5a5e9f840fdf7713375c9294149f5265d1b09645eb00c2cc2d1ed07847a7bc990cc3aca8aaaf4205f9415153f9563be630268d28335a85bd1808cba3d8e0d
SSDEEP

98304:Nkm/OuBU0P2VJEgdGuTzUlD4JWX++gLCrK6UjqHiL7y3qF+Ok+K6QppKOU:KmWXXEgEuTzcOpuGDqCK3q0Xkt

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
static1/unpack001/GF.DATA	family_blackmoon

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/GF.DATA

Files

tfd.zip
.zip
GF.DATA
.dll windows:5 windows x86 arch:x86

7ccaed4d62ec0c0f17e4d6b2d54f9270

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetProcessHeap
GetModuleHandleA
ExitProcess
HeapAlloc
HeapReAlloc
HeapFree
IsBadReadPtr
GetUserDefaultLCID
WideCharToMultiByte
GetCommandLineA
GetModuleFileNameA
FreeLibrary
GetProcAddress
LoadLibraryA
LCMapStringA
MultiByteToWideChar
TerminateProcess
GetSystemTimeAsFileTime
GetModuleHandleA
CreateEventA
GetModuleFileNameW
TerminateProcess
GetCurrentProcess
CreateToolhelp32Snapshot
Thread32First
GetCurrentProcessId
GetCurrentThreadId
OpenThread
Thread32Next
CloseHandle
SuspendThread
ResumeThread
WriteProcessMemory
GetSystemInfo
VirtualAlloc
VirtualProtect
VirtualFree
GetProcessAffinityMask
SetProcessAffinityMask
GetCurrentThread
SetThreadAffinityMask
Sleep
LoadLibraryA
FreeLibrary
GetTickCount
SystemTimeToFileTime
FileTimeToSystemTime
GlobalFree
LocalAlloc
LocalFree
GetProcAddress
ExitProcess
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
GetModuleHandleW
LoadResource
MultiByteToWideChar
FindResourceExW
FindResourceExA
WideCharToMultiByte
GetThreadLocale
GetUserDefaultLCID
GetSystemDefaultLCID
EnumResourceNamesA
EnumResourceNamesW
EnumResourceLanguagesA
EnumResourceLanguagesW
EnumResourceTypesA
EnumResourceTypesW
CreateFileW
LoadLibraryW
GetLastError
FlushFileBuffers
WriteConsoleW
SetStdHandle
IsProcessorFeaturePresent
DecodePointer
GetCommandLineA
RaiseException
HeapFree
GetCPInfo
InterlockedIncrement
InterlockedDecrement
GetACP
GetOEMCP
IsValidCodePage
EncodePointer
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
HeapAlloc
LCMapStringW
GetStringTypeW
SetHandleCount
GetStdHandle
InitializeCriticalSectionAndSpinCount
GetFileType
GetStartupInfoW
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
HeapCreate
HeapDestroy
QueryPerformanceCounter
HeapSize
WriteFile
RtlUnwind
SetFilePointer
GetConsoleCP
GetConsoleMode
HeapReAlloc
VirtualQuery
LocalAlloc
LocalFree
GetModuleFileNameW
ExitProcess
LoadLibraryA
GetModuleHandleA
GetProcAddress

user32

GetMessageA
PeekMessageA
DispatchMessageA
wsprintfA
MessageBoxA
TranslateMessage
CharUpperBuffW

wininet

InternetCloseHandle
InternetReadFile
InternetOpenA
InternetOpenUrlA
HttpQueryInfoA

ole32

CLSIDFromProgID
CLSIDFromString
CoCreateInstance
CoUninitialize
CoInitialize
OleRun

msvcrt

calloc
memmove
__CxxFrameHandler
strncmp
sprintf
??2@YAPAXI@Z
??3@YAXPAX@Z
strchr
free
malloc
_atoi64
_ftol
atoi
strrchr
realloc
modf

oleaut32

VariantInit
SafeArrayGetDim
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayAccessData
SafeArrayUnaccessData
SafeArrayGetElemsize
VarR8FromCy
VarR8FromBool
SafeArrayDestroy
VariantClear
SysAllocString
SafeArrayCreate
VariantCopy
RegisterTypeLi
LHashValOfNameSys
LoadTypeLi
VariantChangeType

Exports

Exports

�k��"�t��(؊>ѫ��6B�F�>"2،�SK�E؈dE��e��r2q��IuG��Ӓ2{DY`�s]�X�<��q߬|(�c�ۼ�Ԙ��y�k��#��b'�V�Ұ��c��fZ�3��s��C�p~�\�JYt�̨��-^��>��ڪ�u��V$CTst�.wgPb�L��6f�_�&�CxE��{1��0�S��ﭵ�9�0f9 �ؓE�|?`�ג�]�*\4z�\(��#S�d�3 UI`tY��X��6ֈ��͜�#�W�{o�3X��͠��D��z��C?�vB*Ӧ�lQ~��9��q݅��;U"�I5s��3%X�}��x&^�-��8؋e�2�� >�`:�(�4]h�j�p��NƁw|�_lB�`�ڒ��`5D�Of��@D��w�\X�Ӳt�lI�!��Z��C#]�A{� [N�g��E��o��q�'{��1M�{�p��%�i?�l�D!��0�%��*n�G9Óh"�Т��F�$��!��K�� ^�8�ԝ��I��X},H�w��[H�� V�d��$��F��?�Ri�6�� W��$E#��4(�@L��\h��ߍP��Uú�01��a#WsV�BW�i˽�*n�J{� +��p/�[�U�v@dp8�q��F�TW��԰�N��e2\�<K� wۀ1TY~.�KV�9��!�j�퀦lȀ��\��Ӿ��"�;�� Tٛ 4�Wsp��?�tX�� L��8#D�� *v|��D_mi��<��h��7(&�^$�*(�V��s�� ��t� �>��T�>�(��b�Uj��M��uˎ�]44&� 1`"H�غ@��%@��Ҩ�ά��7Q=0�{��5��=�O�٣}��L�;��Tp�NL)��1N�b�1�Dm��|�6��ܫ��w*�ٖ��Ƞ(GϦ�I�u�0��cG�*A>z�me��x�1��8�#��Oy<u'( ̵�`۶�˄�� x��HAR$~��~��#�Ǎ��~ǕdM�t)h��J�0f�ޥ�i��/'��c�j�9)� 8�� Tf�?��!�wטzM}�-)�z��A��D��|�qDE� ��jƆ��s��<�x"]{|��\]$� ��|�>)� N��%� B�>� �,.�#�� I��4j��v{��/yW�N�ZTN�X7y'�#��L� zd��԰�9x<�?��;�wZ��,{O� ��%$�#�L4oI;�~wښXO�*Xf��9q��za&1to��6�٢��5Iڐ5e�F폤��ȕ�O��D,�1��F+39�,��6� Z��u�D�)C��!M�~��/z3Vu�K"� n��_��e��̢��'M��X�dC�xG�R��MX@�h��H�%Q�\h�o!P�=��F�:� yi�f�Q�#FDk8��+��=�S�κ�qX�+��y�xI`D��?�e�(�g�,��Ӧ�w��d�/cx �1seǔ<��Y��n�e��A��_�I�z�E'�s&�-��R�l��]I��Q��L��#�D�y4]p�p�3�IG��]*�_qe 3T��Η�{��l�p��} ��C��*�R�}��T��w��'�]t�K�0pȂ��#)�t%Ĳ&Ӭ��v�R(Tٵ?��a�M��r�ږ7"�kI�e�I�F6]ίsXzָ��]PI�?��@�r�)%��X�ؑ��-��ᤗ�euSnB��F��Mol�z��Ŧ��5H~�f�]]��Fք��-��h�p�V��H�p0}�s�5﷟�_�4��~H��!p>nmb��,+K�{�g� 퍅��s�� frS��]��"�w��ֽO &� ��3��:X?X�ʊ��+՛,z�f�ĜT�IZ��;��J�|��J�^g��G%��_E�.��:>��;'w��S��(fD��!�/��O ��+\/K1�2�~bXX��H6��֜��y��a��b��z��cw�*-�5�an�l�۵�[:v�j&f�$%��R"i��!�A�n�>. m��?�a�OjШ�Ku�y2��i�Xrm)��͍p��p��'� ��'�s]�1�lPE{{�xxd&��c2��X5�pans�Q��^*5�}��s��>�T�TÜ�ŭ8Y��<��;��F�Q�vA6��)�ЁT�'K�.�s;2j��2[|t�{F�J*�2�oZko��F��P M*fw ��൫�.m��Q�ɝK �?�f9ɞ��=^^6U\��X۱��nI�5a��HEo�Y�ld��gM&$�_�[��j�Ly��8�,�Ud1�ˇ��1��AgW裤]g�Q��:7Mش��;��`^��h Y��?#� �Ǔ�^��;Adꘘ�帝T�ײ`��?�� 9Τ+\�n/�goZs�5^��h 2��N�+�s��]��zU=��.�*��H⤗��p�W�Q\`��(a1�PxpS��t`*�a�A��x��K��``>*��e��J�Yk#�r�-��!S��h�Bwf��F*�!�ק�7��z�v�s6�ۓ��$�qH�G�c��<�WW1'�n��A�HO��`+Cw�هK��v�j�� ]��AbfV>��gƳ�i�Z�Yi* b(�2n�b�w?#t:s�G0�y��Fl3� �*�ԁ� ��&0�mVs��0��@fZ��A7� dd�@8uN�_ƣ7p��瞅�&�<� F7κڡN��t�hgm��.�8�c��N��Mq��eK �� <!�ְ� �7�`��,�5�L ��2 UB��ϜA[�a��T��;E�U(�=��E�:��
Win10

Sections

.text
Size: 64KB - Virtual size: 63KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 78KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.-(T
Size: 3.5MB - Virtual size: 3.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.:5C
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.\EQ
Size: 3.2MB - Virtual size: 3.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
run me as admin.bat

Resubmissions

Sharing

General

Malware Config

Signatures

Files

7ccaed4d62ec0c0f17e4d6b2d54f9270

Headers

File Characteristics

Imports

kernel32

user32

wininet

ole32

msvcrt

oleaut32

Exports

Exports

Sections

.text Size: 64KB - Virtual size: 63KB

.rdata Size: 8KB - Virtual size: 4KB

.data Size: 20KB - Virtual size: 78KB

.-(T Size: 3.5MB - Virtual size: 3.5MB

.:5C Size: 4KB - Virtual size: 1KB

.\EQ Size: 3.2MB - Virtual size: 3.2MB

.reloc Size: 12KB - Virtual size: 8KB

.text
Size: 64KB - Virtual size: 63KB

.rdata
Size: 8KB - Virtual size: 4KB

.data
Size: 20KB - Virtual size: 78KB

.-(T
Size: 3.5MB - Virtual size: 3.5MB

.:5C
Size: 4KB - Virtual size: 1KB

.\EQ
Size: 3.2MB - Virtual size: 3.2MB

.reloc
Size: 12KB - Virtual size: 8KB