blackmoon | 20835219058[.]zip

Resubmissions

21-01-2025 17:04

250121-vlqfvstrfr 10

21-01-2025 17:03

250121-vk2gqstrdn 10

Sharing

Copy URL

Twitter E-mail

General

Target

20835219058.zip
Size

9.9MB
MD5

e1c6ccc4bbaaf000fb558cc0050b6cda
SHA1

4eb427419db0c4e6e51173ef28a32776b3d04d2d
SHA256

9e8507bc885281b256eea110cd13a268e5363b08626a500b369280504d33feea
SHA512

08fb72512833d766b370d3ef15521784c2130f881268fe100520b0f1614c5713c05469f42cb5225341eb6ce32522b54dfbde44609e66e1780423b15e3e38a7be
SSDEEP

196608:tQNbd2kh2PoC0MJPtYU2ptfZjzyuOVtFt4brv58c2ZsEmKZrEEh:tQTPIQYYHptfZgFUr5P2ZSaLh

Score

10^/10

blackmoon xred

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
static1/unpack001/0815a1760eecfecbb2d99fb1680c46abe11a6949def31c30938b81a0e7282253	family_blackmoon

Xred family
xred

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/0815a1760eecfecbb2d99fb1680c46abe11a6949def31c30938b81a0e7282253

Files

20835219058.zip
.zip

Password: infected
0815a1760eecfecbb2d99fb1680c46abe11a6949def31c30938b81a0e7282253
.exe windows:5 windows x86 arch:x86

cb21125ad113dbfdd75b5518563170ef

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GlobalFree
GlobalUnlock
GlobalLock
SetFilePointer
GetLastError
GetCurrentProcess
GetVersionExA
TerminateProcess
OpenProcess
GetTempPathA
GetWindowsDirectoryA
lstrcpyA
GetSystemDirectoryA
lstrlenA
MultiByteToWideChar
GlobalAlloc
SetLastError
LCMapStringA
lstrcatA
GetVersion
WideCharToMultiByte
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
GetCurrentThreadId
GetCurrentThread
lstrcmpiA
lstrcmpA
GlobalDeleteAtom
InterlockedIncrement
InterlockedDecrement
LocalFree
FlushFileBuffers
lstrcpynA
LocalAlloc
TlsAlloc
GlobalHandle
TlsFree
GlobalReAlloc
TlsSetValue
LocalReAlloc
TlsGetValue
GlobalFlags
WritePrivateProfileStringA
GlobalFindAtomA
GlobalAddAtomA
GlobalGetAtomNameA
GetProcessVersion
SetErrorMode
GetCPInfo
GetOEMCP
RtlUnwind
RaiseException
HeapSize
GetACP
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
GetEnvironmentVariableA
HeapDestroy
HeapCreate
IsBadWritePtr
LCMapStringW
SetUnhandledExceptionFilter
GetStringTypeA
GetStringTypeW
IsBadCodePtr
SetStdHandle
InterlockedExchange
LoadLibraryA
GetProcAddress
FreeLibrary
GetCommandLineA
FindFirstFileA
RemoveDirectoryA
FindNextFileA
FindClose
SetFileAttributesA
DeleteFileA
GetModuleFileNameA
GetTickCount
GetStartupInfoA
CreateProcessA
WaitForSingleObject
WriteFile
CloseHandle
GetPrivateProfileStringA
IsBadReadPtr
HeapFree
HeapReAlloc
HeapAlloc
ExitProcess
GetModuleHandleA
GetProcessHeap
MoveFileA
CreateDirectoryA
Beep
Sleep
IsDebuggerPresent
CreateEventA
OpenEventA
CreateMutexA
GetCurrentProcessId
CreateFileA
GetDiskFreeSpaceExA
GlobalMemoryStatusEx
Process32Next
Process32First
CreateToolhelp32Snapshot
SetWaitableTimer
CreateWaitableTimerA
UnmapViewOfFile
MapViewOfFile
CreateFileMappingA
OpenFileMappingA
VirtualFree
VirtualAlloc
VirtualQuery
GetSystemTimeAsFileTime
GetModuleHandleA
CreateEventA
GetModuleFileNameW
LoadLibraryA
TerminateProcess
GetCurrentProcess
CreateToolhelp32Snapshot
Thread32First
GetCurrentProcessId
GetCurrentThreadId
OpenThread
Thread32Next
CloseHandle
SuspendThread
ResumeThread
WriteProcessMemory
GetSystemInfo
VirtualAlloc
VirtualProtect
VirtualFree
GetProcessAffinityMask
SetProcessAffinityMask
GetCurrentThread
SetThreadAffinityMask
Sleep
FreeLibrary
GetTickCount
GlobalFree
GetProcAddress
LocalAlloc
LocalFree
ExitProcess
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
GetModuleHandleW
LoadResource
MultiByteToWideChar
FindResourceExW
FindResourceExA
WideCharToMultiByte
GetThreadLocale
GetUserDefaultLCID
GetSystemDefaultLCID
EnumResourceNamesA
EnumResourceNamesW
EnumResourceLanguagesA
EnumResourceLanguagesW
EnumResourceTypesA
EnumResourceTypesW
CreateFileW
LoadLibraryW
GetLastError
FlushFileBuffers
CreateFileA
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
GetCommandLineA
RaiseException
RtlUnwind
HeapFree
GetCPInfo
InterlockedIncrement
InterlockedDecrement
GetACP
GetOEMCP
IsValidCodePage
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
HeapAlloc
LCMapStringA
LCMapStringW
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
HeapCreate
HeapDestroy
QueryPerformanceCounter
HeapReAlloc
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
HeapSize
WriteFile
SetFilePointer
GetConsoleCP
GetConsoleMode
InitializeCriticalSectionAndSpinCount
SetStdHandle
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

shlwapi

PathFileExistsA

ws2_32

WSAStartup
closesocket
WSACleanup
select
WSAAsyncSelect
ntohs
getsockname
recv
send
gethostbyname
connect
inet_addr
htons
socket

user32

LoadBitmapA
GetMenuCheckMarkDimensions
TabbedTextOutA
DrawTextA
GrayStringA
UnhookWindowsHookEx
GetDlgCtrlID
SetWindowTextA
GetMenuItemCount
SetWindowPos
SetFocus
GetWindowPlacement
RegisterWindowMessageA
GetMessagePos
GetMessageTime
RemovePropA
CallWindowProcA
GetPropA
SetPropA
GetClassLongA
GetMenuItemID
GetSubMenu
GetMenu
RegisterClassA
GetClassInfoA
WinHelpA
GetCapture
GetTopWindow
GetMenuState
CopyRect
GetFocus
AdjustWindowRectEx
GetSysColor
MapWindowPoints
LoadIconA
LoadCursorA
GetSysColorBrush
LoadStringA
DestroyMenu
GetParent
GetWindow
PtInRect
GetWindowLongA
GetCursorPos
SetWindowLongA
GetDlgItem
SystemParametersInfoA
SendMessageA
GetSystemMetrics
ModifyMenuA
SetMenuItemBitmaps
GetNextDlgTabItem
GetKeyState
CallNextHookEx
ValidateRect
SetWindowsHookExA
GetLastActivePopup
SetCursor
CheckMenuItem
EnableMenuItem
PostMessageA
GetMessageA
wsprintfA
MessageBoxA
GetAsyncKeyState
MoveWindow
DestroyWindow
ReleaseDC
DispatchMessageA
TranslateMessage
PeekMessageA
UnregisterClassA
DefWindowProcA
PostQuitMessage
SetLayeredWindowAttributes
GetDC
CreateWindowExA
RegisterClassExA
GetWindowRect
ShowWindow
IsIconic
ClientToScreen
GetClientRect
FindWindowA
CreateWindowStationA
GetWindowThreadProcessId
GetClassNameA
GetWindowTextA
IsWindowVisible
SetForegroundWindow
GetActiveWindow
GetForegroundWindow
IsWindowEnabled
EnableWindow
GetUserObjectInformationW
CharUpperBuffW
MessageBoxW
GetProcessWindowStation
GetProcessWindowStation
GetUserObjectInformationW

gdi32

SetWindowExtEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
ScaleWindowExtEx
SetViewportOrgEx
SetMapMode
SetTextColor
SetBkColor
RestoreDC
SaveDC
CreateBitmap
Escape
ExtTextOutA
RectVisible
PtVisible
GetStockObject
GetBkColor
CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
BitBlt
DeleteDC
DeleteObject
CreatePen
Rectangle
TextOutA
GetObjectA
GetDeviceCaps
GetClipBox

advapi32

RegSetValueExA
DeleteService
ControlService
CloseServiceHandle
OpenServiceA
OpenSCManagerA
RegCreateKeyExA
RegOpenKeyExA
RegCloseKey

shell32

SHGetSpecialFolderPathA
ShellExecuteA

winspool.drv

OpenPrinterA
ClosePrinter
DocumentPropertiesA

comctl32

ord17

wtsapi32

WTSSendMessageW

Exports

Exports

GS��{m��ԶT��S�� l�?�Oةݿ��=VC��b�� | E=��>�LiI�3?��"r��+y�a~: ]��𞦱��G5�s�JLQ�'��KǕ��{�(��V��s(@H<!s��p�PkC:6� �:��g��z� ��C�@��G�p*��lq�N�N��l΁�R��v,��彎wSù�ĸ��e�K�{?|��w}-��A%Adq�;o!�'N��4exˇg��bD"z^�x�̕7��D7�� {DҕU��<�v��kb�G$��ͫ��Ώ��@��e_��#�V)�a�7|C?cJ�٦��ĚEE��D��K��k`�9��la��>��F"�j(�&!ѫ<�İv��<�?�$�J��JZ_MpJ��J��dV��(�|lS��f6:�+&��U%��8�JtҦ�z�痨�F5�UG��\�?J��RKF�3��6=Y;L$�i�A�<��`E��:j��˯��p�'F��.�u\��4Ծ��4�� <�P�l뾋��YA��]��^t�Ϗd�SD�8w3��?��n݇�H]��p0#C��q��z[Ď�]tgJ��%!�Q��Q^A<��Fe8��g�!R��\6��y7%�Fs��d}5ԁw��#jA.Oc�H��Lt�x��\@��qk�׭��?se"��l�"]��k�3��(6�6��~�!�`|�M��л�}Β��!R��H�'�j`ӤsHBg��j��r=��(ߵƉ�v��P� �n�%yl��G��#�7l�*��C�r¿lr!Lj.^��g��*��K�Nc��n��F��r��+Es��2+�b7��;�4�c��oK�%Sv�%��q^ֆ��;�-]�K0��r��yHHȵ�֗��"��AD/d�ya>�Gy��\d�_鿌s��ֈ��H\j(�a J)�H�%��6j��wF,�d�yPܖH�,�S� zE�u��T��2^4�K��#��ba3Q��80�?|n@u�3��h�%��W�<v?�0�q4�n��̭�V ��.C�6f�m�?F2)/��|�� Mo`��*I��x�2�M��\?��`�O��Sa�Fm)h��&󳋻��-��%�؅��~8h��f��eՆ�\��A6l!�;�u��s50��>��c�=�Pe�[go#�w�rN场:��/��ս�QE1��e?��;��UꗙR"n-:֪�ii�UOV�L6�Ӊ�`/郪=��`��9796h��l�E�8k��AFc��!e��70 6��6��0��r`e��i��ªK@�QKoBwR�j�|�.uSC�W�4Q?�H"[(]��S��5J�CK��;j��]��q�R��~�/��/�C�,:��/m��p�,-�Z'j$S�n�V��;��D-l��5�� H$�Z�gO��bqT�츯��2��[n�8�+�q4�L��*PmY/�M�D_-%%��:�HB��y��bqg��:A��&��]F��Ih0��6�봿��1U��uJh��X��|��`09- j1�Sa�Ą�R�T�d��a��{��i� ��$�� f��3� �L�d�15�\�缝�ͷ�zFR��E�7Uz��ۦ7]5��9��@��/��|7��Whq�狎^/� 2j+�۪�$��k!:�KM��vQg�!<z�՞'�lq��CX��<��y?١Cx��&j ��\;M D*Nd�X�k�,1��@��$`�5N2[|Ǔ�m� ��9Z}ai��4�5x��j��A �A>*��`��b9�5�yO]�>��S�_b��ҏ"�ѱ��}�Pt��f��%�� T'Z5F[ ��8�Ӕ�^9�d_�aJ2��S��h8�e�4�X��{�g·�!|Ք��Z+��ᄂcOVB�t;6b��F��i�|�R��\N]��_U�Т8C�s5��n�:�9�&^��!��:y�1��Ϟ��ZDI�%�<W-̐ Dk�I,Y�F"�U�ܪ�ܑ<��t]~6��Y�l�ר6��I/L%i�$V�f��,��h�4��eI��~��vr�D�K{�)�q��I��н��7�d��DnrNj��Y��3��] #l6��1�>��0>�I��LDT_V�`]h�{�?�p�0��TH��\��ھ�IMͩ��?`��*�R�h|=�U�IO�z��#��k��y4I/�j��Tb �� B��Sx!!��C1�%p��j#کZ'-��C�>Rň�C��ut�?ͻ��v�>��$��0#��ѥ��#lI��K��"��h/fq �E ��>�R��S��M��e�Y �f��בɖ�;>��+�3� ��B)��aǴ�,��oC&J��A��auBk�7s��ó9g�{��!��O��\E��M�gg��+J��&��~+5 �>�ǂ��~Q�5�1"l�28k�'�K�}�I��EϽlN�&�]��w��ǵ��!N�)�nŒJ�B 8�Mr7i9��K�x+�@�b8!,$��K�İ�NAH�n��b�n�]u�vM��L�٪(��굕�=R,�cث��o��p��1�k�u��h'��Jc�s��I��+�� F��kG�;M%��C�'q�(�� x�0��k>�S�KD*�`��?�פI��#Pħ��DNg��e�w��م��)vX/��%�w�_֡��d��6U��.�dM�$_5np}�ΥUx�{�YT`�� .��Q��<#�:�%�YdI�~iFX��B�Y

Sections

.text
Size: 324KB - Virtual size: 320KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5.6MB - Virtual size: 5.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

QianLong
Size: 3.7MB - Virtual size: 3.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

QianLong
Size: 2.0MB - Virtual size: 2.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

cb21125ad113dbfdd75b5518563170ef

Headers

File Characteristics

Imports

kernel32

shlwapi

ws2_32

user32

gdi32

advapi32

shell32

winspool.drv

comctl32

wtsapi32

Exports

Exports

Sections

.text Size: 324KB - Virtual size: 320KB

.rdata Size: 24KB - Virtual size: 20KB

.data Size: 5.6MB - Virtual size: 5.7MB

QianLong Size: 3.7MB - Virtual size: 3.7MB

QianLong Size: 2.0MB - Virtual size: 2.0MB

.text
Size: 324KB - Virtual size: 320KB

.rdata
Size: 24KB - Virtual size: 20KB

.data
Size: 5.6MB - Virtual size: 5.7MB

QianLong
Size: 3.7MB - Virtual size: 3.7MB

QianLong
Size: 2.0MB - Virtual size: 2.0MB