MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b373ba723ae5bee2fdecb385900b6b4ff5ad4ab8fe5bfd21ebb0211dd473eb3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Blackmoon

Vendor detections: 2

Intelligence 2 IOCs YARA 2 File information Comments

SHA256 hash:	0b373ba723ae5bee2fdecb385900b6b4ff5ad4ab8fe5bfd21ebb0211dd473eb3
SHA3-384 hash:	70c8b822052814564de6ef90b7142ec177efa489d90ebe9d22d996dcc98896a60fc0b02611930efec510deefcb926828
SHA1 hash:	4dfcd4e786647720aa0e8a3aba91d9e77756daf2
MD5 hash:	b95ce7a08fde906601730b66795a8769
humanhash:	neptune-happy-texas-october
File name:	0b373ba723ae5bee2fdecb385900b6b4ff5ad4ab8fe5bfd21ebb0211dd473eb3
Download:	download sample
Signature	Blackmoon Create hunting rule
File size:	551'936 bytes
First seen:	2020-03-23 18:53:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	aa0eec3ac12029f53fe3f31bfe84046c (1 x Blackmoon)
ssdeep	12288:icKw115YkKMBd8uBi78+wvxqJ+xayP9plU+Zix8A7x50ZTQwsXdbAZ4b:XKw1c63P2UvEJfyPG+oCQDXdbA
Threatray	23 similar samples on MalwareBazaar
TLSH	7BC4238FDB60FA35E1BAD13210EFDEFB66267D20A02452867AC43C077EB67650D0B491
Reporter	Marco_Ramilli
Tags:	Blackmoon exe

Intelligence

File Origin

# of uploads :

# of downloads :

121

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.PECompact-2

PUA.Win.Packer.PecompactHeuris-1

PUA.Win.Packer.Pecompact-72

PUA.Win.Packer.Pecompact-74

PUA.Win.Packer.Pecompact-75

PUA.Win.Packer.Pecompact-69

SecuriteInfo.com.Generic_r.IWX.12265.32555.UNOFFICIAL

PUA.Win.Adware.Softpulse-6693799-0

Gathering data

Threat name:

Win32.Trojan.Banker

Status:

Malicious

First seen:

2016-09-21 09:42:00 UTC

AV detection:

30 of 31 (96.77%)

Threat level:

2/5

Verdict:

suspicious

Blackmoon

270c10b611fa95a41054622c5caed5e88a7b3ec9c2ffaec93725b95b6d6d5aa3

Blackmoon

2d40a6c3d1200616055b55031daa8a6b010b3c99219f6b6da87bcd2b2f27d6c2

Blackmoon

2de69c2d371c790dd7977c5778e4c3cc1c9df180e8075a490e8eda4a1536bc63

Blackmoon

668ec5b9759f0349cc79113c4d2bb62ebf2239de79532f97248b242df8608a3c

Blackmoon

846481e2b8fa290c2cb12b0c8803305435c9833c4c791f3d4d989db6f51838c5

Blackmoon

a3d9ff9c48053f4e1ace3a4988f83763467735a5de5a40df41b8dba3c3c5c931

Blackmoon

ae2ee9f58ee2c27d739190e1176d8898a49ddac0c36e392115f12309ac07e63a

Blackmoon

b571436ef8d4284f5dabee122973c8710965a31de19f80f7a8a62cb8cea8f1d6

Blackmoon

f080b66a335bf45b2c6f95f9cf3478f82438d518af26053d093b137b5dd01393

Blackmoon

+ 13 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name:	win_krbanker_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Blackmoon

exe 0b373ba723ae5bee2fdecb385900b6b4ff5ad4ab8fe5bfd21ebb0211dd473eb3

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/95721/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CLSIDFromProgID
DNS_API	Performs DNS calls	DNSAPI.dll::DnsQuery_A
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryA
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample