MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d0ba6b9fc8d7d6482b7030628c085775997a3601d7478d45a514c1fceecadac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Blackmoon


Vendor detections: 13


Intelligence 13 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d0ba6b9fc8d7d6482b7030628c085775997a3601d7478d45a514c1fceecadac
SHA3-384 hash: 825532b9f7afb6e48faff7f49a1911aee6ef0a441280cd5446d49fac71d3cd9553d7415a08a26a481ff48e290b1add36
SHA1 hash: 687e082d7b63d6f6b89d14fc816e6ddb13115947
MD5 hash: 3a86674436b046de9086e80fb352e5ac
humanhash: kilo-colorado-six-lithium
File name:SecuriteInfo.com.Win32.MalwareX-gen.25730.23232
Download: download sample
Signature Blackmoon
Create hunting rule
File size:5'595'136 bytes
First seen:2024-09-26 14:17:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e06d1687757349c09ec4f136b4660ba (1 x Blackmoon)
ssdeep 98304:rWOKsx0/5AyrFtQVqXpFm1lpcl8oGli+WMalKqjbpUkg1hLmvbiKYlbPeHh0:rWzsanQMXpFm1lpcGMFjbpTg1hGZYVM0
TLSH T14B463349EF763436C2B74374243F694AC9A10EE14F34C9BB07F643CA69B11B669BA143
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter SecuriteInfoCom
Tags:Blackmoon exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
447
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2.01.1.6.6_JK.exe
Verdict:
Malicious activity
Analysis date:
2024-08-26 12:57:27 UTC
Tags:
blackmoon
Link:
https://app.any.run/tasks/cd8d310d-d7aa-426f-b1f0-ba0fc0938d9b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.25730.23232.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66f56d2f56c487103d52da2a
Tags:
Noobyprotect Blackmoon Vmdetect
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Delayed reading of the file
DNS request
Connection attempt
Sending an HTTP POST request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm lolbin microsoft_visual_cc packed packed safengine_shielden shell32
Link:
https://www.filescan.io/uploads/66f56d279b2f79465c04e834/reports/41b98e7e-70fd-433e-96a4-103ad8a4f335/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0d0ba6b9fc8d7d6482b7030628c085775997a3601d7478d45a514c1fceecadac
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Microsoft Corporation
Create hunting rule
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/cc6185df-43c9-41ca-89ae-0594283df8a4
Result
Threat name:
BlackMoon
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1519513
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Yara detected BlackMoon Ransomware
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0d0ba6b9fc8d7d6482b7030628c085775997a3601d7478d45a514c1fceecadac
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0d0ba6b9fc8d7d6482b7030628c085775997a3601d7478d45a514c1fceecadac/
Threat name:
Win32.Infostealer.BlackMoon
Create hunting rule
Status:
Malicious
First seen:
2024-08-26 12:57:29 UTC
File Type:
PE (Exe)
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=buf2nop4rv6wjavxamdcrqefo5mzpi3adv2hrvc2kfgb7txmvwwa._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/240926-rmav1svcjh/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d5aad2bc-057f-4541-a293-161afb37bfa3
Unpacked files
SH256 hash:
0d0ba6b9fc8d7d6482b7030628c085775997a3601d7478d45a514c1fceecadac
MD5 hash:
3a86674436b046de9086e80fb352e5ac
SHA1 hash:
687e082d7b63d6f6b89d14fc816e6ddb13115947
Link:
https://www.unpac.me/results/c1cd8027-4a42-4122-a781-b0c0f38f1a62/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0d0ba6b9fc8d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0d0ba6b9fc8d7d6482b7030628c085775997a3601d7478d45a514c1fceecadac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Blackmoon

Executable exe 0d0ba6b9fc8d7d6482b7030628c085775997a3601d7478d45a514c1fceecadac

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3192397/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
RAS_APIUses Remote AccessKERNEL32.dll::RasHangUpA
SHLWAPI.dll::RasHangUpA
USER32.dll::RasHangUpA
GDI32.dll::RasHangUpA
ADVAPI32.dll::RasHangUpA
WININET.dll::RasHangUpA
WINHTTP.dll::RasHangUpA
WS2_32.dll::RasHangUpA
WINSPOOL.DRV::RasHangUpA
SHELL32.dll::RasHangUpA
COMCTL32.dll::RasHangUpA
RASAPI32.dll::RasHangUpA
WIN_HTTP_APIUses HTTP servicesKERNEL32.dll::WinHttpCrackUrl
SHLWAPI.dll::WinHttpCrackUrl
USER32.dll::WinHttpCrackUrl
GDI32.dll::WinHttpCrackUrl
ADVAPI32.dll::WinHttpCrackUrl
WININET.dll::WinHttpCrackUrl
WINHTTP.dll::WinHttpCrackUrl
WIN_SVC_APICan Manipulate Windows ServicesKERNEL32.dll::ControlService
SHLWAPI.dll::ControlService
USER32.dll::ControlService
GDI32.dll::ControlService
ADVAPI32.dll::ControlService

Comments