MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1284ee327c41d0da06a2838194d2376ed3d92f0dfec9dac63a52238c8125740f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Blackmoon


Vendor detections: 15



SHA256 hash: 1284ee327c41d0da06a2838194d2376ed3d92f0dfec9dac63a52238c8125740f
SHA3-384 hash: 438e64991217b52b136e9d539fecf14c4dcabcbf5c685f8042bd33d0c2fa8a65f27b4b7ca72d14053ddcd10c9a4f35bb
SHA1 hash: ca58da3d229ae599a0663a0dbc587fca20d95bda
MD5 hash: ced8ef4a79d487315657632b9923003d
humanhash: louisiana-river-alaska-blue
File name: 1284ee327c41d0da06a2838194d2376ed3d92f0dfec9dac63a52238c8125740f.exe
Signature: Blackmoon
File size: 14'526'575 bytes
First seen: 2024-07-24 11:25:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fced957c3eb170632c72ecf5388f54dc (1 x Blackmoon)
ssdeep: 196608:2ODLXS7IPQPNLUQ6S8as8C/EQx4K2rikIwNLu7vi991uJBV1ptdYQbRti4g:2ODjQIIPNmA0rAc4u76VuJxpt59t9g
Threatray: 122 similar samples on MalwareBazaar
TLSH: T194E62323B280D872C4010A394977DEF471767F625F21A52FBBEA7EFA3E315506E50286
TrID: 28.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
      15.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      13.4% (.EXE) UPX compressed Win32 Executable (27066/9/6)
      13.1% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
      8.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
dhash icon: e8cc1f8971a3a4e4 (1 x Blackmoon)
Reporter: Anonymous
Tags: Blackmoon exe


Anonymous
this malware sample is very nasty!

Intelligence


File Origin
# of uploads: 1
# of downloads: 316
Origin country: FR

Vendor Threat Intelligence
Verdict: Malicious
Score: 99.1%
Tags: Banker Encryption Generic Network Stealth Malware Dexter

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file in the %temp% directory
Creating a file in the Windows directory
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Moving a file to the %temp% directory
Modifying an executable file
Creating a window
Searching for synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the Windows subdirectories
Moving a recently created file
Searching for the window
Creating a file in the Program Files subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Enabling autorun with the shell\open\command registry branches
Infecting executable files
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: cmd darkkomet fingerprint floxif keylogger lolbin makop microsoft_visual_cc overlay packed remote setupapi shell32

Result
Verdict: MALICIOUS

Result
Threat name: BlackMoon, Neshta
Detection: malicious
Classification: rans.spre.troj.expl.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Drops PE files to the document folder of the user
Drops PE files with a suspicious file extension
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sample is not signed and drops a device driver
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Yara detected BlackMoon Ransomware
Yara detected Neshta
Behaviour
Behavior Graph:
Behavior Graph ID: 1479966
Sample: Ia93PTYivQ.exe
Start date: 24/07/2024
Architecture: WINDOWS
Score: 100

Top-level domains and IPs: freedns.afraid.org; xred.mooo.com; 7 other IPs or domains
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; Uses dynamic DNS services (freedns.afraid.org); 12 other signatures

Process tree (node numbers as in the original graph):
Ia93PTYivQ.exe (15)
    Network: qq678833.f08.87yun.club 103.224.212.216, ports 49712, 49714, 49751, TRELLIAN-AS-APTrellianPtyLimitedAU Australia; 77026.bodis.com 199.59.243.226, ports 49713, 49755, 49763, BODIS-NJUS United States
    Dropped: C:\Windows\HD_.exe (PE32); C:\Users\user\Desktop\HD_Ia93PTYivQ.exe (PE32); C:\Users\user\AppData\Local\Temp\1.dat (PE32)
    Signatures: Creates HTML files with .exe extension (expired dropper behavior); Tries to detect virtualization through RDTSC time measurements; Contains functionality to detect sleep reduction / modifications
    Started: HD_Ia93PTYivQ.exe (26)
        Dropped: C:\Users\user\...\._cache_HD_Ia93PTYivQ.exe (PE32); C:\ProgramData\Synaptics\Synaptics.exe (PE32); C:\ProgramData\Synaptics\RCX2B1B.tmp (PE32)
        Started: ._cache_HD_Ia93PTYivQ.exe (33)
            Dropped: C:\Users\user\...\haozhuma_gl_1.8 (1).exe (PE32); C:\Users\user\AppData\Local\...\SB360.exe (PE32)
            Started: SB360.exe (42)
                Dropped: C:\Users\user\Desktop\._cache_SB360.exe (PE32)
                Started: ._cache_SB360.exe (52)
                    Dropped: C:\Windows\svchost.com (PE32); C:\Users\user\Desktop\HD__C83AE~1.EXE (PE32); C:\Users\user\Desktop\._cache__CCC23~1.EXE (PE32); 118 other malicious files
                    Signatures: Creates an undocumented autostart registry key; Drops PE files with a suspicious file extension; Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS); 2 other signatures
                    Started: ._cache_SB360.exe (60)
                        Dropped: C:\Users\user\...\._cache_._cache_SB360.exe (PE32)
                        Started: ._cache_._cache_SB360.exe (69)
                            Dropped: C:\Users\user\...\HD_._cache__CACHE~1.EXE (PE32); C:\Users\user\Desktop\._cache__CD249~1.EXE (PE32); C:\Users\user\Desktop\._cache__C2526~1.EXE (PE32); 65 other malicious files
                            Signatures: Infects executable files (exe, dll, sys, html)
                            Started: svchost.com (79)
                                Dropped: C:\Windows\directx.sys (ASCII)
                                Signatures: Sample is not signed and drops a device driver
                                Started: ._cache_._cache_SB360.exe (85)
                                    Dropped: C:\Users\user\Desktop\._cache__CACHE~2.EXE (PE32)
                Started: ._cache__CACHE~2.EXE (56)
                    Started: svchost.com (63)
                        Started: ._cache__CACHE~2.EXE (73)
                            Dropped: C:\Users\user\Desktop\._cache__CACHE~3.EXE (PE32)
            Started: haozhuma_gl_1.8 (1).exe (45)
                Dropped: C:\Users\user\AppData\Local\...\LibHttp.dll (PE32)
                Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Started: Synaptics.exe (36)
            Network: freedns.afraid.org 69.42.215.252, ports 49729, 80, AWKNET-LLCUS United States; drive.usercontent.google.com 142.250.186.97, ports 443, 49732, 49733, GOOGLEUS United States; docs.google.com 172.217.18.14, ports 443, 49725, 49726, GOOGLEUS United States
            Dropped: C:\Users\user\Documents\~$cache1 (PE32); C:\Users\user\AppData\Local\...\WYJOTWYu.exe (PE32); C:\Users\user\AppData\Local\...\RCX4413.tmp (PE32); C:\Users\user\AppData\Local\...\RCX3898.tmp (PE32)
            Signatures: Drops PE files to the document folder of the user
            Started: WerFault.exe (48)
svchost.com (20)
    Started: Ia93PTYivQ.exe (29)
        Dropped: C:\Users\user\Desktop\HD_IA93PT~1.EXE (PE32); C:\Users\user\AppData\Local\...\RCX6D17.tmp (PE32); C:\Users\user\AppData\Local\...\RCX5B53.tmp (PE32)
        Started: HD_IA93PT~1.EXE (40)
            Dropped: C:\Users\user\...\._cache_HD_IA93PT~1.EXE (PE32)
            Started: svchost.com (50)
                Started: ._cache_HD_IA93PT~1.EXE (58)
                    Started: svchost.com (65)
                        Started: SB360.exe (75)
                            Started: svchost.com (83)
                                Started: ._cache_SB360.exe (88)
                                    Started: svchost.com (90)
                    Started: svchost.com (67)
                        Started: haozhuma_gl_1.8 (1).exe (77)
                            Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process
EXCEL.EXE (22)
    Network: s-part-0032.t-0009.t-msedge.net 13.107.246.60, ports 443, 52160, 52161, MICROSOFT-CORP-MSN-AS-BLOCKUS United States
svchost.com (24)
    Started: Synaptics.exe (31)
Threat name: Win32.Packed.Generic
Status: Suspicious
First seen: 2024-04-30 06:53:00 UTC
AV detection: 33 of 38 (86.84%)
Threat level: 1/5

Result
Malware family: purplefox
Score: 10/10
Tags: family:blackmoon family:neshta family:purplefox aspackv2 banker bootkit discovery persistence rootkit spyware stealer trojan upx
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Enumerates connected drives
Writes to the Master Boot Record (MBR)
ASPack v2.12-2.42
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Reads user/profile data of web browsers
UPX packed file
Blackmoon, KrBanker
Detect Blackmoon payload
Detect Neshta payload
Detect PurpleFox Rootkit
Neshta
PurpleFox
Unpacked files
SHA256 hash: a8df709495ab9ea938880b1ebe744b33bc163b2fe576ce7e585caef7c846b718
MD5 hash: 7a4736888da0afc969d14e920c115533
SHA1 hash: 41d2322ab981f541962d862b693b6d203d4669b0

SHA256 hash: 4cc9f81836ce27226f2b4a795a44772148c8515892770e8811411a92298568fb
MD5 hash: d23614451ec39a4fe0e40d06ea2f4545
SHA1 hash: 51bdcda5d84f8704693fa06b66811803dc71c131

SHA256 hash: b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash: c0ef4d6237d106bf51c8884d57953f92
SHA1 hash: f1da7ecbbee32878c19e53c7528c8a7a775418eb

SHA256 hash: 1284ee327c41d0da06a2838194d2376ed3d92f0dfec9dac63a52238c8125740f
MD5 hash: ced8ef4a79d487315657632b9923003d
SHA1 hash: ca58da3d229ae599a0663a0dbc587fca20d95bda
Detections: BlackmoonBanker
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants

Rule name: Borland
Author: malware-lu

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name: D1S1Gv11betaD1N
Author: malware-lu

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Hacktools_CN_Panda_andrew
Author: Florian Roth
Description: Disclosed hacktool set - file andrew.exe - sethc.exe Debugger backdoor

Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: UPX20030XMarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu

Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu

Rule name: UPXv20MarkusLaszloReiser
Author: malware-lu

Rule name: vbaproject_bin
Author: CD_R0M_
Description: {76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

Rule name: Windows_Generic_Threat_046aa1ec
Author: Elastic Security

Rule name: without_attachments
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the no presence of any attachment
Reference: http://laboratorio.blogs.hispasec.com/

Rule name: with_urls
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the presence of an or several urls
Reference: http://laboratorio.blogs.hispasec.com/

Rule name: yara_template

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Blackmoon
Executable exe 1284ee327c41d0da06a2838194d2376ed3d92f0dfec9dac63a52238c8125740f (this sample)
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                 | Title                                                       | Severity
CHECK_AUTHENTICODE | Missing Authenticode                                        | high
CHECK_NX           | Missing Non-Executable Memory Protection                    | critical
CHECK_PIE          | Missing Position-Independent Executable (PIE) Protection    | high

Reviews
ID                 | Capabilities                      | Evidence
COM_BASE_API       | Can Download & Execute components | ole32.dll::CoCreateInstance
RAS_API            | Uses Remote Access                | RASAPI32.dll::RasGetConnectStatusA, RASAPI32.dll::RasHangUpA
WIN32_PROCESS_API  | Can Create Process and Threads    | KERNEL32.dll::CreateProcessA, KERNEL32.dll::CloseHandle, WININET.dll::InternetCloseHandle
WIN_BASE_API       | Uses Win Base API                 | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetDriveTypeA, KERNEL32.dll::GetStartupInfoA, KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API  | Can Execute other programs        | KERNEL32.dll::SetStdHandle
WIN_BASE_IO_API    | Can Create Files                  | KERNEL32.dll::CopyFileA, KERNEL32.dll::CreateFileA, KERNEL32.dll::DeleteFileA, KERNEL32.dll::GetWindowsDirectoryA, KERNEL32.dll::GetSystemDirectoryA, KERNEL32.dll::FindFirstFileA
WIN_REG_API        | Can Manipulate Windows Registry   | ADVAPI32.dll::RegCreateKeyExA, ADVAPI32.dll::RegOpenKeyExA, ADVAPI32.dll::RegOpenKeyA, ADVAPI32.dll::RegSetValueExA
WIN_USER_API       | Performs GUI Actions              | USER32.dll::EmptyClipboard, USER32.dll::OpenClipboard, USER32.dll::PeekMessageA, USER32.dll::CreateWindowExA

Comments



Kasibe commented on 2024-07-25 12:10:34 UTC

DarkKomet