MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14096f9b01306019cb0f790402eab8be314a1332b6d9cdb0ccf35c56aed175b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Blackmoon

Vendor detections: 10

SHA256 hash: 14096f9b01306019cb0f790402eab8be314a1332b6d9cdb0ccf35c56aed175b7
SHA3-384 hash: fac7f0da0cf7d7d7a5e271dd095764df7ed056c6d13ba5639f0bd40de3b7389a10150ff0fae5c750dc1cf4cdbc9dfb2e
SHA1 hash: a1d6b62a2e24d683cdd579a52cf1c862dc379bb0
MD5 hash: 04f9f9265ebf716fb8d155ea311d7e39
humanhash: october-grey-fix-mexico
File name: QQ截图2022-05-07 203509.exe
Signature: Blackmoon
File size: 1'249'380 bytes
First seen: 2022-05-11 12:57:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4d2ad662f0a5e9d21ad01c4944f8cad9 (1 x Blackmoon)
ssdeep: 24576:tgbQ9+3D+NwPhe/z2d1PzKJT+cxaBhZuGlMdFbURZPNxgVkuu2ZUZpYQTtu:2M0z+NwJZd5cT+eoZuGlMfbiZ7wvQ
Threatray: 11'970 similar samples on MalwareBazaar
TLSH: T10645AE33B644F8CAE364207CF1B057603DF96A566C6C80DBAE915E293C7295B2E4770E
TrID: 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: 48455dd1010101be (2 x Blackmoon, 1 x Gh0stRAT)
Reporter: obfusor
Tags: Blackmoon exe RAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 309
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a window

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CursorPosition
CheckCmdLine

Result
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: coinminer flystudio greyware keylogger overlay packed poison virus

Result
Verdict: SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 84 / 100
Signature
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Uses known network protocols on non-standard ports

Result
Threat name: Win32.Trojan.FlyAgent
Status: Malicious
First seen: 2022-05-11 12:58:11 UTC
File Type: PE (Exe)
Extracted files: 53
AV detection: 21 of 26 (80.77%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Unpacked files
SHA256 hash: c94c98e17ebcc8b23b707e29effaef29e64817a9ba0587f9e8d98fb289337e95
MD5 hash: 5fb0af5b24f0a66ac9971b4914311cd4
SHA1 hash: 720c34508de013b05c3ff7c2744ff7bd00006e4e
SHA256 hash: 08f88cec87f11e9d09fad5672a63302f068a27067412c0349f3903835482eff5
MD5 hash: b0a0b0cc60031e972811e6af77eea173
SHA1 hash: ed1d6c0382348ab918f19a3fd4fc9200bfa35d00
SHA256 hash: 14096f9b01306019cb0f790402eab8be314a1332b6d9cdb0ccf35c56aed175b7
MD5 hash: 04f9f9265ebf716fb8d155ea311d7e39
SHA1 hash: a1d6b62a2e24d683cdd579a52cf1c862dc379bb0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: MALWARE_Win_BlackMoon
Author: ditekSHen
Description: Detects executables using BlackMoon RunTime

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments