MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1994b5aea0ffc20364530c024facd27e8f0733818f1ef59776256f2d7b384b9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Blackmoon

Vendor detections: 9

Intelligence 9 IOCs YARA 6 File information Comments

SHA256 hash:	1994b5aea0ffc20364530c024facd27e8f0733818f1ef59776256f2d7b384b9d
SHA3-384 hash:	e8193a84b340a5b6b5336e4c01ab2a3fa596f13c2f8bac980b3275a77303e52b8fd591dbfacde8123e58afd32c5a9c84
SHA1 hash:	e3f898a52f4adfc187e3537d40858c902cdf925d
MD5 hash:	90bf43830eb35be9af84c6eaaef3c103
humanhash:	arizona-lamp-sixteen-mars
File name:	90bf43830eb35be9af84c6eaaef3c103.exe
Download:	download sample
Signature	Blackmoon Create hunting rule
File size:	1'204'224 bytes
First seen:	2023-10-17 06:22:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7c23581b37507842bd454e05a03cddf7 (1 x Blackmoon)
ssdeep	24576:cAEXKiDI9T4512XfHRX8SbaWR3kM4AyQidz5M6:ceTTtRXPpNkHT
Threatray	33 similar samples on MalwareBazaar
TLSH	T198458E52B46240B2C2052731ECE7A3FEA9788F6A0F318AC39764FD785DB15E1973714A
TrID	38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 13.0% (.EXE) Win64 Executable (generic) (10523/12/4) 8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	a261bae8d2a896ca (39 x Blackmoon, 9 x Gh0stRAT, 3 x CobaltStrike)
Reporter	abuse_ch
Tags:	Blackmoon exe

Intelligence

File Origin

# of uploads :

# of downloads :

330

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/455175/

Detection(s):

SecuriteInfo.com.Win32.TrojanX-gen.9133.23323.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file

Sending a custom TCP request

Сreating synchronization primitives

Creating a process from a recently created file

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control greyware keylogger lolbin shell32

Link:

https://www.filescan.io/uploads/652e28fa422e14c65a9114d6/reports/451997ca-3db6-4147-83bd-b76b6d7243a8/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/1994b5aea0ffc20364530c024facd27e8f0733818f1ef59776256f2d7b384b9d

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/024f7360-b2c6-468f-b6b6-a3bc4f20d9cd

Result

Threat name:

n/a

Detection:

malicious

Classification:

spyw.evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1327038

Signature

Contains functionality to modify clipboard data

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1994b5aea0ffc20364530c024facd27e8f0733818f1ef59776256f2d7b384b9d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1994b5aea0ffc20364530c024facd27e8f0733818f1ef59776256f2d7b384b9d/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2023-10-17 06:23:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

12 of 23 (52.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dgklllva77bagzctbqbe7lgsp2hqom4br4pplf3wevxs26zyjooq._file

Verdict:

malicious

Blackmoon

1948cbc56b010af69cab63977edb0dfb76de1520291fd9eac8777a887f006adc

Blackmoon

56133c0d017af35f49253926e3583cf72c36146ab7faa65b6058971685166652

Blackmoon

6ce171619dd97a51a8d5e6a4eaeea86f4fea6ed400c9e0a879b690b4fbd0a6b4

Blackmoon

799b7395c9f279d8cd1cd24657788ecb37db7ae03c0dddeb3344a95a551d1325

Blackmoon

b02b469a0902282b16e80a46be10ccfafed6a4fce5ec7bc65da0b9764c044ef4

Blackmoon

c47a2878fc31c893ecead34851c697424e9e159e34c2ed5c93d6b69cee90cb66

Blackmoon

dd0ec925f314210edfffb5638487233cbed59aabcf085d2d372527124ebc759e

Blackmoon

faaf2d27ca3c7a332b9c9474b869931e614e77697d30703c4f2c02b14237b019

Blackmoon

fdb6ea9de0be18ad1f1418aa6dd3ce73db50d6abab7b27d274eeb15940a3bc31

Blackmoon

+ 23 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/231017-g5gfeahh9s/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unpacked files

SH256 hash:

1994b5aea0ffc20364530c024facd27e8f0733818f1ef59776256f2d7b384b9d

MD5 hash:

90bf43830eb35be9af84c6eaaef3c103

SHA1 hash:

e3f898a52f4adfc187e3537d40858c902cdf925d

Link:

https://www.unpac.me/results/2956ccb4-7d3a-41a2-b06e-f8a5afc3bf94/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1994b5aea0ffc20364530c024facd27e8f0733818f1ef59776256f2d7b384b9d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CMD_Ping_Localhost Create hunting rule

Rule name:	Hacktools_CN_Panda_andrew Create hunting rule
Author:	Florian Roth
Description:	Disclosed hacktool set - file andrew.exe - sethc.exe Debugger backdoor

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/455175/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample