MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e599f4effcb0fc41c1ad4cdb4960df8b1f6253b7cf7c96863f564aebc49008e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Blackmoon


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e599f4effcb0fc41c1ad4cdb4960df8b1f6253b7cf7c96863f564aebc49008e
SHA3-384 hash: 7a010cf367142fdea3f8bc86a60c285e6a9fcd62dc54ca5cf062d9e4616dce87824ee0c79e37a9d03cb71e80643adc52
SHA1 hash: 77f19318a0b2525703bdbd87b99e187e6fba155c
MD5 hash: 2de10499efcfed5daeb44a6989360e15
humanhash: jersey-six-kitten-coffee
File name:setup.exe
Download: download sample
Signature Blackmoon
Create hunting rule
File size:4'980'736 bytes
First seen:2025-04-29 13:59:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d57db542f0a3db5b10e324daca27483d (2 x Blackmoon)
ssdeep 98304:6/kPXmL6CsqApOxMgkLn0GiPWs4g6iRsOaviQmNLQKELbZr8Sp:6/UXmLd3y5n056yFaqFQKer86
Threatray 1 similar samples on MalwareBazaar
TLSH T17F36232323760408E0E5CDBDC9277EA631F717768F43FC7E5AEA69C03A064A4A752953
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10522/11/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter aachum
Tags:Blackmoon exe KRBanker

Intelligence

File Origin
# of uploads :
1
# of downloads :
428
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup.exe
Verdict:
No threats detected
Analysis date:
2025-04-29 14:05:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/351fd345-19b8-402e-9c01-d8153c8dabf2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/5015/
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6810dc22c8b2e86d0ac46f47
Tags:
vmprotect virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
entropy fingerprint keylogger microsoft_visual_cc obfuscated packed packed packed packer_detected virtual vmprotect
Link:
https://www.filescan.io/uploads/6810db71212716475fb0ac5c/reports/11067d5f-2afe-4a42-bc45-0323891623eb/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/1e599f4effcb0fc41c1ad4cdb4960df8b1f6253b7cf7c96863f564aebc49008e
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/20b34d9f-890a-403f-ab49-47321e1ee90d
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1677377
Signature
Antivirus / Scanner detection for submitted sample
Detected VMProtect packer
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1e599f4effcb0fc41c1ad4cdb4960df8b1f6253b7cf7c96863f564aebc49008e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e599f4effcb0fc41c1ad4cdb4960df8b1f6253b7cf7c96863f564aebc49008e/
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2025-04-29 13:59:20 UTC
File Type:
PE (Exe)
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dzmz6tx7zmh4iha22tg3jfqn7cy7mjj3pt34s2dd6vsk5pcjacha._file
Verdict:
malicious
Label(s):
krbanker
Create hunting rule
privateloader
Create hunting rule
Similar samples:
1e599f4effcb0fc41c1ad4cdb4960df8b1f6253b7cf7c96863f564aebc49008e
Blackmoon
error
Blackmoon
Result
Malware family:
blackmoon
Create hunting rule
Score:
  10/10
Tags:
family:blackmoon banker discovery trojan vmprotect
Link:
https://tria.ge/reports/250429-ra4bssy1hx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
System Location Discovery: System Language Discovery
VMProtect packed file
Blackmoon family
Blackmoon, KrBanker
Detect Blackmoon payload
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/866ac684-8363-4266-aa9f-571a179307bf
Unpacked files
SH256 hash:
1e599f4effcb0fc41c1ad4cdb4960df8b1f6253b7cf7c96863f564aebc49008e
MD5 hash:
2de10499efcfed5daeb44a6989360e15
SHA1 hash:
77f19318a0b2525703bdbd87b99e187e6fba155c
Link:
https://www.unpac.me/results/92da8106-2b92-4d59-8ae8-7661e36e5930/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

YoungLotus

Executable exe 30f1434c85fcbfb70b8c294460ee2f7368f4ff1aebfb85e06aac5ed3d5046c47

Blackmoon

Executable exe 1e599f4effcb0fc41c1ad4cdb4960df8b1f6253b7cf7c96863f564aebc49008e

(this sample)

  
Link
https://tria.ge/250429-q3873ssl13/behavioral1
  
Dropped by
SHA256 30f1434c85fcbfb70b8c294460ee2f7368f4ff1aebfb85e06aac5ed3d5046c47
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/5015/
  
Dropped by
MD5 312774722b2a953142e3d39c464fa9df

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::SetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::CreateProcessAsUserA
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::WriteProcessMemory
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::WriteConsoleA
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments