MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29773d46780b62c359f71fcacf0dc38a17828b411572f203082a426cffeba0b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Blackmoon


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29773d46780b62c359f71fcacf0dc38a17828b411572f203082a426cffeba0b2
SHA3-384 hash: f4b8d6b760983a88612ac21c9e697e4261a2f1f4dceaf8e5945103350e94add63a99c9452d0282c8db40da334d4890c8
SHA1 hash: dc1a476236ed9454481d0a751540326d28003e2b
MD5 hash: a683a263949c7443317f3dffacf4cb94
humanhash: winter-virginia-sixteen-artist
File name:SecuriteInfo.com.Program.KDU.1.5636.4829
Download: download sample
Signature Blackmoon
Create hunting rule
File size:1'058'304 bytes
First seen:2024-09-28 10:26:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c9cd4d99ae86c9baa4d07bc5b4ef6e9 (1 x Blackmoon)
ssdeep 24576:i4Zxqy4TVxdlhXZhlKuTTAFt/bqNd3ragFcB3J:imd4Zxdlh/EJH/m3rd+L
TLSH T1C43533316AE97D12E6DE42354175FF67C782041AF8ECEC80AEFE180A9429F4C42935E7
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter SecuriteInfoCom
Tags:Blackmoon exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
417
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Program.KDU.1.5636.4829
Verdict:
Malicious activity
Analysis date:
2024-09-28 10:31:30 UTC
Tags:
blackmoon xor-url generic
Link:
https://app.any.run/tasks/1d8d967c-2130-4484-9c9e-b54123bc03a0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Program.KDU.1.5636.4829.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66f7daf379032805ce8ecc25
Tags:
Static Heur Blackmoon Injection Exploit Packed
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin microsoft_visual_cc overlay packed packed shell32 upx
Link:
https://www.filescan.io/uploads/66f7d9f719fd255708d78f80/reports/349a7362-d700-4152-a960-391b4c9e4916/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/29773d46780b62c359f71fcacf0dc38a17828b411572f203082a426cffeba0b2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
HackingTeam
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3fbf25b0-0ec1-42e7-a72c-cee049bbda4f
Result
Threat name:
BlackMoon
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1521463
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected BlackMoon Ransomware
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/29773d46780b62c359f71fcacf0dc38a17828b411572f203082a426cffeba0b2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/29773d46780b62c359f71fcacf0dc38a17828b411572f203082a426cffeba0b2/
Threat name:
Win32.Infostealer.BlackMoon
Create hunting rule
Status:
Suspicious
First seen:
2024-09-28 07:06:43 UTC
File Type:
PE (Exe)
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ff3t2rtybnrmgwpxd7fm6dodrilyfc2bcvzpeayifjbgz77lucza._file
Verdict:
malicious
Label(s):
krbanker
Create hunting rule
Result
Malware family:
blackmoon
Create hunting rule
Score:
  10/10
Tags:
family:blackmoon banker discovery trojan
Link:
https://tria.ge/reports/240928-mg3xds1anm/
Behaviour
Suspicious use of SetWindowsHookEx
System Location Discovery: System Language Discovery
Blackmoon, KrBanker
Detect Blackmoon payload
Verdict:
Malicious
Tags:
blackmoon mofongoloader cobalt_strike
YARA:
n/a
Link:
https://app.threat.zone/submission/91d0f2bf-7878-4647-9dce-b387481424e2
Unpacked files
SH256 hash:
0f63d0cdd05e5308a25e9414136bbc2d1898ea3cfda9388d5af1796b47d40106
MD5 hash:
6206e7bd72ee6c7df5e2a13b19a05303
SHA1 hash:
88260d9da5e75ae2aa7d4a671de0e1807ebf006d
Link:
https://www.unpac.me/results/82700b16-bc57-42ad-b6f1-49aec1423005/
SH256 hash:
e6e9e172eb09df481adbf02c1e26e9e94cf828a3135993ed8d86050c553c66c7
MD5 hash:
bf09f0e34ce9a426b101acd361dda03c
SHA1 hash:
03c2bdba514161a16fe86efb6650cc58d700060d
Link:
https://www.unpac.me/results/82700b16-bc57-42ad-b6f1-49aec1423005/
SH256 hash:
55bd4308a2d63bb7bf9f61519faa7c9c00e283bd48ea32be1177e9040905f607
MD5 hash:
d85eddae57a9a9c5685c19ceeb326063
SHA1 hash:
b59b33e33fd86cf3a5c116c436ae991a2730f1df
Detections:
PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429
Create hunting rule
Link:
https://www.unpac.me/results/82700b16-bc57-42ad-b6f1-49aec1423005/
SH256 hash:
0d598b69dd565f7acea551b87da7d0cfa49ee79703e64aa824bf5c3db5f07195
MD5 hash:
c6069d988bdb295481b0d8e6675d1ae6
SHA1 hash:
737325c985f0b0a50b91e887d977ce14ecf3014f
Detections:
CobaltStrike_Sleeve_BeaconLoader_x86_o_v4_3_v4_4_v4_5_and_v4_6
Create hunting rule
SUSP_XORed_URL_In_EXE
Create hunting rule
CobaltStrike_Sleeve_BeaconLoader_x86_o_v4_3_v4_4_v4_5_and_v4_6
Create hunting rule
SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Link:
https://www.unpac.me/results/82700b16-bc57-42ad-b6f1-49aec1423005/
SH256 hash:
29773d46780b62c359f71fcacf0dc38a17828b411572f203082a426cffeba0b2
MD5 hash:
a683a263949c7443317f3dffacf4cb94
SHA1 hash:
dc1a476236ed9454481d0a751540326d28003e2b
Link:
https://www.unpac.me/results/82700b16-bc57-42ad-b6f1-49aec1423005/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
KRBanker
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/29773d46780b62c359f71fcacf0dc38a17828b411572f203082a426cffeba0b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXv20MarkusLaszloReiser
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Blackmoon

Executable exe 29773d46780b62c359f71fcacf0dc38a17828b411572f203082a426cffeba0b2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3195152/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
RAS_APIUses Remote AccessRASAPI32.dll::RasHangUpA
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyA

Comments