MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5830e0703e93cc2d8a1ba6377650ff5f7b8cbb36d58122c613fa56930f71a88d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BlackMoon


Vendor detections: 16



SHA256 hash: 5830e0703e93cc2d8a1ba6377650ff5f7b8cbb36d58122c613fa56930f71a88d
SHA3-384 hash: 3be7fa539fe364b95330482c15dd59187bebb238314d5ceaa6e2029eb9ce4f0c1c10e96834c09d58e812c030ffac1592
SHA1 hash: dc477ae9d4382ce27acb7e13ea03271401c8aec3
MD5 hash: ec74a5e98f17fae94c07d4fe35dd7558
humanhash: purple-massachusetts-skylark-lemon
File name: 5830e0703e93cc2d8a1ba6377650ff5f7b8cbb36d58122c613fa56930f71a88d.exe
Download: download sample
Signature: BlackMoon
File size: 18'197'504 bytes
First seen: 2024-07-24 14:38:03 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 332f7ce65ead0adfb3d35147033aabe9 (81 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep: 196608:3LUKXbeO7ELKQfmKZbZLXGGIT2I9BeimM2b:357EV+xTVI
Threatray: 2 similar samples on MalwareBazaar
TLSH: T1D2076C51F99780B1EA07543088A7927F97306A094B64CBD7FA5CBED8FF376D12A32109
TrID:
  38.2% (.EXE) Inno Setup installer (107240/4/30)
  20.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  15.3% (.EXE) InstallShield setup (43053/19/16)
  14.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
  3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
dhash icon: 9633c3cc2cce2b9a (3 x BlackMoon, 1 x XWorm, 1 x Neshta)
Reporter: Anonymous
Tags: Blackmoon exe


Anonymous
this malware sample is very nasty!

Intelligence


File Origin
# of uploads: 1
# of downloads: 317
Origin country: FR

Vendor Threat Intelligence
Verdict: Malicious
Score: 99.9%
Tags: Execution Generic Infostealer Network Stealth Trojan Delphi
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Moving a recently created file
Creating a file in the %temp% directory
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Launching a process
Searching for the window
Moving a file to the %temp% directory
Modifying an executable file
Creating a file in the drivers directory
Loading a system driver
Running batch commands
Creating a process with a hidden window
DNS request
Connection attempt
Sending an HTTP GET request
Sending a UDP request
Launching the process to change network settings
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Query of malicious DNS domain
Infecting executable files
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug cmd evasive explorer fingerprint lolbin packed packed rat remote rundll32 shell32
Result
Verdict: MALICIOUS
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Gh0stCringe, GhostRat, Mimikatz, Running
Detection: malicious
Classification: bank.troj.expl.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks if browser processes are running
Contains functionality to detect sleep reduction / modifications
Creates a Windows Service pointing to an executable in C:\Windows
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the document folder of the user
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Sample is not signed and drops a device driver
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Gh0stCringe
Yara detected GhostRat
Yara detected Mimikatz
Yara detected RunningRAT
Behaviour
Behavior Graph (ID 1480261; sample qGJBgGtR7e.exe; start date 24/07/2024; architecture WINDOWS; score 100)

Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 17 other signatures

Network indicators:
  freedns.afraid.org (69.42.215.252; ports 49727, 80; AWKNET-LLCUS, United States), contacted by Synaptics.exe; flagged "Uses dynamic DNS services"
  xred.mooo.com, contacted by Synaptics.exe
  s-part-0014.t-0009.t-msedge.net (13.107.246.42; ports 443, 50009, 50010; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States), contacted by one of the 6 other top-level processes
  www.wshifen.com (103.235.46.96; ports 49716, 80; BAIDU Beijing Baidu Netcom Science and Technology Co Ltd, Hong Kong), contacted by ._cache_HD_._cache_qGJBgGtR7e.exe
  127.0.0.1 (unknown), contacted by PING.EXE
  8 other IPs or domains at sample level; 2 other IPs or domains contacted by Synaptics.exe

Process tree, dropped files and per-process signatures:
qGJBgGtR7e.exe
  dropped: C:\Users\user\...\._cache_qGJBgGtR7e.exe (PE32); C:\ProgramData\Synaptics\Synaptics.exe (PE32); C:\ProgramData\Synaptics\RCX2E5C.tmp (PE32); C:\...\Synaptics.exe:Zone.Identifier (ASCII)
  ._cache_qGJBgGtR7e.exe
    dropped: C:\Users\user\...\HD_._cache_qGJBgGtR7e.exe (PE32); C:\Users\user\AppData\Local\...\RCXA4A7.tmp (PE32); C:\Users\user\AppData\Local\...\RCX45BD.tmp (PE32); 3 other malicious files
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    HD_._cache_qGJBgGtR7e.exe
      dropped: C:\...\._cache_HD_._cache_qGJBgGtR7e.exe (PE32)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
      ._cache_HD_._cache_qGJBgGtR7e.exe
        dropped: C:\Users\user\Desktop\data.dll (PE32); C:\Users\user\...\...........lnk (copy) (PE32); C:\Users\user\Desktop\            \...\.ink (PE32); 2 other malicious files
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Uses netsh to modify the Windows network and firewall settings
        netsh.exe
          conhost.exe
        netsh.exe
          conhost.exe
    N.exe
      dropped: C:\Windows\SysWOW64\TXPlatfor.exe (PE32)
      cmd.exe
        signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
        PING.EXE
        conhost.exe
      dllhost.exe
    R.exe
      dropped: C:\Windows\SysWOW64\6564156.txt (PE32)
      signatures: Creates a Windows Service pointing to an executable in C:\Windows
  Synaptics.exe
    dropped: C:\Users\user\DocumentsbehaviorgraphAOBCVIQIJ\~$cache1 (PE32)
    signatures: Drops PE files to the document folder of the user
    WerFault.exe
    WerFault.exe
TXPlatfor.exe
  signatures: Multi AV Scanner detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them
  TXPlatfor.exe
    dropped: C:\Windows\System32\drivers\QAssist.sys (PE32+)
    signatures: Sample is not signed and drops a device driver
svchost.exe
  dropped: C:\Windows\SysWOW64\Remote Data.exe (PE32)
  Remote Data.exe
    signatures: Opens the same file many times (likely Sandbox evasion)
6 other processes
  signatures: Checks if browser processes are running; Contains functionality to detect sleep reduction / modifications
  WerFault.exe
  splwow64.exe
  WerFault.exe
  9 other processes
Threat name: Win32.Trojan.Synaptics
Status: Malicious
First seen: 2024-07-07 06:38:41 UTC
File Type: PE (Exe)
Extracted files: 321
AV detection: 24 of 24 (100.00%)
Threat level: 5/5
Result
Malware family: purplefox
Score: 10/10
Tags: family:gh0strat family:purplefox discovery macro persistence privilege_escalation rat rootkit trojan upx
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Drivers directory
Server Software Component: Terminal Services DLL
Sets service image path in registry
Suspicious Office macro
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
PurpleFox
Unpacked files
SHA256 hash:
6ec12115fbf6d7f9a39ebc65ebb390da2f1e2c8ff98ec8ae156d39008b6bcacc
MD5 hash:
da78606bc86e771602b3e9ca3dc4db37
SHA1 hash:
1080d39c42e1173489a7b23689d85ee154a9fb9c
SHA256 hash:
b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash:
c0ef4d6237d106bf51c8884d57953f92
SHA1 hash:
f1da7ecbbee32878c19e53c7528c8a7a775418eb
SHA256 hash:
f7d1da0c348c0fb5715f09981b266930df7bf0a6378af292b0e9480c662fe77c
MD5 hash:
0c62737a9264f5a87b95e19026c733b4
SHA1 hash:
eaa4546978289c1e96cd008cacb5a79615818355
SHA256 hash:
b6ad927ce7a5281f1b71be347b6ee4b920a8ef90f104c6a5cc56082fba0c3528
MD5 hash:
d4ef6ce7414ad6377d34d704a398642d
SHA1 hash:
7650a0b1160a9ff501592bcb5533da972f97caa3
SHA256 hash:
bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
MD5 hash:
8dc3adf1c490211971c1e2325f1424d2
SHA1 hash:
4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
SHA256 hash:
18cd824faf1a0cc7c97f7139dcfda7914f9042bdb051c2043f9cc450ae300094
MD5 hash:
fd60f3b062474eca30a70e010e91c7a8
SHA1 hash:
19da119258107624c10b68acaab91223860f7b6a
SHA256 hash:
1db1795c9551b94b4a424e0fa6ae900347e3a93dd23742dda666adf7ec461825
MD5 hash:
8e4ffeab659a1c869c416f2a4b57a8d8
SHA1 hash:
036dad25d6c830af47321ecb47047ee074a57451
SHA256 hash:
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
MD5 hash:
4a36a48e58829c22381572b2040b6fe0
SHA1 hash:
f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA256 hash:
8b24c85b5325e2ceff531651a74274409518fb2ff11ef258d2675377b0c9b5a2
MD5 hash:
af1ec73c78d5428c204009f3fab1db67
SHA1 hash:
3f523439f4bcc49175f26e056b66932a1592c30a
SHA256 hash:
d5e68a1c65280cb8497e7cb95bd0013d79cb728c30fe7821315915946b88251c
MD5 hash:
1722acf805e3328b38ec95d4f8842e76
SHA1 hash:
a7da4196731c3fcb034227a4a9ce6038befa97f5
SHA256 hash:
01a7d8088c631988c03430795e80edf07123047294ee4a6fc260eb29b7515346
MD5 hash:
a92db0cd60e2a9c3625c4e61f5e9623b
SHA1 hash:
7944609760ad0bbb86b1c3efd9da9292dc710ddc
SHA256 hash:
06bee582e280fe7d935097943f9196c6b6a7cb64992235a261ddfb35200371ba
MD5 hash:
79d99472ecaea3b91ee25d4294073a80
SHA1 hash:
88d1e56a6e00c0db68bdfb5700feb03bd5ae0141
SHA256 hash:
780694ff0d139490d704eefede5026a1e3041cafd684ab78d65c1c03c3255438
MD5 hash:
0f1dbb55b1c87fdb17a100ea8df21dec
SHA1 hash:
2f218f30ca6185c6d60ab014227cd6be58a76585
SHA256 hash:
5830e0703e93cc2d8a1ba6377650ff5f7b8cbb36d58122c613fa56930f71a88d
MD5 hash:
ec74a5e98f17fae94c07d4fe35dd7558
SHA1 hash:
dc477ae9d4382ce27acb7e13ea03271401c8aec3
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: adonunix2
Author: Tim Brown @timb_machine
Description: AD on UNIX

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: BobSoftMiniDelphiBoBBobSoft
Author: malware-lu

Rule name: Borland
Author: malware-lu

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name: D1S1Gv11betaD1N
Author: malware-lu

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__ConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: GoBinTest

Rule name: golang

Rule name: golang_binary_string
Description: Golang strings present

Rule name: identity_golang
Author: Eric Yocam
Description: find Golang malware

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: QbotStuff
Author: anonymous

Rule name: reverse_http
Author: CD_R0M_
Description: Identify strings with http reversed (ptth)

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: vbaproject_bin
Author: CD_R0M_
Description: {76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

Rule name: Windows_Generic_Threat_3f060b9c
Author: Elastic Security

Rule name: yara_template

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Category: Malspam
Signature: BlackMoon
File: Executable exe 5830e0703e93cc2d8a1ba6377650ff5f7b8cbb36d58122c613fa56930f71a88d (this sample)
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
COM_BASE_API | Can Download & Execute components | ole32.dll::CLSIDFromProgID, ole32.dll::CoCreateInstance
SECURITY_BASE_API | Uses Security Base API | advapi32.dll::AdjustTokenPrivileges
SHELL_API | Manipulates System Shell | shell32.dll::ShellExecuteExA
WIN32_PROCESS_API | Can Create Process and Threads | kernel32.dll::CreateProcessA, advapi32.dll::OpenProcessToken, kernel32.dll::OpenProcess, kernel32.dll::CloseHandle, wininet.dll::InternetCloseHandle, kernel32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | kernel32.dll::TerminateProcess, kernel32.dll::LoadLibraryExA, kernel32.dll::LoadLibraryA, kernel32.dll::GetDriveTypeA, kernel32.dll::GetSystemInfo, kernel32.dll::GetStartupInfoA
WIN_BASE_IO_API | Can Create Files | kernel32.dll::CopyFileA, kernel32.dll::CreateDirectoryA, kernel32.dll::CreateFileA, kernel32.dll::CreateFileMappingA, kernel32.dll::DeleteFileA, kernel32.dll::MoveFileA
WIN_BASE_USER_API | Retrieves Account Information | kernel32.dll::GetComputerNameA, advapi32.dll::GetUserNameA, advapi32.dll::LookupPrivilegeValueA
WIN_REG_API | Can Manipulate Windows Registry | advapi32.dll::RegCreateKeyExA, advapi32.dll::RegNotifyChangeKeyValue, advapi32.dll::RegOpenKeyExA, advapi32.dll::RegQueryValueExA, advapi32.dll::RegSetValueExA
WIN_SVC_API | Can Manipulate Windows Services | advapi32.dll::OpenSCManagerA
WIN_USER_API | Performs GUI Actions | user32.dll::ActivateKeyboardLayout, user32.dll::CreateMenu, user32.dll::FindWindowA, user32.dll::PeekMessageA, user32.dll::CreateWindowExA

Comments



Kasibe commented on 2024-07-25 12:08:36 UTC

DarkKomet