MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 678f39a7f5bc61c4c9a0f34a0fe44f49fea5349cd51f9c8808ee2b6602ff1d79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Blackmoon

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	678f39a7f5bc61c4c9a0f34a0fe44f49fea5349cd51f9c8808ee2b6602ff1d79
SHA3-384 hash:	6159d988d477309048cf7e540a23ed9a7b6b4c42b45e3e192ce08ddf8cd89cf4325a49146e80e8bc33b299fe36f81c83
SHA1 hash:	bf8bf87788034e67399584ea672031366b13db61
MD5 hash:	03970e27a3e5fbbffbbc249769f9f3bf
humanhash:	nevada-eleven-crazy-delta
File name:	678f39a7f5bc61c4c9a0f34a0fe44f49fea5349cd51f9c8808ee2b6602ff1d79
Download:	download sample
Signature	Blackmoon Create hunting rule
File size:	688'472 bytes
First seen:	2022-01-04 09:03:45 UTC
Last seen:	2022-01-04 11:02:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	163ce73e6369b6830f7ee781052d2470 (1 x Blackmoon)
ssdeep	6144:x9ZURaJOfiCIorsoCv0h7E9cwFyNkkCIjq7O3IWU+MagLMNLeJFuxmXROnWnK6ia:x8Ry8ixorsoC8ZGVYd3nUrCfsXRzK6ia
Threatray	135 similar samples on MalwareBazaar
TLSH	T196E48D06BED280FFD655193014BA67769A3A5B020B35CFC39398DF592D33171AE3A13A
File icon (PE):
dhash icon	a261bae8d2a896ca (39 x Blackmoon, 9 x Gh0stRAT, 3 x CobaltStrike)
Reporter	JAMESWT_WT
Tags:	42 192 232 209 Blackmoon exe signed

Code Signing Certificate

Organisation:	iPhone Distribution: China Mobile Group Shandong Co., Ltd.
Issuer:	Apple Worldwide Developer Relations Certification Authority
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-05-07T06:07:32Z
Valid to:	2024-05-06T06:07:31Z
Serial number:	7dd984a17e2bf0bddf54abe8cd583e42
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	384fde6e3c3e8cc10ba16b948beba37536823aeab9847027782431ca94de78e2
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

2

# of downloads :

222

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

678f39a7f5bc61c4c9a0f34a0fe44f49fea5349cd51f9c8808ee2b6602ff1d79

Verdict:

No threats detected

Analysis date:

2022-01-04 09:05:21 UTC

Tags:

installer

Link:

https://app.any.run/tasks/f2b8db7d-ea40-4e18-9e47-90f650002f30

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/217234/

Detection(s):

SecuriteInfo.com.Trojan005246d51.14116.12142.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for synchronization primitives

Creating a window

DNS request

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/3802/overview

Behaviour

MalwareBazaar

CursorPosition

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

chinad greyware keylogger overlay packed wacatac

Link:

https://www.filescan.io/uploads/61d40d8892bdc4b4077d88e8/reports/724ce288-3f55-420a-a48e-3426210b122c/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2936ba72-6e2a-48cb-aeb9-1a3adcfdc6dd

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/915158

Signature

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/678f39a7f5bc61c4c9a0f34a0fe44f49fea5349cd51f9c8808ee2b6602ff1d79/

Threat name:

Win32.Trojan.Emotet

Status:

Malicious

First seen:

2021-11-17 17:43:00 UTC

File Type:

PE (Exe)

Extracted files:

50

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Verdict:

malicious

Similar samples:

10835966177c277d70fae42109ddacccea06ab0c576709e9a68ec768840882ae

15de7f8defad6bace8c44bd3bd7725c10c0dc8336a58a7e8d92075a651fd61d0

2e13c882d28c2236893a0a543e67c74a4f2e560d98c98b800f95c07938156a37

37877d87fff1b903df41bdb21fb500b0371f72de500c6f6768aec4d76966de67

435858766d123afb7afef259fca8564e883fffce4bdebe7da7b047f8030dfe4f

7333ddf4a7e53eeda33a8360b307471358597aeff78f4a5a7f4610640f97bdc7

76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306

795eaa68705bc7de86df67b899d98c9bf359e5173ed3a1544f1a721a0316fca6

f4158e798cb1c425cd5c50250f7016e9acd26bae7373e46585907682f120c546

+ 125 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/220104-k1lq4sgaa3/

Behaviour

Suspicious use of SetWindowsHookEx

Unpacked files

SH256 hash:

678f39a7f5bc61c4c9a0f34a0fe44f49fea5349cd51f9c8808ee2b6602ff1d79

MD5 hash:

03970e27a3e5fbbffbbc249769f9f3bf

SHA1 hash:

bf8bf87788034e67399584ea672031366b13db61

Link:

https://www.unpac.me/results/fd48e40e-5342-465c-bccd-97c6ed748ca9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/678f39a7f5bc61c4c9a0f34a0fe44f49fea5349cd51f9c8808ee2b6602ff1d79

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/217234/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample