MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93cf0ded4e46a85580a71a48968fcf56a14c1d25c339b2651d99994fa4ddddfc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Blackmoon


Vendor detections: 14


Intelligence 14 IOCs YARA 53 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93cf0ded4e46a85580a71a48968fcf56a14c1d25c339b2651d99994fa4ddddfc
SHA3-384 hash: f7303c65d1375f4b277276cfafea695e302c6e465931261bd14e78973a38791d019484b99f17316dd4f33213b7d58fe7
SHA1 hash: f1c5f2300a25791638486f6877ef15595c317d48
MD5 hash: 3b1f63c4264774b0fafbd343170e6edf
humanhash: floor-william-wisconsin-artist
File name:93CF0DED4E46A85580A71A48968FCF56A14C1D25C339B2651D99994FA4DDDDFC.exe
Download: download sample
Signature Blackmoon
Create hunting rule
File size:14'237'190 bytes
First seen:2024-05-18 02:08:19 UTC
Last seen:2024-07-24 19:10:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 09d0478591d4f788cb3e5ea416c25237 (4 x Worm.Mofksys, 3 x Blackmoon, 2 x Gh0stRAT)
ssdeep 196608:szYkJ4XFhay+nW4SfCNGjQRC8ALFDFBYJi6HfuNqwY6q1/a3OFwcAhrou34gO6gh:szYQ4X2ynn6RC8ALV7GHfuUHzxVFwTqv
Threatray 11 similar samples on MalwareBazaar
TLSH T1B8E63380D53C08A6F450AEB77532A57BD486086F88592F78878F7F734D9E870F5898B8
TrID 50.8% (.EXE) Win32 EXE PECompact compressed (v2.x) (59069/9/14)
35.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
1.7% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 69e8cc8686cce869 (1 x Blackmoon)
Reporter Anonymous
Tags:Blackmoon exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
349
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
93cf0ded4e46a85580a71a48968fcf56a14c1d25c339b2651d99994fa4ddddfc.exe
Verdict:
Malicious activity
Analysis date:
2024-05-18 16:52:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0eafe1f5-de57-4562-a6df-f9f00a8c3c03

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packer.PecompactRetail-1
Create hunting rule

PUA.Win.Packer.PECompact-1
Create hunting rule

PUA.Win.Packer.PecompactRetail-3
Create hunting rule

Gathering data
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Enabling the 'hidden' option for recently created files
Launching the process to change network settings
Creating a process with a hidden window
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the window
DNS request
Connection attempt
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed packed packed pecompact
Link:
https://www.filescan.io/uploads/66480df9d5c40bffee61470a/reports/c09a0df0-5944-4287-9df6-bb8109b9da34/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/93cf0ded4e46a85580a71a48968fcf56a14c1d25c339b2651d99994fa4ddddfc
Result
Verdict:
MALICIOUS
Malware family:
KRBanker
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f4c30520-7f35-4dff-b393-3c0ec25b9c6c
Result
Threat name:
BlackMoon
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1443684
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Uses netsh to modify the Windows network and firewall settings
Yara detected BlackMoon Ransomware
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/93cf0ded4e46a85580a71a48968fcf56a14c1d25c339b2651d99994fa4ddddfc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/93cf0ded4e46a85580a71a48968fcf56a14c1d25c339b2651d99994fa4ddddfc/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2024-05-18 02:09:06 UTC
File Type:
PE (Exe)
Extracted files:
159
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sphq33koi2uflafhdjejnd6pk2quyhjfym43ezi5tgmu7jg53x6a._file
Verdict:
malicious
Similar samples:
3407337dea12501ed2d524ed049d69a8e188bcd585f1a4055b60d4369cfc348b
Blackmoon
79e715893ab09905956babde38423d0a5bf8473fad5857ba8a2729039d82689a
Blackmoon
912c7862289ed0e63f8617f075c9479d90190e3dd1b5a173ae43cc58d95c5b56
Blackmoon
93cf0ded4e46a85580a71a48968fcf56a14c1d25c339b2651d99994fa4ddddfc
Blackmoon
bb6aed55da4225ebf59c253940fd805326b404da3986b75db64cc2ea9c5a40df
Blackmoon
d8625f328129d3591d0b6f88fe62ec6ab38248a0b56e2a260eef04b6c414f42b
Blackmoon
fb95ac6e639e2e70bccf34921bd0ab868dc1abb8917ed56b28b73e02e2c96fe1
Blackmoon
fe31def96d6ba1b9ad355b348b5fbbaf16675eb5bc8a0441deb40e06e7494358
Blackmoon
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
upx
Link:
https://tria.ge/reports/240518-ck49hsfd52/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Loads dropped DLL
UPX packed file
Unpacked files
SH256 hash:
6ec12115fbf6d7f9a39ebc65ebb390da2f1e2c8ff98ec8ae156d39008b6bcacc
MD5 hash:
da78606bc86e771602b3e9ca3dc4db37
SHA1 hash:
1080d39c42e1173489a7b23689d85ee154a9fb9c
Link:
https://www.unpac.me/results/267c7dd9-c9df-4e94-a0a6-6b2cc429dc42/
SH256 hash:
a110e1f00a7ce7313ba550068100b4d873b57daf40b5b7200ea32788c5cab66b
MD5 hash:
4383a497da7e41f3dc930b45173eebba
SHA1 hash:
e7b98eb904ca1a7631b61f30ecc8c7e7485ae27a
Link:
https://www.unpac.me/results/267c7dd9-c9df-4e94-a0a6-6b2cc429dc42/
SH256 hash:
95a525dfa3c79b94498488478f51b172301f73fb9c3e9d68dbc9f061affdec87
MD5 hash:
1553d28c5b825ae8b3d7983d56830dbc
SHA1 hash:
abf510a3cdf5130b7ecd07130fa7f0b6d89df037
Link:
https://www.unpac.me/results/267c7dd9-c9df-4e94-a0a6-6b2cc429dc42/
SH256 hash:
8d41efd690a163c2477cc3b777bc78b78fbd9e09ecc2dfc5e76548fd248719c6
MD5 hash:
fd84c02ab8a411525cb3b6cb60392b5d
SHA1 hash:
994369e18b091ce09d98369d4e6460b29475ff02
Detections:
win_karius_g0
Create hunting rule
Link:
https://www.unpac.me/results/267c7dd9-c9df-4e94-a0a6-6b2cc429dc42/
Parent samples :
93cf0ded4e46a85580a71a48968fcf56a14c1d25c339b2651d99994fa4ddddfc
56300ca629b9099e6bfcb4befcebee1141093eb321be81717ab02d724eaaa81a
90c52141e31399449a689286fcf58c94584a75f1fd7ad3bd39b5aac09adff639
SH256 hash:
ca6d29b99869a95430d72222234161fe79f25e05af65c7e5166debb2e59fff70
MD5 hash:
54843f53001275ffcea0e353a55fec5f
SHA1 hash:
7df15909195a14434fc45e914cd1d64df186af77
Link:
https://www.unpac.me/results/267c7dd9-c9df-4e94-a0a6-6b2cc429dc42/
SH256 hash:
33cfcb4956499de228c26ec1dc092763637f035e05e5624f54db1fefb89f0c7a
MD5 hash:
70cab9d8810d33dc5e49a316e6c2ebfd
SHA1 hash:
c6eda245ff5b34dd6f8b986de865e5c058e62edf
Detections:
BlackmoonBanker
Create hunting rule
MALWARE_Win_BlackMoon
Create hunting rule
Link:
https://www.unpac.me/results/267c7dd9-c9df-4e94-a0a6-6b2cc429dc42/
Parent samples :
93cf0ded4e46a85580a71a48968fcf56a14c1d25c339b2651d99994fa4ddddfc
82852a6f778c15c9f0a0ec11e5538b990753463d50fc70b14128bb42f8f80466
b10e357e2c94e48cfc90656a2da338a74820814ec4b98cc70cf7af08b0a70280
SH256 hash:
0af365b5db119b2f43d72cb75f3f0302bbaa3a05ef61ef71c256c231713be5dd
MD5 hash:
006d175e480403666095f4077a7b4260
SHA1 hash:
8a13d09ab170fd3e04edba33c16f6a91d91fce82
Link:
https://www.unpac.me/results/267c7dd9-c9df-4e94-a0a6-6b2cc429dc42/
SH256 hash:
b6ad927ce7a5281f1b71be347b6ee4b920a8ef90f104c6a5cc56082fba0c3528
MD5 hash:
d4ef6ce7414ad6377d34d704a398642d
SHA1 hash:
7650a0b1160a9ff501592bcb5533da972f97caa3
Link:
https://www.unpac.me/results/267c7dd9-c9df-4e94-a0a6-6b2cc429dc42/
SH256 hash:
eb39ef6f2f2548ad0b5e412dc3f70089f113d9ceaf8ecbff5fe0583f3bca759e
MD5 hash:
dc8f4ca2ff63885548d1d9c6cbebc0f5
SHA1 hash:
3d6b368d3df3950dcf6b06537ffd622fb020ab32
Link:
https://www.unpac.me/results/267c7dd9-c9df-4e94-a0a6-6b2cc429dc42/
SH256 hash:
dc2031469fa89771e97a03d6f46e10ff367f429b84189f78fcfb03f5f5c984e7
MD5 hash:
92670a279b344970a4429fa6aa16a3d3
SHA1 hash:
1e61613d747f9d65a13cb6aeb164894f3bed5b85
Link:
https://www.unpac.me/results/267c7dd9-c9df-4e94-a0a6-6b2cc429dc42/
SH256 hash:
4da98dba49deac1aead8cbd879001a3a9766445affcae24caa383e932fa5bb19
MD5 hash:
58f3e1a049be8ecb1d1c70107c5e0526
SHA1 hash:
14149ee413fa44df00527b51cf61b7cb4314e9e8
Link:
https://www.unpac.me/results/267c7dd9-c9df-4e94-a0a6-6b2cc429dc42/
SH256 hash:
8b24c85b5325e2ceff531651a74274409518fb2ff11ef258d2675377b0c9b5a2
MD5 hash:
af1ec73c78d5428c204009f3fab1db67
SHA1 hash:
3f523439f4bcc49175f26e056b66932a1592c30a
Link:
https://www.unpac.me/results/267c7dd9-c9df-4e94-a0a6-6b2cc429dc42/
SH256 hash:
d5e68a1c65280cb8497e7cb95bd0013d79cb728c30fe7821315915946b88251c
MD5 hash:
1722acf805e3328b38ec95d4f8842e76
SHA1 hash:
a7da4196731c3fcb034227a4a9ce6038befa97f5
Link:
https://www.unpac.me/results/267c7dd9-c9df-4e94-a0a6-6b2cc429dc42/
SH256 hash:
01a7d8088c631988c03430795e80edf07123047294ee4a6fc260eb29b7515346
MD5 hash:
a92db0cd60e2a9c3625c4e61f5e9623b
SHA1 hash:
7944609760ad0bbb86b1c3efd9da9292dc710ddc
Link:
https://www.unpac.me/results/267c7dd9-c9df-4e94-a0a6-6b2cc429dc42/
SH256 hash:
cabec992dd72fd15d141ba2d1de760dad29344c1e204a93b15b96f8e83c783b3
MD5 hash:
df5e4b4f37d94b754c174b80491858cb
SHA1 hash:
3727af3792d2148d696492aa4d7a05ee7a20f694
Detections:
INDICATOR_EXE_Packed_ASPack
Create hunting rule
Link:
https://www.unpac.me/results/267c7dd9-c9df-4e94-a0a6-6b2cc429dc42/
Parent samples :
93cf0ded4e46a85580a71a48968fcf56a14c1d25c339b2651d99994fa4ddddfc
56300ca629b9099e6bfcb4befcebee1141093eb321be81717ab02d724eaaa81a
82852a6f778c15c9f0a0ec11e5538b990753463d50fc70b14128bb42f8f80466
90c52141e31399449a689286fcf58c94584a75f1fd7ad3bd39b5aac09adff639
b3a6805182f053f098f6e38dc1cc5a906383b8d00cbf2f0af68377e7ebd65f22
b10e357e2c94e48cfc90656a2da338a74820814ec4b98cc70cf7af08b0a70280
SH256 hash:
34481c436fb4af1345a741cfcaed5502c10346770196b9ece02edb0eb7e4b027
MD5 hash:
81d96590f239313f23c10c454406131f
SHA1 hash:
92cdd6170a663b6dd1316aa2c76afc2bddcb51e1
Link:
https://www.unpac.me/results/267c7dd9-c9df-4e94-a0a6-6b2cc429dc42/
SH256 hash:
d50f3ce221f33b82b5672a2ee38c0f381868cb89c78b3fdc337bb22c2dca16e4
MD5 hash:
a0407fcfd90eb462dfcc0d1f8884f619
SHA1 hash:
8e27e40f5ffb9b8fe09aa8c4d931c98ece8cd1fc
Detections:
BlackmoonBanker
Create hunting rule
MALWARE_Win_BlackMoon
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Link:
https://www.unpac.me/results/267c7dd9-c9df-4e94-a0a6-6b2cc429dc42/
SH256 hash:
0f9ea1cedd9046b5eb781074ca290e9d8a5f4e68203ec1180729849c7616f1d3
MD5 hash:
3a79c0e41fa5515a10ca4f73fd009932
SHA1 hash:
3cda5c1e282ec2348f173de9bf1ea0a264d5fc60
Link:
https://www.unpac.me/results/267c7dd9-c9df-4e94-a0a6-6b2cc429dc42/
SH256 hash:
93cf0ded4e46a85580a71a48968fcf56a14c1d25c339b2651d99994fa4ddddfc
MD5 hash:
3b1f63c4264774b0fafbd343170e6edf
SHA1 hash:
f1c5f2300a25791638486f6877ef15595c317d48
Link:
https://www.unpac.me/results/267c7dd9-c9df-4e94-a0a6-6b2cc429dc42/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.91
Link:
https://yomi.yoroi.company/submissions/93cf0ded4e46a85580a71a48968fcf56a14c1d25c339b2651d99994fa4ddddfc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:Armadillov1xxv2xx
Create hunting rule
Author:malware-lu
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_BlackMoon
Create hunting rule
Author:ditekSHen
Description:Detects executables using BlackMoon RunTime
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:PECompact2xxBitSumTechnologies
Create hunting rule
Author:malware-lu
Rule name:PECompactv25RetailBitsumTechnologies
Create hunting rule
Author:malware-lu
Rule name:PECompactV2XBitsumTechnologies
Create hunting rule
Author:malware-lu
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA

Comments