MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9711bc0fcdf0f0f42a46e859d7c26ea61d50b05aae3ec269a1edf668081330f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Blackmoon


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9711bc0fcdf0f0f42a46e859d7c26ea61d50b05aae3ec269a1edf668081330f1
SHA3-384 hash: 3954724348ef1aeb1499dbecd7763055b7daed268e8173d62d4a38412571195fb28f28b5cd05b0d5d20990fbbc49d925
SHA1 hash: 59435f8d2b585302447486b7719d209b45309cec
MD5 hash: d55234e703c601880f1f9392678d0dc8
humanhash: aspen-ack-nineteen-arizona
File name:9711bc0fcdf0f0f42a46e859d7c26ea61d50b05aae3ec269a1edf668081330f1
Download: download sample
Signature Blackmoon
Create hunting rule
File size:1'898'026 bytes
First seen:2024-04-09 20:01:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3828b63943b359ca8aa20e37d5ff8fba (1 x Blackmoon)
ssdeep 24576:9r0TxazTID9UhQtRlA6Jz7kzSRciXSD3FbbBN/IyZJbOOEHqBh3SWgSklWNy+:9ZzED7tRX8SWwWpNN/IyjEOBST1WNy+
Threatray 8 similar samples on MalwareBazaar
TLSH T1C595BE63F19180F6C92C1539DDAD2336FA74629C0A258BF3EB92DF751C31E90962721E
TrID 46.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
29.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.6% (.EXE) Win32 Executable (generic) (4504/4/1)
5.6% (.EXE) Generic Win/DOS Executable (2002/3)
5.6% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 959a9b5508c6740d (4 x Blackmoon)
Reporter e24111111111111
Tags:Blackmoon

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
GR GR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9711bc0fcdf0f0f42a46e859d7c26ea61d50b05aae3ec269a1edf668081330f1.exe
Verdict:
Malicious activity
Analysis date:
2024-04-09 21:18:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/94d40ce0-3d3f-4343-81a4-27a403c15db8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Enabling the 'hidden' option for recently created files
Сreating synchronization primitives
Searching for synchronization primitives
Creating a process from a recently created file
Launching the process to change network settings
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %temp% directory
Connection attempt
Enabling autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
antavmu blackmoon cmd keylogger lolbin netsh overlay packed rundll32 shell32 unknown
Link:
https://www.filescan.io/uploads/66159eda08ebdfcacdffc497/reports/a5b0a67d-50c9-44a1-8d12-2ee626089414/overview
Verdict:
Malicious
Labled as:
Trojan.Kolovorot
Link:
https://www.hybrid-analysis.com/sample/9711bc0fcdf0f0f42a46e859d7c26ea61d50b05aae3ec269a1edf668081330f1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Barack Obama's Everlasting Blue Blackmail Virus
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aff227bd-00e6-483f-a340-b785c72325aa
Result
Threat name:
BlackMoon
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1423444
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses netsh to modify the Windows network and firewall settings
Yara detected BlackMoon Ransomware
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9711bc0fcdf0f0f42a46e859d7c26ea61d50b05aae3ec269a1edf668081330f1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9711bc0fcdf0f0f42a46e859d7c26ea61d50b05aae3ec269a1edf668081330f1/
Threat name:
Win32.PUA.Diplugem
Create hunting rule
Status:
Malicious
First seen:
2024-04-07 03:25:00 UTC
File Type:
PE (Exe)
Extracted files:
52
AV detection:
23 of 23 (100.00%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s4i3yd6n6dypiksg5bm5pqtouyovbmc2vy7me2nb5x3gqcatgdyq._file
Verdict:
malicious
Similar samples:
01b6c305fc65cca6806df3cea024ae52231fd43b5e17d643e4ed47bc66560670
Blackmoon
4a18ba49021a964bce07d237b348cc52433839dd8e35dddd92e655b2991a871c
Blackmoon
5dbda634d2ac2fa1c53a15b77ad8c0772d578e004fa98fea7668c6082f00b1a6
Blackmoon
5e2de89e01d48c383780e2fc5e56619b4a2cd8a91b6a9c6040d8f360bad39db3
Blackmoon
a0ce738eba1a792b2746c50081ebb84a4f7054ee5f3b1a9651d5d385615eb933
Blackmoon
Result
Malware family:
blackmoon
Create hunting rule
Score:
  10/10
Tags:
family:blackmoon banker trojan upx
Link:
https://tria.ge/reports/240409-yr9cpscd2x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in System32 directory
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Loads dropped DLL
UPX packed file
Blackmoon, KrBanker
Detect Blackmoon payload
Unpacked files
SH256 hash:
5e0958d308b98b9334f4c11e5326db7e6b56f58b549cced0724ef4f52b4c7f30
MD5 hash:
52b030b61f6ffd889c512caecb983afb
SHA1 hash:
483560c9a18db3892c7f862e794b0d726ae7318c
Detections:
BlackmoonBanker
Create hunting rule
MALWARE_Win_BlackMoon
Create hunting rule
Link:
https://www.unpac.me/results/e6779180-6045-46db-a947-4121d58b4752/
SH256 hash:
b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c
MD5 hash:
c3adbb35a05b44bc877a895d273aa270
SHA1 hash:
8afe20d8261d217fd23ccfe53bd45ad3bec82d2d
Link:
https://www.unpac.me/results/e6779180-6045-46db-a947-4121d58b4752/
SH256 hash:
9711bc0fcdf0f0f42a46e859d7c26ea61d50b05aae3ec269a1edf668081330f1
MD5 hash:
d55234e703c601880f1f9392678d0dc8
SHA1 hash:
59435f8d2b585302447486b7719d209b45309cec
Detections:
BlackmoonBanker
Create hunting rule
MALWARE_Win_BlackMoon
Create hunting rule
Link:
https://www.unpac.me/results/e6779180-6045-46db-a947-4121d58b4752/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9711bc0fcdf0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:blackmoon_payload_v1
Create hunting rule
Author:RandomMalware
Rule name:Hacktools_CN_JoHor_Rdos
Create hunting rule
Author:Florian Roth
Description:Disclosed hacktool set - file spec.vbp
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_BlackMoon
Create hunting rule
Author:ditekSHen
Description:Detects executables using BlackMoon RunTime
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::InitializeSecurityDescriptor
MULTIMEDIA_APICan Play MultimediaWINMM.dll::midiOutPrepareHeader
WINMM.dll::midiOutReset
WINMM.dll::midiOutUnprepareHeader
WINMM.dll::midiStreamClose
WINMM.dll::midiStreamOpen
WINMM.dll::midiStreamOut
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::SetSecurityDescriptorDacl
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WinExec
KERNEL32.dll::SetStdHandle
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CreateFileMappingA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegOpenKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegQueryValueA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::FindWindowA
USER32.dll::OpenClipboard
USER32.dll::PeekMessageA

Comments