MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a35b7570b7818fb47837073b594b4581049edaa087a9e854b5b395abdc7b6773. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Blackmoon


Vendor detections: 18



SHA256 hash: a35b7570b7818fb47837073b594b4581049edaa087a9e854b5b395abdc7b6773
SHA3-384 hash: b2a91cc9b6cc39c223c87794b8391142e691c4ab500a3457543b12f31147b4ee17c53f3c42e00b7f65690394a33d5d2d
SHA1 hash: 0ff584ee230838ae8fefffb16009104393ec515c
MD5 hash: bac8175b9fce575ef751012c729a1d32
humanhash: virginia-orange-king-minnesota
File name: bac8175b9fce575ef751012c729a1d32.exe
Signature: Blackmoon
File size: 7'092'736 bytes
First seen: 2025-02-02 08:28:12 UTC
Last seen: 2025-02-21 21:35:32 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3222c3f44785a4ac7520003a95ac4f46 (1 x CoinMiner, 1 x Blackmoon)
ssdeep: 196608:IWwVcH1newKPI+DfEIWkwuasqsTgxdoKz2z9R68vKbu:tw/Pg+DcIXw8qsTMom2a8m
Threatray: 1 similar samples on MalwareBazaar
TLSH: T16F66332F59C369BDD5902EF0569FF5D80046742B281BA9301E12CFD809768F3E2DB69B
TrID: 39.9% (.EXE) UPX compressed Win32 Executable (27066/9/6)
      24.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      9.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.6% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: abuse_ch
Tags: Blackmoon exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 485
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: bac8175b9fce575ef751012c729a1d32.exe
Verdict: Malicious activity
Analysis date: 2025-02-02 08:34:44 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: blackmoon phishing emotet madi

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %AppData% directory
Creating a service
Launching the process to change the firewall settings
Creating a process with a hidden window
Creating synchronization primitives
Launching a process
Creating a window
Possible injection to a system process
Enabling autorun for a service
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: microsoft_visual_cc packed packed packed packer_detected upx

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: GhostRat
Detection: malicious
Classification: spre.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to modify windows services which are used for security filtering and protection
Creates files in the system32 config directory
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Drops HTML or HTM files to system directories
Found API chain indicative of sandbox detection
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Uses netsh to modify the Windows network and firewall settings
Yara detected Generic Downloader
Yara detected GhostRat
Behaviour
Behavior Graph: Behavior Graph ID 1604976, Sample: UFMp7JcgA2.exe, Startdate: 02/02/2025, Architecture: WINDOWS, Score: 100 (graph image not reproduced here)
Threat name: Win32.Backdoor.Zegost
Status: Malicious
First seen: 2025-02-02 08:29:15 UTC
File Type: PE (Exe)
Extracted files: 173
AV detection: 28 of 38 (73.68%)
Threat level: 5/5

Result
Malware family: gh0strat
Score: 10/10
Tags: family:blackmoon family:gh0strat banker defense_evasion discovery persistence privilege_escalation rat trojan upx
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
UPX packed file
Looks up external IP address via web service
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Downloads MZ/PE file
Modifies Windows Firewall
Server Software Component: Terminal Services DLL
Gh0strat family
Blackmoon family
Blackmoon, KrBanker
Detect Blackmoon payload
Gh0st RAT payload
Gh0strat
Verdict: Malicious
Tags: Win.Virus.Gh0stRAT-6997801-0
YARA: n/a
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BlackMoon
Author: NDA0E
Description: Detects BlackMoon
Rule name: blackmoon_payload_v1
Author: RandomMalware
Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__ConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DetectGoMethodSignatures
Author: Wyatt Tauber
Description: Detects Go method signatures in unpacked Go binaries
Rule name: GoBinTest
Rule name: golang
Rule name: golang_binary_string
Description: Golang strings present
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: identity_golang
Author: Eric Yocam
Description: find Golang malware
Rule name: Jupyter_infostealer
Author: CD_R0M_
Description: Rule for Jupyter Infostealer/Solarmarker malware from September 2021-December 2022
Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/
Rule name: Lumma_Stealer_Detection
Author: ashizZz
Description: Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference: https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name: MALWARE_Win_BlackMoon
Author: ditekSHen
Description: Detects executables using BlackMoon RunTime
Rule name: MALWARE_Win_EXEPWSH_DLAgent
Author: ditekSHen
Description: Detects SystemBC
Rule name: MALWARE_Win_Nitol
Author: ditekSHen
Description: Detects Nitol backdoor
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: meth_stackstrings
Author: Willi Ballenthin
Rule name: NET
Author: malware-lu
Rule name: NETDLLMicrosoft
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: RANSOMWARE
Author: ToroGuitar
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: UPXv20MarkusLaszloReiser
Author: malware-lu
Rule name: upx_3
Author: Kevin Falcoz
Description: UPX 3.X
Rule name: upx_largefile
Author: k3nr9

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: Blackmoon
File: Executable exe a35b7570b7818fb47837073b594b4581049edaa087a9e854b5b395abdc7b6773 (this sample)
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
WIN_BASE_API | Uses Win Base API | KERNEL32.DLL::LoadLibraryA
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegOpenKeyA
