MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4474e8a182b2b6119d4eef553113d0029768d3f1ae18d40581b784f74f09768. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Blackmoon

Vendor detections: 16

Intelligence 16 IOCs YARA 15 File information Comments

SHA256 hash:	e4474e8a182b2b6119d4eef553113d0029768d3f1ae18d40581b784f74f09768
SHA3-384 hash:	73e6c8e1d8c5c3323102f4b779ba6fc0c00b426683b5f98291816ad391ab7100c96cfb33d0cd7321912d8d43b591516c
SHA1 hash:	1c5e6050d3d143be67d3a10dcfdc866768183f7b
MD5 hash:	6b09b99819bebde32963507058ebbf8b
humanhash:	california-oven-tennessee-avocado
File name:	2025-03-29_6b09b99819bebde32963507058ebbf8b_amadey_black-basta_hijackloader_icedid_rhadamanthys_smoke-loader_xiaobaminer.exe
Download:	download sample
Signature	Blackmoon Create hunting rule
File size:	6'597'849 bytes
First seen:	2025-03-29 12:41:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	53d02dee8a3558f2a2295b34eb0d6374 (59 x Blackmoon, 2 x CoinMiner)
ssdeep	49152:7iYgiAmOHYew6TKAQatzuvFS/KCGZd0qgNEf16lhulJLirHJIZ/K0tDAy49uO7G+:/AmgGWQtZ/K0tGOFWVRuLftCTt6Z6lR9
Threatray	4 similar samples on MalwareBazaar
TLSH	T154665A13F6E441A9E0AAD178CE729631EB727C554BF1A5DF2240F2D81E37AD07A38721
TrID	38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 13.0% (.EXE) Win64 Executable (generic) (10522/11/4) 8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
dhash icon	f8ba6c0e0ec982c0 (62 x Blackmoon, 2 x CoinMiner)
Reporter	zhuzhu0009
Tags:	Blackmoon exe

Intelligence

File Origin

# of uploads :

# of downloads :

372

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2025-03-29_6b09b99819bebde32963507058ebbf8b_amadey_black-basta_hijackloader_icedid_rhadamanthys_smoke-loader_xiaobaminer

Verdict:

Malicious activity

Analysis date:

2025-03-29 11:56:49 UTC

Tags:

stealer blackmoon

Link:

https://app.any.run/tasks/db4d69ba-edb3-442b-ba0c-7d728019519b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.PUA.Tool.BtcMine-2.UNOFFICIAL

Win.Trojan.Qhost-160

Win.Dropper.Tiggre-9845940-0

Win.Trojan.Generic-10020386-0

Win.Virus.Delf-10036412-0

Win.Malware.Score-6940809-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67e7e001cfd0a37f8309720b

Tags:

blackmoon autorun emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the Windows subdirectories

Сreating synchronization primitives

Creating a process from a recently created file

Enabling the 'hidden' option for recently created files

Creating a file

Modifying an executable file

Modifying a system executable file

Blocking the User Account Control

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Blocking a possibility to launch for the Windows registry editor (regedit.exe)

Changing the Windows explorer settings

Creating a file in the mass storage device

Enabling a "Do not show hidden files" option

Enabling threat expansion on mass storage devices

Changing the hosts file

Infecting executable files

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm blackmoon coinminer dotnet evasive expand explorer fingerprint fingerprint iceid keylogger lolbin microsoft_visual_cc overlay packed packer_detected rundll32 virus

Link:

https://www.filescan.io/uploads/67e7eaa4f274bf2d8e287020/reports/89b98c9d-aa86-440d-b3f0-0a9c337d6aef/overview

Verdict:

Malicious

Labled as:

Dropper.Generic.AutorunINF.Recex.1

Link:

https://www.hybrid-analysis.com/sample/e4474e8a182b2b6119d4eef553113d0029768d3f1ae18d40581b784f74f09768

Malware family:

XiaoBa

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a2231590-b6e3-49a5-9358-0e353e6c199e

Result

Threat name:

Coinhive

Detection:

malicious

Classification:

spre.adwa.evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1651688

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Changes the view of files in windows explorer (hidden files and folders)

Creates an undocumented autostart registry key

Creates autorun.inf (USB autostart)

Creates files in the recycle bin to hide itself

Disables the Windows registry editor (regedit)

Disables UAC (registry)

Drops executable to a common third party application directory

Drops executables to the windows directory (C:\Windows) and starts them

Found strings related to Crypto-Mining

Infects executable files (exe, dll, sys, html)

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Modifies the hosts file

Multi AV Scanner detection for submitted file

Mutes Antivirus updates and installments via hosts file black listing

Yara detected Coinhive miner

Behaviour

Behavior Graph:

Download SVG

Score:

95%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e4474e8a182b2b6119d4eef553113d0029768d3f1ae18d40581b784f74f09768

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e4474e8a182b2b6119d4eef553113d0029768d3f1ae18d40581b784f74f09768/

Threat name:

Win32.Coinminer.XiaoBaMiner

Status:

Malicious

First seen:

2025-03-24 13:27:16 UTC

File Type:

PE (Exe)

Extracted files:

309

AV detection:

24 of 24 (100.00%)

Threat level:

4/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4rdu5cqyfmvwcgou532vgej5aauxndj7dlqy2qcydn4e65hqs5ua._file

Verdict:

malicious

Label(s):

krbanker

Blackmoon

e4474e8a182b2b6119d4eef553113d0029768d3f1ae18d40581b784f74f09768

Blackmoon

error

Blackmoon

Result

Malware family:

blackmoon

Score:

10/10

Tags:

family:blackmoon banker defense_evasion discovery persistence spyware stealer trojan

Link:

https://tria.ge/reports/250329-pxekvatsez/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System policy modification

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Drops autorun.inf file

Drops file in System32 directory

Adds Run key to start application

Checks whether UAC is enabled

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Adds policy Run key to start application

Disables RegEdit via registry modification

Drops file in Drivers directory

Blackmoon family

Blackmoon, KrBanker

Detect Blackmoon payload

UAC bypass

Verdict:

Malicious

Tags:

cryptojacking trojan blackmoon Win.Trojan.Qhost-160

YARA:

crypto_jacking_signatures MALWARE_Win_BlackMoon

Link:

https://app.threat.zone/submission/f7b54830-96b7-4cfa-8f9c-f903ebb89398

Unpacked files

SH256 hash:

e4474e8a182b2b6119d4eef553113d0029768d3f1ae18d40581b784f74f09768

MD5 hash:

6b09b99819bebde32963507058ebbf8b

SHA1 hash:

1c5e6050d3d143be67d3a10dcfdc866768183f7b

Detections:

BlackmoonBanker

Link:

https://www.unpac.me/results/6d9fd0d3-39c9-4438-a07f-b6cdb8a0da97/

SH256 hash:

ba7cd3c2ef37746576ea934fbbfe6ce0f659977f604cb6528e642e6d82e60ff7

MD5 hash:

5e9d2fccad3b9edbc0a8ab0fe1e5e510

SHA1 hash:

4f74227b71e570f57e0bf611de8fe2b73cd3aba3

Link:

https://www.unpac.me/results/6d9fd0d3-39c9-4438-a07f-b6cdb8a0da97/

SH256 hash:

b251520c354423ee5e0e84a7e3b778195ac4324c110369ee69201dcecad3f91c

MD5 hash:

cb23d3fcfac9b3c64f499cdd26b0e53d

SHA1 hash:

6fcdc1548b828db8578acaec6a36464aed267af3

Link:

https://www.unpac.me/results/6d9fd0d3-39c9-4438-a07f-b6cdb8a0da97/

SH256 hash:

b75675a3ce734f1530814b764623a0682710f0ac8d2c8fa3ce32a84b32e129a5

MD5 hash:

0657e06b0a5ca2bc285d481d37073885

SHA1 hash:

240277dac9cc16c654f7037ee0d318c6b160f09a

Link:

https://www.unpac.me/results/6d9fd0d3-39c9-4438-a07f-b6cdb8a0da97/

SH256 hash:

da434bf40f89c933c78bd3ac475b65f3a0211cefbf092ee9327b9f144e9f046e

MD5 hash:

bbd6c102213e93b99f05c463a355c897

SHA1 hash:

e67fdf1a78a64c68f362cfba1735a7bf1c3acf22

Link:

https://www.unpac.me/results/6d9fd0d3-39c9-4438-a07f-b6cdb8a0da97/

SH256 hash:

344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

MD5 hash:

619f7135621b50fd1900ff24aade1524

SHA1 hash:

6c7ea8bbd435163ae3945cbef30ef6b9872a4591

Link:

https://www.unpac.me/results/6d9fd0d3-39c9-4438-a07f-b6cdb8a0da97/

SH256 hash:

5917d321051b1d8ba2ba1e89b42d7d2623b59803b7d8a424695b70edd4e87dcc

MD5 hash:

e283a1c7f4b53f5b9a79d4d8d06e7eac

SHA1 hash:

ed48f3152d119d9df076c586f39129e8043e5a89

Link:

https://www.unpac.me/results/6d9fd0d3-39c9-4438-a07f-b6cdb8a0da97/

SH256 hash:

f0bbf82d54bf5005a26a15279388c4a044d457ca9702a3b73d4fba405e84fab8

MD5 hash:

16110cc8422078f4707895caab470bfe

SHA1 hash:

638c25425c306719004951b9faea759dcdd5dea7

Link:

https://www.unpac.me/results/6d9fd0d3-39c9-4438-a07f-b6cdb8a0da97/

SH256 hash:

e7d9fde3b3b74011498270a833de32411b222b3660b7ed8fe6f65c3ca804ebd5

MD5 hash:

ecd4651f6cd32476621a0ca98399299a

SHA1 hash:

ca651bc152096d0e2d58d5aa16540b04849e3a3c

Link:

https://www.unpac.me/results/6d9fd0d3-39c9-4438-a07f-b6cdb8a0da97/

SH256 hash:

cd14f180c5b43696964d427e068fd381a6b69a8e19734b5bc5a1b7ccbc44177d

MD5 hash:

bcc61b37da2f6c6dd7f2a6682d5c1d74

SHA1 hash:

9f10fb0d526d69bb4748a56b76c87740240bf194

Link:

https://www.unpac.me/results/6d9fd0d3-39c9-4438-a07f-b6cdb8a0da97/

SH256 hash:

66e00560565b93c20ea24131d9608f9545d6fa40e8e6348d3936cc125cb32610

MD5 hash:

72398e351c9093d53d54b3186fe66e93

SHA1 hash:

0017c198301fb4b2ad35ab1ac5d9fb4139f62916

Link:

https://www.unpac.me/results/6d9fd0d3-39c9-4438-a07f-b6cdb8a0da97/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e4474e8a182b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e4474e8a182b2b6119d4eef553113d0029768d3f1ae18d40581b784f74f09768

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BlackMoon Create hunting rule
Author:	NDA0E
Description:	Detects BlackMoon

Rule name:	blackmoon_payload_v1 Create hunting rule
Author:	RandomMalware

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MALWARE_Win_BlackMoon Create hunting rule
Author:	ditekSHen
Description:	Detects executables using BlackMoon RunTime

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	virustotal Create hunting rule
Author:	Tracel

File information

The table below shows additional information about this malware sample such as delivery method and external references.

any.run

https://app.any.run/tasks/db4d69ba-edb3-442b-ba0c-7d728019519b

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high
CHECK_TRUST_INFO	Requires Elevated Execution (level:requireAdministrator)	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AdjustTokenPrivileges
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteA
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.DLL::OpenProcess ADVAPI32.dll::OpenProcessToken KERNEL32.DLL::CloseHandle KERNEL32.DLL::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.DLL::TerminateProcess KERNEL32.DLL::LoadLibraryA KERNEL32.DLL::GetDriveTypeA KERNEL32.DLL::GetStartupInfoA KERNEL32.DLL::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.DLL::SetStdHandle
WIN_BASE_IO_API	Can Create Files	KERNEL32.DLL::CopyFileA KERNEL32.DLL::CreateDirectoryA KERNEL32.DLL::CreateFileA KERNEL32.DLL::DeleteFileA KERNEL32.DLL::GetWindowsDirectoryA KERNEL32.DLL::GetSystemDirectoryA
WIN_BASE_USER_API	Retrieves Account Information	ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExA ADVAPI32.dll::RegDeleteKeyA ADVAPI32.dll::RegOpenKeyA ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegSetValueExA
WIN_USER_API	Performs GUI Actions	USER32.dll::PeekMessageA USER32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample