MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8d81e7b25128035e30e271708d66efaf12c490114042e1e493a0c816d374414. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Blackmoon


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e8d81e7b25128035e30e271708d66efaf12c490114042e1e493a0c816d374414
SHA3-384 hash: f80dce547ce11effdbed771806380d71b6affba8c0249125bb7462f6054ca2f35a72fd6c39b0fe4f8c835bbb0a7ed049
SHA1 hash: 181823bd5aa2fa6b40d2e31634932eb6b3000a67
MD5 hash: 3e83b87371048459516879706507bb81
humanhash: sweet-nebraska-quebec-white
File name:AS.bin
Download: download sample
Signature Blackmoon
Create hunting rule
File size:6'381'568 bytes
First seen:2023-05-17 21:31:22 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 61157ef30d022b9c8d79de039a5d7191 (1 x Blackmoon)
ssdeep 98304:DTgpwS4t7BDf+UH0DUUGeiWtbeS5vaMfhzGuTIAFBXsTfneuVnPI:sVwUGeFbeSNa+aZEB8LneuxI
Threatray 25 similar samples on MalwareBazaar
TLSH T1BD560277674020ACC02649309A734AE8B6B135132E74C92FF7D5DDF87F66C12DA26B1A
TrID 71.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter sixpounder
Tags:Babar Blackmoon darkmoon dll

Intelligence

File Origin
# of uploads :
1
# of downloads :
303
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/390794/
Detection(s):
Win.Dropper.Tiggre-9845940-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a service
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd.exe crypto greyware packed shell32.dll
Link:
https://www.filescan.io/uploads/646547d3246cdb7d431a113e/reports/0562ad16-ebca-4daf-b4bf-e49d80edb1d5/overview
Verdict:
Malicious
Labled as:
Babar.Generic
Link:
https://www.hybrid-analysis.com/sample/e8d81e7b25128035e30e271708d66efaf12c490114042e1e493a0c816d374414
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fd1c6214-e0d0-4a22-85fc-1657d6667138
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1235655
Signature
Found PSEXEC tool (often used for remote process execution)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 868649 Sample: AS.bin.dll Startdate: 17/05/2023 Architecture: WINDOWS Score: 64 27 Malicious sample detected (through community Yara rule) 2->27 29 Multi AV Scanner detection for submitted file 2->29 31 Machine Learning detection for sample 2->31 33 Found PSEXEC tool (often used for remote process execution) 2->33 7 loaddll32.exe 1 2->7         started        process3 process4 9 rundll32.exe 7->9         started        11 cmd.exe 1 7->11         started        13 rundll32.exe 7->13         started        15 8 other processes 7->15 process5 17 WerFault.exe 9 9->17         started        19 rundll32.exe 11->19         started        21 WerFault.exe 23 9 13->21         started        23 WerFault.exe 9 15->23         started        25 WerFault.exe 2 9 15->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e8d81e7b25128035e30e271708d66efaf12c490114042e1e493a0c816d374414/
Threat name:
Win32.Trojan.Babar
Create hunting rule
Status:
Malicious
First seen:
2023-05-17 21:32:11 UTC
File Type:
PE (Dll)
Extracted files:
57
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5dmb46zfckadlyyoe4lqrvto7lysysibcqcc4hsjhigic3jxiqka._file
Verdict:
malicious
Similar samples:
13e6ff5cb9fdf2ba6560edda8afa17724d14122dd087af29004c7684cb6c4252
Blackmoon
37877d87fff1b903df41bdb21fb500b0371f72de500c6f6768aec4d76966de67
Blackmoon
383b0abb5274e9c87f8d42b0dfca92d82ea28ac940d55d25787a0c3394df6a93
Blackmoon
45982d6a7674a3ff4d2f28e95963d74729e0cb3059c08ef2e4c235182bf4591d
Blackmoon
678f39a7f5bc61c4c9a0f34a0fe44f49fea5349cd51f9c8808ee2b6602ff1d79
Blackmoon
7333ddf4a7e53eeda33a8360b307471358597aeff78f4a5a7f4610640f97bdc7
Blackmoon
788df2cfd4c197c811a9ec741ad14fe7475ca9b4d0d0b0a1b895ae51bec61806
Blackmoon
db6edb488bdadbd506ec6d28710abb9c5cdd844fc394fa7e8293710f4afea8e9
Blackmoon
e60400f9da142b7bb4e83bfa2d964e3ed937dd350d2c6881c21daa826757bac3
Blackmoon
f4158e798cb1c425cd5c50250f7016e9acd26bae7373e46585907682f120c546
Blackmoon
+ 15 additional samples on MalwareBazaar
Result
Malware family:
blackmoon
Create hunting rule
Score:
  10/10
Tags:
family:blackmoon
Link:
https://tria.ge/reports/230517-1dlqlage24/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
e8d81e7b25128035e30e271708d66efaf12c490114042e1e493a0c816d374414
MD5 hash:
3e83b87371048459516879706507bb81
SHA1 hash:
181823bd5aa2fa6b40d2e31634932eb6b3000a67
Detections:
BlackmoonBanker
Create hunting rule
Link:
https://www.unpac.me/results/9587b14a-6d10-4972-b4bc-a4f39e78726d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e8d81e7b2512/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e8d81e7b25128035e30e271708d66efaf12c490114042e1e493a0c816d374414

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:MALWARE_Win_BlackMoon
Create hunting rule
Author:ditekSHen
Description:Detects executables using BlackMoon RunTime
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Blackmoon

DLL dll e8d81e7b25128035e30e271708d66efaf12c490114042e1e493a0c816d374414

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/390794/

Comments