MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef74de060d6351cd515504f3314efde0becfee073d9eec3a4b68c6e0de7195ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Blackmoon

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	ef74de060d6351cd515504f3314efde0becfee073d9eec3a4b68c6e0de7195ad
SHA3-384 hash:	d98650c2c9979caf3ca1f1af9b1c1d6bd136568d54a21d50d4027985503ec0a4efa0485bb16fe9231ef096b00da8a713
SHA1 hash:	adcaebeb0fb7d03c4e64f89dbfdd648e924350c4
MD5 hash:	7748bb2e024af53aa5d99201f0193f40
humanhash:	pluto-monkey-victor-montana
File name:	fnf tricky mod.exe
Download:	download sample
Signature	Blackmoon Create hunting rule
File size:	9'625'088 bytes
First seen:	2022-04-19 05:23:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	93ce46c00df111695f96d72a872086b1 (1 x Blackmoon)
ssdeep	196608:pPNWthfTsNaWtIi7Aoyv9aRG01Em2vtiRtFGpu+SK7KGi6g3VW:pPNuTGtrAo4CrL2vQdGp5SK71i6g3
Threatray	2 similar samples on MalwareBazaar
TLSH	T1A0A6233735950507D0E5C93D972BBDF131FA46268B426CB06DEDE8C12969CECA2C398E
TrID	45.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.3% (.EXE) OS/2 Executable (generic) (2029/13) 18.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	54e9ecaab2e869f0 (1 x Blackmoon)
Reporter	adm1n_usa32
Tags:	Blackmoon exe

Intelligence

File Origin

# of uploads :

# of downloads :

292

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

fnf tricky mod.exe

Verdict:

Suspicious activity

Analysis date:

2022-04-19 05:22:42 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/90685d37-95d5-4a3f-9304-9811f6a0ed43

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/264481/

Detection(s):

MiscreantPunch.SingleXOR.EXE.166.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Creating a file in the %temp% directory

Searching for synchronization primitives

Creating a window

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Launching a process

Sending an HTTP POST request

Sending an HTTP GET request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/625e4778ffe27d511907e266/reports/9ba868d2-5005-4615-bc6f-d91d25661fe3/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cfb52b5c-14d3-43aa-a89a-92b6ac2ee529

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/978623

Signature

Antivirus / Scanner detection for submitted sample

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file has nameless sections

Tries to detect virtualization through RDTSC time measurements

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ef74de060d6351cd515504f3314efde0becfee073d9eec3a4b68c6e0de7195ad/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2022-04-18 12:55:02 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 41 (58.54%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=552n4bqnmni42ukvatztctx54c7m73qhhwpoyoslnddobxtrswwq._file

Verdict:

malicious

Blackmoon

6ec7aa60afcb5b409e55f0a47ff4ba273f1c9e28f7bd5c9f32b1d749ccad0719

Blackmoon

Result

Malware family:

n/a

Score:

9/10

Tags:

upx

Link:

https://tria.ge/reports/220419-f3ptbsehan/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Unpacked files

SH256 hash:

b03e221900fb350de15371eed12977cdd6e3df0e1389a9c93d750d4b37b9028b

MD5 hash:

9d1cf6ba64669e1b5912c718345abdc8

SHA1 hash:

b55dae627e427d684040ce2b6f375c09c5cb107b

Link:

https://www.unpac.me/results/5798c782-7ea2-4801-9bae-c60eee7f0dbe/

SH256 hash:

c3b62790e439dc457864563bbb1dd8ae2167eefafd8d4fb21d2945d11c20f888

MD5 hash:

9d4fee31a42b8ca5518d80877fbac5fd

SHA1 hash:

fc674eb244909a0a6ceca78a6450a91c59ff6b5a

Link:

https://www.unpac.me/results/5798c782-7ea2-4801-9bae-c60eee7f0dbe/

SH256 hash:

ef74de060d6351cd515504f3314efde0becfee073d9eec3a4b68c6e0de7195ad

MD5 hash:

7748bb2e024af53aa5d99201f0193f40

SHA1 hash:

adcaebeb0fb7d03c4e64f89dbfdd648e924350c4

Link:

https://www.unpac.me/results/5798c782-7ea2-4801-9bae-c60eee7f0dbe/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ef74de060d6351cd515504f3314efde0becfee073d9eec3a4b68c6e0de7195ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	MALWARE_Win_BlackMoon Create hunting rule
Author:	ditekSHen
Description:	Detects executables using BlackMoon RunTime

Rule name:	SUSP_XORed_MSDOS_Stub_Message Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed MSDOS stub message
Reference:	https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/264481/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample