Malware Analysis Report

2025-08-11 01:36

Sample ID 231208-f6txfsag6y
Target eac27f773d364b92fed8f6a500eb7781e1dbb10b32b1fab7ebe42742376b874e
SHA256 eac27f773d364b92fed8f6a500eb7781e1dbb10b32b1fab7ebe42742376b874e
Tags
vmprotect blackmoon banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eac27f773d364b92fed8f6a500eb7781e1dbb10b32b1fab7ebe42742376b874e

Threat Level: Known bad

The file eac27f773d364b92fed8f6a500eb7781e1dbb10b32b1fab7ebe42742376b874e was found to be: Known bad.

Malicious Activity Summary

vmprotect blackmoon banker trojan

Blackmoon, KrBanker

Detect Blackmoon payload

Checks computer location settings

VMProtect packed file

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-08 05:29

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-08 05:29

Reported

2023-12-08 05:32

Platform

win7-20231201-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eac27f773d364b92fed8f6a500eb7781e1dbb10b32b1fab7ebe42742376b874e.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aow_dr.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eac27f773d364b92fed8f6a500eb7781e1dbb10b32b1fab7ebe42742376b874e.exe N/A
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eac27f773d364b92fed8f6a500eb7781e1dbb10b32b1fab7ebe42742376b874e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2524 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\eac27f773d364b92fed8f6a500eb7781e1dbb10b32b1fab7ebe42742376b874e.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2524 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\eac27f773d364b92fed8f6a500eb7781e1dbb10b32b1fab7ebe42742376b874e.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2524 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\eac27f773d364b92fed8f6a500eb7781e1dbb10b32b1fab7ebe42742376b874e.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2524 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\eac27f773d364b92fed8f6a500eb7781e1dbb10b32b1fab7ebe42742376b874e.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2524 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\eac27f773d364b92fed8f6a500eb7781e1dbb10b32b1fab7ebe42742376b874e.exe C:\Users\Admin\AppData\Local\Temp\aow_dr.exe
PID 2524 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\eac27f773d364b92fed8f6a500eb7781e1dbb10b32b1fab7ebe42742376b874e.exe C:\Users\Admin\AppData\Local\Temp\aow_dr.exe
PID 2524 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\eac27f773d364b92fed8f6a500eb7781e1dbb10b32b1fab7ebe42742376b874e.exe C:\Users\Admin\AppData\Local\Temp\aow_dr.exe
PID 2524 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\eac27f773d364b92fed8f6a500eb7781e1dbb10b32b1fab7ebe42742376b874e.exe C:\Users\Admin\AppData\Local\Temp\aow_dr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eac27f773d364b92fed8f6a500eb7781e1dbb10b32b1fab7ebe42742376b874e.exe

"C:\Users\Admin\AppData\Local\Temp\eac27f773d364b92fed8f6a500eb7781e1dbb10b32b1fab7ebe42742376b874e.exe"

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ÏêϸʹÓÃ˵Ã÷.txt

C:\Users\Admin\AppData\Local\Temp\aow_dr.exe

C:\Users\Admin\AppData\Local\Temp\aow_dr.exe

Network

N/A

Files

memory/2524-0-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2524-3-0x0000000000400000-0x00000000015B1000-memory.dmp

memory/2524-2-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2524-5-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2524-6-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2524-10-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2524-8-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2524-13-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2524-15-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2524-18-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2524-20-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2524-23-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2524-31-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2524-30-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2524-33-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2524-28-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2524-25-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2524-35-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2524-37-0x0000000077200000-0x0000000077201000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ÏêϸʹÓÃ˵Ã÷.txt

MD5 a84add5fa56d9791dbb5300e1938538a
SHA1 ee5510d9f21b8975af2b2a656be25f358b753b7d
SHA256 137cbdceee790d4166945d3c62080fa5145458769cd7bc44616b4fb799b44144
SHA512 e09d38e1413b9aa031cceb9fd5b14ca36a728e8115b0de8476161c8549f742cc00e7a3728475e8fffe65bbfafde01bfe788aca859d73552cadfd4f54d9c1dd4f

\Users\Admin\AppData\Local\Temp\aow_dr.exe

MD5 b5dd2ad618694048355e2e3c396d7860
SHA1 bceaf75cf61c51bf711cd9180d95d30355a99578
SHA256 5ff4970bd69b9f541ae61a56be0d87436ce6258ca87ffcea16b9bb4767846e91
SHA512 d1a01f35f84b1b3fde339d351a101bac8826365a26c597dfa76397d72a6378a89c43b64718ef71694cfa814b40e12309b5b31f47721301c6d7d9ca1497fb66ec

C:\Users\Admin\AppData\Local\Temp\aow_dr.exe

MD5 b5dd2ad618694048355e2e3c396d7860
SHA1 bceaf75cf61c51bf711cd9180d95d30355a99578
SHA256 5ff4970bd69b9f541ae61a56be0d87436ce6258ca87ffcea16b9bb4767846e91
SHA512 d1a01f35f84b1b3fde339d351a101bac8826365a26c597dfa76397d72a6378a89c43b64718ef71694cfa814b40e12309b5b31f47721301c6d7d9ca1497fb66ec

\Users\Admin\AppData\Local\Temp\aow_dr.exe

MD5 b5dd2ad618694048355e2e3c396d7860
SHA1 bceaf75cf61c51bf711cd9180d95d30355a99578
SHA256 5ff4970bd69b9f541ae61a56be0d87436ce6258ca87ffcea16b9bb4767846e91
SHA512 d1a01f35f84b1b3fde339d351a101bac8826365a26c597dfa76397d72a6378a89c43b64718ef71694cfa814b40e12309b5b31f47721301c6d7d9ca1497fb66ec

C:\Users\Admin\AppData\Local\Temp\dr.dll

MD5 8471b22c4ffd8240cdcc363284d62e61
SHA1 24681a90b32ee0da595b875fe59ea2fa2e5bf592
SHA256 c8f57935622e8fea2ff0a963e8dc82b08dc4e3d65440e63405cb0f505993d83f
SHA512 6972a7486bbff19c71026276376abd8d289ef1089f2835dea32b5edec0682f635508aad25354a6c2f82254887e120584e12ca494a273012432c5c9e18dda3571

memory/2524-51-0x0000000000400000-0x00000000015B1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-08 05:29

Reported

2023-12-08 05:32

Platform

win10v2004-20231130-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eac27f773d364b92fed8f6a500eb7781e1dbb10b32b1fab7ebe42742376b874e.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\eac27f773d364b92fed8f6a500eb7781e1dbb10b32b1fab7ebe42742376b874e.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aow_dr.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\eac27f773d364b92fed8f6a500eb7781e1dbb10b32b1fab7ebe42742376b874e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\eac27f773d364b92fed8f6a500eb7781e1dbb10b32b1fab7ebe42742376b874e.exe

"C:\Users\Admin\AppData\Local\Temp\eac27f773d364b92fed8f6a500eb7781e1dbb10b32b1fab7ebe42742376b874e.exe"

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ÏêϸʹÓÃ˵Ã÷.txt

C:\Users\Admin\AppData\Local\Temp\aow_dr.exe

C:\Users\Admin\AppData\Local\Temp\aow_dr.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

memory/4732-0-0x0000000001780000-0x0000000001781000-memory.dmp

memory/4732-1-0x0000000001C80000-0x0000000001C81000-memory.dmp

memory/4732-2-0x0000000000400000-0x00000000015B1000-memory.dmp

memory/4732-3-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

memory/4732-4-0x0000000003470000-0x0000000003471000-memory.dmp

memory/4732-5-0x0000000003480000-0x0000000003481000-memory.dmp

memory/4732-6-0x0000000003490000-0x0000000003491000-memory.dmp

memory/4732-7-0x00000000034A0000-0x00000000034A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ÏêϸʹÓÃ˵Ã÷.txt

MD5 a84add5fa56d9791dbb5300e1938538a
SHA1 ee5510d9f21b8975af2b2a656be25f358b753b7d
SHA256 137cbdceee790d4166945d3c62080fa5145458769cd7bc44616b4fb799b44144
SHA512 e09d38e1413b9aa031cceb9fd5b14ca36a728e8115b0de8476161c8549f742cc00e7a3728475e8fffe65bbfafde01bfe788aca859d73552cadfd4f54d9c1dd4f

C:\Users\Admin\AppData\Local\Temp\aow_dr.exe

MD5 b5dd2ad618694048355e2e3c396d7860
SHA1 bceaf75cf61c51bf711cd9180d95d30355a99578
SHA256 5ff4970bd69b9f541ae61a56be0d87436ce6258ca87ffcea16b9bb4767846e91
SHA512 d1a01f35f84b1b3fde339d351a101bac8826365a26c597dfa76397d72a6378a89c43b64718ef71694cfa814b40e12309b5b31f47721301c6d7d9ca1497fb66ec

C:\Users\Admin\AppData\Local\Temp\aow_dr.exe

MD5 b5dd2ad618694048355e2e3c396d7860
SHA1 bceaf75cf61c51bf711cd9180d95d30355a99578
SHA256 5ff4970bd69b9f541ae61a56be0d87436ce6258ca87ffcea16b9bb4767846e91
SHA512 d1a01f35f84b1b3fde339d351a101bac8826365a26c597dfa76397d72a6378a89c43b64718ef71694cfa814b40e12309b5b31f47721301c6d7d9ca1497fb66ec

C:\Users\Admin\AppData\Local\Temp\dr.dll

MD5 797f63a1da1c2177cde767eaf392689f
SHA1 5378489b4f3b77a00e6e770b6add48f2145f839c
SHA256 cba7cc202a99e4699deb3d6a9f840713b700a09fc03391a0ffd82a3def81c607
SHA512 d3f57682cbd970e4f8c85058ab438a92c0c9400d4c25b7986b247fdf5395dd80422781ddf7aa98c3f51db028866606c33425d52736f1d07df2905231764416e2

memory/4732-21-0x0000000000400000-0x00000000015B1000-memory.dmp