Malware Analysis Report

2025-08-11 01:18

Sample ID 231221-f566dsadh7
Target af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d
SHA256 af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d
Tags
vmprotect blackmoon banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d

Threat Level: Known bad

The file af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d was found to be: Known bad.

Malicious Activity Summary

vmprotect blackmoon banker trojan

Detect Blackmoon payload

Blackmoon, KrBanker

Executes dropped EXE

Loads dropped DLL

VMProtect packed file

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-21 05:28

Signatures

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
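The two static signatures above are header-level checks, and it helps to see exactly what they test. The following is an added example, written for this page and not part of the sandbox's own code: it parses just enough of a PE header with the standard library to (a) look for VMProtect's default section names (.vmp0, .vmp1, ...), and (b) test whether the Authenticode data directory is empty, which is what "Unsigned PE" means at this level. The build_pe32() helper fabricates a header-only PE32 image (constructed test data, not this sample) so the checks run offline.

```python
"""Added example: the two static checks behind "VMProtect packed file" and
"Unsigned PE", implemented over the PE header with the standard library only.
build_pe32() fabricates a header-only PE32 image purely so the checks can run
offline; it is constructed test data, not the sample from this report."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory holding the Authenticode blob
VMPROTECT_SECTION_PREFIX = b".vmp"   # VMProtect's default names: .vmp0, .vmp1, .vmp2


def parse_pe(data: bytes) -> dict:
    """Pull section names and the data directories out of a PE32/PE32+ header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32
        rva_count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:          # PE32+
        rva_count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", data, rva_count_off)[0]
    dirs = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(ndirs)]
    sect_off = opt + opt_size
    names = [struct.unpack_from("<8s", data, sect_off + 40 * i)[0].rstrip(b"\0")
             for i in range(nsect)]
    return {"machine": machine, "sections": names, "directories": dirs}


def is_signed(pe: dict) -> bool:
    """A zero-sized security directory means no embedded Authenticode signature.
    A non-zero size only proves a blob is present; validity still needs chain
    verification (e.g. signtool verify /pa, or Get-AuthenticodeSignature)."""
    dirs = pe["directories"]
    if len(dirs) <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return False
    _rva, size = dirs[IMAGE_DIRECTORY_ENTRY_SECURITY]
    return size > 0


def looks_vmprotected(pe: dict) -> bool:
    """Heuristic only: VMProtect's default section names. Renamed sections evade
    it, which is why sandboxes also lean on entropy and import-table heuristics."""
    return any(n.startswith(VMPROTECT_SECTION_PREFIX) for n in pe["sections"])


def static_signatures(data: bytes) -> list:
    """Return the report-style signature names that fire on this image."""
    pe = parse_pe(data)
    hits = []
    if looks_vmprotected(pe):
        hits.append("VMProtect packed file")
    if not is_signed(pe):
        hits.append("Unsigned PE")
    return hits


def build_pe32(section_names, cert_size=0) -> bytes:
    """Constructed header-only PE32 (not loadable): DOS stub, COFF header,
    224-byte optional header with 16 data directories, 40-byte section headers."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic = PE32
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    if cert_size:                                         # security dir: file offset, size
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, cert_size)
    secs = b"".join(struct.pack("<8s32x", n) for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    print(static_signatures(build_pe32([b".text", b".vmp0", b".vmp1"])))
    print(static_signatures(build_pe32([b".text", b".rdata"], cert_size=0x1800)))
```

Both checks are cheap enough to run over a whole dropped-file set; the section-name test is deliberately conservative and a packer that renames its sections will pass it, so treat a miss as "not proven" rather than "not packed".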

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-21 05:28

Reported

2023-12-21 05:31

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aow_dr.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe | N/A
N/A | N/A | N/A | N/A

Analyst note: the signature does not name the DLL; the only DLL in this run's dropped-file list is C:\Users\Admin\AppData\Local\Temp\dr.dll.

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3040 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe | C:\Windows\SysWOW64\NOTEPAD.EXE
PID 3040 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe | C:\Windows\SysWOW64\NOTEPAD.EXE
PID 3040 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe | C:\Windows\SysWOW64\NOTEPAD.EXE
PID 3040 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe | C:\Windows\SysWOW64\NOTEPAD.EXE
PID 3040 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe | C:\Users\Admin\AppData\Local\Temp\aow_dr.exe
PID 3040 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe | C:\Users\Admin\AppData\Local\Temp\aow_dr.exe
PID 3040 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe | C:\Users\Admin\AppData\Local\Temp\aow_dr.exe
PID 3040 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe | C:\Users\Admin\AppData\Local\Temp\aow_dr.exe

Analyst note: each row is one recorded WriteProcessMemory call, so the repeats are separate events, not duplicates. PID 3040 is the sample (its memory dumps are listed under Files), and both targets, NOTEPAD.EXE (2696) and aow_dr.exe (2612), are children the sample itself launches in the process list below. A parent writing into a child it has just created happens as part of ordinary process start-up, and this report lists no remote-thread creation or other injection indicator, so these rows on their own do not show injection into a foreign process.

Processes

C:\Users\Admin\AppData\Local\Temp\af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe

"C:\Users\Admin\AppData\Local\Temp\af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe"

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ÏêϸʹÓÃ˵Ã÷.txt

Analyst note: the command line asks for C:\Windows\system32\NOTEPAD.EXE but the image that ran is C:\Windows\SysWOW64\NOTEPAD.EXE; that is WOW64 file-system redirection, which only applies to 32-bit parents, so the sample is a 32-bit executable. The file name ÏêϸʹÓÃ˵Ã÷.txt is the GBK (GB2312) byte sequence for 详细使用说明.txt ("Detailed usage instructions.txt") rendered by the English-locale VM's Latin-1 code page; the path as recorded is what the sandbox actually observed, so it is kept verbatim here. The sample opens this Chinese-language readme visibly in Notepad while starting aow_dr.exe, a sequence consistent with a decoy document.

C:\Users\Admin\AppData\Local\Temp\aow_dr.exe

C:\Users\Admin\AppData\Local\Temp\aow_dr.exe
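The WriteProcessMemory rows and the process list above are only useful together: whether a cross-process write is an injection depends on who spawned the target. The following is an added example, not part of the sandbox's output, showing detection logic over a constructed Sysmon-style event stream shaped like this run. It scores writes by whether the target is the writer's own child (expected during process creation) or an unrelated process (injection candidate), and approximates "Executes dropped EXE" as a Temp-resident executable spawning another Temp-resident executable. PIDs and paths are those printed in the report; the event format, the explorer.exe parent and the extra write into it are constructed for the example and are not observed behaviour.

```python
"""Added example: detection logic over a constructed process-event stream shaped
like this report's behavioral1 run. Cross-process memory writes are scored by
whether the target is the writer's own child (routine during process creation)
or an unrelated process (injection candidate), and Temp-resident executables
spawning further Temp-resident executables are flagged. PIDs and paths come
from the report; the event format and the explorer.exe write are constructed."""
from collections import defaultdict
from dataclasses import dataclass

TEMP_DIR = r"c:\users\admin\appdata\local\temp"
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe")


@dataclass(frozen=True)
class ProcEvent:
    kind: str            # "create" (a new process) or "write" (WriteProcessMemory)
    pid: int             # the created process, or the writing process
    image: str           # image path of `pid`
    parent_pid: int = 0  # create: who spawned it
    target_pid: int = 0  # write: who was written to


# Constructed event stream. The sample (3040), NOTEPAD.EXE (2696), aow_dr.exe
# (2612) and the four writes per child mirror the report. The explorer.exe
# parent (1234) and the final write into it are NOT in the report; they are
# added so the code shows what a genuine injection candidate looks like.
EVENTS = [
    ProcEvent("create", 1234, r"C:\Windows\explorer.exe", parent_pid=1),
    ProcEvent("create", 3040, SAMPLE, parent_pid=1234),
    ProcEvent("create", 2696, r"C:\Windows\SysWOW64\NOTEPAD.EXE", parent_pid=3040),
    ProcEvent("create", 2612, r"C:\Users\Admin\AppData\Local\Temp\aow_dr.exe", parent_pid=3040),
    *[ProcEvent("write", 3040, SAMPLE, target_pid=2696)] * 4,
    *[ProcEvent("write", 3040, SAMPLE, target_pid=2612)] * 4,
    ProcEvent("write", 3040, SAMPLE, target_pid=1234),
]


def in_temp(path: str) -> bool:
    """True when the image lives under the user's Temp directory (case-insensitive)."""
    return path.lower().startswith(TEMP_DIR + "\\")


def analyze(events):
    """Return (rule, severity, source_pid, target_pid, count) findings."""
    parent, image = {}, {}
    writes = defaultdict(int)
    findings = []
    for ev in events:
        if ev.kind == "create":
            parent[ev.pid] = ev.parent_pid
            image[ev.pid] = ev.image
            # "Executes dropped EXE", approximated as Temp exe spawning Temp exe.
            if in_temp(ev.image) and in_temp(image.get(ev.parent_pid, "")):
                findings.append(("executes-dropped-exe", "medium", ev.parent_pid, ev.pid, 1))
        elif ev.kind == "write":
            writes[(ev.pid, ev.target_pid)] += 1
    for (src, dst), n in writes.items():
        if parent.get(dst) == src:
            # Expected while a parent sets up a child it just created; low on its own.
            findings.append(("write-to-own-child", "low", src, dst, n))
        else:
            # Writing into a process it did not create: treat as injection until disproven.
            findings.append(("write-to-foreign-process", "high", src, dst, n))
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

On the report's own events this yields one medium finding (3040 starting aow_dr.exe from Temp) and two low ones (the writes into 2696 and 2612); only the constructed write into explorer.exe reaches high. That is the distinction the raw signature table does not make.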

Network

N/A

Files

memory/3040-0-0x0000000000240000-0x0000000000241000-memory.dmp

memory/3040-2-0x0000000000400000-0x00000000015B8000-memory.dmp

memory/3040-3-0x0000000000240000-0x0000000000241000-memory.dmp

memory/3040-31-0x0000000000320000-0x0000000000321000-memory.dmp

memory/3040-32-0x0000000000330000-0x0000000000331000-memory.dmp

memory/3040-38-0x0000000077AD0000-0x0000000077AD1000-memory.dmp

memory/3040-36-0x0000000000330000-0x0000000000331000-memory.dmp

memory/3040-34-0x0000000000330000-0x0000000000331000-memory.dmp

memory/3040-29-0x0000000000320000-0x0000000000321000-memory.dmp

memory/3040-26-0x0000000000310000-0x0000000000311000-memory.dmp

memory/3040-24-0x0000000000310000-0x0000000000311000-memory.dmp

memory/3040-21-0x0000000000300000-0x0000000000301000-memory.dmp

memory/3040-19-0x0000000000300000-0x0000000000301000-memory.dmp

memory/3040-16-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/3040-14-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/3040-11-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/3040-9-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/3040-7-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/3040-6-0x0000000000240000-0x0000000000241000-memory.dmp

memory/3040-5-0x0000000000400000-0x00000000015B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ÏêϸʹÓÃ˵Ã÷.txt

MD5 45e32807f10a086a3823929f2a666119
SHA1 17ee3eefcddfddb88a8fde3da1c563eb7d98344a
SHA256 f570c243b986a4f66bc922a965f2910a7a5b5605d707d47f1740243c87042294
SHA512 86b53125748d91a8393080d9b65183e781a00e2779fea73738786af42fe65eb2dc42bf8f356ce31998e192090e48c61097e1bac5c836875a1c4f68e5397d8e31

\Users\Admin\AppData\Local\Temp\aow_dr.exe

MD5 b5dd2ad618694048355e2e3c396d7860
SHA1 bceaf75cf61c51bf711cd9180d95d30355a99578
SHA256 5ff4970bd69b9f541ae61a56be0d87436ce6258ca87ffcea16b9bb4767846e91
SHA512 d1a01f35f84b1b3fde339d351a101bac8826365a26c597dfa76397d72a6378a89c43b64718ef71694cfa814b40e12309b5b31f47721301c6d7d9ca1497fb66ec

C:\Users\Admin\AppData\Local\Temp\dr.dll

MD5 465d31b9b4a8813d053f20d8f6464f1b
SHA1 54f3c26713bba3498789a4cbd0ff2ce5ec4b46e7
SHA256 ab94a8e3b291577e01cfbdf5eefd139ce8418ea9ace152240e476f43301e9890
SHA512 e5e746a5d37e33aba33b2a54172ea2dea385a57d3be16aff82c6f6f1ba03b9833815f488bd5784abd7f43f55fcefd83cc2516a317b90fee135a338cac4585639

memory/3040-52-0x0000000000400000-0x00000000015B8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-21 05:28

Reported

2023-12-21 05:31

Platform

win10v2004-20231215-en

Max time kernel

96s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe | N/A

Analyst note: Geo\Nation holds the user's configured country. The report does not show what the sample does with the value, but Blackmoon/KrBanker is a family documented as targeting Korean online banking, so a locale check at this point is the expected gate and a non-Korean sandbox may only see part of the execution path.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aow_dr.exe | N/A

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe

"C:\Users\Admin\AppData\Local\Temp\af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe"

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ÏêϸʹÓÃ˵Ã÷.txt

C:\Users\Admin\AppData\Local\Temp\aow_dr.exe

C:\Users\Admin\AppData\Local\Temp\aow_dr.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 138.91.171.81:80 | | tcp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp

Analyst note: none of these rows is attributed to a process, and the Windows 7 run (behavioral1) recorded no network activity at all. Twelve of the thirteen rows are reverse (PTR) lookups sent to 8.8.8.8, each naming an address with its octets reversed (68.32.126.40.in-addr.arpa is a lookup of 40.126.32.68). The only direct connection is TCP to 138.91.171.81:80; treat it as unconfirmed until a capture ties it to the sample or to aow_dr.exe rather than to the VM's own background traffic.
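Reading this table by eye hides two things: each in-addr.arpa name is a PTR query for an address written octet-reversed, and only one row is a direct connection. The following added example (written for this page, not part of the sandbox's output) parses the rows exactly as printed above, decodes the reverse names back to the looked-up addresses, separates them from direct connections and forward lookups, and groups the looked-up addresses by /8 so the ranges the VM touched are visible. The row copy is a constructed embedding of the table above; the regex and the grouping helper are assumptions about how one would post-process this format.

```python
"""Added example: reading the behavioral2 network table. Rows are copied from
the report; the parsing and reverse-name decoding are added here and are not
part of the sandbox's output."""
import ipaddress
import re
from collections import Counter

# Rows as printed in the report (constructed copy, header omitted).
NETWORK_ROWS = """\
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
"""

# country, destination ip:port, optional domain, protocol (assumed column layout)
ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?:(?P<name>\S+)\s+)?(?P<proto>tcp|udp)$"
)


def ptr_to_ip(name: str):
    """'68.32.126.40.in-addr.arpa' -> IPv4Address('40.126.32.68'); None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(octets)))
    except ValueError:
        return None


def parse_network(text: str) -> dict:
    """Split rows into reverse lookups (decoded to the looked-up address),
    forward lookups (plain names) and direct connections (ip, port, proto)."""
    reverse, forward, direct = [], [], []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        name, port, proto = m["name"], int(m["port"]), m["proto"]
        if name and port == 53:
            ip = ptr_to_ip(name)
            if ip is not None:
                reverse.append(ip)
            else:
                forward.append(name)
        else:
            direct.append((m["ip"], port, proto))
    return {"reverse_lookups": reverse, "forward_lookups": forward, "direct": direct}


def by_prefix(ips, prefixlen: int = 8) -> Counter:
    """Count looked-up addresses per network prefix to see which ranges were touched."""
    return Counter(str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)) for ip in ips)


if __name__ == "__main__":
    result = parse_network(NETWORK_ROWS)
    print("direct:", result["direct"])
    print("reverse lookups:", [str(ip) for ip in result["reverse_lookups"]])
    print(by_prefix(result["reverse_lookups"]))
```

Run on the table above this leaves a single direct connection (138.91.171.81:80/tcp), no forward lookups, and twelve decoded addresses spread over the 20, 40, 52, 88, 96 and 192 /8s; the decoded list is what to feed into an IP-reputation or ASN lookup, not the in-addr.arpa strings.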

Files

memory/3804-0-0x00000000016F0000-0x00000000016F1000-memory.dmp

memory/3804-2-0x0000000000400000-0x00000000015B8000-memory.dmp

memory/3804-3-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

memory/3804-8-0x0000000001C00000-0x0000000001C01000-memory.dmp

memory/3804-7-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

memory/3804-6-0x0000000001BE0000-0x0000000001BE1000-memory.dmp

memory/3804-4-0x0000000001BD0000-0x0000000001BD1000-memory.dmp

memory/3804-5-0x0000000000400000-0x00000000015B8000-memory.dmp

memory/3804-1-0x0000000001B90000-0x0000000001B91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ÏêϸʹÓÃ˵Ã÷.txt

MD5 45e32807f10a086a3823929f2a666119
SHA1 17ee3eefcddfddb88a8fde3da1c563eb7d98344a
SHA256 f570c243b986a4f66bc922a965f2910a7a5b5605d707d47f1740243c87042294
SHA512 86b53125748d91a8393080d9b65183e781a00e2779fea73738786af42fe65eb2dc42bf8f356ce31998e192090e48c61097e1bac5c836875a1c4f68e5397d8e31

C:\Users\Admin\AppData\Local\Temp\aow_dr.exe

MD5 b5dd2ad618694048355e2e3c396d7860
SHA1 bceaf75cf61c51bf711cd9180d95d30355a99578
SHA256 5ff4970bd69b9f541ae61a56be0d87436ce6258ca87ffcea16b9bb4767846e91
SHA512 d1a01f35f84b1b3fde339d351a101bac8826365a26c597dfa76397d72a6378a89c43b64718ef71694cfa814b40e12309b5b31f47721301c6d7d9ca1497fb66ec

C:\Users\Admin\AppData\Local\Temp\dr.dll

MD5 f36e82d381da7974f9937910234f6b5e
SHA1 54bfab91d362e4340e8bfaee542051492345150a
SHA256 82989f250e81229723415d3dcbb977596cab579aa5dcbb3ebcd64a345198b453
SHA512 199ca7cca13993d3ef641f3a90c0fd1c000b9bdac358faec2e658fc1e996959e705eabe9a3c7ec3f31970fd35aa269de0217698e2190de75a4446ac1eea5cc9d

Analyst note: this dr.dll differs from the one written in the behavioral1 run (MD5 465d31b9b4a8813d053f20d8f6464f1b), while aow_dr.exe and the .txt have identical hashes in both runs. dr.dll is therefore not byte-stable across executions and its hashes make a poor indicator; pivot on the sample's own hash and on aow_dr.exe (SHA256 5ff4970bd69b9f541ae61a56be0d87436ce6258ca87ffcea16b9bb4767846e91) instead.

memory/3804-22-0x0000000000400000-0x00000000015B8000-memory.dmp