Malware Analysis Report

2025-03-15 06:03

Sample ID: 240511-csnxhafh7z
Target: 875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90
SHA256: 875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90
Tags: vmprotect blackmoon banker trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90

Threat Level: Known bad

The file 875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90 was found to be: Known bad.

Malicious Activity Summary

vmprotect blackmoon banker trojan

Blackmoon, KrBanker

Detect Blackmoon payload

Loads dropped DLL

VMProtect packed file

Drops startup file

Executes dropped EXE

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-11 02:20

Signatures

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-11 02:20
Reported: 2024-05-11 02:23
Platform: win7-20240215-en
Max time kernel: 121s
Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYSTEM_START.lnk | C:\Users\Admin\AppData\Local\Temp\875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Public\Videos\VSTelem\kmvgn\kmvgn.exe | N/A

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90.exe | N/A
N/A | N/A | C:\Users\Public\Videos\VSTelem\kmvgn\kmvgn.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Public\Videos\VSTelem\kmvgn\kmvgn.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | C:\Users\Public\Videos\VSTelem\kmvgn\kmvgn.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Users\Public\Videos\VSTelem\kmvgn\kmvgn.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Public\Videos\VSTelem\kmvgn\kmvgn.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Public\Videos\VSTelem\kmvgn\kmvgn.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Public\Videos\VSTelem\kmvgn\kmvgn.exe | N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90.exe"

Process: C:\Users\Public\Videos\VSTelem\kmvgn\kmvgn.exe
Command line: C:\Users\Public\Videos\VSTelem\kmvgn\kmvgn.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | s.2x5.xyz | udp
CA | 148.113.164.76:8080 | | tcp
CA | 148.113.164.76:8080 | qincc.vip | tcp
US | 8.8.8.8:53 | sk.2x5.xyz | udp
CA | 148.113.152.19:9266 | sk.2x5.xyz | tcp

Files

memory/2316-0-0x0000000000400000-0x00000000005A9000-memory.dmp

memory/2316-1-0x0000000000400000-0x00000000005A9000-memory.dmp

memory/2316-5-0x0000000010000000-0x0000000010067000-memory.dmp

memory/2316-8-0x0000000002EA0000-0x00000000038A0000-memory.dmp

C:\Users\Public\Videos\VSTelem\kmvgn\Language.dll

MD5 3dc8268e939ea269474b319e6ad64066
SHA1 37919c320708877525aa0b4443674b3b75d32ebc
SHA256 0e807eea09cfb000d965d3f32ac4dfba6fa9a480bf6289ffd3c7576dddfdbb5a
SHA512 05c0c4c8eb6e9af30739968bf70c308db9ac74b97d9a58e7adb6a0c42683f261b1018eddedee9fa0898275ca288f1af7cac7fa9a380a7745d80bc0d325f60fde

C:\Users\Public\Videos\VSTelem\kmvgn\kmvgn.exe

MD5 86810e2d993f7327eb5b25b5d17d21c1
SHA1 92be7e63223f3c7e37161b8fc1ab555813988d70
SHA256 63636cec408acbbc4d04c01f9efdbe4b9b08fa0c4390ec8729b9ff0c8be9d246
SHA512 148ef0d152260f874d2c32accf4afdc07d7b975fc15d2373d9c4d8fc4975dc4c54f37ca432eddb9b4e0d109386ab9ab8aad2dcea420ed8a5ee42e4aff341fd4c

memory/2608-23-0x0000000010000000-0x000000001005D000-memory.dmp

memory/2608-21-0x0000000010000000-0x000000001005D000-memory.dmp

memory/2608-26-0x0000000000250000-0x000000000028E000-memory.dmp

memory/2608-25-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Public\Videos\VSTelem\kmvgn\Update.log

MD5 7e651e861e25e68820d109b1f2618d79
SHA1 7a8263f724d1ba5891b3c7d96cbf140c9d731cc7
SHA256 e7b0140998a55eac72263fd9d41452851475ef99fea74e201dfb76a963e25b80
SHA512 6bc20c4c85c0399dbeb9e2f523b3e0e3368434da074fa669bc026105a8e6e67bf9fd5d78542ba295d8f470ca507eb3b5416bcf5c75f5ac0c9bba0a323ed19c00

memory/2316-32-0x0000000000400000-0x00000000005A9000-memory.dmp

memory/2608-35-0x0000000010000000-0x000000001005D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-11 02:20
Reported: 2024-05-11 02:23
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYSTEM_START.lnk | C:\Users\Admin\AppData\Local\Temp\875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Public\Videos\VSTelem\jcozx\jcozx.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Public\Videos\VSTelem\jcozx\jcozx.exe | N/A

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90.exe | N/A
N/A | N/A | C:\Users\Public\Videos\VSTelem\jcozx\jcozx.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Public\Videos\VSTelem\jcozx\jcozx.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | C:\Users\Public\Videos\VSTelem\jcozx\jcozx.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Users\Public\Videos\VSTelem\jcozx\jcozx.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Public\Videos\VSTelem\jcozx\jcozx.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Public\Videos\VSTelem\jcozx\jcozx.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A
N/A | N/A | C:\Users\Public\Videos\VSTelem\jcozx\jcozx.exe | N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90.exe"

Process: C:\Windows\system32\OpenWith.exe
Command line: C:\Windows\system32\OpenWith.exe -Embedding

Process: C:\Users\Public\Videos\VSTelem\jcozx\jcozx.exe
Command line: C:\Users\Public\Videos\VSTelem\jcozx\jcozx.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | s.2x5.xyz | udp
CA | 148.113.164.76:8080 | | tcp
US | 8.8.8.8:53 | 76.164.113.148.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
CA | 148.113.164.76:8080 | qincc.vip | tcp
US | 8.8.8.8:53 | sk.2x5.xyz | udp
CA | 148.113.152.19:9266 | sk.2x5.xyz | tcp
US | 8.8.8.8:53 | 19.152.113.148.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp

Files

memory/644-0-0x0000000000400000-0x00000000005A9000-memory.dmp

memory/644-1-0x0000000000400000-0x00000000005A9000-memory.dmp

memory/644-4-0x0000000010000000-0x0000000010067000-memory.dmp

C:\Users\Public\Videos\VSTelem\jcozx\jcozx.exe

MD5 86810e2d993f7327eb5b25b5d17d21c1
SHA1 92be7e63223f3c7e37161b8fc1ab555813988d70
SHA256 63636cec408acbbc4d04c01f9efdbe4b9b08fa0c4390ec8729b9ff0c8be9d246
SHA512 148ef0d152260f874d2c32accf4afdc07d7b975fc15d2373d9c4d8fc4975dc4c54f37ca432eddb9b4e0d109386ab9ab8aad2dcea420ed8a5ee42e4aff341fd4c

C:\Users\Public\Videos\VSTelem\jcozx\Language.dll

MD5 3dc8268e939ea269474b319e6ad64066
SHA1 37919c320708877525aa0b4443674b3b75d32ebc
SHA256 0e807eea09cfb000d965d3f32ac4dfba6fa9a480bf6289ffd3c7576dddfdbb5a
SHA512 05c0c4c8eb6e9af30739968bf70c308db9ac74b97d9a58e7adb6a0c42683f261b1018eddedee9fa0898275ca288f1af7cac7fa9a380a7745d80bc0d325f60fde

memory/4032-19-0x0000000010000000-0x000000001005D000-memory.dmp

memory/4032-21-0x0000000010000000-0x000000001005D000-memory.dmp

C:\Users\Public\Videos\VSTelem\jcozx\Update.log

MD5 7e651e861e25e68820d109b1f2618d79
SHA1 7a8263f724d1ba5891b3c7d96cbf140c9d731cc7
SHA256 e7b0140998a55eac72263fd9d41452851475ef99fea74e201dfb76a963e25b80
SHA512 6bc20c4c85c0399dbeb9e2f523b3e0e3368434da074fa669bc026105a8e6e67bf9fd5d78542ba295d8f470ca507eb3b5416bcf5c75f5ac0c9bba0a323ed19c00

memory/4032-23-0x00000000008A0000-0x00000000008DE000-memory.dmp

memory/644-28-0x0000000000400000-0x00000000005A9000-memory.dmp

memory/4032-32-0x0000000010000000-0x000000001005D000-memory.dmp