Malware Analysis Report

2025-01-22 13:04

Sample ID 240626-hsmx4athjk
Target afefe6e2dc5345610466661d10d0f4be7a8879c43acb7b28c87e742f25371182
SHA256 afefe6e2dc5345610466661d10d0f4be7a8879c43acb7b28c87e742f25371182
Tags
blackmoon banker spyware stealer trojan vmprotect
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

afefe6e2dc5345610466661d10d0f4be7a8879c43acb7b28c87e742f25371182

Threat Level: Known bad

The file afefe6e2dc5345610466661d10d0f4be7a8879c43acb7b28c87e742f25371182 was found to be: Known bad.

Malicious Activity Summary

blackmoon banker spyware stealer trojan vmprotect

Detect Blackmoon payload

Blackmoon, KrBanker

Loads dropped DLL

Reads user/profile data of web browsers

VMProtect packed file

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 07:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 07:00

Reported

2024-06-26 07:02

Platform

win7-20240419-en

Max time kernel

144s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\afefe6e2dc5345610466661d10d0f4be7a8879c43acb7b28c87e742f25371182.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lic.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruan.dat N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ESPI11.dll C:\Users\Admin\AppData\Local\Temp\lic.dat N/A
File opened for modification C:\Windows\SysWOW64\ESPI11.dll C:\Users\Admin\AppData\Local\Temp\lic.dat N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\afefe6e2dc5345610466661d10d0f4be7a8879c43acb7b28c87e742f25371182.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1760 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\afefe6e2dc5345610466661d10d0f4be7a8879c43acb7b28c87e742f25371182.exe C:\Users\Admin\AppData\Local\Temp\lic.dat
PID 1760 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\afefe6e2dc5345610466661d10d0f4be7a8879c43acb7b28c87e742f25371182.exe C:\Users\Admin\AppData\Local\Temp\lic.dat
PID 1760 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\afefe6e2dc5345610466661d10d0f4be7a8879c43acb7b28c87e742f25371182.exe C:\Users\Admin\AppData\Local\Temp\lic.dat
PID 1760 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\afefe6e2dc5345610466661d10d0f4be7a8879c43acb7b28c87e742f25371182.exe C:\Users\Admin\AppData\Local\Temp\lic.dat
PID 1760 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\afefe6e2dc5345610466661d10d0f4be7a8879c43acb7b28c87e742f25371182.exe C:\Users\Admin\AppData\Local\Temp\ruan.dat
PID 1760 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\afefe6e2dc5345610466661d10d0f4be7a8879c43acb7b28c87e742f25371182.exe C:\Users\Admin\AppData\Local\Temp\ruan.dat
PID 1760 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\afefe6e2dc5345610466661d10d0f4be7a8879c43acb7b28c87e742f25371182.exe C:\Users\Admin\AppData\Local\Temp\ruan.dat
PID 1760 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\afefe6e2dc5345610466661d10d0f4be7a8879c43acb7b28c87e742f25371182.exe C:\Users\Admin\AppData\Local\Temp\ruan.dat

Processes

C:\Users\Admin\AppData\Local\Temp\afefe6e2dc5345610466661d10d0f4be7a8879c43acb7b28c87e742f25371182.exe

"C:\Users\Admin\AppData\Local\Temp\afefe6e2dc5345610466661d10d0f4be7a8879c43acb7b28c87e742f25371182.exe"

C:\Users\Admin\AppData\Local\Temp\lic.dat

C:\Users\Admin\AppData\Local\Temp\lic.dat

C:\Users\Admin\AppData\Local\Temp\ruan.dat

C:\Users\Admin\AppData\Local\Temp\ruan.dat

Network

Country Destination Domain Proto
US 8.8.8.8:53 v2.noran.cc udp
CN 49.235.205.45:6001 tcp

Files

\Users\Admin\AppData\Local\Temp\lic.dat

MD5 0a0ba4cc253e12830c7b2645f4844f0e
SHA1 a264bd5ac72b3e5102241fdeb1863e1dcae2a4a3
SHA256 3e183983c5721d92fc699c4ac9549c25a4169bcc48228503648025d820b1f55a
SHA512 495a7e7675335b10d89e1b74ee20683d3aa9077e5fb9f04c0101e0c9efae73cda8ec9b25cab0dde898c8ef927b782020a354e0afd48eba7e6d32c4637a4c0170

C:\Users\Admin\AppData\Local\Temp\econnect.dll

MD5 471b98da9b92d5e74b4aba84705bdad3
SHA1 1398cad906e1fe7a814a55838a8518a562b3341d
SHA256 8f73b2d0cc300fc637f9c71858d8390fac78360397e64b8ddaf751e81cc3e68d
SHA512 a382e610789f8a60246055cb807f9479dddaffd08e887d79ccda82077470339c4bd7747618ed8e3515c068b79cadba511255426602960ff7e7d9fd50b69a3109

\Users\Admin\AppData\Local\Temp\ruan.dat

MD5 e3d1633fb6d3203f010908612212c22c
SHA1 5de2daf278db3f94273671ffacbe584fdc73e8ee
SHA256 992597951b73ff1193cbcdee202aaf6758838d6a6b5e4b14d35c9a5d339b8705
SHA512 c026a8bb757dd64b05a4769a5b8ec35f9d3bf9197abc3544cdf1736f207e8cee20c154a38d456f45d5044ec75a86458cc3eb6974e7256e14b1279409385784d1

memory/1760-29-0x0000000002E30000-0x000000000366A000-memory.dmp

memory/2704-28-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2704-26-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2704-25-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2704-31-0x0000000002AD0000-0x000000000304D000-memory.dmp

memory/2704-30-0x0000000000400000-0x0000000000C3A000-memory.dmp

memory/2704-32-0x0000000007A80000-0x0000000007AF7000-memory.dmp

memory/2704-33-0x0000000007A80000-0x0000000007AF7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lic.txt

MD5 9fa75c99fd0c714972d063b78a9407e2
SHA1 3cd6a2a603bd383c44227d47a50a47c34ab92447
SHA256 b10e360b974c7ebefecaed9e863b01b07676fc8593962afa678b7f88028920c9
SHA512 e053230315c21da0e2b2febc256bd33f6649e173096df9919f6383fbf76c14041c153d9924998226dc5608230a66bb5bba4145bcfa0c05519c5411109b88836c

memory/2704-39-0x0000000002AD0000-0x000000000304D000-memory.dmp

memory/2704-35-0x0000000007A80000-0x0000000007AF7000-memory.dmp

memory/2704-37-0x0000000002AD0000-0x000000000304D000-memory.dmp

memory/2704-38-0x0000000002AD0000-0x000000000304D000-memory.dmp

memory/2704-46-0x0000000007A80000-0x0000000007AF7000-memory.dmp

memory/2704-47-0x0000000007A80000-0x0000000007AF7000-memory.dmp

memory/2704-48-0x0000000000400000-0x0000000000C3A000-memory.dmp

memory/2704-49-0x0000000002AD0000-0x000000000304D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 07:00

Reported

2024-06-26 07:02

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\afefe6e2dc5345610466661d10d0f4be7a8879c43acb7b28c87e742f25371182.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lic.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruan.dat N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lic.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lic.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruan.dat N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ESPI11.dll C:\Users\Admin\AppData\Local\Temp\lic.dat N/A
File opened for modification C:\Windows\SysWOW64\ESPI11.dll C:\Users\Admin\AppData\Local\Temp\lic.dat N/A

Processes

C:\Users\Admin\AppData\Local\Temp\afefe6e2dc5345610466661d10d0f4be7a8879c43acb7b28c87e742f25371182.exe

"C:\Users\Admin\AppData\Local\Temp\afefe6e2dc5345610466661d10d0f4be7a8879c43acb7b28c87e742f25371182.exe"

C:\Users\Admin\AppData\Local\Temp\lic.dat

C:\Users\Admin\AppData\Local\Temp\lic.dat

C:\Users\Admin\AppData\Local\Temp\ruan.dat

C:\Users\Admin\AppData\Local\Temp\ruan.dat

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 v2.noran.cc udp
CN 49.235.205.45:6001 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
BE 88.221.83.227:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 227.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\lic.dat

MD5 0a0ba4cc253e12830c7b2645f4844f0e
SHA1 a264bd5ac72b3e5102241fdeb1863e1dcae2a4a3
SHA256 3e183983c5721d92fc699c4ac9549c25a4169bcc48228503648025d820b1f55a
SHA512 495a7e7675335b10d89e1b74ee20683d3aa9077e5fb9f04c0101e0c9efae73cda8ec9b25cab0dde898c8ef927b782020a354e0afd48eba7e6d32c4637a4c0170

C:\Users\Admin\AppData\Local\Temp\econnect.dll

MD5 471b98da9b92d5e74b4aba84705bdad3
SHA1 1398cad906e1fe7a814a55838a8518a562b3341d
SHA256 8f73b2d0cc300fc637f9c71858d8390fac78360397e64b8ddaf751e81cc3e68d
SHA512 a382e610789f8a60246055cb807f9479dddaffd08e887d79ccda82077470339c4bd7747618ed8e3515c068b79cadba511255426602960ff7e7d9fd50b69a3109

C:\Users\Admin\AppData\Local\Temp\ruan.dat

MD5 e3d1633fb6d3203f010908612212c22c
SHA1 5de2daf278db3f94273671ffacbe584fdc73e8ee
SHA256 992597951b73ff1193cbcdee202aaf6758838d6a6b5e4b14d35c9a5d339b8705
SHA512 c026a8bb757dd64b05a4769a5b8ec35f9d3bf9197abc3544cdf1736f207e8cee20c154a38d456f45d5044ec75a86458cc3eb6974e7256e14b1279409385784d1

memory/2388-27-0x0000000000400000-0x0000000000C3A000-memory.dmp

memory/2388-28-0x0000000002D10000-0x000000000328D000-memory.dmp

memory/2388-26-0x0000000000D70000-0x0000000000D71000-memory.dmp

memory/2388-24-0x0000000000D70000-0x0000000000D71000-memory.dmp

memory/2388-23-0x0000000000D70000-0x0000000000D71000-memory.dmp

memory/2388-36-0x0000000002D10000-0x000000000328D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lic.txt

MD5 9fa75c99fd0c714972d063b78a9407e2
SHA1 3cd6a2a603bd383c44227d47a50a47c34ab92447
SHA256 b10e360b974c7ebefecaed9e863b01b07676fc8593962afa678b7f88028920c9
SHA512 e053230315c21da0e2b2febc256bd33f6649e173096df9919f6383fbf76c14041c153d9924998226dc5608230a66bb5bba4145bcfa0c05519c5411109b88836c

memory/2388-35-0x0000000002D10000-0x000000000328D000-memory.dmp

memory/2388-34-0x0000000002D10000-0x000000000328D000-memory.dmp

memory/2388-32-0x00000000087A0000-0x0000000008817000-memory.dmp

memory/2388-30-0x00000000087A0000-0x0000000008817000-memory.dmp

memory/2388-29-0x00000000087A0000-0x0000000008817000-memory.dmp

memory/2388-42-0x00000000087A0000-0x0000000008817000-memory.dmp

memory/2388-44-0x00000000087A0000-0x0000000008817000-memory.dmp

memory/2388-45-0x0000000000400000-0x0000000000C3A000-memory.dmp

memory/2388-46-0x0000000002D10000-0x000000000328D000-memory.dmp