File name:	41586b7b51ba4f076d95d20cf5c36325801ff402363d8c6f89fef9b57ae8bf56
Full analysis:	https://app.any.run/tasks/5e022701-7cc1-415a-80aa-390d811f2fe5
Verdict:	Malicious activity
Analysis date:	December 13, 2024, 20:13:41
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion upx blackmoon
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	E18D7BAAAD2AC7A7682A5346D599C08C
SHA1:	5F0A22CFD5DCDCD68099173282564E13E0F7BA7B
SHA256:	41586B7B51BA4F076D95D20CF5C36325801FF402363D8C6F89FEF9B57AE8BF56
SSDEEP:	98304:OUKVHlO6NBQ55bbuDLCjA/UUSkSB58czqcL9yFTxsUtU3cxxVZ3TbicGd2LsmaN9:5q0

.exe	\|	Win32 Executable MS Visual C++ (generic) (22.1)
.exe	\|	Win64 Executable (generic) (19.6)
.exe	\|	UPX compressed Win32 Executable (19.2)
.exe	\|	Win32 EXE Yoda's Crypter (18.8)
.scr	\|	Windows screen saver (9.3)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:12:11 01:25:18+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	905216
InitializedDataSize:	2027520
UninitializedDataSize:	-
EntryPoint:	0xbbac1
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Chinese (Simplified)
CharacterSet:	Unicode
FileVersion:	1.0.0.0
FileDescription:	易语言程序
ProductName:	易语言程序
ProductVersion:	1.0.0.0
LegalCopyright:	作者版权所有请尊重并使用正版
Comments:	本程序使用易语言编写(http://www.eyuyan.com)


(PID) Process:	(1228) 41586b7b51ba4f076d95d20cf5c36325801ff402363d8c6f89fef9b57ae8bf56.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings
Operation:	write	Name:	JITDebug
Value: 0
(PID) Process:	(1228) 41586b7b51ba4f076d95d20cf5c36325801ff402363d8c6f89fef9b57ae8bf56.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\41586b7b51ba4f076d95d20cf5c36325801ff402363d8c6f89fef9b57ae8bf56.exe
Operation:	write	Name:	JScriptSetScriptStateStarted
Value: E17F130000000000
(PID) Process:	(1228) 41586b7b51ba4f076d95d20cf5c36325801ff402363d8c6f89fef9b57ae8bf56.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	9a3151e658cbaf38b15d2fdfe439149f
Value: 41586b7b51ba4f076d95d20cf5c36325801ff402363d8c6f89fef9b57ae8bf56.exe

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1228	41586b7b51ba4f076d95d20cf5c36325801ff402363d8c6f89fef9b57ae8bf56.exe	GET	200	42.120.158.5:80	http://www.net.cn/static/customercare/yourip.asp	unknown	—	—	—
2736	svchost.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2736	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1228	41586b7b51ba4f076d95d20cf5c36325801ff402363d8c6f89fef9b57ae8bf56.exe	GET	200	8.141.58.141:80	http://www.fm4000888.cn/a/zhinenchanpin/2024/0718/38.html	unknown	—	—	—
—	—	GET	200	103.235.47.188:443	https://sp0.baidu.com/8aQDcjqpAAV3otqbppnN2DJv/api.php?query=14.192.213.7&resource_id=6006	unknown	binary	395 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	2.23.209.133:443	www.bing.com	Akamai International B.V.	GB	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
2736	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1228	41586b7b51ba4f076d95d20cf5c36325801ff402363d8c6f89fef9b57ae8bf56.exe	8.141.58.141:80	www.fm4000888.cn	Hangzhou Alibaba Advertising Co.,Ltd.	CN	unknown
2736	svchost.exe	2.16.241.19:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	2.16.241.19:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2736	svchost.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4712	MoUsoCoreWorker.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
www.bing.com	2.23.209.133 2.23.209.189 2.23.209.140 2.23.209.148 2.23.209.149 2.23.209.176 2.23.209.182 2.23.209.185 2.23.209.179	whitelisted
settings-win.data.microsoft.com	4.231.128.59 20.73.194.208	whitelisted
google.com	216.58.212.142	whitelisted
www.fm4000888.cn	8.141.58.141	unknown
crl.microsoft.com	2.16.241.19 2.16.241.12	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
www.net.cn	42.120.158.5	unknown
sp0.baidu.com	103.235.47.188 103.235.46.96	whitelisted
self.events.data.microsoft.com	104.208.16.91	whitelisted

General Info

41586b7b51ba4f076d95d20cf5c36325801ff402363d8c6f89fef9b57ae8bf56

E18D7BAAAD2AC7A7682A5346D599C08C

5F0A22CFD5DCDCD68099173282564E13E0F7BA7B

41586B7B51BA4F076D95D20CF5C36325801FF402363D8C6F89FEF9B57AE8BF56

98304:OUKVHlO6NBQ55bbuDLCjA/UUSkSB58czqcL9yFTxsUtU3cxxVZ3TbicGd2LsmaN9:5q0

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

BLACKMOON has been detected (YARA)

SUSPICIOUS

There is functionality for taking screenshot (YARA)

Checks for external IP

Connects to unusual port

INFO

Reads the computer name

Checks supported languages

UPX packer has been detected

Reads the machine GUID from the registry

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings