File name:	70111b7c38e6c42abaea323aa7230fd63ce86e65b669f1ac08bce787224c5b72
Full analysis:	https://app.any.run/tasks/7e41165f-9342-46d9-b59e-baf5ae6fbac8
Verdict:	Malicious activity
Threats:	BlackMoon also known as KrBanker is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has impressively evolved since by adding a number of new infiltration techniques and information stealing methods. Malware Trends Tracker >>>
Analysis date:	June 21, 2025, 16:27:12
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	blackmoon
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	32B3A4B6F25B2EB3466828F20B53CD6B
SHA1:	A19BE9549021FC4E95E9B34D05F11BE8B3754048
SHA256:	70111B7C38E6C42ABAEA323AA7230FD63CE86E65B669F1AC08BCE787224C5B72
SSDEEP:	98304:vKOlBcIt0ML1CXN0RqfaSfS251BWO7thGjLK/cVYRrs47iZEcF2W7rxLyDzsRncD:8oxjraH

.exe	\|	Win32 Executable MS Visual C++ (generic) (64.4)
.dll	\|	Win32 Dynamic Link Library (generic) (13.5)
.exe	\|	Win32 Executable (generic) (9.3)
.exe	\|	Win16/32 Executable Delphi generic (4.2)
.exe	\|	Generic Win/DOS Executable (4.1)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:07:15 17:54:42+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	1421312
InitializedDataSize:	536576
UninitializedDataSize:	-
EntryPoint:	0x87f838
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Chinese (Simplified)
CharacterSet:	Unicode
FileVersion:	1.0.0.0
FileDescription:	固定打怪,新手村任务,门派任务
ProductName:	千年3_新手任务
ProductVersion:	1.0.0.0
CompanyName:	QQ:6365272
LegalCopyright:	QQ:6365272
Comments:	本程序使用易语言编写(http://www.eyuyan.com)

PID	Process	Filename		Type
3028	ognicyukmn.exe	C:\Users\admin\Desktop\lajvbtbxsl.exe		executable
		MD5:4EE893ACF10A5F7A2418588AB9DD3DD5	SHA256:DFF55910557FC99C59D743E88DF31DC57778A7F091B4D3B7230268106135E0F3
2032	lajvbtbxsl.exe	C:\Users\admin\Desktop\osbgkkwwox.exe		executable
		MD5:DF3A08462D17AAA79F2E993C150A13CD	SHA256:ECA5FF8A859F14E4BEEAA771E9148371A23BAE2D09856162828419ABB7CD3151
1132	okcyexgmcr.exe	C:\Users\admin\Desktop\rrqjuohiwd.exe		executable
		MD5:2DBE8B6D9E4642D5AB5B3CF788EB0B9E	SHA256:DD66E745C30FF5C2604DB024FC32FB5779F3D7F5DBFCA33C5AEFA89B565BAB13
6800	osbgkkwwox.exe	C:\Users\admin\Desktop\okcyexgmcr.exe		executable
		MD5:C90A651062A95DB667E1B2FE2998EB8D	SHA256:0D7F73029E13BC49AD09E142897707F1E8F132A23C1326B9B29D81CD7DCBABE0
5080	70111b7c38e6c42abaea323aa7230fd63ce86e65b669f1ac08bce787224c5b72.exe	C:\Users\admin\Desktop\ognicyukmn.exe		executable
		MD5:0D389F654AC1D88277B995E9480CFD93	SHA256:8F123ACEC27BFFBB0FA93286F4A4E7C345D1B059063AF0713623BD54052C4B6B
5372	lwiuyxrqhl.exe	C:\Users\admin\Desktop\odyctbhclp.exe		executable
		MD5:D146F0791EDED9B9A407AB3017F78F0C	SHA256:25F4374A9F369D6266975E46B5D3A2AC08831507365693AA68F923E96F533E56
5432	zwzjqspddx.exe	C:\Users\admin\Desktop\efshfsargb.exe		executable
		MD5:1C49B861A5F0EFD2273B356CD5B41BF6	SHA256:97A0934525B65837BAAFC929DCD8BA40BDB06B823C6DF5175A3BCB307E6553CC
6756	gmehmtanri.exe	C:\Users\admin\Desktop\wgmfvjqeam.exe		executable
		MD5:D728CB8A14F98A11EA9B03AF412144F1	SHA256:413620AC1231D01A44B1E932CCADEA8645BA95804D39EE85F98524988435EE2E
7020	wgmfvjqeam.exe	C:\Users\admin\Desktop\ddzweofuyr.exe		executable
		MD5:95B06860139AEE0528CE83EA6EBB3187	SHA256:5B517F5E4532C8980922664171297DC43606D5CE36F28D5AD48C96BF18C1B0B3
3396	odyctbhclp.exe	C:\Users\admin\Desktop\elvnrnqrhg.exe		executable
		MD5:06736EEC112BE062A937062C1FBD2952	SHA256:E6FF51B417E62BFF171EE6B10E7C13E88E1A3FF4461E574EDB2B8615D29ACBAC

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4156	RUXIMICS.exe	GET	200	184.24.77.41:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	184.24.77.41:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	184.24.77.41:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4156	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1268	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4156	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	184.24.77.41:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	184.24.77.41:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4156	RUXIMICS.exe	184.24.77.41:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
1268	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 40.127.240.158	whitelisted
google.com	142.250.185.78	whitelisted
crl.microsoft.com	184.24.77.41 184.24.77.6 184.24.77.42 184.24.77.36 184.24.77.31 184.24.77.43 184.24.77.34 184.24.77.30 184.24.77.38	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
self.events.data.microsoft.com	13.69.109.130	whitelisted

General Info

70111b7c38e6c42abaea323aa7230fd63ce86e65b669f1ac08bce787224c5b72

32B3A4B6F25B2EB3466828F20B53CD6B

A19BE9549021FC4E95E9B34D05F11BE8B3754048

70111B7C38E6C42ABAEA323AA7230FD63CE86E65B669F1AC08BCE787224C5B72

98304:vKOlBcIt0ML1CXN0RqfaSfS251BWO7thGjLK/cVYRrs47iZEcF2W7rxLyDzsRncD:8oxjraH

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

BLACKMOON has been detected (YARA)

SUSPICIOUS

Executable content was dropped or overwritten

Application launched itself

Starts itself from another location

There is functionality for taking screenshot (YARA)

INFO

The sample compiled with chinese language support

Checks supported languages

Reads the machine GUID from the registry

Reads the computer name

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings