File name:	9841bb3a9a66c3ef3eebe760fa4e9175c3c2088bc8d510a5603ded9f81631d0b
Full analysis:	https://app.any.run/tasks/3bba4402-533c-4088-944b-75ead49ef666
Verdict:	Malicious activity
Threats:	BlackMoon also known as KrBanker is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has impressively evolved since by adding a number of new infiltration techniques and information stealing methods. Malware Trends Tracker >>>
Analysis date:	December 13, 2024, 22:13:42
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion upx aspack blackmoon ip-check
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	28E2B09D0A1797053FF85EC31FC5CF44
SHA1:	D93BF01E7F41E62851E9EA44B5B1B252D1CDE428
SHA256:	9841BB3A9A66C3EF3EEBE760FA4E9175C3C2088BC8D510A5603DED9F81631D0B
SSDEEP:	98304:vdNfopqI27alB+Ltl3FUTG9yo9AnxOY7V53V3fezDR19ZwSZSP5AByHANZnd58Ms:ruDp9

.exe	\|	Win32 Executable MS Visual C++ (generic) (24.4)
.exe	\|	Win64 Executable (generic) (21.6)
.exe	\|	UPX compressed Win32 Executable (21.2)
.exe	\|	Win32 EXE Yoda's Crypter (20.8)
.dll	\|	Win32 Dynamic Link Library (generic) (5.1)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:12:12 05:38:44+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	1118208
InitializedDataSize:	1970176
UninitializedDataSize:	-
EntryPoint:	0xeee9c
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Chinese (Simplified)
CharacterSet:	Unicode
FileVersion:	1.0.0.0
FileDescription:	易语言程序
ProductName:	易语言程序
ProductVersion:	1.0.0.0
LegalCopyright:	作者版权所有请尊重并使用正版
Comments:	本程序使用易语言编写(http://www.dywt.com.cn)

PID	Process	Filename		Type
1580	9841bb3a9a66c3ef3eebe760fa4e9175c3c2088bc8d510a5603ded9f81631d0b.exe	C:\Users\admin\AppData\Local\Temp\MY.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\Lock.lock		text
		MD5:C1EF95B5E310736A156C55145251FE5D	SHA256:653A1BA7323B59ECC93D83EB39688919F3EAD432152AFDD5811A8748F9402ABD

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1580	9841bb3a9a66c3ef3eebe760fa4e9175c3c2088bc8d510a5603ded9f81631d0b.exe	GET	301	123.129.219.142:80	http://ip.chinaz.com/getip.aspx	unknown	—	—	whitelisted
1580	9841bb3a9a66c3ef3eebe760fa4e9175c3c2088bc8d510a5603ded9f81631d0b.exe	GET	—	59.57.13.182:80	http://2017.ip138.com/ic.asp	unknown	—	—	unknown
4712	MoUsoCoreWorker.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	404	123.129.219.142:443	https://ip.chinaz.com/getip.aspx	unknown	html	28.4 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
1468	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1580	9841bb3a9a66c3ef3eebe760fa4e9175c3c2088bc8d510a5603ded9f81631d0b.exe	123.129.219.142:80	ip.chinaz.com	CHINA UNICOM China169 Backbone	CN	whitelisted
1580	9841bb3a9a66c3ef3eebe760fa4e9175c3c2088bc8d510a5603ded9f81631d0b.exe	123.129.219.142:443	ip.chinaz.com	CHINA UNICOM China169 Backbone	CN	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
1468	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158	whitelisted
google.com	142.250.186.46	whitelisted
ip.chinaz.com	123.129.219.142	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.166	whitelisted
www.microsoft.com	23.52.120.96	whitelisted
2017.ip138.com	59.57.13.182 59.57.13.133 59.57.14.11 110.81.155.137 110.81.155.138	unknown
self.events.data.microsoft.com	20.189.173.28	whitelisted

General Info

9841bb3a9a66c3ef3eebe760fa4e9175c3c2088bc8d510a5603ded9f81631d0b

28E2B09D0A1797053FF85EC31FC5CF44

D93BF01E7F41E62851E9EA44B5B1B252D1CDE428

9841BB3A9A66C3EF3EEBE760FA4E9175C3C2088BC8D510A5603DED9F81631D0B

98304:vdNfopqI27alB+Ltl3FUTG9yo9AnxOY7V53V3fezDR19ZwSZSP5AByHANZnd58Ms:ruDp9

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

BLACKMOON has been detected (YARA)

SUSPICIOUS

There is functionality for taking screenshot (YARA)

Checks for external IP

There is functionality for capture public ip (YARA)

INFO

Reads the machine GUID from the registry

Checks supported languages

Create files in a temporary directory

Reads the computer name

Reads the software policy settings

Aspack has been detected

UPX packer has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings