File name:	a4a55a990dde17f6a67e328c2d8427ff3f5f68c0091a39ca45d254a97c7b9044.exe
Full analysis:	https://app.any.run/tasks/f235f3dd-df8e-4147-8979-d88f46af6024
Verdict:	Malicious activity
Threats:	BlackMoon also known as KrBanker is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has impressively evolved since by adding a number of new infiltration techniques and information stealing methods. Malware Trends Tracker >>>
Analysis date:	July 13, 2025, 23:22:41
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	blackmoon
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	08DD01A4554E02EB26E20B93A6F2B022
SHA1:	2544D33BC9C0A410B501AE64649D53531287876F
SHA256:	A4A55A990DDE17F6A67E328C2D8427FF3F5F68C0091A39CA45D254A97C7B9044
SSDEEP:	98304:vKOlBcIt0ML1CXN0RqfaSfS25hBWO7thGjLK/cVYRrs47iZEcF2W7rxLyDzsRnca:YoxjraHQ

.exe	\|	Win32 Executable MS Visual C++ (generic) (64.4)
.dll	\|	Win32 Dynamic Link Library (generic) (13.5)
.exe	\|	Win32 Executable (generic) (9.3)
.exe	\|	Win16/32 Executable Delphi generic (4.2)
.exe	\|	Generic Win/DOS Executable (4.1)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:07:15 17:54:42+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	1421312
InitializedDataSize:	536576
UninitializedDataSize:	-
EntryPoint:	0x87f838
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Chinese (Simplified)
CharacterSet:	Unicode
FileVersion:	1.0.0.0
FileDescription:	固定打怪,新手村任务,门派任务
ProductName:	千年3_新手任务
ProductVersion:	1.0.0.0
CompanyName:	QQ:6365272
LegalCopyright:	QQ:6365272
Comments:	本程序使用易语言编写(http://www.eyuyan.com)

PID	Process	Filename		Type
1036	hbvcubgugo.exe	C:\Users\admin\Desktop\huvmooqlma.exe		executable
		MD5:3DC4F5B612D7ACE358F7E3358708759D	SHA256:C1060ADEB007CBD54CF83C80AA7B543155BCFABE25A352BEA03DAE3B827AEBDA
3780	a4a55a990dde17f6a67e328c2d8427ff3f5f68c0091a39ca45d254a97c7b9044.exe	C:\Users\admin\Desktop\rapycdnovm.exe		executable
		MD5:58398DD23DD2F3376661CF168103CB9B	SHA256:6FA6B21CA1F9116337AD1ECDE644450127F33A99F95650CF5432C52E3A025776
1612	huvmooqlma.exe	C:\Users\admin\Desktop\msacbpxwha.exe		executable
		MD5:4BAE82089434AB377B6108DEF8EFDD37	SHA256:EEC5CB98546618F8710A11DCE144AE7FAEC2906C34E224C3315322C9BDCCB159
2804	zjwbnvkgfe.exe	C:\Users\admin\Desktop\hbvcubgugo.exe		executable
		MD5:B3D028B02124E0A96B2BE3F94DD3CC6E	SHA256:DCA1D90C7BEBE487A67BB9FEC69944BB707647F03DF35DFF150F233A046A8A23
5712	mvcouxwliv.exe	C:\Users\admin\Desktop\mhpgibafph.exe		executable
		MD5:D3F745941E53CB0473819D710BEBE298	SHA256:863A063BF99FDD9B1B76960D7266F3CD2604A9DCECEDBC50017E67DE38E764B0
5924	eejwffvelm.exe	C:\Users\admin\Desktop\lmisrwkwwn.exe		executable
		MD5:A3AE385D0FA7AF5C7A4D6E62B6BCF1F7	SHA256:CD38E8D91E378383EDD6871151B68FE9C8E166F1CA6E7F66DBB1E4F6E5A687AE
304	wxjavgzzat.exe	C:\Users\admin\Desktop\mrqyvwoqkw.exe		executable
		MD5:E9C2446A260162337F2FA7230E7E0F4F	SHA256:EA2CE5DE941A921F2F6FC3BAA86CDC554A3B0A0974B1D25D2A6130CF8BD2E787
6320	mhpgibafph.exe	C:\Users\admin\Desktop\uznhxpebyi.exe		executable
		MD5:B2E86FE6A182CDDFB4D301CA3FC563B7	SHA256:C960297C29DCE091EB980F4FF777D502443807AC43490205EB2D824471FE31B2
5780	a4a55a990dde17f6a67e328c2d8427ff3f5f68c0091a39ca45d254a97c7b9044.exe	C:\Users\admin\Desktop\update.exe		executable
		MD5:BF1B6ED3D8293C7DA1C939BB201DAC3C	SHA256:1A8DA24E1C05D7F63AA4A6388A7E248E736FEA480FD89A546E00FB1C351B4DAB
2072	ogqqgwzjds.exe	C:\Users\admin\Desktop\wzzgaxknmm.exe		executable
		MD5:635FD9F9EABE52809626F6199BB4F4A1	SHA256:C074340A7238F1263B8F4E110AA37AD06E75B2A3DDA2221861A4D5337049605F

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5944	MoUsoCoreWorker.exe	GET	200	23.216.77.42:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	304	172.202.163.200:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
—	—	GET	200	172.202.163.200:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
7080	SIHClient.exe	GET	200	23.55.110.211:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.216.77.42:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3720	RUXIMICS.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7080	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7080	SIHClient.exe	GET	200	23.55.110.211:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3720	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	23.216.77.42:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
5944	MoUsoCoreWorker.exe	23.216.77.42:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
1268	svchost.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5944	MoUsoCoreWorker.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3720	RUXIMICS.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
google.com	216.58.212.174	whitelisted
crl.microsoft.com	23.216.77.42 23.216.77.28 23.216.77.6 23.55.110.211 23.55.110.193	whitelisted
www.microsoft.com	88.221.169.152 2.23.246.101	whitelisted
settings-win.data.microsoft.com	51.104.136.2 4.231.128.59	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
login.live.com	40.126.32.134 20.190.160.131 40.126.32.68 20.190.160.2 20.190.160.64 20.190.160.66 20.190.160.5 20.190.160.4	whitelisted
slscr.update.microsoft.com	4.245.163.56	whitelisted
self.events.data.microsoft.com	20.42.65.88	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted

General Info

a4a55a990dde17f6a67e328c2d8427ff3f5f68c0091a39ca45d254a97c7b9044.exe

08DD01A4554E02EB26E20B93A6F2B022

2544D33BC9C0A410B501AE64649D53531287876F

A4A55A990DDE17F6A67E328C2D8427FF3F5F68C0091A39CA45D254A97C7B9044

98304:vKOlBcIt0ML1CXN0RqfaSfS25hBWO7thGjLK/cVYRrs47iZEcF2W7rxLyDzsRnca:YoxjraHQ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

BLACKMOON has been detected (YARA)

SUSPICIOUS

Application launched itself

Executable content was dropped or overwritten

Starts itself from another location

There is functionality for taking screenshot (YARA)

INFO

Reads the machine GUID from the registry

Checks supported languages

The sample compiled with chinese language support

Reads the computer name

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings