File name:	be39ba914d07eaaeeb4451b88cf6dfef0f1695583c0e3d5f3d02ab55a6dfdef4
Full analysis:	https://app.any.run/tasks/f27f3475-ba5e-441f-8807-47c34f358894
Verdict:	Malicious activity
Threats:	BlackMoon also known as KrBanker is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has impressively evolved since by adding a number of new infiltration techniques and information stealing methods. Malware Trends Tracker >>>
Analysis date:	March 24, 2025, 22:14:12
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	blackmoon upx
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	EAC8654715152F8ABCEA500DDEF761A0
SHA1:	6D2455534807DE01897001CC2035597E07FB8339
SHA256:	BE39BA914D07EAAEEB4451B88CF6DFEF0F1695583C0E3D5F3D02AB55A6DFDEF4
SSDEEP:	98304:IPw0IehXa+qv/czPadtvNRSISC5aTnX4jRUjRWZlO6fHvQALCfIZTAxK+jzqVvOW:wStB

.exe	\|	Win32 Executable MS Visual C++ (generic) (22.1)
.exe	\|	Win64 Executable (generic) (19.6)
.exe	\|	UPX compressed Win32 Executable (19.2)
.exe	\|	Win32 EXE Yoda's Crypter (18.8)
.scr	\|	Windows screen saver (9.3)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:03:21 01:36:38+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	1269760
InitializedDataSize:	2539520
UninitializedDataSize:	-
EntryPoint:	0x112c04
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Chinese (Simplified)
CharacterSet:	Unicode
FileVersion:	1.0.0.0
FileDescription:	GTAOL养老神器
ProductName:	GTAOL养老神器
ProductVersion:	1.0.0.0
CompanyName:	superaj
LegalCopyright:	superaj 版权所有
Comments:	GTAOL养老神器


(PID) Process:	(7580) be39ba914d07eaaeeb4451b88cf6dfef0f1695583c0e3d5f3d02ab55a6dfdef4.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib
Operation:	write	Name:	1280x720x32(BGR 0)
Value: 31,31,31,31
(PID) Process:	(7580) be39ba914d07eaaeeb4451b88cf6dfef0f1695583c0e3d5f3d02ab55a6dfdef4.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings
Operation:	write	Name:	JITDebug
Value: 0
(PID) Process:	(7580) be39ba914d07eaaeeb4451b88cf6dfef0f1695583c0e3d5f3d02ab55a6dfdef4.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\be39ba914d07eaaeeb4451b88cf6dfef0f1695583c0e3d5f3d02ab55a6dfdef4.exe
Operation:	write	Name:	JScriptSetScriptStateStarted
Value: 5FD3100000000000
(PID) Process:	(7580) be39ba914d07eaaeeb4451b88cf6dfef0f1695583c0e3d5f3d02ab55a6dfdef4.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D19010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(7580) be39ba914d07eaaeeb4451b88cf6dfef0f1695583c0e3d5f3d02ab55a6dfdef4.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7580) be39ba914d07eaaeeb4451b88cf6dfef0f1695583c0e3d5f3d02ab55a6dfdef4.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7580) be39ba914d07eaaeeb4451b88cf6dfef0f1695583c0e3d5f3d02ab55a6dfdef4.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(7716) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(7716) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7716) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:

PID	Process	Filename		Type
7904	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF10f6d5.TMP		—
		MD5:—	SHA256:—
7904	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF10f6d5.TMP		—
		MD5:—	SHA256:—
7904	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
7904	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—
7904	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF10f6e5.TMP		—
		MD5:—	SHA256:—
7904	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
7904	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF10f6e5.TMP		—
		MD5:—	SHA256:—
7904	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old		—
		MD5:—	SHA256:—
7904	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF10f6e5.TMP		—
		MD5:—	SHA256:—
7904	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	401	13.107.6.158:443	https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox	unknown	—	—	—
—	—	GET	200	104.21.18.58:443	https://gta5.8818888.xyz/?version=1.03211	unknown	binary	1.70 Kb	—
—	—	GET	200	20.223.36.55:443	https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=310091&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20250324T221423Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=37d1960535b1428090c3978628da4231&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3968053&metered=false&nettype=ethernet&npid=sc-310091&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&rver=2&smBiosDm=DELL&stabedgever=122.0.2365.59&tl=2&tsu=1358583&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2	unknown	binary	1.31 Kb	whitelisted
—	—	POST	200	40.126.32.140:443	https://login.live.com/RST2.srf	unknown	xml	1.35 Kb	whitelisted
—	—	POST	400	20.190.159.73:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	400	40.126.31.3:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	400	20.190.159.131:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	GET	200	20.199.58.43:443	https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=280815&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20250324T221423Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=f8a7f5b6e91d4fe2ae7f8df2681be41f&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3968053&metered=false&nettype=ethernet&npid=sc-280815&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=122.0.2365.59&tl=2&tsu=1358583&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2	unknown	binary	2.95 Kb	whitelisted
—	—	GET	200	13.107.42.16:443	https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=44&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1	unknown	binary	768 b	whitelisted
—	—	POST	400	40.126.31.131:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	20.190.160.64:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	40.113.110.67:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7580	be39ba914d07eaaeeb4451b88cf6dfef0f1695583c0e3d5f3d02ab55a6dfdef4.exe	172.67.180.111:443	gta5.8818888.xyz	CLOUDFLARENET	US	unknown
7328	backgroundTaskHost.exe	20.223.36.55:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3216	svchost.exe	40.113.110.67:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
8168	msedge.exe	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7904	msedge.exe	239.255.255.250:1900	—	—	—	whitelisted
8168	msedge.exe	13.107.21.239:443	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
google.com	172.217.16.142	whitelisted
login.live.com	20.190.160.64 40.126.32.76 20.190.160.65 40.126.32.74 20.190.160.132 40.126.32.138 40.126.32.72 20.190.160.128 20.190.159.64 20.190.159.71 40.126.31.73 40.126.31.128 20.190.159.68 20.190.159.73 40.126.31.71 40.126.31.3	whitelisted
client.wns.windows.com	40.113.110.67	whitelisted
gta5.8818888.xyz	172.67.180.111 104.21.18.58	unknown
arc.msn.com	20.223.36.55	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
edge.microsoft.com	13.107.21.239 204.79.197.239 150.171.27.11 150.171.28.11	whitelisted
edge-mobile-static.azureedge.net	13.107.246.45	whitelisted
superaj.lanzoue.com	106.225.240.24 223.247.106.57 106.8.246.201 120.52.95.234 116.153.39.128 60.165.116.42 218.60.101.80 221.229.162.62 120.39.165.50 218.11.1.241 61.54.86.137 218.12.77.90	unknown

PID	Process	Class	Message
8168	msedge.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
8168	msedge.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt

General Info

be39ba914d07eaaeeb4451b88cf6dfef0f1695583c0e3d5f3d02ab55a6dfdef4

EAC8654715152F8ABCEA500DDEF761A0

6D2455534807DE01897001CC2035597E07FB8339

BE39BA914D07EAAEEB4451B88CF6DFEF0F1695583C0E3D5F3D02AB55A6DFDEF4

98304:IPw0IehXa+qv/czPadtvNRSISC5aTnX4jRUjRWZlO6fHvQALCfIZTAxK+jzqVvOW:wStB

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

BLACKMOON has been detected (YARA)

SUSPICIOUS

Reads security settings of Internet Explorer

INFO

The sample compiled with chinese language support

Reads security settings of Internet Explorer

Reads the machine GUID from the registry

Checks supported languages

UPX packer has been detected

Reads the software policy settings

Reads the computer name

Reads Environment values

Checks proxy server information

Application launched itself

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings