File name:	f7a36e5de1dd869887c945db07df47f2902c014df60df3313ff98ef66ac465c4
Full analysis:	https://app.any.run/tasks/7065db9d-a665-4f51-a0af-cd86fcde975f
Verdict:	Malicious activity
Threats:	BlackMoon also known as KrBanker is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has impressively evolved since by adding a number of new infiltration techniques and information stealing methods. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 21, 2025, 20:57:35
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	blackmoon xor-url generic upx vmprotect stealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	E2FFA258A02F9043D926599A8D4260E4
SHA1:	EAB24157EDA25A6B7EC5D4DD875CF0392DDCA9FD
SHA256:	F7A36E5DE1DD869887C945DB07DF47F2902C014DF60DF3313FF98EF66AC465C4
SSDEEP:	98304:aGvrkVgC1XE4ITVI41fb+zowAj0E0K9lvo4NxfYzZIhKo4zEM3cvlH2OYvTqgXy4:64nRD1TGd+Up

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:07:11 18:59:40+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	409600
InitializedDataSize:	7872512
UninitializedDataSize:	-
EntryPoint:	0x50172
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.1
ProductVersionNumber:	1.0.0.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Chinese (Simplified)
CharacterSet:	Unicode
CompanyName:	TODO: <公司名>
FileVersion:	1.0.0.1
LegalCopyright:	TODO: (C) <公司名>。保留所有权利。
ProductName:	TODO: <产品名>
ProductVersion:	1.0.0.1

PID	Process	Filename		Type
4244	f7a36e5de1dd869887c945db07df47f2902c014df60df3313ff98ef66ac465c4.exe	C:\Users\admin\Desktop\ÁúÐÜÄ§Óò.lnk		binary
		MD5:9885AE84D2CE7C2B3F2867A416132963	SHA256:F80ED665C4BAD449DAAD0B91825A2E80B92E10D6496EE52CEA0771A0C571B686
4244	f7a36e5de1dd869887c945db07df47f2902c014df60df3313ff98ef66ac465c4.exe	C:\Users\admin\AppData\Roaming\ÁúÐÜÄ§Óò\f7a36e5de1dd869887c945db07df47f2902c014df60df3313ff98ef66ac465c4.exe		executable
		MD5:E2FFA258A02F9043D926599A8D4260E4	SHA256:F7A36E5DE1DD869887C945DB07DF47F2902C014DF60DF3313FF98EF66AC465C4
128	f7a36e5de1dd869887c945db07df47f2902c014df60df3313ff98ef66ac465c4.exe	C:\Users\admin\AppData\Roaming\ÁúÐÜÄ§Óò\69EC4FF133D1E22FFB17FD466BCDF925.exe		executable
		MD5:951F2DD1F4415CA24D9C3E9175F3636A	SHA256:88769E25E8596DEA423B8B2077F7DCB002B492841691056C682780B373D4B965

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4300	svchost.exe	GET	200	23.48.23.147:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4300	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
128	f7a36e5de1dd869887c945db07df47f2902c014df60df3313ff98ef66ac465c4.exe	GET	200	103.40.13.188:2020	http://dsfurl.qsdun.com:2020/list.txt	unknown	—	—	malicious
128	f7a36e5de1dd869887c945db07df47f2902c014df60df3313ff98ef66ac465c4.exe	GET	200	176.31.163.146:80	http://www.j1608.com/list.txt	unknown	—	—	unknown
—	—	POST	204	92.123.104.52:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	92.123.104.6:443	—	Akamai International B.V.	DE	unknown
4300	svchost.exe	23.48.23.147:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4300	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
128	f7a36e5de1dd869887c945db07df47f2902c014df60df3313ff98ef66ac465c4.exe	103.40.13.188:10002	dsfurl.qsdun.com	China Mobile communications corporation	CN	malicious
128	f7a36e5de1dd869887c945db07df47f2902c014df60df3313ff98ef66ac465c4.exe	103.40.13.188:2020	dsfurl.qsdun.com	China Mobile communications corporation	CN	malicious
128	f7a36e5de1dd869887c945db07df47f2902c014df60df3313ff98ef66ac465c4.exe	176.31.163.146:80	www.j1608.com	OVH SAS	FR	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
5064	SearchApp.exe	92.123.104.6:443	—	Akamai International B.V.	DE	unknown

Domain	IP	Reputation
google.com	142.250.185.174	whitelisted
crl.microsoft.com	23.48.23.147 23.48.23.156 23.48.23.176 23.48.23.194 23.48.23.180 23.48.23.166 23.48.23.167 23.48.23.145 23.48.23.177	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
dsfurl.qsdun.com	103.40.13.188	malicious
ip3.qsdun.com	103.40.13.188	unknown
www.j1608.com	176.31.163.146	unknown
ip1.qsdun.com	103.40.13.188	unknown
ip2.qsdun.com	103.40.13.188	unknown
self.events.data.microsoft.com	13.69.116.109	whitelisted

General Info

f7a36e5de1dd869887c945db07df47f2902c014df60df3313ff98ef66ac465c4

E2FFA258A02F9043D926599A8D4260E4

EAB24157EDA25A6B7EC5D4DD875CF0392DDCA9FD

F7A36E5DE1DD869887C945DB07DF47F2902C014DF60DF3313FF98EF66AC465C4

98304:aGvrkVgC1XE4ITVI41fb+zowAj0E0K9lvo4NxfYzZIhKo4zEM3cvlH2OYvTqgXy4:64nRD1TGd+Up

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

BLACKMOON has been detected (YARA)

XORed URL has been found (YARA)

Steals credentials from Web Browsers

SUSPICIOUS

Executable content was dropped or overwritten

Starts itself from another location

There is functionality for communication over UDP network (YARA)

There is functionality for taking screenshot (YARA)

Connects to unusual port

INFO

Reads the computer name

Checks supported languages

The sample compiled with chinese language support

Creates files or folders in the user directory

VMProtect protector has been detected

UPX packer has been detected

Malware configuration

xor-url

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Malware configuration

xor-url

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings