File name:	f8fe7bbf5d67878df4fd23af3d0f97678ca362274110022d2d522fec822de4b1
Full analysis:	https://app.any.run/tasks/e9d2f71f-e6db-4890-aad8-ed4a5187cb81
Verdict:	Malicious activity
Analysis date:	December 13, 2024, 20:19:32
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion upx blackmoon
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	F652B01615EFECE78B8964BE17E4D7B1
SHA1:	BA24039EBA075F24DD2FC9B22F01E5EC13C1FDDE
SHA256:	F8FE7BBF5D67878DF4FD23AF3D0F97678CA362274110022D2D522FEC822DE4B1
SSDEEP:	98304:qpdpNexs6rfzZXZb/g78GjWwSkSh5AczqcL9yFTxsUtU3cxxVZ3TbicGd2LsmaNA:JqP

.exe	\|	Win32 Executable MS Visual C++ (generic) (22.1)
.exe	\|	Win64 Executable (generic) (19.6)
.exe	\|	UPX compressed Win32 Executable (19.2)
.exe	\|	Win32 EXE Yoda's Crypter (18.8)
.scr	\|	Windows screen saver (9.3)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:12:11 03:14:49+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	913408
InitializedDataSize:	2027520
UninitializedDataSize:	-
EntryPoint:	0xbcfe1
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Chinese (Simplified)
CharacterSet:	Unicode
FileVersion:	1.0.0.0
FileDescription:	易语言程序
ProductName:	易语言程序
ProductVersion:	1.0.0.0
LegalCopyright:	作者版权所有请尊重并使用正版
Comments:	本程序使用易语言编写(http://www.eyuyan.com)


(PID) Process:	(6264) f8fe7bbf5d67878df4fd23af3d0f97678ca362274110022d2d522fec822de4b1.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings
Operation:	write	Name:	JITDebug
Value: 0
(PID) Process:	(6264) f8fe7bbf5d67878df4fd23af3d0f97678ca362274110022d2d522fec822de4b1.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\f8fe7bbf5d67878df4fd23af3d0f97678ca362274110022d2d522fec822de4b1.exe
Operation:	write	Name:	JScriptSetScriptStateStarted
Value: D871130000000000

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1596	RUXIMICS.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6264	f8fe7bbf5d67878df4fd23af3d0f97678ca362274110022d2d522fec822de4b1.exe	GET	200	8.141.58.141:80	http://www.fm4000888.cn/a/zhinenchanpin/2024/0718/38.html	unknown	—	—	—
4712	MoUsoCoreWorker.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1596	RUXIMICS.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1472	svchost.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6264	f8fe7bbf5d67878df4fd23af3d0f97678ca362274110022d2d522fec822de4b1.exe	GET	200	42.120.158.5:80	http://www.net.cn/static/customercare/yourip.asp	unknown	—	—	—
1472	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	103.235.47.188:443	https://sp0.baidu.com/8aQDcjqpAAV3otqbppnN2DJv/api.php?query=128.127.113.47&resource_id=6006	unknown	binary	403 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
1472	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1596	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6264	f8fe7bbf5d67878df4fd23af3d0f97678ca362274110022d2d522fec822de4b1.exe	8.141.58.141:80	www.fm4000888.cn	Hangzhou Alibaba Advertising Co.,Ltd.	CN	unknown
6264	f8fe7bbf5d67878df4fd23af3d0f97678ca362274110022d2d522fec822de4b1.exe	8.141.58.141:6699	www.fm4000888.cn	Hangzhou Alibaba Advertising Co.,Ltd.	CN	unknown
1472	svchost.exe	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1596	RUXIMICS.exe	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 20.73.194.208	whitelisted
google.com	142.250.186.142	whitelisted
www.fm4000888.cn	8.141.58.141	unknown
crl.microsoft.com	2.16.241.12 2.16.241.19	whitelisted
www.net.cn	42.120.158.5	unknown
www.microsoft.com	88.221.169.152	whitelisted
sp0.baidu.com	103.235.47.188 103.235.46.96	whitelisted
self.events.data.microsoft.com	20.50.73.4	whitelisted

General Info

f8fe7bbf5d67878df4fd23af3d0f97678ca362274110022d2d522fec822de4b1

F652B01615EFECE78B8964BE17E4D7B1

BA24039EBA075F24DD2FC9B22F01E5EC13C1FDDE

F8FE7BBF5D67878DF4FD23AF3D0F97678CA362274110022D2D522FEC822DE4B1

98304:qpdpNexs6rfzZXZb/g78GjWwSkSh5AczqcL9yFTxsUtU3cxxVZ3TbicGd2LsmaNA:JqP

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

BLACKMOON has been detected (YARA)

SUSPICIOUS

Connects to unusual port

There is functionality for taking screenshot (YARA)

Checks for external IP

INFO

UPX packer has been detected

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings