File name: 0dd21d2ab93c40ff7f1f1fe7c9d3326506f22bcfb5af5d8ee76aabfd8b7c2a09

Full analysis: https://app.any.run/tasks/abad4396-ac93-4ecf-9cbe-6b7ff69b84f3
Verdict: Malicious activity
Threats:

BlackMoon, also known as KrBanker, is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has evolved considerably since, adding a number of new infiltration techniques and information-stealing methods.

Analysis date: January 26, 2025, 19:52:41
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
blackmoon
xor-url
generic
upx
vmprotect
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: FA4091BC106B15791E0DBFE7F7E15CE5
SHA1: 93AF07BD7FB9AF642BB4B85FACE882202CC373BB
SHA256: 0DD21D2AB93C40FF7F1F1FE7C9D3326506F22BCFB5AF5D8EE76AABFD8B7C2A09
SSDEEP: 98304:HX36VzVggHTmtYl42Zty98yo5rnfUzlIh1KzzdMVmB2Ha3YvMrNBeKDrzeeoXp6I:yoy9deRo4YAl/Tfm5IN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • BLACKMOON has been detected (YARA)

      • 0dd21d2ab93c40ff7f1f1fe7c9d3326506f22bcfb5af5d8ee76aabfd8b7c2a09.exe (PID: 6464)
    • XORed URL has been found (YARA)

      • 0dd21d2ab93c40ff7f1f1fe7c9d3326506f22bcfb5af5d8ee76aabfd8b7c2a09.exe (PID: 6464)
    • Actions look like stealing of personal data

      • 0dd21d2ab93c40ff7f1f1fe7c9d3326506f22bcfb5af5d8ee76aabfd8b7c2a09.exe (PID: 6464)
    • Steals credentials from Web Browsers

      • 0dd21d2ab93c40ff7f1f1fe7c9d3326506f22bcfb5af5d8ee76aabfd8b7c2a09.exe (PID: 6464)
  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • 0dd21d2ab93c40ff7f1f1fe7c9d3326506f22bcfb5af5d8ee76aabfd8b7c2a09.exe (PID: 6464)
  • INFO

    • Checks supported languages

      • 0dd21d2ab93c40ff7f1f1fe7c9d3326506f22bcfb5af5d8ee76aabfd8b7c2a09.exe (PID: 6464)
    • Reads the computer name

      • 0dd21d2ab93c40ff7f1f1fe7c9d3326506f22bcfb5af5d8ee76aabfd8b7c2a09.exe (PID: 6464)
    • VMProtect protector has been detected

      • 0dd21d2ab93c40ff7f1f1fe7c9d3326506f22bcfb5af5d8ee76aabfd8b7c2a09.exe (PID: 6464)
    • UPX packer has been detected

      • 0dd21d2ab93c40ff7f1f1fe7c9d3326506f22bcfb5af5d8ee76aabfd8b7c2a09.exe (PID: 6464)

xor-url

Process (PID 6464): 0dd21d2ab93c40ff7f1f1fe7c9d3326506f22bcfb5af5d8ee76aabfd8b7c2a09.exe
Decrypted URLs (3):
  • http://c1.5yyz.com
  • http://cc.ys168.com/f_ht/ajcx/ml.aspx?cz=ml_dq&_dlmc=979033318&_dlmm=
  • https://dfgdfq.oss-cn-beijing.aliyuncs.com/
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (12.1)
.exe | Win64 Executable (generic) (10.7)
.exe | UPX compressed Win32 Executable (10.5)
.exe | Win32 EXE Yoda's Crypter (10.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:04 10:57:08+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 684032
InitializedDataSize: 8589312
UninitializedDataSize: -
EntryPoint: 0x93fd8
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 122
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Graph nodes: start; 0dd21d2ab93c40ff7f1f1fe7c9d3326506f22bcfb5af5d8ee76aabfd8b7c2a09.exe (#XOR-URL); 0dd21d2ab93c40ff7f1f1fe7c9d3326506f22bcfb5af5d8ee76aabfd8b7c2a09.exe (no specs)

Process information

PID: 6288
CMD: "C:\Users\admin\Desktop\0dd21d2ab93c40ff7f1f1fe7c9d3326506f22bcfb5af5d8ee76aabfd8b7c2a09.exe"
Path: C:\Users\admin\Desktop\0dd21d2ab93c40ff7f1f1fe7c9d3326506f22bcfb5af5d8ee76aabfd8b7c2a09.exe
Indicators: -
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images):
  c:\users\admin\desktop\0dd21d2ab93c40ff7f1f1fe7c9d3326506f22bcfb5af5d8ee76aabfd8b7c2a09.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll

PID: 6464
CMD: "C:\Users\admin\Desktop\0dd21d2ab93c40ff7f1f1fe7c9d3326506f22bcfb5af5d8ee76aabfd8b7c2a09.exe"
Path: C:\Users\admin\Desktop\0dd21d2ab93c40ff7f1f1fe7c9d3326506f22bcfb5af5d8ee76aabfd8b7c2a09.exe
Indicators: xor-url
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  c:\users\admin\desktop\0dd21d2ab93c40ff7f1f1fe7c9d3326506f22bcfb5af5d8ee76aabfd8b7c2a09.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\user32.dll
xor-url (PID 6464), decrypted URLs (3):
  • http://c1.5yyz.com
  • http://cc.ys168.com/f_ht/ajcx/ml.aspx?cz=ml_dq&_dlmc=979033318&_dlmm=
  • https://dfgdfq.oss-cn-beijing.aliyuncs.com/
Total events: 25
Read events: 25
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 19
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1804 | RUXIMICS.exe | GET | 200 | 23.48.23.159:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.159:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1804 | RUXIMICS.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 92.123.104.34:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1356 | svchost.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1804 | RUXIMICS.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1804 | RUXIMICS.exe | 23.48.23.159:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.159:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1804 | RUXIMICS.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
4712 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
3976 | svchost.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 92.123.104.34
  • 92.123.104.32
  • 92.123.104.21
  • 92.123.104.60
  • 92.123.104.40
  • 92.123.104.33
  • 92.123.104.64
  • 92.123.104.61
  • 92.123.104.7
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.48.23.159
  • 23.48.23.169
  • 23.48.23.145
  • 23.48.23.194
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
self.events.data.microsoft.com
  • 13.69.239.74
whitelisted

Threats

No threats detected
No debug info