File name:

天赐不限速下载器.exe (the file name translates as "Tianci unlimited-speed downloader")

Full analysis: https://app.any.run/tasks/1eeb6d2f-ad02-40b5-a338-bd476c5097bd
Verdict: Malicious activity
Threats:

BlackMoon, also known as KrBanker, is a banking trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection and credential theft to compromise users' online banking accounts. It was first observed in early 2014 attacking banks in South Korea and has evolved since, adding new infiltration techniques and information-stealing methods.

Analysis date: July 31, 2024, 03:45:58
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
blackmoon
ip-check
upx
dyndns
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

F436575DA87B0014BD9007BA910C1866

SHA1:

306E05DF0E6F766BC081BE0AD9C5315002D28477

SHA256:

223D166E92912A180B97936162CDC2416D1B7164562EE36EC05ED3835D8F5647

SSDEEP:

98304:Avydj0JTmfmcOPwXFAhVpXR/4ZvnYXNQng8Bvl+y7EqiJfBvJ0F4cm42MYRoyO+/:rr1JgFkTxcokEKw11/rPDw9o7Je+5osU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 天赐不限速下载器.exe (PID: 6512)
    • BLACKMOON has been detected (YARA)

      • 天赐不限速下载器.exe (PID: 6512)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 天赐不限速下载器.exe (PID: 6512)
    • Reads security settings of Internet Explorer

      • 天赐不限速下载器.exe (PID: 6512)
    • Contains functionality for communicating with a dynamic DNS (DynDNS) network (YARA)

      • 天赐不限速下载器.exe (PID: 6512)
    • Reads the date of Windows installation

      • 天赐不限速下载器.exe (PID: 6512)
    • Contains functionality for retrieving the public IP address (YARA)

      • 天赐不限速下载器.exe (PID: 6512)
  • INFO

    • Creates files or folders in the user directory

      • 天赐不限速下载器.exe (PID: 6512)
    • Reads the computer name

      • 天赐不限速下载器.exe (PID: 6512)
      • aria2c.exe (PID: 5040)
    • Checks supported languages

      • 天赐不限速下载器.exe (PID: 6512)
      • aria2c.exe (PID: 5040)
    • Reads Environment values

      • 天赐不限速下载器.exe (PID: 6512)
    • Reads the machine GUID from the registry

      • 天赐不限速下载器.exe (PID: 6512)
      • aria2c.exe (PID: 5040)
    • Process checks computer location settings

      • 天赐不限速下载器.exe (PID: 6512)
    • Checks proxy server information

      • slui.exe (PID: 2888)
      • 天赐不限速下载器.exe (PID: 6512)
    • UPX packer has been detected

      • 天赐不限速下载器.exe (PID: 6512)
    • Reads the software policy settings

      • slui.exe (PID: 2888)
    • Creates files in a temporary directory

      • aria2c.exe (PID: 5040)
    • Dropped object may contain TOR URLs

      • 天赐不限速下载器.exe (PID: 6512)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:02:01 14:07:45+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 13508608
InitializedDataSize: 290816
UninitializedDataSize: 13221888
EntryPoint: 0x197d7b0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 1.0.0.0
FileDescription: 专业下载器 ("Professional Downloader")
ProductName: 专业下载器 ("Professional Downloader")
ProductVersion: 1.0.0.0
LegalCopyright: 作者版权所有 请尊重并使用正版 ("Copyright held by the author; please respect it and use the genuine version")
Comments: 本程序使用易语言编写(http://www.eyuyan.com) ("This program was written in Easy Programming Language (易语言, http://www.eyuyan.com)")
All screenshots are available in the full report
Total processes
144
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

Nodes: start; THREAT: 天赐不限速下载器.exe; aria2c.exe; conhost.exe (no specs); slui.exe; slui.exe (no specs); 天赐不限速下载器.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1772
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
2888
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
4012
CMD:
"C:\Users\admin\AppData\Local\Temp\天赐不限速下载器.exe"
Path:
C:\Users\admin\AppData\Local\Temp\天赐不限速下载器.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
专业下载器
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity launch could not continue without elevation; the high-integrity instance PID 6512, with the same command line and parent, is the elevated relaunch)
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\天赐不限速下载器.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
5040
CMD:
"C:\Users\admin\AppData\Roaming\Downloader\aria2c.exe" --conf-path="C:\Users\admin\AppData\Roaming\Downloader\aria2.conf" #--save-session="C:\Users\admin\AppData\Roaming\Downloader\aria2.session" --input-file="C:\Users\admin\AppData\Roaming\Downloader\aria2.session" --rpc-listen-port=6288 --listen-port=6388 --dht-listen-port=6390 --enable-rpc=true --rpc-allow-origin-all=true --disable-ipv6=false --rpc-secret=123 --enable-dht=true --enable-dht6=true --dht-file-path="C:\Users\admin\AppData\Roaming\Downloader\dht.dat" --dht-file-path6="C:\Users\admin\AppData\Roaming\Downloader\dht6.dat" --bt-external-ip=84.17.49.22 --stop-with-process=6512 --check-certificate=false
Path:
C:\Users\admin\AppData\Roaming\Downloader\aria2c.exe
Parent process:
天赐不限速下载器.exe
Note: --enable-rpc=true with --rpc-secret=123 and --rpc-allow-origin-all=true exposes the aria2 JSON-RPC control interface on port 6288 to any web origin behind a trivially guessable secret, --check-certificate=false disables TLS certificate verification for everything aria2c downloads, and the "#--save-session=..." argument is passed to aria2c literally (the leading "#" is part of the argument, not a comment).
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\roaming\downloader\aria2c.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
6340
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
aria2c.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
6512
CMD:
"C:\Users\admin\AppData\Local\Temp\天赐不限速下载器.exe"
Path:
C:\Users\admin\AppData\Local\Temp\天赐不限速下载器.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
专业下载器
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\天赐不限速下载器.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
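The aria2c command line recorded for PID 5040 is worth checking wherever aria2c turns up in process-creation telemetry. The Python helper below is an added example and is not part of the ANY.RUN report or of the analysed sample: it tokenizes a Windows command line, collects the --key=value options, and returns finding codes for the RPC exposure (RPC enabled, guessable --rpc-secret, --rpc-allow-origin-all, --check-certificate=false). The embedded command line is the one from PID 5040; the finding codes, the 16-character secret threshold and the aria2 defaults stated in the comments are the example's own assumptions, and the JSON-RPC body it builds follows aria2's documented aria2.addUri method.

```python
"""Triage an aria2c command line for insecure RPC exposure.

Added example: not part of the ANY.RUN report or of the analysed sample.
The finding codes and thresholds below are this example's own conventions.
"""
import json

# Command line of PID 5040 as shown in the report (copied verbatim).
ARIA2_CMDLINE = (
    r'"C:\Users\admin\AppData\Roaming\Downloader\aria2c.exe" '
    r'--conf-path="C:\Users\admin\AppData\Roaming\Downloader\aria2.conf" '
    r'#--save-session="C:\Users\admin\AppData\Roaming\Downloader\aria2.session" '
    r'--input-file="C:\Users\admin\AppData\Roaming\Downloader\aria2.session" '
    r'--rpc-listen-port=6288 --listen-port=6388 --dht-listen-port=6390 '
    r'--enable-rpc=true --rpc-allow-origin-all=true --disable-ipv6=false '
    r'--rpc-secret=123 --enable-dht=true --enable-dht6=true '
    r'--dht-file-path="C:\Users\admin\AppData\Roaming\Downloader\dht.dat" '
    r'--dht-file-path6="C:\Users\admin\AppData\Roaming\Downloader\dht6.dat" '
    r'--bt-external-ip=84.17.49.22 --stop-with-process=6512 --check-certificate=false'
)


def tokenize_windows_cmdline(cmd: str) -> list:
    """Split on whitespace outside double quotes. Quotes are dropped and
    backslashes kept literally (Windows paths are not escape sequences)."""
    tokens, cur, in_quote = [], [], False
    for ch in cmd:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_aria2_options(cmd: str) -> tuple:
    """Return (options, leftovers). '--k=v' -> options[k] = v, bare '--k' -> 'true'.
    Anything that is not a '--' option (the image path, the '#'-prefixed
    argument that was evidently meant as a comment) lands in leftovers."""
    options, leftovers = {}, []
    for tok in tokenize_windows_cmdline(cmd):
        if tok.startswith("--"):
            key, _, value = tok[2:].partition("=")
            options[key] = value or "true"
        else:
            leftovers.append(tok)
    return options, leftovers


def assess_rpc_exposure(opts: dict) -> list:
    """Finding codes for the RPC-related settings. aria2 defaults assumed:
    RPC port 6800, bound to localhost only (--rpc-listen-all=false),
    no secret, TLS verification on. The 16-char threshold is this example's."""
    findings = []
    if opts.get("enable-rpc", "false") == "true":
        findings.append("rpc_enabled:" + opts.get("rpc-listen-port", "6800"))
        secret = opts.get("rpc-secret", "")
        if not secret:
            findings.append("no_rpc_secret")
        elif len(secret) < 16 or secret.isdigit():
            findings.append("weak_rpc_secret")
        if opts.get("rpc-allow-origin-all") == "true":
            findings.append("cors_wildcard")  # Access-Control-Allow-Origin: * on RPC replies
        if opts.get("rpc-listen-all") == "true":
            findings.append("rpc_on_all_interfaces")
    if opts.get("check-certificate") == "false":
        findings.append("tls_verification_disabled")
    if "stop-with-process" in opts:
        findings.append("lifetime_tied_to_pid:" + opts["stop-with-process"])
    return findings


def rpc_add_uri_request(secret: str, uri: str, out_dir: str) -> str:
    """Body of aria2's documented aria2.addUri JSON-RPC call. The secret is
    the only gate: with a wildcard CORS policy, a script on any web origin
    that guesses it can POST this to http://localhost:<port>/jsonrpc."""
    body = {"jsonrpc": "2.0", "id": "triage", "method": "aria2.addUri",
            "params": ["token:" + secret, [uri], {"dir": out_dir}]}
    return json.dumps(body)


if __name__ == "__main__":
    opts, rest = parse_aria2_options(ARIA2_CMDLINE)
    for code in assess_rpc_exposure(opts):
        print(code)
    print(rpc_add_uri_request(opts["rpc-secret"], "http://example.invalid/x", r"C:\Users\admin"))
```

Run as a script it prints the findings for the report's command line; the same parse_aria2_options/assess_rpc_exposure pair applies to the CommandLine field of Sysmon event ID 1 or Windows event 4688. The cors_wildcard finding is the one that matters most here: the jsonrpc[1] entry in the IE cache shows the dropper itself already talks to this endpoint, and with the secret set to 123 a script on any web origin that guesses it can drive the downloader the same way.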
Total events
6 480
Read events
6 469
Write events
11
Delete events
0

Modification events

(PID) Process: (6512) 天赐不限速下载器.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6512) 天赐不限速下载器.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (6512) 天赐不限速下载器.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (6512) 天赐不限速下载器.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (6512) 天赐不限速下载器.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (6512) 天赐不限速下载器.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6512) 天赐不限速下载器.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Note: the ZoneMap and CachePrefix values above are written by WinINet when a process first initializes the Internet Settings and URL cache; they appear whenever a WinINet client runs (the jsonrpc[1] entry in INetCache shows the sample uses WinINet for its HTTP traffic), so on their own they are not evidence of tampering with browser security settings.
Executable files
3
Suspicious files
11
Text files
2
Unknown types
0

Dropped files

PID | Process | Filename | Type
6512 | 天赐不限速下载器.exe | C:\Users\admin\AppData\Roaming\Downloader\dht.dat | binary
MD5: 97D35135C0094CBAD988D5E19C60D738
SHA256: 2DB72D1BBC336C1FE4032AAE924D3A0DD0FF63943CD32B1A917263F79DFDFF82
6512 | 天赐不限速下载器.exe | C:\Users\admin\AppData\Roaming\Downloader\log.txt | text
MD5: F786FC92744631A499BA41078231D7F5
SHA256: 8D294AA1FAE5FF03C39D6609B0F67A2DADC04FA5863BFD8CE235FAAFDDCC78E4
6512 | 天赐不限速下载器.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\jsonrpc[1] | binary
MD5: D00E5639FB0086118819C0069DE6F841
SHA256: 6D3B92F5EF029B8E7C0F69FF7FF03225BEB2FDA2EBB297ADDEB5EB68DBC7D4F2
6512 | 天赐不限速下载器.exe | C:\Users\admin\AppData\Roaming\Downloader\libcurl.txt | executable
MD5: C827ADD774456C759D2A7B35A2AE3525
SHA256: 5EB7C4723ACAB028D8BFEA807CAE6DAD1F38D2C21B11586D77A69A716FBC4F2A
5040 | aria2c.exe | C:\Users\admin\AppData\Local\Temp\Download_auto.zip.aria2__temp | pi2
MD5: 28F53BC368DCFBC7355102761214BFE6
SHA256: DBACC68262805AB88E1B2576A7FFD7703EF641912767A52E06A1DE19B220A949
6512 | 天赐不限速下载器.exe | C:\Users\admin\AppData\Roaming\Downloader\dht6.dat | binary
MD5: C561B953363493106E86C015936D64FD
SHA256: 74470DCD03301112DB1E9FD4766A08C577AC92C8B4F2BFA25924CE1D1B99FD1E
5040 | aria2c.exe | C:\Users\admin\AppData\Local\Temp\Download_auto.zip.aria2 | binary
MD5: 28F53BC368DCFBC7355102761214BFE6
SHA256: DBACC68262805AB88E1B2576A7FFD7703EF641912767A52E06A1DE19B220A949
6512 | 天赐不限速下载器.exe | C:\Users\admin\AppData\Roaming\Downloader\aria2.conf | text
MD5: BE2848313251CC4BDC3F4D83FBB678EE
SHA256: 35A633EC422857CE9D27F0E6B948D8B871AF90C0430754BDD3F7CA70970E866D
6512 | 天赐不限速下载器.exe | C:\Users\admin\AppData\Roaming\Downloader\aria2c.exe | executable
MD5: A5C047F169471BD325552C255D6C04AF
SHA256: CEC8BB942475690363C1558FDF55E3CF59F29607967A822A626D4976A348334A
6512 | 天赐不限速下载器.exe | C:\Users\admin\AppData\Roaming\Downloader\libcurl.dll | executable
MD5: C827ADD774456C759D2A7B35A2AE3525
SHA256: 5EB7C4723ACAB028D8BFEA807CAE6DAD1F38D2C21B11586D77A69A716FBC4F2A

Note: libcurl.txt and libcurl.dll carry identical hashes, as do Download_auto.zip.aria2__temp and Download_auto.zip.aria2, consistent with each file being written under a staging name and then renamed. The jsonrpc[1] entry in the IE cache is a WinINet-cached JSON-RPC response, consistent with the dropper driving aria2c over the RPC interface that PID 5040 opens on port 6288.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
40
TCP/UDP connections
82
DNS requests
25
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6512 | 天赐不限速下载器.exe | GET | 200 | 211.91.65.194:80 | http://aria2c.vip/xydown/SelectListOne.php?user=a8512514&id=U07WS&key=5a017b4fc961c4fb8e23815732371206 | CN | binary | 2.20 Kb | unknown
5368 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | US | binary | 312 b | whitelisted
4424 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted
5368 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | US | binary | 471 b | whitelisted
3676 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | US | binary | 471 b | whitelisted
7008 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | US | binary | 471 b | whitelisted
4132 | OfficeClickToRun.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | US | binary | 471 b | whitelisted
6512 | 天赐不限速下载器.exe | GET | 200 | 116.131.57.66:80 | http://jiexi.aria2c.vip/jiexi/Get_txwy_tree.php?fileid=5cd7696b-741d-402a-8165-8c6829627c6e&user=a8512514&key=2325b93e9dfbed6d0e665c76c683c88b | CN | text | 22 b | unknown
5040 | aria2c.exe | GET | | 129.226.106.155:80 | http://njc-download.weiyun.com/ftn_handler/1c499b1748823ec89f27ac66d2a3d070d743250d67212669edfa2e437984b894/%E5%A4%A9%E8%B5%90DNF%E5%AE%A2%E6%88%B7%E7%AB%AFv8.zip?fname=%E5%A4%A9%E8%B5%90DNF%E5%AE%A2%E6%88%B7%E7%AB%AFv8.zip&from=30120&version=3.3.3.3 | HK | | | whitelisted
5040 | aria2c.exe | GET | | 129.226.106.155:80 | http://njc-download.weiyun.com/ftn_handler/1c499b1748823ec89f27ac66d2a3d070d743250d67212669edfa2e437984b894/%E5%A4%A9%E8%B5%90DNF%E5%AE%A2%E6%88%B7%E7%AB%AFv8.zip?fname=%E5%A4%A9%E8%B5%90DNF%E5%AE%A2%E6%88%B7%E7%AB%AFv8.zip&from=30120&version=3.3.3.3 | HK | | | whitelisted

The percent-encoded file name in the weiyun.com requests decodes to 天赐DNF客户端v8.zip ("Tianci DNF client v8").

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3976 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
| | 131.253.33.254:443 | a-ring-fallback.msedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
| | 104.126.37.178:443 | www.bing.com | Akamai International B.V. | DE | unknown
6412 | slui.exe | 20.83.72.98:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6012 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2856 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3952 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
3188 | slui.exe | 20.83.72.98:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
t-ring-fdv2.msedge.net
  • 13.107.237.254
unknown
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
a-ring-fallback.msedge.net
  • 131.253.33.254
unknown
www.bing.com
  • 104.126.37.178
  • 104.126.37.160
  • 104.126.37.152
  • 104.126.37.161
  • 104.126.37.176
  • 104.126.37.163
  • 104.126.37.146
  • 104.126.37.130
  • 104.126.37.154
  • 2.23.209.149
  • 2.23.209.193
  • 2.23.209.182
  • 2.23.209.185
  • 2.23.209.189
  • 2.23.209.140
  • 2.23.209.177
  • 2.23.209.133
  • 2.23.209.176
whitelisted
google.com
  • 142.250.185.238
whitelisted
aria2c.vip
  • 211.91.65.194
  • 123.6.40.213
  • 221.204.72.204
  • 61.240.220.214
  • 118.212.138.171
  • 119.36.226.137
  • 116.131.57.66
  • 116.196.148.74
  • 112.132.119.60
  • 119.167.229.212
  • 42.56.81.104
  • 123.6.37.241
  • 59.80.47.124
  • 36.248.54.85
  • 116.131.57.65
unknown
fp-afd-nocache-ccp.azureedge.net
  • 13.107.246.42
whitelisted
login.live.com
  • 40.126.32.140
  • 40.126.32.136
  • 20.190.160.20
  • 20.190.160.14
  • 40.126.32.74
  • 40.126.32.138
  • 40.126.32.76
  • 40.126.32.133
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted

Threats

No threats detected
No debug info