File name:

342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1

Full analysis: https://app.any.run/tasks/fd3b31ee-d160-47dd-804f-19b9a1930720
Verdict: Malicious activity
Threats:

BlackMoon also known as KrBanker is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has impressively evolved since by adding a number of new infiltration techniques and information stealing methods.

Analysis date: January 18, 2025, 20:52:22
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
upx
blackmoon
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

9745AECA19E4DFC3496C859230E7DD21

SHA1:

1B7A0CDC7FFD50690DA8FA14A932DF87CCB5EEA7

SHA256:

342B151200E9408CB3A3DD278901BB136BF8093D0E9CB1DAE3C191B811C1C1F1

SSDEEP:

49152:EIkRoaeBPf+O4XDtKB4TIwXAk+TcYlFnbglZ0lnt7FhkJDNGiufCG+fLoQ0jhZ1J:Exq/efJxA3c2F030ldFhkJDNGDKCQ0FW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • BLACKMOON has been detected (YARA)

      • 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe (PID: 6900)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • update.exe (PID: 6832)
      • 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe (PID: 6504)
      • 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe (PID: 6900)
    • Reads security settings of Internet Explorer

      • update.exe (PID: 6832)
      • 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe (PID: 6504)
      • 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe (PID: 6900)
    • Checks Windows Trust Settings

      • 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe (PID: 6504)
      • update.exe (PID: 6832)
      • 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe (PID: 6900)
    • There is functionality for communication over UDP network (YARA)

      • 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe (PID: 6900)
    • There is functionality for taking screenshot (YARA)

      • 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe (PID: 6900)
  • INFO

    • Checks proxy server information

      • 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe (PID: 6504)
      • update.exe (PID: 6832)
      • 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe (PID: 6900)
    • Creates files or folders in the user directory

      • 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe (PID: 6504)
      • 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe (PID: 6900)
    • Reads the software policy settings

      • 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe (PID: 6504)
      • 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe (PID: 6900)
      • update.exe (PID: 6832)
    • Checks supported languages

      • 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe (PID: 6504)
      • update.exe (PID: 6832)
      • 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe (PID: 6900)
    • Reads the computer name

      • 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe (PID: 6504)
      • update.exe (PID: 6832)
      • 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe (PID: 6900)
    • Process checks computer location settings

      • 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe (PID: 6504)
      • update.exe (PID: 6832)
    • The process uses the downloaded file

      • 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe (PID: 6504)
      • update.exe (PID: 6832)
    • Reads the machine GUID from the registry

      • 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe (PID: 6900)
      • update.exe (PID: 6832)
      • 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe (PID: 6504)
    • UPX packer has been detected

      • 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe (PID: 6900)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (39.5)
.exe | UPX compressed Win32 Executable (38.7)
.dll | Win32 Dynamic Link Library (generic) (9.4)
.exe | Win32 Executable (generic) (6.4)
.exe | Generic Win/DOS Executable (2.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:10:14 11:42:33+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 1306624
InitializedDataSize: 53248
UninitializedDataSize: 2707456
EntryPoint: 0x3d4b90
OSVersion: 4.1
ImageVersion: -
SubsystemVersion: 4.1
Subsystem: Windows GUI
FileVersionNumber: 0.9.1.0
ProductVersionNumber: 0.9.1.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Unknown (0009)
CharacterSet: Unicode
CompanyName: -
FileDescription: 大唐工具箱
FileVersion: 0.9.1.0
InternalName: 大唐工具箱
LegalCopyright: -
OriginalFileName: 大唐工具箱.exe
ProductName: 大唐工具箱
ProductVersion: 0.9.1.0
All screenshots are available in the full report
Total processes: 121
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Nodes shown in the graph: start; 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe; svchost.exe; update.exe; #BLACKMOON 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe; 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe (no specs)

Process information

PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 6376
CMD: "C:\Users\admin\Desktop\342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe"
Path: C:\Users\admin\Desktop\342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
大唐工具箱
Exit code:
3221226540
Version:
0.9.1.0
Modules
Images
c:\users\admin\desktop\342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 6504
CMD: "C:\Users\admin\Desktop\342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe"
Path: C:\Users\admin\Desktop\342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
大唐工具箱
Exit code:
0
Version:
0.9.1.0
Modules
Images
c:\users\admin\desktop\342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6832
CMD: "C:\Users\admin\Desktop\update.exe" 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe https://dqprop.oss-cn-hangzhou.aliyuncs.com/app/datangKit.exe
Path: C:\Users\admin\Desktop\update.exe
Parent process: 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe
User:
admin
Company:
2024/02/19
Integrity Level:
HIGH
Description:
update
Exit code:
0
Version:
0.0.0.6
Modules
Images
c:\users\admin\desktop\update.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6900
CMD: "C:\Users\admin\Desktop\342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe"
Path: C:\Users\admin\Desktop\342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe
Parent process: update.exe
User:
admin
Integrity Level:
HIGH
Description:
大唐工具箱
Version:
0.9.5.0
Modules
Images
c:\users\admin\desktop\342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 10 973
Read events: 10 967
Write events: 6
Delete events: 0

Modification events

(PID) Process: (6504) 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (6504) 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6504) 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (6900) 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (6900) 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6900) 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 5
Suspicious files: 5
Text files: 0
Unknown types: 0

Dropped files

PID: 6504 | Process: 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\update[1].exe
MD5: AE3A19C21AFEEEEC79FE74183A292BCE
SHA256: 267868C90FFC4B13550063C3356204BE42C61AD7DE1DB8F837B100055471DE13

PID: 6504 | Process: 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe | Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\config[1].json
MD5: 6EF4EEAF98FA695E20551E5208E2D886
SHA256: 21D9C760DC3F19AD11875E46DE492D68470F96D70CD65C39F627A7ED76951E73

PID: 6900 | Process: 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe | Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\config[1].json
MD5: 6EF4EEAF98FA695E20551E5208E2D886
SHA256: 21D9C760DC3F19AD11875E46DE492D68470F96D70CD65C39F627A7ED76951E73

PID: 6504 | Process: 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe | Type: executable
Filename: C:\Users\admin\Desktop\update.exe
MD5: AE3A19C21AFEEEEC79FE74183A292BCE
SHA256: 267868C90FFC4B13550063C3356204BE42C61AD7DE1DB8F837B100055471DE13

PID: 6900 | Process: 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe | Type: binary
Filename: C:\Users\admin\Desktop\大唐工具箱.lnk
MD5: 9EF147B8F8D3F9484BB41FCC5A16F601
SHA256: 40FBEDD337D12888FA43DFDB2BD3B42EA8BE31B89649D98B960459B8EDEE02B2

PID: 6900 | Process: 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\大唐工具箱.lnk
MD5: B08C65842AEF9C913D78E486FE8D8DBA
SHA256: 7B7FBB6FBCED71B6A82B7BB444230F08F487C5BD9F21BC6A9CA56606154F1E6C

PID: 6900 | Process: 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\datangWebView[1].exe
MD5: BCF42B0136A341B106B2982A31B329EA
SHA256: 5736104F9CBF321B626244D642CE07054055D2C1136E8AE29F2F67E4C11CAA82

PID: 6900 | Process: 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe | Type: executable
Filename: C:\Users\admin\Desktop\datangWebView.exe
MD5: BCF42B0136A341B106B2982A31B329EA
SHA256: 5736104F9CBF321B626244D642CE07054055D2C1136E8AE29F2F67E4C11CAA82

PID: 6832 | Process: update.exe | Type: executable
Filename: C:\Users\admin\Desktop\342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe
MD5: 21D07D1668B952F848D1F5363C3BD2D7
SHA256: 97E1409814A26CF2E8267A94AD306E954E3188604670096B1B5FE555FCD1F841

PID: 6900 | Process: 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe | Type: binary
Filename: C:\Users\admin\Desktop\version.json
MD5: F77C9AA0C4143862EEE4BC4694CF2649
SHA256: 4F06E1C299C3468A394D08470FF042AA93ED79AAE1CCAC53422B364895FC37DA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 13
TCP/UDP connections: 30
DNS requests: 10
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.162:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 1.01 Kb | whitelisted
3700 | svchost.exe | GET | 200 | 23.48.23.162:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 1.01 Kb | whitelisted
- | - | GET | 200 | 118.178.60.54:443 | https://dqprop.oss-cn-hangzhou.aliyuncs.com/app/update.exe | CN | executable | 486 Kb | unknown
- | - | GET | 302 | 184.30.21.171:443 | https://go.microsoft.com/fwlink/?linkid=2124701 | US | - | - | unknown
- | - | GET | - | 23.48.23.14:443 | https://msedge.sf.dl.delivery.mp.microsoft.com/filestreamingservice/files/5438194f-50fd-42d4-a059-6ed4e13b4f9a/MicrosoftEdgeWebView2RuntimeInstallerX64.exe | US | - | - | unknown
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted
3700 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted
- | - | GET | 200 | 118.178.94.142:443 | https://www.xmdatang.com/api/datang/config?key=version | CN | binary | 423 b | unknown
- | - | GET | 200 | 118.178.60.54:443 | https://dqprop.oss-cn-hangzhou.aliyuncs.com/app/datangKit.exe | CN | executable | 1.29 Mb | unknown
- | - | GET | 200 | 118.178.94.142:443 | https://www.xmdatang.com/api/datang/config?key=version | CN | binary | 423 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 104.126.37.136:443 | - | Akamai International B.V. | DE | unknown
- | - | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3700 | svchost.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.162:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3700 | svchost.exe | 23.48.23.162:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3700 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 23.48.23.162
  • 23.48.23.177
  • 23.48.23.173
  • 23.48.23.164
  • 23.48.23.150
  • 23.48.23.166
  • 23.48.23.158
  • 23.48.23.180
  • 23.48.23.169
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
www.xmdatang.com
  • 118.178.94.142
unknown
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
dqprop.oss-cn-hangzhou.aliyuncs.com
  • 118.178.60.54
unknown
go.microsoft.com
  • 184.28.89.167
whitelisted
msedge.sf.dl.delivery.mp.microsoft.com
  • 2.19.126.139
  • 2.19.126.136
whitelisted
self.events.data.microsoft.com
  • 20.42.73.30
whitelisted

Threats

PID | Process | Class | Message
2192 | svchost.exe | Misc activity | ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
6504 | 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe | Misc activity | ET INFO Observed Alibaba Cloud CDN Domain (aliyuncs .com in TLS SNI)
6832 | update.exe | Misc activity | ET INFO Observed Alibaba Cloud CDN Domain (aliyuncs .com in TLS SNI)
6900 | 342b151200e9408cb3a3dd278901bb136bf8093d0e9cb1dae3c191b811c1c1f1.exe | Misc activity | ET INFO Observed Alibaba Cloud CDN Domain (aliyuncs .com in TLS SNI)
1 ETPRO signatures available at the full report
No debug info