File name:

2025-05-17_242bccb635cd8609f5c054cbdf84f2ff_black-basta_elex_hijackloader_rhadamanthys

Full analysis: https://app.any.run/tasks/6e71e264-1c7c-4a8c-83f6-c07d8bc989dd
Verdict: Malicious activity
Threats:

BlackMoon, also known as KrBanker, is a banking trojan that steals payment credentials through man-in-the-browser (MitB) attacks, web injection and credential theft against online banking sessions. It was first observed in early 2014 targeting banks in South Korea and has since added further infiltration techniques and information-stealing methods.

Note that the submitted file name mentions Black Basta, Elex, HijackLoader and Rhadamanthys, but the only family detection in this run is BlackMoon (YARA). Treat the file name as a submitter label, not as an analysis result.

Analysis date: May 17, 2025, 09:45:35
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
blackmoon
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: 242BCCB635CD8609F5C054CBDF84F2FF
SHA1: 23E4CE51E4D7A8624848EB002CDFA03D38C96A5B
SHA256: 3F71F0E2B3C67B6B78A4229F77A7CC216D6B7A1C1E37E00B8DFFF3D695EE63EC
SSDEEP: 49152:bEHilT9g+1Br4K6a4kDKYkFt/WDnKxjLS7Rg5scUhCi:4ClT9g+12K6a4kDKYk3WA6lg5scc7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
Signatures (sample = 2025-05-17_242bccb635cd8609f5c054cbdf84f2ff_black-basta_elex_hijackloader_rhadamanthys.exe, PID 7576):
  • MALICIOUS
    • BLACKMOON has been detected (YARA): sample (PID 7576)
  • SUSPICIOUS
    • Creates file in the systems drive root: sample (PID 7576)
    • There is functionality for taking screenshot (YARA): sample (PID 7576)
    • Executable content was dropped or overwritten: sample (PID 7576)
    • Process drops legitimate windows executable: sample (PID 7576)
    • Potential Corporate Privacy Violation: sample (PID 7576)
    • Reads security settings of Internet Explorer: sample (PID 7576)
  • INFO
    • Checks supported languages: sample (PID 7576)
    • Creates files or folders in the user directory: sample (PID 7576)
    • The sample compiled with english language support: sample (PID 7576)
    • Failed to create an executable file in Windows directory: sample (PID 7576)
    • Checks proxy server information: sample (PID 7576); slui.exe (PID 4880)
    • Reads the computer name: sample (PID 7576)
    • Reads the software policy settings: slui.exe (PID 4880)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:10:07 02:06:26+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 122880
InitializedDataSize: 167936
UninitializedDataSize: -
EntryPoint: 0xb0d1
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI

The 2013 compile timestamp and linker version 6 (the Visual C++ 6.0 toolchain) fit the age of the BlackMoon family, but the PE timestamp is a header field the builder can set to anything, so treat it as a hint rather than evidence.
No data.
Screenshots: all screenshots are available in the full report.
Total processes
127
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

start -> #BLACKMOON 2025-05-17_242bccb635cd8609f5c054cbdf84f2ff_black-basta_elex_hijackloader_rhadamanthys.exe; slui.exe; svchost.exe

Process information

PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 4880
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7576
CMD: "C:\Users\admin\Desktop\2025-05-17_242bccb635cd8609f5c054cbdf84f2ff_black-basta_elex_hijackloader_rhadamanthys.exe"
Path: C:\Users\admin\Desktop\2025-05-17_242bccb635cd8609f5c054cbdf84f2ff_black-basta_elex_hijackloader_rhadamanthys.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules (images); the wow64*.dll and syswow64 entries show the sample running as a 32-bit process under WOW64, consistent with the PE32 header above:
c:\users\admin\desktop\2025-05-17_242bccb635cd8609f5c054cbdf84f2ff_black-basta_elex_hijackloader_rhadamanthys.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 3815
Read events: 3815
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 9
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

All ten files were written by PID 7576 (2025-05-17_242bccb635cd8609f5c054cbdf84f2ff_black-basta_elex_hijackloader_rhadamanthys.exe). Each entry gives Filename | Type, then the hashes of the dropped copy.

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | executable
MD5: 50580F1C6AD3AF8F7C9325A48070214F
SHA256: D1F7282149B4DBEA3557FF02308264CFC5AA13AE33490B8692F392C1132371DB

C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | executable
MD5: 659153659772B6DA39F1BE1CF49B04B4
SHA256: 1A85E0235F7F0F810B2B8C2B81351AB631DAB5B351FFA30A49606682C8869A9C

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | executable
MD5: 3D1882B40B05C9A125A0E2C5E834595F
SHA256: 1A6E19EA41D5368D318DC97BDB09F269E5B33BE9972BB936FC4DBAE7F83DD8BE

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | executable
MD5: 91F58CC9DB0169D917E8F5BE3EE6BC8A
SHA256: C9E60F0E9BE20953A351B12E4B0F9F861FF2B9BEBAE0B6E95C406F73D213CB3C

C:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exe | executable
MD5: 6280AC1831E499B972405890FFF0B5AF
SHA256: 1650105226B7E52E26E98A467BA83F58333F9BB72EA2274B2ABABE598AEF8D65

C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | executable
MD5: CF1A1B2A6F227D5B06AB0B3C8B88618B
SHA256: 1FD250A499B2912B1ACEC31A03CAA32F1B328F2861E1383E94F23386F724FB36

C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe | executable
MD5: FEB6CDB50748CFC474E44E55F0CED78E
SHA256: 3949C66B4D54FF803689A1813B984C463E91E754DC1E686CC44D2CDC2A9B0D56

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | executable
MD5: B8C2662506EDBCE24EA549C8B7B006CF
SHA256: 5F3AC320F6262749C10B0AB4C8F17F228573BD2D19BA598EFDC2DEFE1397EC87

C:\Users\admin\AppData\Local\VirtualStore\Windows\Êý¾Ý¿â.ini | text
MD5: 52D06900772290EBE825BA6C108AA257
SHA256: 315403DFCDF22E406E4716C4EB2EDC4D20E8435289E44747C6E5AD066EA41F6E

C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe | executable
MD5: BDFF068C4C23E586A2013708D6A75C9A
SHA256: 7C965138CD0AAC6920C9C7E2E68F2432A0F32F6B6CC0210E44E4CE7CA4B2C59B

Two points worth noting. The .ini name is GBK text displayed as CP1252 mojibake; read as GBK it is 数据库.ini (Chinese for "database.ini"). Its VirtualStore location means the process tried to write it under C:\Windows and UAC file virtualisation redirected the write into the user profile; executables are excluded from that redirection, which fits the "Failed to create an executable file in Windows directory" signature above. Second, the nine executables carry the names of Microsoft Office Click-to-Run, OneDrive and Adobe ARM components, hence the "Process drops legitimate windows executable" signature. The hashes listed are those of the dropped copies, so verify each file's Authenticode signature and compare it with a known-good copy before treating it as benign; a validly signed binary dropped by malware is still an artefact of the infection.
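The following script is an added triage example for this page; it is not ANY.RUN code and not part of the sample. It copies the SHA256 values from the dropped-files list above, hashes every file under a directory and reports matches, undoes the CP1252/GBK mojibake of the .ini name, and maps a VirtualStore path back to the protected location the process tried to write. The directory and file contents that demo_scan() creates are constructed so the script runs offline; the drive letter fallback in virtualstore_origin() is an assumption.

```python
"""Host-side triage for the dropped-file indicators listed above.

Added example for this page: neither ANY.RUN code nor part of the sample.
The SHA256 table is copied from the "Dropped files" section; the directory
and file contents that demo_scan() creates are constructed.
"""
import hashlib
import os
import tempfile

# Copied from the report (lower-cased): dropped path -> SHA256 of the dropped copy.
DROPPED_FILE_SHA256 = {
    r"C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe":
        "d1f7282149b4dbea3557ff02308264cfc5aa13ae33490b8692f392c1132371db",
    r"C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe":
        "1a85e0235f7f0f810b2b8c2b81351ab631dab5b351ffa30a49606682c8869a9c",
    r"C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe":
        "1a6e19ea41d5368d318dc97bdb09f269e5b33be9972bb936fc4dbae7f83dd8be",
    r"C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe":
        "c9e60f0e9be20953a351b12e4b0f9f861ff2b9bebae0b6e95c406f73d213cb3c",
    r"C:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exe":
        "1650105226b7e52e26e98a467ba83f58333f9bb72ea2274b2ababe598aef8d65",
    r"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe":
        "1fd250a499b2912b1acec31a03caa32f1b328f2861e1383e94f23386f724fb36",
    r"C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe":
        "3949c66b4d54ff803689a1813b984c463e91e754dc1e686cc44d2cdc2a9b0d56",
    r"C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe":
        "5f3ac320f6262749c10b0ab4c8f17f228573bd2d19ba598efdc2defe1397ec87",
    r"C:\Users\admin\AppData\Local\VirtualStore\Windows\Êý¾Ý¿â.ini":
        "315403dfcdf22e406e4716c4eb2edc4d20e8435289e44747c6e5ad066ea41f6e",
    r"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe":
        "7c965138cd0aac6920c9c7e2e68f2432a0f32f6b6cc0210e44e4ce7ca4b2c59b",
}


def hash_file(path):
    """Return (md5, sha256) hex digests, streamed so large binaries are fine."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def scan_tree(root, sha256s=None):
    """Hash every file under root and return those whose SHA256 is in sha256s
    (default: the report's dropped-file hashes). Unreadable files are skipped."""
    if sha256s is None:
        sha256s = set(DROPPED_FILE_SHA256.values())
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                md5, sha256 = hash_file(path)
            except OSError:
                continue
            if sha256 in sha256s:
                hits.append({"path": path, "md5": md5, "sha256": sha256})
    return hits


def decode_mojibake_name(name):
    """The dropped text file is listed as 'Êý¾Ý¿â.ini': GBK bytes rendered as
    CP1252. Re-encode as CP1252 and decode as GBK to recover the real name."""
    try:
        return name.encode("cp1252").decode("gbk")
    except UnicodeError:
        return name


def virtualstore_origin(path):
    """Map a UAC-virtualised path back to the protected location the process
    tried to write: ...\\AppData\\Local\\VirtualStore\\Windows\\X -> C:\\Windows\\X.
    Assumption: the drive is the one in the path, or C: if none is given."""
    marker = "\\AppData\\Local\\VirtualStore\\"
    idx = path.find(marker)
    if idx == -1:
        return None
    drive = path[:2] if path[1:2] == ":" else "C:"
    return drive + "\\" + path[idx + len(marker):]


def demo_scan():
    """Constructed demo: one file whose hash is then used as the IOC and one
    unrelated file; only the first must be reported."""
    root = tempfile.mkdtemp(prefix="blackmoon_triage_")
    wanted = os.path.join(root, "dropped.bin")
    with open(wanted, "wb") as fh:
        fh.write(b"constructed content, not the real dropped file\n")
    with open(os.path.join(root, "benign.txt"), "wb") as fh:
        fh.write(b"unrelated\n")
    _, sha256 = hash_file(wanted)
    return scan_tree(root, sha256s={sha256})


if __name__ == "__main__":
    print(demo_scan())
    print(decode_mojibake_name("Êý¾Ý¿â.ini"))
```

Run it on a suspect host against the directories named in the table (the ClickToRun folder, ProgramData\Adobe\ARM, the OneDrive folder) with scan_tree(); a hit means the exact dropped copy is present, while a file with the right name but a different hash still needs its Authenticode signature checked.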
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 10
TCP/UDP connections: 52
DNS requests: 19
Threats: 1

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
2104 | svchost.exe | GET | 200 | 23.216.77.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2104 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
7900 | SIHClient.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
7900 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7900 | SIHClient.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
7900 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7900 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7900 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
7576 | 2025-05-17_242bccb635cd8609f5c054cbdf84f2ff_black-basta_elex_hijackloader_rhadamanthys.exe | GET | 200 | 18.234.103.197:80 | http://www.blackievirus.com/ | unknown | malicious
7900 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted

Only one of the ten requests is made by the sample: the GET to http://www.blackievirus.com/ from PID 7576, the only entry rated malicious. The remaining requests are CRL and update checks by svchost.exe and SIHClient.exe, ordinary Windows background traffic that should not be added to a block list. The Type and Size columns are empty in the report and are omitted here.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | n/a | n/a | n/a | whitelisted
n/a | n/a | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | n/a | n/a | n/a | whitelisted
2104 | svchost.exe | 23.216.77.9:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2104 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6544 | svchost.exe | 20.190.160.22:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7900 | SIHClient.exe | 52.149.20.212:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

One row in the report carries no PID or process and is shown with n/a. The two PID 4 (System) rows are NetBIOS name-service and datagram broadcasts to the local subnet. The sample's own connection to 18.234.103.197:80 (www.blackievirus.com) does not appear among the ten rows shown here; the report counts 52 TCP/UDP connections in total and the complete list is in the full report.

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
  • 51.104.136.2
whitelisted
google.com
  • 172.217.16.142
whitelisted
crl.microsoft.com
  • 23.216.77.9
  • 23.216.77.29
  • 23.216.77.11
  • 23.216.77.25
  • 23.216.77.33
  • 23.216.77.43
  • 23.216.77.19
  • 23.216.77.15
  • 2.16.168.114
  • 2.16.168.124
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.249
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 2.23.246.101
whitelisted
login.live.com
  • 20.190.160.22
  • 20.190.160.128
  • 20.190.160.14
  • 20.190.160.4
  • 40.126.32.140
  • 20.190.160.131
  • 40.126.32.74
  • 20.190.160.130
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
www.blackievirus.com
  • 18.234.103.197
malicious
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

PID | Process | Class | Message
7576 | 2025-05-17_242bccb635cd8609f5c054cbdf84f2ff_black-basta_elex_hijackloader_rhadamanthys.exe | Potential Corporate Privacy Violation | ET INFO Unsupported/Fake Windows NT Version 5.0

This is the Suricata alert behind the "Potential Corporate Privacy Violation" signature above. The ET INFO "Unsupported/Fake Windows NT Version 5.0" rule fires on HTTP traffic whose User-Agent advertises Windows NT 5.0 (Windows 2000), a platform string no current client on a Windows 10 guest should send; it is an informational rule, not a family detection. The only HTTP request attributed to PID 7576 in this run is the GET to http://www.blackievirus.com/, so that request's headers in the PCAP are where to confirm the string.
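The script below is an added example of how the network evidence in this report (the malicious host from the HTTP and DNS sections, the sample's process name, and the condition behind the ET INFO alert) turns into a triage check over proxy-style logs. It is not ANY.RUN or Suricata code. The log format and every log line, including the User-Agent strings, are constructed for the demo; the report does not show the actual User-Agent. The reading that the alert tests for a User-Agent containing "Windows NT 5.0" is this example's assumption, and the browser process list is illustrative.

```python
"""Network-side triage over constructed HTTP logs.

Added example for this page; not ANY.RUN or Suricata code. The malicious
host, its IP and the sample's process name are from the report. The log
format, the log lines and the User-Agent strings are constructed.
"""
import re
from dataclasses import dataclass, field

# From the report's HTTP requests and DNS sections.
MALICIOUS_HOSTS = {"www.blackievirus.com", "18.234.103.197"}
SAMPLE_PROCESS = ("2025-05-17_242bccb635cd8609f5c054cbdf84f2ff_"
                  "black-basta_elex_hijackloader_rhadamanthys.exe")

# Windows NT 5.0 is Windows 2000; no current client on a Windows 10 host should
# send it. Assumption: this is the condition behind the ET INFO alert above.
FAKE_NT5_UA = re.compile(r"Windows NT 5\.0\b")

# Illustrative list: processes that legitimately send a Mozilla/... User-Agent.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


@dataclass
class HttpEvent:
    pid: int
    process: str
    method: str
    host: str
    path: str
    user_agent: str
    findings: list = field(default_factory=list)


def parse_line(line):
    """Parse one constructed 'pid|process|method|host|path|user-agent' record."""
    parts = line.rstrip("\n").split("|", 5)
    if len(parts) != 6 or not parts[0].isdigit():
        return None
    pid, process, method, host, path, ua = parts
    return HttpEvent(int(pid), process, method, host.lower(), path, ua)


def classify(ev):
    """Attach findings to an event; an empty list means nothing to look at."""
    if ev.host in MALICIOUS_HOSTS:
        ev.findings.append("known-malicious-host")
    if FAKE_NT5_UA.search(ev.user_agent):
        ev.findings.append("fake-nt5-user-agent")
    if ev.user_agent.startswith("Mozilla/") and ev.process not in BROWSERS:
        ev.findings.append("browser-ua-from-non-browser")
    return ev.findings


def triage(lines):
    """Return only the events with at least one finding, in log order."""
    flagged = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None and classify(ev):
            flagged.append(ev)
    return flagged


# Constructed log modelled on the HTTP requests table; User-Agents are invented.
SAMPLE_LOG = [
    "2104|svchost.exe|GET|crl.microsoft.com|/pki/crl/products/MicRooCerAut2011_2011_03_22.crl|Microsoft-CryptoAPI/10.0",
    "7900|SIHClient.exe|GET|www.microsoft.com|/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl|Microsoft-CryptoAPI/10.0",
    f"7576|{SAMPLE_PROCESS}|GET|www.blackievirus.com|/|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)",
    "4321|chrome.exe|GET|google.com|/|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/136.0",
]


if __name__ == "__main__":
    for ev in triage(SAMPLE_LOG):
        print(ev.pid, ev.process, ev.host, ev.findings)
```

The three checks are independent on purpose: the host match catches this exact infrastructure, the User-Agent check catches the behaviour the ET rule keys on even when the C2 host changes, and the process-versus-User-Agent check catches a non-browser pretending to be one regardless of which OS string it claims.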
No debug info