File name:	2025-06-21_cfa2253cf9e3a2e9a9ae6d4a84aef344_amadey_elex_smoke-loader_stop
Full analysis:	https://app.any.run/tasks/a61ba9fb-6dc3-48b0-8adb-3833033fdc34
Verdict:	Malicious activity
Threats:	BlackMoon also known as KrBanker is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has impressively evolved since by adding a number of new infiltration techniques and information stealing methods. Malware Trends Tracker >>>
Analysis date:	June 21, 2025, 21:07:20
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	blackmoon
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	CFA2253CF9E3A2E9A9AE6D4A84AEF344
SHA1:	D197741EE73603BE51E795E9C820654AF98B7D16
SHA256:	414C8B873000C09E3B11EEC5A3D219F6A0CC45A55F8C2C9FE77766590DA58B76
SSDEEP:	98304:hcusHHRqyk4ER1fRVSYSn5MhKM3zjl04I2D/iC4/XO5mL2bwzc5ZdZu0cH208KVG:bca1kBgBs+qW

.exe	\|	Win32 Executable MS Visual C++ (generic) (64.4)
.dll	\|	Win32 Dynamic Link Library (generic) (13.5)
.exe	\|	Win32 Executable (generic) (9.3)
.exe	\|	Win16/32 Executable Delphi generic (4.2)
.exe	\|	Generic Win/DOS Executable (4.1)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:07:10 19:51:56+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	1601536
InitializedDataSize:	585728
UninitializedDataSize:	-
EntryPoint:	0x98caa5
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Chinese (Simplified)
CharacterSet:	Unicode
FileVersion:	1.0.0.0
FileDescription:	易语言程序
ProductName:	千年3_多开
ProductVersion:	1.0.0.0
CompanyName:	QQ:6365272
LegalCopyright:	QQ:6365272
Comments:	本程序使用易语言编写(http://www.eyuyan.com)

PID	Process	Filename		Type
5628	rgsxwydwwq.exe	C:\Users\admin\Desktop\zhzxcfhswa.exe		executable
		MD5:F3881AB69DA67C4678A5EE37A04A5C32	SHA256:559F6AF6FC691AFE75B966020F8B496103843251FE192EA2EA3630BCA9A65342
4968	2025-06-21_cfa2253cf9e3a2e9a9ae6d4a84aef344_amadey_elex_smoke-loader_stop.exe	C:\Users\admin\Desktop\update.exe		executable
		MD5:914FB249B54113FE0374423A98DAA401	SHA256:C2E5D45478CF32703EA224DD4644A25C5F16273B65CE9254CD9A03E22C51CFD7
6656	jrejkwgdat.exe	C:\Users\admin\Desktop\rgsxwydwwq.exe		executable
		MD5:5000D4D0A01DD772FC075B842B04A3A4	SHA256:E1B5DD0B4FF0BBA1ADF0B9CA87A10930753C9A34D371EE06CBECFA7DEA40B8E0
2696	zhzxcfhswa.exe	C:\Users\admin\Desktop\emkfwpmsqb.exe		executable
		MD5:5569E56379469525FF1F7712B8A6D840	SHA256:E4E7D38672B977F57FC1E3A64619F07EECFA6F4E588AE55CC3056E22F8899E82
6160	mjgszzjley.exe	C:\Users\admin\Desktop\opmdprspyk.exe		executable
		MD5:123A7EDE9E8BE8942C876D481345E4AA	SHA256:01D507AFE0D571550B45EACEB65DB24E04E49BBE6D5033367A8584DEBA7F7D9A
1700	emkfwpmsqb.exe	C:\Users\admin\Desktop\mjgszzjley.exe		executable
		MD5:D6AC60AE7F675CC621A0335E84BC0D71	SHA256:92100DD38282984A6B90142DDE73313A8B4FC7E1FB33B36B1B3A767490269232
1180	rrsgzjxrfn.exe	C:\Users\admin\Desktop\gkyzvwxhgh.exe		executable
		MD5:4F681136AD08CC89517A605BE652D945	SHA256:32D360760867B8AE5007C51738CE14052BDE90A855CE649CF133DCE2B03EF426
5744	gkyzvwxhgh.exe	C:\Users\admin\Desktop\jrejkwgdat.exe		executable
		MD5:6BA802343BCE27C5DCC1AD902C5ED34D	SHA256:3B85F2FB5E05BEFFB0E67A67BD970173B0648E00E731D45A57B820AFE372F8F1
6232	ydofyycdsh.exe	C:\Users\admin\Desktop\bkcioqehuc.exe		executable
		MD5:8087E92D9159CC236DBB7785AC2EFDA5	SHA256:D54E110B56B6742E2B909E4B37C1A5DF24D28A8D27F7F68E831E4F5F6C8F483A
2120	ywibsfzukj.exe	C:\Users\admin\Desktop\gphtyuvhkt.exe		executable
		MD5:06164624F71B4C72627AE84C593DBB03	SHA256:8471865984F9413A88CA2C08C2C799C7D4FEB3CBA6C440BCFF494DFF4EA13309

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5944	MoUsoCoreWorker.exe	GET	200	2.18.121.147:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2792	RUXIMICS.exe	GET	200	2.18.121.147:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	2.18.121.147:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2792	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2792	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	2.18.121.147:80	crl.microsoft.com	AKAMAI-AS	FR	whitelisted
2792	RUXIMICS.exe	2.18.121.147:80	crl.microsoft.com	AKAMAI-AS	FR	whitelisted
1268	svchost.exe	2.18.121.147:80	crl.microsoft.com	AKAMAI-AS	FR	whitelisted
—	—	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
2792	RUXIMICS.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
google.com	142.250.181.238	whitelisted
crl.microsoft.com	2.18.121.147 2.18.121.139	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
self.events.data.microsoft.com	40.79.167.8	whitelisted

General Info

2025-06-21_cfa2253cf9e3a2e9a9ae6d4a84aef344_amadey_elex_smoke-loader_stop

CFA2253CF9E3A2E9A9AE6D4A84AEF344

D197741EE73603BE51E795E9C820654AF98B7D16

414C8B873000C09E3B11EEC5A3D219F6A0CC45A55F8C2C9FE77766590DA58B76

98304:hcusHHRqyk4ER1fRVSYSn5MhKM3zjl04I2D/iC4/XO5mL2bwzc5ZdZu0cH208KVG:bca1kBgBs+qW

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

BLACKMOON has been detected (YARA)

SUSPICIOUS

Starts itself from another location

Executable content was dropped or overwritten

Application launched itself

There is functionality for taking screenshot (YARA)

INFO

Checks supported languages

The sample compiled with chinese language support

Reads the computer name

Reads the machine GUID from the registry

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings