File name:

4926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe

Full analysis: https://app.any.run/tasks/42fcaf80-307c-467d-a159-94800a1d0612
Verdict: Malicious activity
Threats:

BlackMoon also known as KrBanker is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has impressively evolved since by adding a number of new infiltration techniques and information stealing methods.

Malware Trends Tracker     >>>
Analysis date: March 25, 2025, 02:26:30
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
blackmoon
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

07B72D4DF1AC3FEE4E4C366ACD9A416E

SHA1:

7216DAA61FB0860D7A42A929EF6AF4600CF06E12

SHA256:

4926588806A3061CFE02780830B0467398DFA14BB7C88704D05C2785B393A7FE

SSDEEP:

98304:dcXitMXp0VutUYPSESl599y3wR1qUYIlNSySd5c+dJ4TkPa:1/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Renames files like ransomware

      • 4926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe.exe (PID: 2100)

    • BLACKMOON has been detected (YARA)

      • 4926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe.exe (PID: 1072)

  • SUSPICIOUS

    • Creates file in the systems drive root

      • 4926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe.exe (PID: 1072)

    • Executable content was dropped or overwritten

      • 4926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe.exe (PID: 2100)

    • Connects to unusual port

      • 4926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe.exe (PID: 1072)

    • There is functionality for taking screenshot (YARA)

      • 4926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe.exe (PID: 1072)

  • INFO

    • The sample compiled with chinese language support

      • 4926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe.exe (PID: 2100)

    • Failed to create an executable file in Windows directory

      • 4926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe.exe (PID: 2100)
      • 4926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe.exe (PID: 1072)

    • Checks supported languages

      • 4926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe.exe (PID: 2100)
      • 4926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe.exe (PID: 1072)

    • Checks proxy server information

      • slui.exe (PID: 2092)

    • Reads the computer name

      • 4926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe.exe (PID: 1072)

    • Reads the software policy settings

      • slui.exe (PID: 2092)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (60.4)
.scr | Windows screen saver (18.3)
.dll | Win32 Dynamic Link Library (generic) (9.2)
.exe | Win32 Executable (generic) (6.3)
.exe | Generic Win/DOS Executable (2.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:02 11:22:03+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 950272
InitializedDataSize: 1761280
UninitializedDataSize: -
EntryPoint: 0xc8235
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.1.0.0
ProductVersionNumber: 1.1.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 1.1.0.0
FileDescription: 易语言程序
ProductName: 易语言程序
ProductVersion: 1.1.0.0
LegalCopyright: 作者版权所有 请尊重并使用正版
Comments: 本程序使用易语言编写(http://www.eyuyan.com)
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
129
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 4926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe.exe #BLACKMOON 4926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1072C:\Users\admin\Desktop\4926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe.exe --C:\Users\admin\Desktop\4926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe.exe
4926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\4926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
2092C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2100"C:\Users\admin\Desktop\4926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe.exe" C:\Users\admin\Desktop\4926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\4926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
3 685
Read events
3 685
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
21004926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe.exeC:\Users\admin\Desktop\4926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe.exeexecutable
MD5:2E99FF43F79000F1DF2F320D3369B892
SHA256:8BCF8D523DBAB9D576598F10AB2F524E1906124057E552302BF0EF499129F511
21004926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe.exeC:\Users\admin\Desktop\4926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe.exe.bakexecutable
MD5:07B72D4DF1AC3FEE4E4C366ACD9A416E
SHA256:4926588806A3061CFE02780830B0467398DFA14BB7C88704D05C2785B393A7FE
21004926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe.exeC:\Users\admin\AppData\Local\Temp\_@C9DA.tmpexecutable
MD5:2E99FF43F79000F1DF2F320D3369B892
SHA256:8BCF8D523DBAB9D576598F10AB2F524E1906124057E552302BF0EF499129F511
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
31
TCP/UDP connections
52
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
52.149.20.212:443
https://slscr.update.microsoft.com/sls/ping
unknown
3180
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
3180
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
3180
SIHClient.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
3180
SIHClient.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
3180
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
GET
200
20.3.187.198:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
GET
304
52.149.20.212:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
3180
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1072
4926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe.exe
154.204.181.102:9003
IncomparableHKNetwork Co., Limited
HK
unknown
3216
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
20.190.159.71:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5376
backgroundTaskHost.exe
20.223.36.55:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3180
SIHClient.exe
172.202.163.200:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
google.com
  • 216.58.206.78
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
login.live.com
  • 20.190.159.71
  • 40.126.31.69
  • 20.190.159.0
  • 40.126.31.73
  • 40.126.31.2
  • 40.126.31.129
  • 40.126.31.0
  • 20.190.159.131
  • 20.190.159.23
  • 20.190.159.128
  • 20.190.159.73
  • 40.126.31.1
  • 40.126.31.131
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
4926588806a3061cfe02780830b0467398dfa14bb7c88704d05c2785b393a7fe