File name: 2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid

Full analysis: https://app.any.run/tasks/a54f9b35-8511-4a7e-9d83-18351b392f00
Verdict: Malicious activity
Threats:

BlackMoon, also known as KrBanker, is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has evolved considerably since then, adding a number of new infiltration techniques and information-stealing methods.

Analysis date: June 21, 2025, 09:08:38
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-startup
blackmoon
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: 5534C4D35C6654D14DA8DCB42651778B
SHA1: 3EAE9D7033913BCDDD6574E1ACDEE6DBC5F07BAB
SHA256: 54C330BEBA05F277ADB29E80C5F782EA38EB56CEAF519130469CAD7284565D50
SSDEEP: 98304:N4Cc6CF5FKwPOlZSFSA5DDcz5h0g+TNjSmS55kdkEb:0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Creates files in the Startup directory

      • ippatch.exe (PID: 5808)
      • ipsee.exe (PID: 3584)
    • BLACKMOON has been detected (YARA)

      • ippatch.exe (PID: 5808)
  • SUSPICIOUS

    • Uses TASKKILL.EXE to kill process

      • 2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe (PID: 1044)
      • ippatch.exe (PID: 5808)
    • Executable content was dropped or overwritten

      • 2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe (PID: 1044)
      • ippatch.exe (PID: 5808)
      • ippatch.exe (PID: 5628)
      • ipsee.exe (PID: 3584)
    • Reads security settings of Internet Explorer

      • 2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe (PID: 1044)
      • ippatch.exe (PID: 5808)
    • Creates a file in the system drive root

      • ippatch.exe (PID: 5808)
      • ipsee.exe (PID: 3584)
    • There is functionality for taking screenshots (YARA)

      • ippatch.exe (PID: 5808)
      • ipsee.exe (PID: 3584)
  • INFO

    • Creates files or folders in the user directory

      • 2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe (PID: 1044)
      • ippatch.exe (PID: 5808)
      • ipsee.exe (PID: 3584)
    • The sample was compiled with Chinese language support

      • 2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe (PID: 1044)
      • ippatch.exe (PID: 5808)
      • ipsee.exe (PID: 3584)
      • ippatch.exe (PID: 5628)
    • Checks supported languages

      • 2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe (PID: 1044)
      • ipsee.exe (PID: 3584)
      • ippatch.exe (PID: 5808)
      • ippatch.exe (PID: 5628)
    • Reads the computer name

      • 2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe (PID: 1044)
      • ippatch.exe (PID: 5808)
      • ipsee.exe (PID: 3584)
      • ippatch.exe (PID: 5628)
    • Process checks computer location settings

      • 2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe (PID: 1044)
      • ippatch.exe (PID: 5808)
    • Launching a file from the Startup directory

      • ippatch.exe (PID: 5808)
      • ipsee.exe (PID: 3584)
    • Creates files in a temporary directory

      • ipsee.exe (PID: 3584)
    • Checks proxy server information

      • slui.exe (PID: 4708)
    • Reads the software policy settings

      • slui.exe (PID: 4708)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.exe | DOS Executable Borland C++ (14.9)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:08:05 03:47:11+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 634880
InitializedDataSize: 1490944
UninitializedDataSize: -
EntryPoint: 0x7a41a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
Comments: ipsee234371112788424
CompanyName: ipsee234371112788424
FileDescription: ipsee234371112788424
FileVersion: 1,0,0,0
Tag412: D
No data.
All screenshots are available in the full report

Total processes: 169
Monitored processes: 33
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process nodes, in the order the graph lists them (labels as given in the report): start, 2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe, taskkill.exe (no specs), taskkill.exe (no specs), conhost.exe (no specs), conhost.exe (no specs), ippatch.exe (no specs), ippatch.exe (#BLACKMOON), taskkill.exe (no specs), conhost.exe (no specs), ipsee.exe, ippatch.exe (no specs), ippatch.exe, taskkill.exe (no specs), taskkill.exe (no specs), conhost.exe (no specs), conhost.exe (no specs), taskkill.exe (no specs), taskkill.exe (no specs), conhost.exe (no specs), conhost.exe (no specs), taskkill.exe (no specs), taskkill.exe (no specs), conhost.exe (no specs), conhost.exe (no specs), taskkill.exe (no specs), taskkill.exe (no specs), conhost.exe (no specs), conhost.exe (no specs), taskkill.exe (no specs), taskkill.exe (no specs), conhost.exe (no specs), conhost.exe (no specs), slui.exe

Process information

PID | CMD | Path | Indicators | Parent process

504 | taskkill /im ipsee.exe /f | C:\Windows\SysWOW64\taskkill.exe | - | ippatch.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

516 | taskkill /im QQ .EXE /f | C:\Windows\SysWOW64\taskkill.exe | - | 2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

768 | taskkill /im QQ .EXE /f | C:\Windows\SysWOW64\taskkill.exe | - | 2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

1044 | "C:\Users\admin\Desktop\2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe" | C:\Users\admin\Desktop\2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe | - | explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll

1560 | taskkill /im QQ.EXE /f | C:\Windows\SysWOW64\taskkill.exe | - | 2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

1944 | "C:\Users\admin\AppData\Roaming\ippatch.exe" | C:\Users\admin\AppData\Roaming\ippatch.exe | - | 2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images):
c:\users\admin\appdata\roaming\ippatch.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

2188 | taskkill /im QQ .EXE /f | C:\Windows\SysWOW64\taskkill.exe | - | 2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

2460 | taskkill /im QQ.EXE /f | C:\Windows\SysWOW64\taskkill.exe | - | 2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

2492 | taskkill /im ippatch.exe /f | C:\Windows\SysWOW64\taskkill.exe | - | 2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

2492 | taskkill /im QQ .EXE /f | C:\Windows\SysWOW64\taskkill.exe | - | 2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 5 906
Read events: 5 906
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 29
Suspicious files: 3
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type

1044 | 2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yhxx.dll | text
MD5:40B80BDA339FAAE4739D77CAA3EBD0EB
SHA256:C551BE73CDF086D8B11A4B92910C939CEC35E1A8805EE3099B18C5A26F14AFF3
1044 | 2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe | C:\Users\admin\AppData\Roaming\RCX6581.tmp | executable
MD5:26C8F407D61C104AB15953C92A3E9935
SHA256:A8A82A072013CC36632159A5409F28EC2B7C6533B077FC7C01756EFB6C760152
1044 | 2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe | C:\Users\admin\AppData\Roaming\RCX66EA.tmp | executable
MD5:4997089386820807970BCB8C4FC7F933
SHA256:079508F5AE59BA7BBA5E870FEB95BD129F7BC9AAEF3B3BEC5EEAEDB108AADD70
1044 | 2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe | C:\Users\admin\AppData\Roaming\RCX668C.tmp | executable
MD5:83B2C14C666CB8AD9C5623AC90673F39
SHA256:3FAFCD0E094B8AEBFCB29898529F7D5A349EA641AD340A9231176B49122D8990
1044 | 2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe | C:\Users\admin\AppData\Roaming\mydll.dll | executable
MD5:AD692428AE8ED6D3F38A7E31D4CF5901
SHA256:3A18CF19C5034C357AA8C8E2921489405159E4034A80FA9B3DACE6B25F751D0A
1044 | 2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe | C:\Users\admin\AppData\Roaming\RCX6570.tmp | executable
MD5:AD692428AE8ED6D3F38A7E31D4CF5901
SHA256:3A18CF19C5034C357AA8C8E2921489405159E4034A80FA9B3DACE6B25F751D0A
5808 | ippatch.exe | C:\Users\admin\AppData\Roaming\mydll.dll | executable
MD5:6EDA19871DC46D1B5B1FCDECA05763AF
SHA256:293A237D9A534BBA6E889260F57A70A76D19194C501F7EA2DB11C347071C94BB
5808 | ippatch.exe | C:\Users\admin\AppData\Roaming\RCX6A92.tmp | executable
MD5:1EBB99B3E095D9ED13415197B47A8D23
SHA256:F76EDFB696DB4E36411B0825750AB55C2BAA295BB00D863693DAA84B01B0B060
1044 | 2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe | C:\Users\admin\AppData\Roaming\ippatch.exe | executable
MD5:5534C4D35C6654D14DA8DCB42651778B
SHA256:54C330BEBA05F277ADB29E80C5F782EA38EB56CEAF519130469CAD7284565D50
1044 | 2025-06-21_5534c4d35c6654d14da8dcb42651778b_elex_hacktools_icedid.exe | C:\Users\admin\AppData\Roaming\1.jpg | image
MD5:3E6A6EEF02A43BAB4E580C30FA8DDF05
SHA256:33264A92E66EA4BC57DDCF38BF8807F4E98656091D47F2CAFAFC67459411BABB
HTTP(S) requests: 7
TCP/UDP connections: 21
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.25.50.8:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1488 | RUXIMICS.exe | GET | 200 | 184.25.50.8:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1488 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

(- marks a cell the report leaves empty.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1268 | svchost.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
1488 | RUXIMICS.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 184.25.50.8:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1488 | RUXIMICS.exe | 184.25.50.8:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1488 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

(- marks a cell the report leaves empty.)

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.238 | whitelisted
crl.microsoft.com | 184.25.50.8, 184.25.50.10 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
self.events.data.microsoft.com | 20.42.73.28 | whitelisted

Threats

No threats detected
No debug info