File name:

7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8

Full analysis: https://app.any.run/tasks/1be85884-0285-435b-89b1-d61dc69d0c5c
Verdict: Malicious activity
Threats:

BlackMoon also known as KrBanker is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has impressively evolved since by adding a number of new infiltration techniques and information stealing methods.

Malware Trends Tracker     >>>
Analysis date: November 03, 2024, 06:47:24
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
blackmoon
vmprotect
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

ADBCBCAB0F96A8943F89E33D1BDBEE7F

SHA1:

ED5D72949EBC12DBEF551A6B84B3F39F2688AF95

SHA256:

7B98EAB672752A3DE97E3624F2CB34E93F013C11292EA7707A3196BD3EFBA6C8

SSDEEP:

98304:knkdiF+curL0JnGZyUV+JxcuSoSK5MVtuBNV+b0EwwO1uxGKPbBXMCtG/5hgSepf:bVaVTdZYbc8gpZxH9VC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • BLACKMOON has been detected (YARA)

      • RKCO.PKQ (PID: 5832)

  • SUSPICIOUS

    • Creates file in the systems drive root

      • RKCO.PKQ (PID: 5832)
      • 7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe (PID: 300)

    • Executable content was dropped or overwritten

      • 7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe (PID: 300)

    • Starts itself from another location

      • 7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe (PID: 300)

    • Starts application with an unusual extension

      • 7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe (PID: 300)

    • Starts CMD.EXE for commands execution

      • RKCO.PKQ (PID: 5832)

    • Uses WMIC.EXE to obtain data on the base board management (motherboard or system board)

      • RKCO.PKQ (PID: 5832)

    • Mutex name with non-standard characters

      • RKCO.PKQ (PID: 5832)
      • 7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe (PID: 300)

  • INFO

    • Checks supported languages

      • 7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe (PID: 300)
      • RKCO.PKQ (PID: 5832)

    • Reads the computer name

      • 7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe (PID: 300)
      • RKCO.PKQ (PID: 5832)

    • VMProtect protector has been detected

      • RKCO.PKQ (PID: 5832)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 4436)

    • Reads the machine GUID from the registry

      • RKCO.PKQ (PID: 5832)

    • Reads the software policy settings

      • RKCO.PKQ (PID: 5832)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:03:20 14:26:23+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 1134592
InitializedDataSize: 1036288
UninitializedDataSize: -
EntryPoint: 0x7d2a3d
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
131
Monitored processes
7
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe THREAT rkco.pkq cmd.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs 7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
300"C:\Users\admin\Desktop\7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe" C:\Users\admin\Desktop\7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
764"C:\Users\admin\Desktop\7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe" C:\Users\admin\Desktop\7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
2620cmd /c echo t>c:\windows\system32\administratortestpermissions28647C:\Windows\SysWOW64\cmd.exeRKCO.PKQ
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2692\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3836\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4436wmic BaseBoard get SerialNumberC:\Windows\SysWOW64\wbem\WMIC.exeRKCO.PKQ
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
5832"C:\Users\admin\Desktop\RKCO.PKQ"C:\Users\admin\Desktop\RKCO.PKQ
7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\rkco.pkq
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
Total events
3 498
Read events
3 498
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
3007b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exeC:\Users\admin\Desktop\RKCO.PKQexecutable
MD5:35A2746D3B6771BF66E39339552EDE9C
SHA256:C6EAB143F1B0576FBAAE6B0793DC8BA9713A54DB7A26AA992FC045D05174B9A0
5832RKCO.PKQC:\Users\admin\Desktop\soft.initext
MD5:242493406746B6E44516EB9D9E4F5CF4
SHA256:D141568A360ECBB7531BAFEEF02FED90CE3BB48C82CA10A8F36F44CF55A9424F
2620cmd.exeC:\Windows\SysWOW64\administratortestpermissions28647text
MD5:5696FEB53A6AD364E3DA313D7BB865C2
SHA256:9E8B03EA3B48312F8E3A15BEC7AA85C96A362E2776AC6BC3DFD74A40022BCC8A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
24
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
HEAD
200
103.235.47.188:443
https://www.baidu.com/
unknown
unknown
6944
svchost.exe
GET
200
2.16.164.9:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1764
RUXIMICS.exe
GET
200
2.16.164.9:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
2.16.164.9:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6944
svchost.exe
GET
200
23.32.185.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
23.32.185.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1764
RUXIMICS.exe
GET
200
23.32.185.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6944
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5488
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1764
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.23.209.133:443
www.bing.com
Akamai International B.V.
GB
whitelisted
4
System
192.168.100.255:138
whitelisted
5832
RKCO.PKQ
103.235.47.188:443
www.baidu.com
Beijing Baidu Netcom Science and Technology Co., Ltd.
HK
whitelisted
6944
svchost.exe
2.16.164.9:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
5488
MoUsoCoreWorker.exe
2.16.164.9:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
1764
RUXIMICS.exe
2.16.164.9:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
  • 40.127.240.158
whitelisted
www.bing.com
  • 2.23.209.133
  • 2.23.209.187
  • 2.23.209.182
  • 2.23.209.185
  • 2.23.209.189
  • 2.23.209.130
  • 2.23.209.193
  • 2.23.209.140
  • 2.23.209.179
whitelisted
google.com
  • 172.217.16.206
whitelisted
www.baidu.com
  • 103.235.47.188
  • 103.235.46.96
whitelisted
crl.microsoft.com
  • 2.16.164.9
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 23.32.185.131
whitelisted
admin.yemanb.com
unknown
self.events.data.microsoft.com
  • 20.189.173.28
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8