File name:	2025-06-21_d2e3f0fec1a2b27806b413cbf3b1e8ea_amadey_elex_smoke-loader_stop
Full analysis:	https://app.any.run/tasks/b528ed22-1840-4bda-8cc3-ef344b3eb02d
Verdict:	Malicious activity
Threats:	BlackMoon also known as KrBanker is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has impressively evolved since by adding a number of new infiltration techniques and information stealing methods. Malware Trends Tracker >>>
Analysis date:	June 21, 2025, 06:04:58
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	blackmoon
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	D2E3F0FEC1A2B27806B413CBF3B1E8EA
SHA1:	08475F1DA2D43AEEA743A9BF28E018EB5062E6FC
SHA256:	8F4B016FE95AE9B087116A589447B1B4E719F20A3237710F0DBC05033E0D4866
SSDEEP:	98304:vKOlBcIt0ML1CXN0RqfaSfS25dBWO7thGjLK/cVYRrs47iZEcF2W7rxLyDzsRncD:koxjraH

.exe	\|	Win32 Executable MS Visual C++ (generic) (64.4)
.dll	\|	Win32 Dynamic Link Library (generic) (13.5)
.exe	\|	Win32 Executable (generic) (9.3)
.exe	\|	Win16/32 Executable Delphi generic (4.2)
.exe	\|	Generic Win/DOS Executable (4.1)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:07:15 17:54:42+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	1421312
InitializedDataSize:	536576
UninitializedDataSize:	-
EntryPoint:	0x87f838
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Chinese (Simplified)
CharacterSet:	Unicode
FileVersion:	1.0.0.0
FileDescription:	固定打怪,新手村任务,门派任务
ProductName:	千年3_新手任务
ProductVersion:	1.0.0.0
CompanyName:	QQ:6365272
LegalCopyright:	QQ:6365272
Comments:	本程序使用易语言编写(http://www.eyuyan.com)

PID	Process	Filename		Type
2280	ryhqscxais.exe	C:\Users\admin\Desktop\rrqjuohiwd.exe		executable
		MD5:CA7F9A57FA48552BC8D8FB94C3AF778C	SHA256:3783A867F29581D17DBA47AB5F5CE7248B476FA45C2F949D6760886DAEF10DC0
3908	wpxoncwcsw.exe	C:\Users\admin\Desktop\hzmusayftu.exe		executable
		MD5:69E9AF8507F9F906EE02FAF2E2AC58BB	SHA256:420F4B4FC7C2D3887DA67F9BC813A6841326C873102932804C138A651D45BBE0
1356	2025-06-21_d2e3f0fec1a2b27806b413cbf3b1e8ea_amadey_elex_smoke-loader_stop.exe	C:\Users\admin\Desktop\update.exe		executable
		MD5:22C473A29E1684BBD8D8B7BC68A3D7E1	SHA256:CB0E404A5D41AA05A78B63B208E55E5EDAC6FA146B1C1F3AC7165FC42D8059B5
5616	hzmusayftu.exe	C:\Users\admin\Desktop\mfjcftxqou.exe		executable
		MD5:7AD05308463F128BB664B9CA117CC9DC	SHA256:A50A785D8222B92D27F2F902A8E1931565494F344C2C2F7BF7174DADF26931D3
1180	rccbismcdp.exe	C:\Users\admin\Desktop\rcdhuaruyn.exe		executable
		MD5:AE363DBED45784D8D3763BF69BDA09C0	SHA256:5E69045133F5289E4C293FF220C7485B7AF7074E65F85592C1638BB56326BB7D
6980	mjgszzjley.exe	C:\Users\admin\Desktop\zhaynchxhs.exe		executable
		MD5:74F1289D87A51105EFDEACF34E4CB796	SHA256:7408C48E7652F3A436DCA9DE052002D2AE731A03A5EAB7A203D56457FFCABE62
5708	gxgkvlprpj.exe	C:\Users\admin\Desktop\iluqqfrrmm.exe		executable
		MD5:4B20F0E5D800D40687A803E0525CDBCA	SHA256:02EFC1EB829AAA12D5CE7D6091E304C625531A94D741E3EA9487AAF85B800CB8
5552	iluqqfrrmm.exe	C:\Users\admin\Desktop\ojcjuaddkd.exe		executable
		MD5:2D07F630B4164202407341FCC4B4A35F	SHA256:ECE0FFEBAE585F3B5ECB2EA7546D7F982C1914C71C79120FD55F3FF88741A66D
684	zhaynchxhs.exe	C:\Users\admin\Desktop\wthoczabzg.exe		executable
		MD5:BC5791D4C7B95D3F9A9C81D6DAB23C53	SHA256:57BB4A38F677FC9FD42AAE48D96B38708F9E8FCFC1D2348168D23773AD65D35D
5348	ojcjuaddkd.exe	C:\Users\admin\Desktop\bmtcfhumbt.exe		executable
		MD5:EDB5993D363703EAAB676AF7C51CA1EB	SHA256:C98B45608357BD561273990D97E9FF0CDBD7ACE3A4E2E84FFF947D410A683DD8

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5944	MoUsoCoreWorker.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5904	RUXIMICS.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5904	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5904	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5904	RUXIMICS.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5944	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
google.com	142.250.185.110	whitelisted
crl.microsoft.com	23.53.40.176 23.53.40.178	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
settings-win.data.microsoft.com	4.231.128.59	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98 40.91.76.224	whitelisted
self.events.data.microsoft.com	52.168.117.171	whitelisted

General Info

2025-06-21_d2e3f0fec1a2b27806b413cbf3b1e8ea_amadey_elex_smoke-loader_stop

D2E3F0FEC1A2B27806B413CBF3B1E8EA

08475F1DA2D43AEEA743A9BF28E018EB5062E6FC

8F4B016FE95AE9B087116A589447B1B4E719F20A3237710F0DBC05033E0D4866

98304:vKOlBcIt0ML1CXN0RqfaSfS25dBWO7thGjLK/cVYRrs47iZEcF2W7rxLyDzsRncD:koxjraH

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

BLACKMOON has been detected (YARA)

SUSPICIOUS

Application launched itself

Executable content was dropped or overwritten

Starts itself from another location

There is functionality for taking screenshot (YARA)

INFO

Checks supported languages

The sample compiled with chinese language support

Reads the machine GUID from the registry

Reads the computer name

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings