File name:

2025-04-29_f56f926b7038c2b2af0080a3fb991e9f_black-basta_elex_luca-stealer_rhadamanthys

Full analysis: https://app.any.run/tasks/d2b788d7-d1c1-47de-a0f0-5447b4bc268f
Verdict: Malicious activity
Threats:

BlackMoon, also known as KrBanker, is a banking trojan that steals payment credentials. It relies on man-in-the-browser (MitB) attacks, web injection and credential theft to take over victims' online banking accounts. It was first observed in early 2014 targeting banks in South Korea and has since added further infiltration techniques and information-stealing methods. Note that the submitted file name carries several other family names (Black Basta, Elex, Luca Stealer, Rhadamanthys); the only family match in this run is the BLACKMOON YARA rule listed under MALICIOUS below.

Analysis date: April 29, 2025, 02:11:17
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
blackmoon
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

F56F926B7038C2B2AF0080A3FB991E9F

SHA1:

33C151C5C753B63D0B214D730862E5278F27EAA3

SHA256:

993F1B01352F5A97D8FCC0FD9CB131156D2C4C956F3CF6462572BB8DC9EC3E2D

SSDEEP:

98304:yCrC4AulxsaEe2B+yCrCrCrC4AulxsaEe2B+yCrCrCrCrCrC4AulxsaEe2B+yCr1:Dt51BJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • BLACKMOON has been detected (YARA)

      • 2025-04-29_f56f926b7038c2b2af0080a3fb991e9f_black-basta_elex_luca-stealer_rhadamanthys.exe (PID: 7364)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • 2025-04-29_f56f926b7038c2b2af0080a3fb991e9f_black-basta_elex_luca-stealer_rhadamanthys.exe (PID: 7364)
    • Process drops legitimate windows executable

      • 2025-04-29_f56f926b7038c2b2af0080a3fb991e9f_black-basta_elex_luca-stealer_rhadamanthys.exe (PID: 7364)
    • Executable content was dropped or overwritten

      • 2025-04-29_f56f926b7038c2b2af0080a3fb991e9f_black-basta_elex_luca-stealer_rhadamanthys.exe (PID: 7364)
    • There is functionality for taking screenshot (YARA)

      • 2025-04-29_f56f926b7038c2b2af0080a3fb991e9f_black-basta_elex_luca-stealer_rhadamanthys.exe (PID: 7364)
    • Potential Corporate Privacy Violation

      • 2025-04-29_f56f926b7038c2b2af0080a3fb991e9f_black-basta_elex_luca-stealer_rhadamanthys.exe (PID: 7364)
    • Reads security settings of Internet Explorer

      • 2025-04-29_f56f926b7038c2b2af0080a3fb991e9f_black-basta_elex_luca-stealer_rhadamanthys.exe (PID: 7364)
  • INFO

    • Creates files or folders in the user directory

      • 2025-04-29_f56f926b7038c2b2af0080a3fb991e9f_black-basta_elex_luca-stealer_rhadamanthys.exe (PID: 7364)
    • Checks supported languages

      • 2025-04-29_f56f926b7038c2b2af0080a3fb991e9f_black-basta_elex_luca-stealer_rhadamanthys.exe (PID: 7364)
    • The sample compiled with english language support

      • 2025-04-29_f56f926b7038c2b2af0080a3fb991e9f_black-basta_elex_luca-stealer_rhadamanthys.exe (PID: 7364)
    • Failed to create an executable file in Windows directory

      • 2025-04-29_f56f926b7038c2b2af0080a3fb991e9f_black-basta_elex_luca-stealer_rhadamanthys.exe (PID: 7364)
    • Checks proxy server information

      • slui.exe (PID: 7976)
      • 2025-04-29_f56f926b7038c2b2af0080a3fb991e9f_black-basta_elex_luca-stealer_rhadamanthys.exe (PID: 7364)
    • Reads the computer name

      • 2025-04-29_f56f926b7038c2b2af0080a3fb991e9f_black-basta_elex_luca-stealer_rhadamanthys.exe (PID: 7364)
    • Reads the software policy settings

      • slui.exe (PID: 7976)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:10:07 02:06:26+00:00 (PE header compile timestamp; it predates the analysis by more than eleven years and fits an early BlackMoon build, but the field is attacker-controlled and is not proof of age)
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6 (Visual C++ 6.0 linker, in line with the TRiD "MS Visual C++ (generic)" match)
CodeSize: 122880
InitializedDataSize: 167936
UninitializedDataSize: -
EntryPoint: 0xb0d1
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 126
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start -> #BLACKMOON 2025-04-29_f56f926b7038c2b2af0080a3fb991e9f_black-basta_elex_luca-stealer_rhadamanthys.exe (PID 7364); slui.exe (PID 7976); svchost.exe (PID 2196). Parent relationships are listed under Process information.

Process information

PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services (this instance hosts the DNS Client service, Dnscache)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID: 7364
CMD: "C:\Users\admin\Desktop\2025-04-29_f56f926b7038c2b2af0080a3fb991e9f_black-basta_elex_luca-stealer_rhadamanthys.exe"
Path: C:\Users\admin\Desktop\2025-04-29_f56f926b7038c2b2af0080a3fb991e9f_black-basta_elex_luca-stealer_rhadamanthys.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images; the syswow64 and wow64*.dll entries show a 32-bit process running under WOW64 on the 64-bit guest, as expected for a PE32 sample):
c:\users\admin\desktop\2025-04-29_f56f926b7038c2b2af0080a3fb991e9f_black-basta_elex_luca-stealer_rhadamanthys.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 7976
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Note: slui.exe was started by COM activation (-Embedding) under svchost.exe, not by the sample. The INFO-level signatures attributed to it above (proxy settings, software policy settings) and the DNS lookup of activation-v2.sls.microsoft.com are consistent with ordinary Windows activation activity rather than sample behavior.
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 815
Read events: 3 815
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 9
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

All ten files were written by PID 7364 (2025-04-29_f56f926b7038c2b2af0080a3fb991e9f_black-basta_elex_luca-stealer_rhadamanthys.exe). Nine are executables written to the on-disk locations of genuine Microsoft and Adobe components (Office Click-to-Run, OneDrive, Adobe ARM); the "Process drops legitimate windows executable" signature above refers to them, but this summary gives only their hashes, so compare those against known-good copies before treating the files as the original binaries. The single text file landed under VirtualStore, which means the sample tried to write it into C:\Windows and UAC file virtualization redirected the write because the process ran at MEDIUM integrity.

1. C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe (executable)
MD5: 3D1882B40B05C9A125A0E2C5E834595F
SHA256: 1A6E19EA41D5368D318DC97BDB09F269E5B33BE9972BB936FC4DBAE7F83DD8BE

2. C:\Users\admin\AppData\Local\VirtualStore\Windows\Êý¾Ý¿â.ini (text)
The name is the GBK byte sequence for 数据库 ("database") rendered under the guest's ANSI code page 1252; hunt for both spellings.
MD5: 52D06900772290EBE825BA6C108AA257
SHA256: 315403DFCDF22E406E4716C4EB2EDC4D20E8435289E44747C6E5AD066EA41F6E

3. C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe (executable)
MD5: B8C2662506EDBCE24EA549C8B7B006CF
SHA256: 5F3AC320F6262749C10B0AB4C8F17F228573BD2D19BA598EFDC2DEFE1397EC87

4. C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe (executable)
MD5: 91F58CC9DB0169D917E8F5BE3EE6BC8A
SHA256: C9E60F0E9BE20953A351B12E4B0F9F861FF2B9BEBAE0B6E95C406F73D213CB3C

5. C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe (executable)
MD5: 659153659772B6DA39F1BE1CF49B04B4
SHA256: 1A85E0235F7F0F810B2B8C2B81351AB631DAB5B351FFA30A49606682C8869A9C

6. C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe (executable)
MD5: CF1A1B2A6F227D5B06AB0B3C8B88618B
SHA256: 1FD250A499B2912B1ACEC31A03CAA32F1B328F2861E1383E94F23386F724FB36

7. C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe (executable)
MD5: 50580F1C6AD3AF8F7C9325A48070214F
SHA256: D1F7282149B4DBEA3557FF02308264CFC5AA13AE33490B8692F392C1132371DB

8. C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe (executable)
MD5: BDFF068C4C23E586A2013708D6A75C9A
SHA256: 7C965138CD0AAC6920C9C7E2E68F2432A0F32F6B6CC0210E44E4CE7CA4B2C59B

9. C:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exe (executable)
MD5: 6280AC1831E499B972405890FFF0B5AF
SHA256: 1650105226B7E52E26E98A467BA83F58333F9BB72EA2274B2ABABE598AEF8D65

10. C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe (executable)
MD5: FEB6CDB50748CFC474E44E55F0CED78E
SHA256: 3949C66B4D54FF803689A1813B984C463E91E754DC1E686CC44D2CDC2A9B0D56
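The dropped .ini name above is a code-page artifact: the sample passed GBK bytes to an ANSI file API on an en-US guest (ANSI code page 1252), so the file exists on disk under the Latin-1 look-alike spelling while the author meant 数据库. The helper below (an added example written for this page, not ANY.RUN's code) turns the displayed name back into raw bytes, tries the East-Asian code pages a triager would consider (the candidate list and its order are assumptions) and also produces the on-disk spelling from an intended name, so an IOC list can carry both forms.

```python
# Added example for this report (not ANY.RUN's code): recover the intended
# name of a dropped file whose name was written through a Windows ANSI API
# with bytes from a different code page. On the en-US sandbox (ANSI code
# page 1252) the bytes CA FD BE DD BF E2 land on disk literally as the
# Latin-1 look-alike "Êý¾Ý¿â", so a hunt needs both spellings.
from typing import Dict, Tuple

# Code pages worth trying for East-Asian-locale samples (assumed list/order).
CANDIDATE_CODEPAGES: Tuple[str, ...] = ("gbk", "cp949", "big5", "shift_jis", "cp1251")


def mojibake_bytes(displayed: str, sandbox_codepage: str = "cp1252") -> bytes:
    """Turn the name as displayed on a cp1252 guest back into the raw bytes
    the sample actually handed to the file API."""
    return displayed.encode(sandbox_codepage)


def recover_name(displayed: str, sandbox_codepage: str = "cp1252") -> Dict[str, str]:
    """Decode the raw bytes under each candidate code page and keep every
    decoding that succeeds. Several may succeed (GBK, CP949 and Big5 overlap
    heavily in the 0xA1-0xFE range), so the analyst still judges which
    script makes sense; a decode error rules that code page out."""
    raw = mojibake_bytes(displayed, sandbox_codepage)
    out: Dict[str, str] = {}
    for cp in CANDIDATE_CODEPAGES:
        try:
            out[cp] = raw.decode(cp)
        except UnicodeDecodeError:
            continue
    return out


def as_on_disk(intended: str, source_codepage: str, sandbox_codepage: str = "cp1252") -> str:
    """Reverse direction: given the name as the author wrote it, produce the
    spelling that appears on a victim or sandbox using `sandbox_codepage`,
    i.e. the string to put into a file-name IOC or an EDR/YARA query."""
    return intended.encode(source_codepage).decode(sandbox_codepage)


def cjk_ratio(s: str) -> float:
    """Fraction of non-ASCII characters that are CJK Unified Ideographs: a
    crude plausibility score that separates a Chinese-script decoding from
    a Cyrillic or mixed Hangul one (it cannot separate GBK from Big5)."""
    non_ascii = [c for c in s if ord(c) > 0x7F]
    if not non_ascii:
        return 0.0
    return sum(1 for c in non_ascii if 0x4E00 <= ord(c) <= 0x9FFF) / len(non_ascii)


if __name__ == "__main__":
    # The name exactly as it appears in the Dropped files list above.
    displayed = "Êý¾Ý¿â.ini"
    print("raw bytes:", mojibake_bytes(displayed).hex(" "))
    for cp, name in recover_name(displayed).items():
        print(f"{cp:>9}: {name!r}  cjk_ratio={cjk_ratio(name):.2f}")
    # Round trip for the IOC list: intended name -> spelling on a 1252 host.
    print("on a cp1252 host:", as_on_disk("数据库.ini", "gbk"))
```

Run it and the gbk row reads 数据库.ini; cp949 and big5 also decode without error, which is why the function returns every successful decoding rather than picking one. The same round trip is useful for the YARA rule or EDR query: match on the raw bytes rather than on either rendered spelling, because the rendering depends on the victim's ANSI code page.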
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 33
TCP/UDP connections: 51
DNS requests: 18
Threats: 1

HTTP requests

None of the rows shown is attributed to the sample (PID 7364); they are CRL, Windows Update and telemetry traffic from Windows system processes, and only a subset of the 33 requests counted above is listed in this summary. The Type and Size columns are empty for every row and are omitted; "-" marks a field the summary leaves blank.

PID | Process | Method | HTTP Code | IP:port | URL | CN | Reputation
2104 | svchost.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2104 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 304 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | -
- | - | GET | 200 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | -
7708 | SIHClient.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
7708 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7708 | SIHClient.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
- | - | GET | 200 | 20.3.187.198:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | -
7708 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
7708 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted

Connections

Only a subset of the 51 connections counted above is listed here, and none of the rows is attributed to the sample (PID 7364). The 192.168.100.255 entries on ports 137 and 138 are NetBIOS name-service and datagram-service broadcasts from the System process. No connection to 18.234.103.197 (the address www.blackievirus.com resolved to, see DNS requests) appears in this subset; check the full report for it. "-" marks a field the summary leaves blank.

PID | Process | IP:port | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2104 | svchost.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
2104 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
6544 | svchost.exe | 20.190.159.4:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 216.58.206.46
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
login.live.com
  • 20.190.159.4
  • 20.190.159.128
  • 20.190.159.71
  • 40.126.31.131
  • 20.190.159.64
  • 40.126.31.128
  • 40.126.31.1
  • 40.126.31.69
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
www.blackievirus.com
  • 18.234.103.197
malicious (the only domain in this run that is not whitelisted; the DNS table carries no PID, and no HTTP request or connection to 18.234.103.197 appears in the subsets shown above, so pull the full report to see whether the sample actually contacted it)
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

PID: (not attributed)
Process: (not attributed)
Class: Potential Corporate Privacy Violation
Message: ET INFO Unsupported/Fake Windows NT Version 5.0

This Emerging Threats rule fires on an HTTP User-Agent header that claims "Windows NT 5.0", i.e. Windows 2000. The guest is Windows 10, so the string is a hard-coded User-Agent in whichever HTTP client produced the request, not the real OS version. The network-signature row carries no PID, but the same "Potential Corporate Privacy Violation" class is attributed to PID 7364 in the SUSPICIOUS list above, which ties the alert to the sample's own traffic. The request itself is not among the HTTP rows shown in this summary; extract it from the PCAP in the full report.
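The check behind that alert is simple enough to re-run offline over exported HTTP requests or proxy logs. Below is an added example written for this page, not ANY.RUN's or Emerging Threats' rule text: it parses raw HTTP/1.x requests, pulls the User-Agent, and flags any that claim an NT version no supported client still sends. The ET rule on this page covers only 5.0; the 5.1 and 5.2 entries in the table, the sample requests, the hostname example.invalid and the path /update.php are all constructed for the demonstration and were not observed in this analysis.

```python
# Added example for this report (not ANY.RUN's or Emerging Threats' code):
# the User-Agent check behind "ET INFO Unsupported/Fake Windows NT Version
# 5.0", re-implemented over raw HTTP request text so it can run offline
# against a PCAP export or proxy log. On a Windows 10 guest a User-Agent
# claiming Windows NT 5.0 can only come from a string hard-coded in the
# sample's HTTP client.
import re
from typing import Dict, List, Optional

# NT versions no vendor ships a supported browser for. The rule on the page
# covers only 5.0; 5.1 and 5.2 are an assumed extension for wider hunting.
UNSUPPORTED_NT_VERSIONS = {
    "5.0": "Windows 2000",
    "5.1": "Windows XP",
    "5.2": "Windows Server 2003 / XP x64",
}

_HEADER_RE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")
_NT_RE = re.compile(r"Windows NT (\d+\.\d+)")


def parse_request(raw: str) -> Dict[str, str]:
    """Parse the request line and headers of one HTTP/1.x request into a
    dict with 'method', 'target', 'version' and lower-cased header names.
    Anything after the blank line (the body) is ignored."""
    head = raw.split("\r\n\r\n", 1)[0] if "\r\n\r\n" in raw else raw.split("\n\n", 1)[0]
    lines = head.splitlines()
    if not lines:
        raise ValueError("empty request")
    parts = lines[0].split()
    if len(parts) != 3:
        raise ValueError(f"bad request line: {lines[0]!r}")
    req = {"method": parts[0], "target": parts[1], "version": parts[2]}
    for line in lines[1:]:
        m = _HEADER_RE.match(line)
        if not m:
            continue  # tolerate junk lines the way a sensor would
        req[m.group(1).lower()] = m.group(2)
    return req


def fake_nt_version(user_agent: str) -> Optional[str]:
    """Return the claimed NT version if it is one no supported client sends,
    else None. Case-sensitive on purpose: real clients write 'Windows NT'."""
    m = _NT_RE.search(user_agent)
    if m and m.group(1) in UNSUPPORTED_NT_VERSIONS:
        return m.group(1)
    return None


def scan_requests(requests: List[str], guest_nt: str = "10.0") -> List[Dict[str, str]]:
    """Run the check over many raw requests. Each hit records host, target,
    the User-Agent, and the claimed vs. real NT version so the analyst can
    tie the alert back to the offending flow."""
    hits = []
    for raw in requests:
        req = parse_request(raw)
        ua = req.get("user-agent", "")
        claimed = fake_nt_version(ua)
        if claimed is None:
            continue
        hits.append({
            "host": req.get("host", ""),
            "target": req["target"],
            "user_agent": ua,
            "claimed_nt": claimed,
            "claimed_os": UNSUPPORTED_NT_VERSIONS[claimed],
            "guest_nt": guest_nt,
        })
    return hits


# Constructed sample traffic (not taken from the PCAP): two requests shaped
# like the Windows CRL/Update rows in the report, and one with the kind of
# hard-coded Windows 2000 User-Agent the ET rule is written for. The host
# example.invalid and the path /update.php are placeholders, not observed.
SAMPLE_REQUESTS = [
    "GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1\r\n"
    "Host: crl.microsoft.com\r\n"
    "User-Agent: Microsoft-CryptoAPI/10.0\r\n"
    "\r\n",
    "GET /update.php HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n",
    "GET /clientwebservice/ping HTTP/1.1\r\n"
    "Host: fe3cr.delivery.mp.microsoft.com\r\n"
    "User-Agent: Windows-Update-Agent/10.0.19041.3996 Client-Protocol/2.0\r\n"
    "\r\n",
]

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(f"ALERT: User-Agent claims NT {hit['claimed_nt']} ({hit['claimed_os']}) "
              f"from an NT {hit['guest_nt']} guest: {hit['host']}{hit['target']} "
              f"UA={hit['user_agent']!r}")
```

Only the second constructed request is flagged; the two Windows-style requests pass because their User-Agent strings carry NT 10.0. When you run this over the real PCAP, treat a hit as an attribution aid rather than a verdict: the value is that the flow can then be matched by timestamp and destination against the sample's PID in the full report.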
No debug info