File name:	2025-05-29_2642fa53627640e526a0c36f772f9956_elex_icedid_stop
Full analysis:	https://app.any.run/tasks/a833389b-225f-4011-8342-ce9d6705cab9
Verdict:	Malicious activity
Threats:	BlackMoon also known as KrBanker is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has impressively evolved since by adding a number of new infiltration techniques and information stealing methods. Malware Trends Tracker >>>
Analysis date:	May 29, 2025, 10:51:58
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	blackmoon
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	2642FA53627640E526A0C36F772F9956
SHA1:	2BF90CFFF140016D82C4275CBB4B9A8B6272C46E
SHA256:	C144D9490BF8749637878661B9661FE59F613CB59A1D1E5B71B631C36675B844
SSDEEP:	49152:XFxUhnky7BM7W88988Nt5KBBDhzsf9hS1Sx5F2b35tZOP3E/4VhH3QLBf8XcHZ8m:3Uhnkyi8qDpsVhS1Sx5HPznWnNHqc

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2016:08:17 08:34:04+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	368640
InitializedDataSize:	1241088
UninitializedDataSize:	-
EntryPoint:	0x4fd00
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	5.6.1.1
ProductVersionNumber:	5.6.1.1
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Chinese (Simplified)
CharacterSet:	Unicode
FileVersion:	5.6.1.1
FileDescription:
ProductName:
ProductVersion:	5.6.1.1
CompanyName:
LegalCopyright:
Comments:	本程序使用易语言编写(http://www.dywt.com.cn)


(PID) Process:	(6032) 2025-05-29_2642fa53627640e526a0c36f772f9956_elex_icedid_stop.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings
Operation:	write	Name:	JITDebug
Value: 0
(PID) Process:	(6032) 2025-05-29_2642fa53627640e526a0c36f772f9956_elex_icedid_stop.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2420) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(6032) 2025-05-29_2642fa53627640e526a0c36f772f9956_elex_icedid_stop.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(6032) 2025-05-29_2642fa53627640e526a0c36f772f9956_elex_icedid_stop.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6032) 2025-05-29_2642fa53627640e526a0c36f772f9956_elex_icedid_stop.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2420) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(2420) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(2420) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:	write	Name:	S-1-5-21-1693682860-607145093-2874071422-1001
Value: 65F5B75FDA942F00
(PID) Process:	(2420) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0

PID	Process	Filename		Type
2420	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF11eb57.TMP		—
		MD5:—	SHA256:—
2420	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
2420	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF11eb67.TMP		—
		MD5:—	SHA256:—
2420	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
6032	2025-05-29_2642fa53627640e526a0c36f772f9956_elex_icedid_stop.exe	C:\Users\admin\AppData\Local\Temp\gmiomp.exe		executable
		MD5:2642FA53627640E526A0C36F772F9956	SHA256:C144D9490BF8749637878661B9661FE59F613CB59A1D1E5B71B631C36675B844
660	gmiomp.exe	C:\Users\admin\AppData\Local\Temp\6864218195\....\TemporaryFile		executable
		MD5:2642FA53627640E526A0C36F772F9956	SHA256:C144D9490BF8749637878661B9661FE59F613CB59A1D1E5B71B631C36675B844
2420	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Variations		binary
		MD5:CF51C24E444F50F86D6149814130A476	SHA256:195D5778197A31A34D0E9E4431271194C0673FE1240DF9BD7A08C409D05E3414
660	gmiomp.exe	C:\Users\admin\AppData\Roaming\Download\545516.exe		executable
		MD5:2976DBF7D305D1E2549F290EC95C970E	SHA256:0352EC3A0742982571EA65D56614E1B6E6448F4E112695BBA1B37219FCE188D0
2420	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old		text
		MD5:43177E17EA12FD833ABD2E5B4E22AD68	SHA256:BCACFDDDB8694D7266513F9769D27D54938DA8C689AD8B42986347594BAD2271
6032	2025-05-29_2642fa53627640e526a0c36f772f9956_elex_icedid_stop.exe	C:\Users\admin\AppData\Local\Temp\ldsajdklsajdlkjsalkda.bat		text
		MD5:8D429A42926EE993FD964B694D838812	SHA256:20CEFB599F8C1ACAED3C65CE14B8ADB23F0FFDD0EB65A511DC614AA74CEE02DD

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	503	13.107.6.158:443	https://business.bing.com/work/api/v2/tenant/my/settingswithflights?&clienttype=edge-omnibox	unknown	html	13.7 Kb	whitelisted
—	—	GET	404	13.107.6.158:443	https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox	unknown	—	—	—
—	—	GET	200	40.90.65.34:443	https://edge-mobile-static.azureedge.net/eccp/get?settenant=edge-config&setplatform=win&setmkt=en-US&setchannel=stable	unknown	binary	16.0 Kb	whitelisted
—	—	GET	200	150.171.27.11:443	https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=122.0.2365.59&experimentationmode=2&scpguard=0&scpfull=0&scpver=0	unknown	binary	446 b	whitelisted
—	—	GET	200	13.107.42.16:443	https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=47&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1	unknown	binary	768 b	whitelisted
7464	RUXIMICS.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7464	RUXIMICS.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	—	106.63.24.67:443	https://hao.360.cn/?src=lm&ls=n6abbbb598c	unknown	—	—	—
2140	msedge.exe	GET	301	101.198.2.134:80	http://hao.360.cn/?src=lm&ls=n6abbbb598c	unknown	—	—	whitelisted
—	—	GET	404	13.107.6.158:443	https://business.bing.com/work/api/v2/tenant/my/settingswithflights?&clienttype=edge-omnibox	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
7464	RUXIMICS.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
7464	RUXIMICS.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
7464	RUXIMICS.exe	2.23.181.156:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2140	msedge.exe	13.107.6.158:443	business.bing.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
2140	msedge.exe	150.171.28.11:443	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
2140	msedge.exe	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
2420	msedge.exe	239.255.255.250:1900	—	—	—	whitelisted

Domain	IP	Reputation
google.com	142.250.185.142	whitelisted
dt.hebchengjiu.com	—	unknown
crl.microsoft.com	23.48.23.156 23.48.23.143	whitelisted
www.microsoft.com	2.23.181.156	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
hao.360.cn	101.198.2.134	whitelisted
edge.microsoft.com	150.171.28.11 150.171.27.11	whitelisted
edge-mobile-static.azureedge.net	13.107.253.45	whitelisted
business.bing.com	13.107.6.158	whitelisted
hao.360.com	106.63.24.67	whitelisted

General Info

2025-05-29_2642fa53627640e526a0c36f772f9956_elex_icedid_stop

2642FA53627640E526A0C36F772F9956

2BF90CFFF140016D82C4275CBB4B9A8B6272C46E

C144D9490BF8749637878661B9661FE59F613CB59A1D1E5B71B631C36675B844

49152:XFxUhnky7BM7W88988Nt5KBBDhzsf9hS1Sx5F2b35tZOP3E/4VhH3QLBf8XcHZ8m:3Uhnkyi8qDpsVhS1Sx5HPznWnNHqc

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

BLACKMOON has been detected (YARA)

SUSPICIOUS

Uses WMI to retrieve WMI-managed resources (SCRIPT)

Starts itself from another location

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Application launched itself

Searches for installed software

Explorer used for Indirect Command Execution

There is functionality for taking screenshot (YARA)

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

INFO

Checks supported languages

Checks proxy server information

Reads the computer name

The sample compiled with chinese language support

Process checks computer location settings

Create files in a temporary directory

Reads the machine GUID from the registry

Application launched itself

Reads security settings of Internet Explorer

Creates files or folders in the user directory

Manual execution by a user

Reads Environment values

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings