File name: c748a60592effaf962d28b5a8fb11aead3a59e03372c0f7f874d075ad17c1796

Full analysis: https://app.any.run/tasks/49220b22-988d-4a05-85d1-12f1ca750db5
Verdict: Malicious activity
Threats:

BlackMoon also known as KrBanker is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has impressively evolved since by adding a number of new infiltration techniques and information stealing methods.

Analysis date: June 13, 2025, 18:46:58
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: blackmoon
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: 15816CDDADFC7CF02630AEC1283E66EB
SHA1: C3E5785D1CA2608C5BBE0326138622374E6410F6
SHA256: C748A60592EFFAF962D28B5A8FB11AEAD3A59E03372C0F7F874D075AD17C1796
SSDEEP: 6144:oP/2WHKst8swjymFTR3vGvQrCHTwb2qWWYBc8gH0rHLI:IgngqWWYBcErHLI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • c748a60592effaf962d28b5a8fb11aead3a59e03372c0f7f874d075ad17c1796.exe (PID: 4684)
    • BLACKMOON has been detected (YARA)

      • c748a60592effaf962d28b5a8fb11aead3a59e03372c0f7f874d075ad17c1796.exe (PID: 6360)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Checks supported languages

      • c748a60592effaf962d28b5a8fb11aead3a59e03372c0f7f874d075ad17c1796.exe (PID: 6360)
    • The sample is compiled with Chinese language support

      • c748a60592effaf962d28b5a8fb11aead3a59e03372c0f7f874d075ad17c1796.exe (PID: 6360)
    • Reads the computer name

      • c748a60592effaf962d28b5a8fb11aead3a59e03372c0f7f874d075ad17c1796.exe (PID: 6360)
    • Checks proxy server information

      • slui.exe (PID: 3980)
    • Reads the software policy settings

      • slui.exe (PID: 3980)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:12:26 10:23:37+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 413696
InitializedDataSize: 45056
UninitializedDataSize: -
EntryPoint: 0x5be90
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.150
ProductVersionNumber: 1.0.0.150
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 1.0.0.150
FileDescription: RiotClientCrashHandler
ProductName: RiotClientCrashHandler
ProductVersion: 1.0.0.150
CompanyName: Tencent
LegalCopyright: Tencent 版权所有
Comments: RiotClientCrashHandler
No data.
Total processes: 135
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Processes shown in the graph: c748a60592effaf962d28b5a8fb11aead3a59e03372c0f7f874d075ad17c1796.exe (#BLACKMOON), slui.exe, c748a60592effaf962d28b5a8fb11aead3a59e03372c0f7f874d075ad17c1796.exe (no specs)

Process information

PID: 3980
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 4684
CMD: "C:\Users\admin\Desktop\c748a60592effaf962d28b5a8fb11aead3a59e03372c0f7f874d075ad17c1796.exe"
Path: C:\Users\admin\Desktop\c748a60592effaf962d28b5a8fb11aead3a59e03372c0f7f874d075ad17c1796.exe
Parent process: explorer.exe
User: admin
Company: Tencent
Integrity Level: MEDIUM
Description: RiotClientCrashHandler
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED; the sample was then relaunched at HIGH integrity as PID 6360)
Version: 1.0.0.150
Modules (images):
c:\users\admin\desktop\c748a60592effaf962d28b5a8fb11aead3a59e03372c0f7f874d075ad17c1796.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 6360
CMD: "C:\Users\admin\Desktop\c748a60592effaf962d28b5a8fb11aead3a59e03372c0f7f874d075ad17c1796.exe"
Path: C:\Users\admin\Desktop\c748a60592effaf962d28b5a8fb11aead3a59e03372c0f7f874d075ad17c1796.exe
Parent process: explorer.exe
User: admin
Company: Tencent
Integrity Level: HIGH
Description: RiotClientCrashHandler
Exit code: 0
Version: 1.0.0.150
Modules (images):
c:\users\admin\desktop\c748a60592effaf962d28b5a8fb11aead3a59e03372c0f7f874d075ad17c1796.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\imagehlp.dll
Total events: 3 504
Read events: 3 504
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files: No data

HTTP(S) requests: 2
TCP/UDP connections: 16
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | POST | - | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | - | - | whitelisted
- | - | POST | - | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
888 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6024 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6164 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3980 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.110 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted
self.events.data.microsoft.com | 20.189.173.16 | whitelisted

Threats: No threats detected
Debug info: No debug info