File name: 2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader

Full analysis: https://app.any.run/tasks/7d11dcf5-84a5-4996-b1d1-ad789b758ac9
Verdict: Malicious activity
Threats:

BlackMoon, also known as KrBanker, is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first observed in early 2014 attacking banks in South Korea and has evolved considerably since, adding a number of new infiltration techniques and information-stealing methods.

Analysis date: June 22, 2025, 00:17:49
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: blackmoon
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: FC1CEFD4E76A280B177C23CE88007146
SHA1: C3A75087701DFF5C435F625A04D7ADE815BF6118
SHA256: ED99412BD853F059A4E3BC2CB4DE0EA76224E91F7C6A81FFCE7194A72BFB131A
SSDEEP: 98304:DFJslDED01HF/fS19g+UEvjhvxMIs4klURu71sDRaJs8Nps+/CoQBFqImfd3sBxy:xq9C1x0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • BLACKMOON has been detected (YARA)

      • 2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe (PID: 6832)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe (PID: 6832)
    • Potential Corporate Privacy Violation

      • 2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe (PID: 6832)
    • Creates file in the systems drive root

      • 2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe (PID: 6832)
    • Reads security settings of Internet Explorer

      • 2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe (PID: 6832)
    • Process drops legitimate windows executable

      • 2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe (PID: 6832)
    • There is functionality for taking screenshot (YARA)

      • 2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe (PID: 6832)
  • INFO

    • The sample compiled with english language support

      • 2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe (PID: 6832)
    • Checks supported languages

      • 2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe (PID: 6832)
    • Creates files or folders in the user directory

      • 2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe (PID: 6832)
    • Reads the computer name

      • 2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe (PID: 6832)
    • Failed to create an executable file in Windows directory

      • 2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe (PID: 6832)
    • Checks proxy server information

      • 2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe (PID: 6832)
      • slui.exe (PID: 1472)
    • Reads the software policy settings

      • slui.exe (PID: 1472)
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (32.3)
.exe | Win32 Executable MS Visual C++ (generic) (24.2)
.exe | Win64 Executable (generic) (21.4)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:10:07 02:06:26+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 122880
InitializedDataSize: 167936
UninitializedDataSize: -
EntryPoint: 0xb0d1
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 137
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #BLACKMOON 2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe slui.exe svchost.exe

Process information

PID: 1472
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 6832
CMD: "C:\Users\admin\Desktop\2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe"
Path: C:\Users\admin\Desktop\2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 3 962
Read events: 3 962
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 9
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type

6832 | 2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | executable
MD5: 3D1882B40B05C9A125A0E2C5E834595F
SHA256: 1A6E19EA41D5368D318DC97BDB09F269E5B33BE9972BB936FC4DBAE7F83DD8BE

6832 | 2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | executable
MD5: B8C2662506EDBCE24EA549C8B7B006CF
SHA256: 5F3AC320F6262749C10B0AB4C8F17F228573BD2D19BA598EFDC2DEFE1397EC87

6832 | 2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe | C:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exe | executable
MD5: 6280AC1831E499B972405890FFF0B5AF
SHA256: 1650105226B7E52E26E98A467BA83F58333F9BB72EA2274B2ABABE598AEF8D65

6832 | 2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | executable
MD5: 91F58CC9DB0169D917E8F5BE3EE6BC8A
SHA256: C9E60F0E9BE20953A351B12E4B0F9F861FF2B9BEBAE0B6E95C406F73D213CB3C

6832 | 2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe | executable
MD5: FEB6CDB50748CFC474E44E55F0CED78E
SHA256: 3949C66B4D54FF803689A1813B984C463E91E754DC1E686CC44D2CDC2A9B0D56

6832 | 2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | executable
MD5: 50580F1C6AD3AF8F7C9325A48070214F
SHA256: D1F7282149B4DBEA3557FF02308264CFC5AA13AE33490B8692F392C1132371DB

6832 | 2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | executable
MD5: CF1A1B2A6F227D5B06AB0B3C8B88618B
SHA256: 1FD250A499B2912B1ACEC31A03CAA32F1B328F2861E1383E94F23386F724FB36

6832 | 2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe | executable
MD5: BDFF068C4C23E586A2013708D6A75C9A
SHA256: 7C965138CD0AAC6920C9C7E2E68F2432A0F32F6B6CC0210E44E4CE7CA4B2C59B

6832 | 2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | executable
MD5: 659153659772B6DA39F1BE1CF49B04B4
SHA256: 1A85E0235F7F0F810B2B8C2B81351AB631DAB5B351FFA30A49606682C8869A9C

6832 | 2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe | C:\Users\admin\AppData\Local\VirtualStore\Windows\Êý¾Ý¿â.ini | text
MD5: 52D06900772290EBE825BA6C108AA257
SHA256: 315403DFCDF22E406E4716C4EB2EDC4D20E8435289E44747C6E5AD066EA41F6E
(The file name Êý¾Ý¿â.ini is the GBK-encoded name 数据库.ini, "database.ini", rendered through a Western single-byte code page.)
HTTP(S) requests: 38
TCP/UDP connections: 49
DNS requests: 20
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.55.104.190:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.55.104.190:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4708 | RUXIMICS.exe | GET | 200 | 23.55.104.190:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4708 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 40.126.32.138:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 400 | 40.126.31.73:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 200 | 20.190.159.64:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted
- | - | POST | 200 | 40.126.31.71:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4708 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.55.104.190:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
1268 | svchost.exe | 23.55.104.190:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
4708 | RUXIMICS.exe | 23.55.104.190:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 40.127.240.158 | whitelisted
google.com | 142.250.186.110 | whitelisted
crl.microsoft.com | 23.55.104.190, 23.55.104.172, 184.25.50.10, 184.25.50.8 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
client.wns.windows.com | 172.211.123.248 | whitelisted
login.live.com | 40.126.32.136, 20.190.160.2, 20.190.160.67, 20.190.160.3, 20.190.160.65, 40.126.32.68, 20.190.160.17, 20.190.160.14 | whitelisted
nexusrules.officeapps.live.com | 52.111.227.14 | whitelisted
www.blackievirus.com | 50.16.27.236 | malicious
slscr.update.microsoft.com | 4.175.87.197 | whitelisted
fe3cr.delivery.mp.microsoft.com | 52.165.164.15 | whitelisted

Threats

PID | Process | Class | Message
6832 | 2025-06-21_fc1cefd4e76a280b177c23ce88007146_amadey_darkgate_elex_hawkeye_rhadamanthys_smoke-loader.exe | Potential Corporate Privacy Violation | ET INFO Unsupported/Fake Windows NT Version 5.0
No debug info