File name: exe.exe.v

Full analysis: https://app.any.run/tasks/fdb85b9f-bcfb-46ee-9e90-ca0e5fb0d54a
Verdict: Malicious activity
Threats:

BlackMoon, also known as KrBanker, is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has evolved considerably since, adding a number of new infiltration techniques and information-stealing methods.

Analysis date: September 20, 2024, 16:54:23
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: aspack, blackmoon, loader, vmprotect, fatalrat, rat
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: C1105B325208B94C7F2A054901EE7122
SHA1: 6D43A222928259AFED09081427CEA7EFBE64CD33
SHA256: EECE8F6AA859EEC0D58FDE08B08D6716D0DF66AACD180D102B4DF5B4896BC23E
SSDEEP: 3072:rCSggQw9qtFWeQ0h549jikGJOlpVxd6N/xe4:rZg9wktFWeQ0P3ZJ8pVx4Ng4

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is for user acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • BLACKMOON has been detected (YARA)
      • exe.exe.v.exe (PID: 4980)
    • Connects to the CnC server
      • svchost.exe (PID: 1044)
    • FATALRAT has been detected (SURICATA)
      • svchost.exe (PID: 1044)
    • Uses Task Scheduler to autorun other applications
      • exe.exe.v.exe (PID: 4980)
  • SUSPICIOUS
    • Application launched itself
      • exe.exe.v.exe (PID: 7116)
    • Reads security settings of Internet Explorer
      • exe.exe.v.exe (PID: 7116)
      • exe.exe.v.exe (PID: 4980)
    • There is functionality for taking screenshots (YARA)
      • exe.exe.v.exe (PID: 4980)
    • Checks Windows Trust Settings
      • exe.exe.v.exe (PID: 4980)
    • Process drops a legitimate Windows executable
      • exe.exe.v.exe (PID: 4980)
    • Executable content was dropped or overwritten
      • exe.exe.v.exe (PID: 4980)
    • The process drops C-runtime libraries
      • exe.exe.v.exe (PID: 4980)
    • Likely accesses (executes) a file from the Public directory
      • schtasks.exe (PID: 7092)
    • Contacting a server suspected of hosting a CnC
      • svchost.exe (PID: 1044)
  • INFO
    • Reads the computer name
      • exe.exe.v.exe (PID: 7116)
      • exe.exe.v.exe (PID: 4980)
    • Checks supported languages
      • exe.exe.v.exe (PID: 7116)
      • exe.exe.v.exe (PID: 4980)
    • The process uses the downloaded file
      • exe.exe.v.exe (PID: 7116)
    • Reads the machine GUID from the registry
      • exe.exe.v.exe (PID: 4980)
    • Process checks computer location settings
      • exe.exe.v.exe (PID: 7116)
    • Creates files in the program directory
      • exe.exe.v.exe (PID: 4980)
    • Checks proxy server information
      • exe.exe.v.exe (PID: 4980)
    • ASPack has been detected
      • exe.exe.v.exe (PID: 4980)
    • Reads the software policy settings
      • exe.exe.v.exe (PID: 4980)
    • Manual execution by a user
      • mesvc.exe (PID: 2356)
      • mesvc.exe (PID: 4152)
    • VMProtect protector has been detected
      • spower.exe (PID: 2608)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

Extension | Type | Match
.exe | Win64 Executable (generic) | 76.4%
.exe | Win32 Executable (generic) | 12.4%
.exe | Generic Win/DOS Executable | 5.5%
.exe | DOS Executable Generic | 5.5%

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:09:19 11:09:26+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 192512
InitializedDataSize: 372736
UninitializedDataSize: -
EntryPoint: 0xa4001
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 1.0.0.1
FileDescription: 系统基础应用程序
ProductName: 系统基础应用程序
ProductVersion: 1.0.0.1
CompanyName: 系统基础应用程序
LegalCopyright: 系统基础应用程序
Comments: 系统基础应用程序
No data.
All screenshots are available in the full report
Total processes: 132
Monitored processes: 11
Malicious processes: 3
Suspicious processes: 0


Process information

Each record lists PID, command line, image path and parent process, followed by the process details and loaded modules.

PID 1044 | CMD: C:\ProgramData\NVIDIARV\svchost.exe | Path: C:\ProgramData\NVIDIARV\svchost.exe | Parent: exe.exe.v.exe
User: admin
Integrity Level: HIGH
Modules:
c:\programdata\nvidiarv\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID 2256 | CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | Path: C:\Windows\System32\svchost.exe | Parent: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules:
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID 2356 | CMD: "C:\Program Files\Microvirt\MEmuHyperv\mesvc.exe" -Embedding | Path: C:\Program Files\Microvirt\MEmuHyperv\mesvc.exe | Parent: explorer.exe
User: admin
Company: Maiwei Corporation
Integrity Level: MEDIUM
Description: MemuHyperv Interface
Exit code: 3221226540
Version: 5.1.34.121010
PID 2580 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: upssvc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules:
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\textshaping.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll
c:\windows\system32\dwmapi.dll
PID 2608 | CMD: C:\Users\admin\AppData\Local\Temp\kdv8bs3dzsz0k0z\spower.exe | Path: C:\Users\admin\AppData\Local\Temp\kdv8bs3dzsz0k0z\spower.exe | Parent: exe.exe.v.exe
User: admin
Company: ©Microsoft Corporation. AlI rights reserved.
Integrity Level: HIGH
Description: Windows 服务主进程
Exit code: 0
Version: 10.0.19041.3636
Modules:
c:\users\admin\appdata\local\temp\kdv8bs3dzsz0k0z\spower.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winsta.dll
c:\windows\system32\msvcrt.dll
PID 4152 | CMD: "C:\Program Files\Microvirt\MEmuHyperv\mesvc.exe" -Embedding | Path: C:\Program Files\Microvirt\MEmuHyperv\mesvc.exe | Parent: explorer.exe
User: admin
Company: Maiwei Corporation
Integrity Level: HIGH
Description: MemuHyperv Interface
Version: 5.1.34.121010
Modules:
c:\program files\microvirt\memuhyperv\mesvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\psapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\powrprof.dll
PID 4444 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID 4980 | CMD: "C:\Users\admin\Desktop\exe.exe.v.exe" | Path: C:\Users\admin\Desktop\exe.exe.v.exe | Parent: exe.exe.v.exe
User: admin
Company: 系统基础应用程序
Integrity Level: HIGH
Description: 系统基础应用程序
Exit code: 0
Version: 1.0.0.1
Modules:
c:\users\admin\desktop\exe.exe.v.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID 6704 | CMD: C:\Users\admin\AppData\Local\Temp\kdv8bs3dzsz0k0z\upssvc.exe | Path: C:\Users\admin\AppData\Local\Temp\kdv8bs3dzsz0k0z\upssvc.exe | Parent: exe.exe.v.exe
User: admin
Integrity Level: HIGH
Exit code: 0
PID 7092 | CMD: SCHTASKS /Create /SC ONLOGON /TN WindowsUpdata /F /RL HIGHEST /TR C:\Users\Public\Pictureskdv8bs3d\CCCef3Render.exe | Path: C:\Windows\SysWOW64\schtasks.exe | Parent: exe.exe.v.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules:
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\kernel.appcore.dll
c:\windows\syswow64\bcryptprimitives.dll
Total events: 3 896
Read events: 3 888
Write events: 8
Delete events: 0

Modification events

PID 4980 exe.exe.v.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value: (empty)
PID 4980 exe.exe.v.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
PID 4980 exe.exe.v.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
PID 4980 exe.exe.v.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers | Operation: write | Name: C:\Program Files\Microvirt\MEmuHyperv\mesvc.exe | Value: ~ RUNASADMIN
PID 4980 exe.exe.v.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers | Operation: write | Name: C:\ProgramData\NVIDIARV\svchost.exe | Value: ~ RUNASADMIN
PID 4980 exe.exe.v.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers | Operation: write | Name: C:\Users\admin\AppData\Local\Temp\kdv8bs3dzsz0k0z\spower.exe | Value: ~ RUNASADMIN
PID 4980 exe.exe.v.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers | Operation: write | Name: C:\Users\admin\AppData\Local\Temp\kdv8bs3dzsz0k0z\upssvc.exe | Value: ~ RUNASADMIN
PID 4980 exe.exe.v.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers | Operation: write | Name: C:\Users\Public\Pictureskdv8bs3d\CCCef3Render.exe | Value: ~ RUNASADMIN
Executable files: 14
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4980 | exe.exe.v.exe | C:\Users\Public\Pictures\temp.tmp | -
  MD5: -
  SHA256: -
4980 | exe.exe.v.exe | C:\Program Files\Microvirt\MEmuHyperv\MEmuRT.dll | executable
  MD5: 56719CC92AF72F56F46A5798B1430D9E
  SHA256: CA5E9919A5B3612A2FAAAB0F08F3E95DB69E3D88D821A706C5D68D3F0D86D060
4980 | exe.exe.v.exe | C:\Program Files\Microvirt\MEmuHyperv\libssl-1_1-x64.dll | executable
  MD5: 2B242983D5FC098515105268EB22F0B7
  SHA256: 1679808A0A410E73D7807C1FACFD0CE0EE1E6270B35D29DCDF0A8977C17418AC
4980 | exe.exe.v.exe | C:\Users\admin\AppData\Local\Temp\kdv8bs3dzsz0k0z\msvcp60.dll | executable
  MD5: BC3B4FF915515CD02E2A3112FFD29250
  SHA256: E7776A96CEC56CD207B38BB0A7C4A41516331F636210A16E9712E2EE2FBC3742
4980 | exe.exe.v.exe | C:\Users\admin\AppData\Local\Temp\kdv8bs3dzsz0k0z\spower.exe | executable
  MD5: 3C124149591ABC905E07753AD7BF5A35
  SHA256: 1520FA7E27EB0B310BC83946594251B570F1D4042345EEA243010260E7676AC6
4980 | exe.exe.v.exe | C:\Program Files\Microvirt\MEmuHyperv\libcurl.dll | executable
  MD5: 75B9BBFCF9581252474A5D1DAA6E6641
  SHA256: C78B0AA24630B35DFD3030626F873A89A39944FFA620B6AFB42AE50EB1618F4B
4980 | exe.exe.v.exe | C:\Program Files\Microvirt\MEmuHyperv\libcrypto-1_1-x64.dll | executable
  MD5: 6DEF652FD7E5207C374FC51534BDA953
  SHA256: 80677A75588101CA6DA2A22B74C02BD5B91ABA2A62D1BCE20D07370A9DDF0118
4980 | exe.exe.v.exe | C:\Users\Public\Pictureskdv8bs3d\libcef.dll | executable
  MD5: 27F4C9A9B60AE51613877CD811616634
  SHA256: 7E3025A6986B3E3329BCB529C60F6BE2D63DA1188DCA0499CC9D915067159811
4980 | exe.exe.v.exe | C:\ProgramData\Packas\mesvc.lnk | lnk
  MD5: 0860C8BCD8C42FFF99AA07950F250301
  SHA256: 1E1904606A4A103474E11566C34D9BE05A0ECF68BDF7CB5527B33B7D2B771B6F
4980 | exe.exe.v.exe | C:\ProgramData\NVIDIARV\svchost.exe | executable
  MD5: 3670ADFC30D5B2719002B7DFCE6192B5
  SHA256: 56C03D3A3E962AD2C0167B1BAA48F309A368F1C132E4B9B10142EEB2B862679A
HTTP(S) requests: 34
TCP/UDP connections: 36
DNS requests: 7
Threats: 21

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5768 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2120 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 47.79.64.169:443 | https://a18qqq1.oss-cn-hongkong.aliyuncs.com/2.ini | unknown | - | - | -
- | - | GET | 200 | 47.79.64.169:443 | https://a18qqq1.oss-cn-hongkong.aliyuncs.com/1.ini | unknown | text | 4 b | -
- | - | GET | 200 | 47.79.64.169:443 | https://a18qqq1.oss-cn-hongkong.aliyuncs.com/hj/MEmuSVC.exe | unknown | executable | 4.60 Mb | -
- | - | GET | 200 | 47.79.64.169:443 | https://a18qqq1.oss-cn-hongkong.aliyuncs.com/hj/libcurl.dll | unknown | executable | 365 Kb | -
- | - | GET | 200 | 47.79.64.169:443 | https://a18qqq1.oss-cn-hongkong.aliyuncs.com/hj/MEmuSVC.exe | unknown | executable | 4.60 Mb | -
- | - | GET | 200 | 47.79.64.169:443 | https://a18qqq1.oss-cn-hongkong.aliyuncs.com/hj/libcrypto-1_1-x64.dll | unknown | executable | 2.58 Mb | -
- | - | GET | 200 | 47.79.64.169:443 | https://a18qqq1.oss-cn-hongkong.aliyuncs.com/hj/libcrypto-1_1-x64.dll | unknown | executable | 2.58 Mb | -
- | - | GET | 200 | 47.79.64.169:443 | https://a18qqq1.oss-cn-hongkong.aliyuncs.com/hj/MEmuDDU.dll | unknown | executable | 355 Kb | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5768 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
6924 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.189.173.23:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
- | - | 104.126.37.162:443 | - | Akamai International B.V. | DE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4980 | exe.exe.v.exe | 47.79.64.169:443 | a18qqq1.oss-cn-hongkong.aliyuncs.com | WINDSTREAM | US | unknown
5768 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 4.231.128.59 | whitelisted
google.com | 142.250.186.46 | whitelisted
a18qqq1.oss-cn-hongkong.aliyuncs.com | 47.79.64.169 | unknown
www.microsoft.com | 88.221.169.152 | whitelisted
a18.nbdsnb2.top | - | unknown
a18.yydsnb1.top | 198.44.170.193 | unknown

Threats

PID | Process | Class | Message
2256 | svchost.exe | Misc activity | ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
4980 | exe.exe.v.exe | Misc activity | ET INFO Observed Alibaba Cloud CDN Domain (aliyuncs .com in TLS SNI) (9 identical alerts)
1 ETPRO signature is available in the full report.
No debug info