File name: 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid

Full analysis: https://app.any.run/tasks/3a580363-182b-410c-b23f-a71865f87c7d
Verdict: Malicious activity
Threats:

BlackMoon, also known as KrBanker, is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first observed in early 2014 attacking banks in South Korea and has evolved considerably since then, adding a number of new infiltration techniques and information-stealing methods.

Analysis date: May 15, 2025, 13:47:08
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-startup
blackmoon
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

DC9E9ABA44047CB8A1723F990DDB3235

SHA1:

52D4A0DA958405173B59CF70138E7ACBEBC3CBF6

SHA256:

F2D3BAB501FD04C0ED6B3EBF6181AF922EEFCCCDDCA577D767D88164ACAA2A5A

SSDEEP:

98304:64Cc6CF5FKwPOlZSFSA5VDcz5h0g+TNjSmS55kdkE:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • ippatch.exe (PID: 680)
      • ipsee.exe (PID: 672)
    • BLACKMOON has been detected (YARA)

      • ippatch.exe (PID: 680)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe (PID: 6872)
      • ippatch.exe (PID: 6048)
      • ippatch.exe (PID: 680)
      • ipsee.exe (PID: 672)
    • Reads security settings of Internet Explorer

      • 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe (PID: 6872)
      • ippatch.exe (PID: 680)
    • Uses TASKKILL.EXE to kill process

      • 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe (PID: 6872)
      • ippatch.exe (PID: 680)
    • Creates file in the systems drive root

      • ippatch.exe (PID: 680)
      • ipsee.exe (PID: 672)
    • There is functionality for taking screenshot (YARA)

      • ipsee.exe (PID: 672)
      • ippatch.exe (PID: 680)
  • INFO

    • Reads the computer name

      • 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe (PID: 6872)
      • ippatch.exe (PID: 680)
      • ippatch.exe (PID: 6048)
      • ipsee.exe (PID: 672)
    • The sample compiled with chinese language support

      • 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe (PID: 6872)
      • ipsee.exe (PID: 672)
    • Creates files or folders in the user directory

      • 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe (PID: 6872)
      • ippatch.exe (PID: 680)
      • ipsee.exe (PID: 672)
    • Checks supported languages

      • 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe (PID: 6872)
      • ippatch.exe (PID: 6048)
      • ippatch.exe (PID: 680)
      • ipsee.exe (PID: 672)
    • Process checks computer location settings

      • 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe (PID: 6872)
      • ippatch.exe (PID: 680)
    • Auto-launch of the file from Startup directory

      • ippatch.exe (PID: 680)
      • ipsee.exe (PID: 672)
    • Create files in a temporary directory

      • ipsee.exe (PID: 672)
    • Checks proxy server information

      • slui.exe (PID: 1328)
    • Reads the software policy settings

      • slui.exe (PID: 1328)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.exe | DOS Executable Borland C++ (14.9)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:08:05 03:47:11+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 634880
InitializedDataSize: 1490944
UninitializedDataSize: -
EntryPoint: 0x7a41a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
Comments: ipsee122911112788424
CompanyName: ipsee122911112788424
FileDescription: ipsee122911112788424
FileVersion: 1,0,0,0
Tag412: D
Total processes: 155
Monitored processes: 33
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process nodes shown in the graph (flattened from the interactive view): start, 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe, taskkill.exe and conhost.exe (13 instances each, marked "no specs"), ippatch.exe (four instances, one tagged #BLACKMOON), ipsee.exe, slui.exe.

Process information

PID: 632
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 664
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 672
CMD: "C:\Users\admin\AppData\Roaming\ipsee.exe"
Path: C:\Users\admin\AppData\Roaming\ipsee.exe
Parent process: ippatch.exe
User: admin
Integrity Level: HIGH
Modules (images):
c:\users\admin\appdata\roaming\ipsee.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

PID: 680
CMD: "C:\Users\admin\AppData\Roaming\ippatch.exe"
Path: C:\Users\admin\AppData\Roaming\ippatch.exe
Parent process: 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe
User: admin
Integrity Level: HIGH
Modules (images):
c:\users\admin\appdata\roaming\ippatch.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

PID: 1132
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1164
CMD: taskkill /im ipsee.exe /f
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 1184
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1228
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1328
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 1348
CMD: "C:\Users\admin\AppData\Roaming\ippatch.exe"
Path: C:\Users\admin\AppData\Roaming\ippatch.exe
Parent process: 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Modules (images):
c:\users\admin\appdata\roaming\ippatch.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events: 5 778
Read events: 5 778
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 21
Suspicious files: 3
Text files: 2
Unknown types: 0

Dropped files

PID 672 (ipsee.exe)
Filename: C:\Users\admin\AppData\Roaming\ippatch.exe.tmp
Type: not recorded
MD5: not recorded
SHA256: not recorded

PID 6872 (2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe)
Filename: C:\Users\admin\AppData\Roaming\RCXCC2B.tmp
Type: executable
MD5: C0D0EAECCEB680C447046027BC0AFBC4
SHA256: 123F25E0D5507428B0D1A623E382AB060381F8F6BFD16D5AED62E2B0496DE0A0

PID 6872 (2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe)
Filename: C:\Users\admin\AppData\Roaming\RCXCC4C.tmp
Type: executable
MD5: 8EB502EC1FB9562EBDDFF8026BF0AB1B
SHA256: 9B8593A25BEC441B12912EB92F8E0F522904382C9A66C0E7F8076298F0FA0C68

PID 6872 (2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe)
Filename: C:\Users\admin\AppData\Roaming\ippatch.exe
Type: executable
MD5: DC9E9ABA44047CB8A1723F990DDB3235
SHA256: F2D3BAB501FD04C0ED6B3EBF6181AF922EEFCCCDDCA577D767D88164ACAA2A5A

PID 6872 (2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe)
Filename: C:\Users\admin\AppData\Roaming\mydll.dll
Type: executable
MD5: C0D0EAECCEB680C447046027BC0AFBC4
SHA256: 123F25E0D5507428B0D1A623E382AB060381F8F6BFD16D5AED62E2B0496DE0A0

PID 6872 (2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe)
Filename: C:\Users\admin\AppData\Roaming\1.jpg
Type: image
MD5: 3E6A6EEF02A43BAB4E580C30FA8DDF05
SHA256: 33264A92E66EA4BC57DDCF38BF8807F4E98656091D47F2CAFAFC67459411BABB

PID 6048 (ippatch.exe)
Filename: C:\Users\admin\AppData\Roaming\mydll.dll
Type: executable
MD5: 669453B11E15C03A17D111B7F87A8F87
SHA256: 0BAB2DA72E646D49932823805F644EA16A6CD75C60C3BBCC604B5B03A3F0BDE0

PID 6872 (2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe)
Filename: C:\Users\admin\AppData\Roaming\RCXCF99.tmp
Type: executable
MD5: 7DA80C99B5C374F0663C37BCA6DAAA9E
SHA256: 39B620A247DFADF7DAB0ED9A32AD37B96D6D59FC9067CE55775D53DF393DA1D3

PID 6048 (ippatch.exe)
Filename: C:\Users\admin\AppData\Roaming\RCXDE7C.tmp
Type: executable
MD5: 669453B11E15C03A17D111B7F87A8F87
SHA256: 0BAB2DA72E646D49932823805F644EA16A6CD75C60C3BBCC604B5B03A3F0BDE0

PID 680 (ippatch.exe)
Filename: C:\RCXDF76.tmp
Type: executable
MD5: 353B01B676F971109AB6DD54D3A71A4C
SHA256: F2097C08FAE812D08921FA214D3C7271B3D3980516A286FA39F46A0C579BF239
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 20
DNS requests: 3
Threats: 0

HTTP requests

PID / Process: not recorded
Method: POST
HTTP Code: 500
IP: 20.83.72.98:443
URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
CN: unknown
Type: xml
Size: 512 b
Reputation: whitelisted

PID / Process: not recorded
Method: POST
HTTP Code: 500
IP: 40.91.76.224:443
URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
CN: unknown
Type: xml
Size: 512 b
Reputation: whitelisted

Connections

PID / Process: not recorded
IP: 51.104.136.2:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

PID / Process: 4 / System
IP: 192.168.100.255:137
Domain / ASN / CN: not recorded
Reputation: whitelisted

PID / Process: 4 / System
IP: 192.168.100.255:138
Domain / ASN / CN: not recorded
Reputation: whitelisted

PID / Process: 5176 / slui.exe
IP: 40.91.76.224:443
Domain: activation-v2.sls.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: whitelisted

PID / Process: 1328 / slui.exe
IP: 40.91.76.224:443
Domain: activation-v2.sls.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: whitelisted

DNS requests

  • settings-win.data.microsoft.com: 51.104.136.2 (whitelisted)
  • google.com: 142.250.186.78 (whitelisted)
  • activation-v2.sls.microsoft.com: 40.91.76.224 (whitelisted)

Threats

No threats detected
No debug info