File name: 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid

Full analysis: https://app.any.run/tasks/3a580363-182b-410c-b23f-a71865f87c7d
Verdict: Malicious activity
Threats:

BlackMoon, also known as KrBanker, is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has evolved considerably since, adding a number of new infiltration techniques and information-stealing methods.

Analysis date: May 15, 2025, 13:47:08
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-startup
blackmoon
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: DC9E9ABA44047CB8A1723F990DDB3235
SHA1: 52D4A0DA958405173B59CF70138E7ACBEBC3CBF6
SHA256: F2D3BAB501FD04C0ED6B3EBF6181AF922EEFCCCDDCA577D767D88164ACAA2A5A
SSDEEP: 98304:64Cc6CF5FKwPOlZSFSA5VDcz5h0g+TNjSmS55kdkE:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Creates files in the Startup directory

      • ippatch.exe (PID: 680)
      • ipsee.exe (PID: 672)
    • BLACKMOON has been detected (YARA)

      • ippatch.exe (PID: 680)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe (PID: 6872)
      • ippatch.exe (PID: 680)
    • Uses TASKKILL.EXE to kill process

      • 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe (PID: 6872)
      • ippatch.exe (PID: 680)
    • Executable content was dropped or overwritten

      • 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe (PID: 6872)
      • ippatch.exe (PID: 6048)
      • ippatch.exe (PID: 680)
      • ipsee.exe (PID: 672)
    • Creates a file in the system drive root

      • ipsee.exe (PID: 672)
      • ippatch.exe (PID: 680)
    • There is functionality for taking screenshots (YARA)

      • ippatch.exe (PID: 680)
      • ipsee.exe (PID: 672)
  • INFO

    • Checks supported languages

      • 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe (PID: 6872)
      • ippatch.exe (PID: 6048)
      • ippatch.exe (PID: 680)
      • ipsee.exe (PID: 672)
    • The sample was compiled with Chinese language support

      • 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe (PID: 6872)
      • ipsee.exe (PID: 672)
    • Reads the computer name

      • 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe (PID: 6872)
      • ippatch.exe (PID: 680)
      • ippatch.exe (PID: 6048)
      • ipsee.exe (PID: 672)
    • Creates files or folders in the user directory

      • 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe (PID: 6872)
      • ippatch.exe (PID: 680)
      • ipsee.exe (PID: 672)
    • Process checks computer location settings

      • 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe (PID: 6872)
      • ippatch.exe (PID: 680)
    • Auto-launch of the file from Startup directory

      • ippatch.exe (PID: 680)
      • ipsee.exe (PID: 672)
    • Creates files in a temporary directory

      • ipsee.exe (PID: 672)
    • Reads the software policy settings

      • slui.exe (PID: 1328)
    • Checks proxy server information

      • slui.exe (PID: 1328)
No Malware configuration.

TRiD

Extension | Description | Match (%)
.exe | Win32 Executable MS Visual C++ (generic) | 35.8
.exe | Win64 Executable (generic) | 31.7
.exe | DOS Executable Borland C++ | 14.9
.dll | Win32 Dynamic Link Library (generic) | 7.5
.exe | Win32 Executable (generic) | 5.1

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:08:05 03:47:11+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 634880
InitializedDataSize: 1490944
UninitializedDataSize: -
EntryPoint: 0x7a41a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
Comments: ipsee122911112788424
CompanyName: ipsee122911112788424
FileDescription: ipsee122911112788424
FileVersion: 1,0,0,0
Tag412: D
All screenshots are available in the full report
Total processes: 155
Monitored processes: 33
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe taskkill.exe no specs taskkill.exe no specs conhost.exe no specs conhost.exe no specs ippatch.exe no specs ippatch.exe ippatch.exe no specs #BLACKMOON ippatch.exe taskkill.exe no specs taskkill.exe no specs conhost.exe no specs conhost.exe no specs taskkill.exe no specs taskkill.exe no specs conhost.exe no specs conhost.exe no specs taskkill.exe no specs taskkill.exe no specs conhost.exe no specs conhost.exe no specs taskkill.exe no specs taskkill.exe no specs conhost.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs ipsee.exe slui.exe

Process information

PID: 632
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 664
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 672
CMD: "C:\Users\admin\AppData\Roaming\ipsee.exe"
Path: C:\Users\admin\AppData\Roaming\ipsee.exe
Parent process: ippatch.exe
User: admin
Integrity Level: HIGH
Modules (Images):
c:\users\admin\appdata\roaming\ipsee.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

PID: 680
CMD: "C:\Users\admin\AppData\Roaming\ippatch.exe"
Path: C:\Users\admin\AppData\Roaming\ippatch.exe
Parent process: 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe
User: admin
Integrity Level: HIGH
Modules (Images):
c:\users\admin\appdata\roaming\ippatch.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

PID: 1132
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1164
CMD: taskkill /im ipsee.exe /f
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 1184
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1228
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1328
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 1348
CMD: "C:\Users\admin\AppData\Roaming\ippatch.exe"
Path: C:\Users\admin\AppData\Roaming\ippatch.exe
Parent process: 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (Images):
c:\users\admin\appdata\roaming\ippatch.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events: 5 778
Read events: 5 778
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 21
Suspicious files: 3
Text files: 2
Unknown types: 0

Dropped files

PID: 672
Process: ipsee.exe
Filename: C:\Users\admin\AppData\Roaming\ippatch.exe.tmp
MD5:
SHA256:

PID: 6872
Process: 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe
Filename: C:\Users\admin\AppData\Roaming\1.jpg
Type: image
MD5: 3E6A6EEF02A43BAB4E580C30FA8DDF05
SHA256: 33264A92E66EA4BC57DDCF38BF8807F4E98656091D47F2CAFAFC67459411BABB

PID: 6872
Process: 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe
Filename: C:\Users\admin\AppData\Roaming\RCXCC2B.tmp
Type: executable
MD5: C0D0EAECCEB680C447046027BC0AFBC4
SHA256: 123F25E0D5507428B0D1A623E382AB060381F8F6BFD16D5AED62E2B0496DE0A0

PID: 6872
Process: 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe
Filename: C:\Users\admin\AppData\Roaming\RCXCE8F.tmp
Type: executable
MD5: 40F1E7B84CB2F04F36263F24A7E65886
SHA256: C1BFD4E5922C5198BCBFD6811A600ABE16581112E47442F0F38450030B0BF118

PID: 672
Process: ipsee.exe
Filename: C:\Users\admin\AppData\Local\Temp\rar.exe
Type: executable
MD5: 818270317D9E33B1D498C7E93DF51CC3
SHA256: 97924DA59C4619BA66CF78259F1565A12DE4A322386DB9C2D3EEE9CC71FEE013

PID: 6872
Process: 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe
Filename: C:\Users\admin\AppData\Roaming\mydll.dll
Type: executable
MD5: C0D0EAECCEB680C447046027BC0AFBC4
SHA256: 123F25E0D5507428B0D1A623E382AB060381F8F6BFD16D5AED62E2B0496DE0A0

PID: 680
Process: ippatch.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\360tray.lnk
Type: binary
MD5: 6DA319F02E6E6F715B46EF2E064F6055
SHA256: CE905FC6586C550AA25B518D49BABBC35A29D292A37E8E5701F51C65842D31FF

PID: 6048
Process: ippatch.exe
Filename: C:\Users\admin\AppData\Roaming\RCXDEAB.tmp
Type: executable
MD5: 578FAB9E918D2E3EF19DAF824FFF9790
SHA256: 4FBEA11D8993866D28D1BF3F7543A22D6C8AB2D5CC07D0FD194729D08669F7E7

PID: 6872
Process: 2025-05-15_dc9e9aba44047cb8a1723f990ddb3235_elex_hacktools_icedid.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yhxx.dll
Type: text
MD5: 40B80BDA339FAAE4739D77CAA3EBD0EB
SHA256: C551BE73CDF086D8B11A4B92910C939CEC35E1A8805EE3099B18C5A26F14AFF3

PID: 6048
Process: ippatch.exe
Filename: C:\Users\admin\AppData\Roaming\RCXDE7C.tmp
Type: executable
MD5: 669453B11E15C03A17D111B7F87A8F87
SHA256: 0BAB2DA72E646D49932823805F644EA16A6CD75C60C3BBCC604B5B03A3F0BDE0
HTTP(S) requests: 2
TCP/UDP connections: 20
DNS requests: 3
Threats: 0

HTTP requests (PID and process were not recorded for these entries)

Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5176 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1328 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
google.com | 142.250.186.78 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info