File name:

.exe

Full analysis: https://app.any.run/tasks/ff1f3bef-732c-44c9-82b9-69f3701829a5
Verdict: Malicious activity
Threats:

BlackMoon, also known as KrBanker, is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has evolved considerably since, adding a number of new infiltration techniques and information-stealing methods.

Analysis date: May 19, 2025, 08:56:12
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
blackmoon
golang
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: 39FA913A75EE47FD04F5C15380CB7406
SHA1: 03DC6C6C2A7D9F76CD81AAFAF287EE0E1A3EBAD0
SHA256: FCB64796C4C4DBC8EE365E49196BF02E96E2992EB72212181C4FFBE8BEB1EB0E
SSDEEP: 98304:ziOeBSz3P8Tztpu+e08dDqGF6/ZQoHOAHT3l0ABnmENAtU40m63bsROGyqS0Gt14:ogv939VeL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as-is for user acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • BLACKMOON has been detected (YARA)
      • MicrosoftLibrary.exe (PID: 7452)
  • SUSPICIOUS
    • Suspicious use of NETSH.EXE
      • MicrosoftLibrary.exe (PID: 7452)
    • Executable content was dropped or overwritten
      • ff1f3bef-732c-44c9-82b9-69f3701829a5.exe (PID: 7360)
      • MicrosoftLibrary.exe (PID: 7452)
    • Reads security settings of Internet Explorer
      • MicrosoftLibrary.exe (PID: 7452)
    • There is functionality for taking screenshots (YARA)
      • MicrosoftLibrary.exe (PID: 7452)
    • Connects to unusual port
      • MicrosoftLibrary.exe (PID: 7452)
  • INFO
    • The sample was compiled with Chinese language support
      • ff1f3bef-732c-44c9-82b9-69f3701829a5.exe (PID: 7360)
    • Manual execution by a user
      • MicrosoftLibrary.exe (PID: 7452)
    • Checks supported languages
      • ff1f3bef-732c-44c9-82b9-69f3701829a5.exe (PID: 7360)
      • MicrosoftLibrary.exe (PID: 7452)
    • Reads the computer name
      • MicrosoftLibrary.exe (PID: 7452)
    • Creates files in a temporary directory
      • ff1f3bef-732c-44c9-82b9-69f3701829a5.exe (PID: 7360)
      • MicrosoftLibrary.exe (PID: 7452)
    • Checks proxy server information
      • MicrosoftLibrary.exe (PID: 7452)
      • slui.exe (PID: 2980)
    • Disables trace logs
      • netsh.exe (PID: 7496)
      • netsh.exe (PID: 7624)
    • Drops encrypted JS script (Microsoft Script Encoder)
      • MicrosoftLibrary.exe (PID: 7452)
    • Application based on Golang
      • MicrosoftLibrary.exe (PID: 7452)
    • Detects GO elliptic curve encryption (YARA)
      • MicrosoftLibrary.exe (PID: 7452)
    • Reads the software policy settings
      • slui.exe (PID: 2980)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (39.8)
.exe | Win32 EXE Yoda's Crypter (38.3)
.dll | Win32 Dynamic Link Library (generic) (9.4)
.exe | Win32 Executable (generic) (6.5)
.exe | Generic Win/DOS Executable (2.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:17 13:27:30+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 5206016
InitializedDataSize: 4096
UninitializedDataSize: 9220096
EntryPoint: 0xdc22a0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 1.0.0.0
FileDescription:
ProductName:
ProductVersion: 1.0.0.0
CompanyName:
LegalCopyright:
Comments: 本程序使用易语言编写(http://www.eyuyan.com) (Chinese: "This program was written in Easy Language", i.e. EPL)
No data.
All screenshots are available in the full report
Total processes: 135
Monitored processes: 9
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start ff1f3bef-732c-44c9-82b9-69f3701829a5.exe #BLACKMOON microsoftlibrary.exe netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs slui.exe no specs

Process information

PID | CMD | Path | Parent process
2980 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7360 | "C:\Users\admin\Desktop\ff1f3bef-732c-44c9-82b9-69f3701829a5.exe" | C:\Users\admin\Desktop\ff1f3bef-732c-44c9-82b9-69f3701829a5.exe | explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\desktop\ff1f3bef-732c-44c9-82b9-69f3701829a5.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7452 | "C:\Users\admin\AppData\Local\Temp\MicrosoftLibrary.exe" | C:\Users\admin\AppData\Local\Temp\MicrosoftLibrary.exe | explorer.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: Microsoft
Version: 1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\microsoftlibrary.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7496 | netsh int ipv4 set dynamicport tcp start=10000 num=55000 | C:\Windows\SysWOW64\netsh.exe | MicrosoftLibrary.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Network Command Shell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7504 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | netsh.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7624 | netsh int ipv6 set dynamicport tcp start=10000 num=55000 | C:\Windows\SysWOW64\netsh.exe | MicrosoftLibrary.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Network Command Shell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7632 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | netsh.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7740 | certutil -addstore root C:\Users\admin\AppData\Local\Temp\ca.crt | C:\Windows\SysWOW64\certutil.exe | MicrosoftLibrary.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: CertUtil.exe
Exit code: 2147943140 (0x800702E4, the HRESULT for Win32 error 740, ERROR_ELEVATION_REQUIRED)
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7748 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | certutil.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 5 452
Read events: 5 445
Write events: 7
Delete events: 0

Modification events

(PID) Process: (7496) netsh.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MPRAPI
Operation: write | Name: EnableFileTracing | Value: 0

(PID) Process: (7496) netsh.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MPRAPI
Operation: write | Name: EnableAutoFileTracing | Value: 0

(PID) Process: (7496) netsh.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MPRAPI
Operation: write | Name: EnableConsoleTracing | Value: 0

(PID) Process: (7496) netsh.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MPRAPI
Operation: write | Name: FileTracingMask | Value:

(PID) Process: (7496) netsh.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MPRAPI
Operation: write | Name: ConsoleTracingMask | Value:

(PID) Process: (7496) netsh.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MPRAPI
Operation: write | Name: MaxFileSize | Value: 1048576

(PID) Process: (7496) netsh.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MPRAPI
Operation: write | Name: FileDirectory | Value: %windir%\tracing
Executable files: 5
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7452 | MicrosoftLibrary.exe | C:\Users\admin\AppData\Local\Temp\ca.crt | text
  MD5: 29B54579BACED4DAF7153B961D02837D
  SHA256: 9F42EB74EED9E79DE2D2D9862676BCBD1043D74901813D01CB7FD5956BC4B55C
7452 | MicrosoftLibrary.exe | C:\Users\admin\AppData\Local\Temp\1106859\....\TemporaryFile | executable
  MD5: 21535DDB964333C1158E2D3A0B6E2D99
  SHA256: 28C6AA16596265FA4E6D8FD9B16F32465D5BF5AC8490BF6D197880A89AC628FF
7360 | ff1f3bef-732c-44c9-82b9-69f3701829a5.exe | C:\Users\admin\AppData\Local\Temp\1098859\....\TemporaryFile | executable
  MD5: 39FA913A75EE47FD04F5C15380CB7406
  SHA256: FCB64796C4C4DBC8EE365E49196BF02E96E2992EB72212181C4FFBE8BEB1EB0E
7360 | ff1f3bef-732c-44c9-82b9-69f3701829a5.exe | C:\Users\admin\AppData\Local\Temp\MicrosoftLibrary.exe | executable
  MD5: 21535DDB964333C1158E2D3A0B6E2D99
  SHA256: 28C6AA16596265FA4E6D8FD9B16F32465D5BF5AC8490BF6D197880A89AC628FF
7360 | ff1f3bef-732c-44c9-82b9-69f3701829a5.exe | C:\Users\admin\AppData\Local\Temp\HTTP.dll | executable
  MD5: A5E3D1EE481A88583700E9B7AB592B01
  SHA256: 42BDFFE019C589039360658DFCB6D6B7BBE1A5A2993CAD9BE1BB05567E6A99E8
7360 | ff1f3bef-732c-44c9-82b9-69f3701829a5.exe | C:\Users\admin\AppData\Local\Temp\Sunny.dll | executable
  MD5: 4CC60B87A27A79A5BBBD34EE91E64E37
  SHA256: CAA264903DF557539DAA73DAC4DD634A9B88D5F34E55E0ABAC0296061936062C
HTTP(S) requests: 10
TCP/UDP connections: 60
DNS requests: 25
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2104 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5352 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
8076 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
8076 | SIHClient.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
8076 | SIHClient.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
8076 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
8076 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
8076 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted
8076 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5352 | RUXIMICS.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2104 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5352 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 40.126.31.130:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.110
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
  • 2.16.164.49
  • 2.16.164.120
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.31.130
  • 20.190.159.131
  • 20.190.159.129
  • 40.126.31.71
  • 20.190.159.71
  • 20.190.159.23
  • 40.126.31.3
  • 40.126.31.69
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.31
whitelisted

Threats

No threats detected
No debug info