File name:

2025-05-15_909e5df4e91c278841840c1208593fc8_black-basta_elex_luca-stealer_swisyn

Full analysis: https://app.any.run/tasks/685ebd8a-a77c-4b2b-a872-0caeac92e74c
Verdict: Malicious activity
Analysis date: May 15, 2025, 21:07:52
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
jeefo
auto-reg
upx
mimikatz
tools
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

909E5DF4E91C278841840C1208593FC8

SHA1:

ED8BB0F09BCC1C691BF5506F62D1A8FF1EE84404

SHA256:

08932923F6A1032002885C16616AA9EDEAA283C46BCA3E19169A62161E73894B

SSDEEP:

98304:5cDNEiELzKEDjXW/SLMQkjMNWQPr83AVW6aLrWjZTo2tj5GVFq/T+5977UXoA4gM:A9ejZckiR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • JEEFO has been detected

      • 2025-05-15_909e5df4e91c278841840c1208593fc8_black-basta_elex_luca-stealer_swisyn.exe (PID: 7516)
      • icsys.icn.exe (PID: 7680)
      • explorer.exe (PID: 7716)
      • svchost.exe (PID: 7800)

    • Changes the autorun value in the registry

      • explorer.exe (PID: 7716)
      • svchost.exe (PID: 7800)

  • SUSPICIOUS

    • Starts application with an unusual extension

      • 2025-05-15_909e5df4e91c278841840c1208593fc8_black-basta_elex_luca-stealer_swisyn.exe (PID: 7516)

    • The process creates files with name similar to system file names

      • icsys.icn.exe (PID: 7680)
      • spoolsv.exe (PID: 7780)

    • Starts itself from another location

      • 2025-05-15_909e5df4e91c278841840c1208593fc8_black-basta_elex_luca-stealer_swisyn.exe (PID: 7516)
      • explorer.exe (PID: 7716)
      • spoolsv.exe (PID: 7780)
      • svchost.exe (PID: 7800)
      • icsys.icn.exe (PID: 7680)

    • Executable content was dropped or overwritten

      • 2025-05-15_909e5df4e91c278841840c1208593fc8_black-basta_elex_luca-stealer_swisyn.exe (PID: 7516)
      • icsys.icn.exe (PID: 7680)
      • spoolsv.exe (PID: 7780)
      • explorer.exe (PID: 7716)

    • Creates or modifies Windows services

      • svchost.exe (PID: 7800)

  • INFO

    • The sample compiled with english language support

      • 2025-05-15_909e5df4e91c278841840c1208593fc8_black-basta_elex_luca-stealer_swisyn.exe (PID: 7516)

    • Checks supported languages

      • icsys.icn.exe (PID: 7680)
      • svchost.exe (PID: 7800)
      • spoolsv.exe (PID: 7828)
      • explorer.exe (PID: 7716)
      • spoolsv.exe (PID: 7780)

    • Create files in a temporary directory

      • icsys.icn.exe (PID: 7680)
      • spoolsv.exe (PID: 7828)
      • svchost.exe (PID: 7800)
      • spoolsv.exe (PID: 7780)
      • explorer.exe (PID: 7716)

    • Reads the computer name

      • svchost.exe (PID: 7800)

    • Auto-launch of the file from Registry key

      • explorer.exe (PID: 7716)
      • svchost.exe (PID: 7800)

    • Manual execution by a user

      • explorer.exe (PID: 7876)
      • explorer.exe (PID: 7892)
      • svchost.exe (PID: 7944)

    • Checks proxy server information

      • slui.exe (PID: 5364)

    • Reads the software policy settings

      • slui.exe (PID: 5364)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
137
Monitored processes
13
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #JEEFO 2025-05-15_909e5df4e91c278841840c1208593fc8_black-basta_elex_luca-stealer_swisyn.exe 2025-05-15_909e5df4e91c278841840c1208593fc8_black-basta_elex_luca-stealer_swisyn.exe  no specs {3eb5ee86-ab73-4c31-aa12-b51cc7a90b5c}.exe no specs #JEEFO icsys.icn.exe #JEEFO explorer.exe spoolsv.exe #JEEFO svchost.exe spoolsv.exe no specs explorer.exe no specs explorer.exe no specs svchost.exe no specs slui.exe 2025-05-15_909e5df4e91c278841840c1208593fc8_black-basta_elex_luca-stealer_swisyn.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
5364C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7424"C:\Users\admin\Desktop\2025-05-15_909e5df4e91c278841840c1208593fc8_black-basta_elex_luca-stealer_swisyn.exe" C:\Users\admin\Desktop\2025-05-15_909e5df4e91c278841840c1208593fc8_black-basta_elex_luca-stealer_swisyn.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\users\admin\desktop\2025-05-15_909e5df4e91c278841840c1208593fc8_black-basta_elex_luca-stealer_swisyn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
7516"C:\Users\admin\Desktop\2025-05-15_909e5df4e91c278841840c1208593fc8_black-basta_elex_luca-stealer_swisyn.exe" C:\Users\admin\Desktop\2025-05-15_909e5df4e91c278841840c1208593fc8_black-basta_elex_luca-stealer_swisyn.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
7540c:\users\admin\desktop\2025-05-15_909e5df4e91c278841840c1208593fc8_black-basta_elex_luca-stealer_swisyn.exe  C:\Users\admin\Desktop\2025-05-15_909e5df4e91c278841840c1208593fc8_black-basta_elex_luca-stealer_swisyn.exe 2025-05-15_909e5df4e91c278841840c1208593fc8_black-basta_elex_luca-stealer_swisyn.exe
User:
admin
Company:
AO Kaspersky Lab
Integrity Level:
HIGH
Description:
TDSS rootkit removing tool
Version:
3.1.0.28
7560"C:\Users\admin\AppData\Local\Temp\{7F885770-6E2F-4242-AED3-54A7A3274E44}\{3EB5EE86-AB73-4C31-AA12-B51CC7A90B5C}.exe" C:\Users\admin\AppData\Local\Temp\{7F885770-6E2F-4242-AED3-54A7A3274E44}\{3EB5EE86-AB73-4C31-AA12-B51CC7A90B5C}.exe2025-05-15_909e5df4e91c278841840c1208593fc8_black-basta_elex_luca-stealer_swisyn.exe 
User:
admin
Company:
AO Kaspersky Lab
Integrity Level:
HIGH
Description:
TDSS rootkit removing tool
Version:
3.1.0.28
7680C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe
2025-05-15_909e5df4e91c278841840c1208593fc8_black-basta_elex_luca-stealer_swisyn.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\themes\icsys.icn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
7716c:\windows\resources\themes\explorer.exeC:\Windows\Resources\Themes\explorer.exe
icsys.icn.exe
User:
admin
Integrity Level:
HIGH
Version:
1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
7780c:\windows\resources\spoolsv.exe SEC:\Windows\Resources\spoolsv.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
7800c:\windows\resources\svchost.exeC:\Windows\Resources\svchost.exe
spoolsv.exe
User:
admin
Integrity Level:
HIGH
Version:
1.00
Modules
Images
c:\windows\resources\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
7828c:\windows\resources\spoolsv.exe PRC:\Windows\Resources\spoolsv.exesvchost.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
Total events
3 705
Read events
3 687
Write events
14
Delete events
4

Modification events

(PID) Process:(7680) icsys.icn.exeKey:HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation:writeName:LO
Value:
1
(PID) Process:(7716) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Explorer
Value:
c:\windows\resources\themes\explorer.exe RO
(PID) Process:(7716) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Svchost
Value:
c:\windows\resources\svchost.exe RO
(PID) Process:(7716) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Explorer
Value:
(PID) Process:(7716) explorer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Svchost
Value:
(PID) Process:(7800) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Explorer
Value:
c:\windows\resources\themes\explorer.exe RO
(PID) Process:(7800) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Svchost
Value:
c:\windows\resources\svchost.exe RO
(PID) Process:(7800) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Explorer
Value:
(PID) Process:(7800) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Svchost
Value:
(PID) Process:(7800) svchost.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule
Operation:writeName:Start
Value:
2
Executable files
5
Suspicious files
4
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
75162025-05-15_909e5df4e91c278841840c1208593fc8_black-basta_elex_luca-stealer_swisyn.exeC:\Users\admin\Desktop\2025-05-15_909e5df4e91c278841840c1208593fc8_black-basta_elex_luca-stealer_swisyn.exe executable
MD5:FF1EFF0E0F1F2EABE1199AE71194E560
SHA256:2D823C8B6076E932D696E8CB8A2C5C5DF6D392526CBA8E39B64C43635F683009
7716explorer.exeC:\Windows\Resources\spoolsv.exeexecutable
MD5:2D08D81C8AEC0E234BDEB12CC3778018
SHA256:121A7878BE3EBAF66FE26CAF00BD0F9D593116326FAAAE051D06AE2C6D84EEF9
75162025-05-15_909e5df4e91c278841840c1208593fc8_black-basta_elex_luca-stealer_swisyn.exeC:\Users\admin\AppData\Local\Temp\~DF6B9252E1AC399C06.TMPbinary
MD5:E400E9EF0AF16B1DA1B0C9E2D18C87AC
SHA256:9C0D691AAC73A1FF6FE365E94DB55E87D3D21321BE5402EA9D40E7E00DA1724B
7680icsys.icn.exeC:\Users\admin\AppData\Local\Temp\~DF99B94CACFD7DE5C7.TMPbinary
MD5:C8525F036C26E71E539820A2A3BBC12B
SHA256:82B73EBE4DC9D977355C5AC4C28A76796DFACA4B76BFC27D2F122D01B58357EC
7780spoolsv.exeC:\Windows\Resources\svchost.exeexecutable
MD5:D83E9B08BFAAE1F5E131E3CBC8832C8A
SHA256:B748773FFF04AC382C8F5B592B3A3A131351D06566FF49C9D0B30A7598C23039
7780spoolsv.exeC:\Users\admin\AppData\Local\Temp\~DFD20E41730897691A.TMPbinary
MD5:991BB2A49BAE78E006D16D3985B39C96
SHA256:55065BB31766C20521D445C2BCC53FD2BF6B281080A8E86713E5304FF8779895
7828spoolsv.exeC:\Users\admin\AppData\Local\Temp\~DF5E5664D0E7198EF9.TMPbinary
MD5:5FEBADE089C708F77DBFE336936DB3AD
SHA256:9B2D16E7B5C144E4FC4E8A04DB212E929747CC6F4C659EAC3C113EAA0598C844
7680icsys.icn.exeC:\Windows\Resources\Themes\explorer.exeexecutable
MD5:D500FCC1606BE14A8131A1BED87573DB
SHA256:2160C6C0413E41D9335DC0EC52BF9FF0F819984B5EBE33F284C2321B9CFECAC6
75162025-05-15_909e5df4e91c278841840c1208593fc8_black-basta_elex_luca-stealer_swisyn.exeC:\Windows\Resources\Themes\icsys.icn.exeexecutable
MD5:9997EE9C3F9949B57B4CA8EA4E46A547
SHA256:675196F1B3E896BBCB3E09AE0A52A6F40E49383037F2055FB26C2B33F874D820
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
63
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2104
svchost.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
301
185.85.15.38:80
http://support.kaspersky.com/viruses/tdsskiller.xml
unknown
whitelisted
8056
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
8056
SIHClient.exe
GET
200
23.216.77.32:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
8056
SIHClient.exe
GET
200
23.216.77.32:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
8056
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
8056
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
8056
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
8056
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
20.190.160.128:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2104
svchost.exe
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
2104
svchost.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
185.85.15.38:80
support.kaspersky.com
Kaspersky Lab Switzerland GmbH
DE
whitelisted
185.85.15.38:443
support.kaspersky.com
Kaspersky Lab Switzerland GmbH
DE
whitelisted
6544
svchost.exe
20.190.160.128:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.160.128
  • 40.126.32.133
  • 20.190.160.2
  • 20.190.160.3
  • 20.190.160.14
  • 20.190.160.22
  • 40.126.32.138
  • 40.126.32.74
whitelisted
google.com
  • 142.250.185.78
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
  • 23.216.77.32
  • 23.216.77.31
  • 23.216.77.29
  • 23.216.77.30
  • 23.216.77.27
  • 23.216.77.19
  • 23.216.77.25
  • 23.216.77.23
  • 23.216.77.21
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 23.35.229.160
whitelisted
support.kaspersky.com
  • 185.85.15.38
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-15_909e5df4e91c278841840c1208593fc8_black-basta_elex_luca-stealer_swisyn