File name:

2025-04-05_fef8d34cd220a6cbb1afeb3724f07326_black-basta_cova_luca-stealer

Full analysis: https://app.any.run/tasks/380f1366-2cbf-435a-b156-0c73e972db52
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Malware Trends Tracker     >>>
Analysis date: April 05, 2025, 18:12:23
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
github
dcrat
rat
api-base64
remote
darkcrystal
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

FEF8D34CD220A6CBB1AFEB3724F07326

SHA1:

4071FC42DE39CA2113EF210D491520CF2755F238

SHA256:

0FDCE8A1AE85AD4A8901E5990D5A28A7914CFC73ED1E24E7132DBD9C6999D08D

SSDEEP:

98304:iRl6UB2Rzv2nR5J5Ki40A9re1eeU+jIAOejXjAJDLgeZlwKlCmDfTlW/T2kVK+pa:EmU0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • DCRAT mutex has been found

      • conhost.exe (PID: 7256)
      • conhost.exe (PID: 6640)
      • dllhost.exe (PID: 5668)

    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 7904)

    • Changes Windows Defender settings

      • conhost.exe (PID: 6640)

    • Adds path to the Windows Defender exclusion list

      • conhost.exe (PID: 6640)

    • DARKCRYSTAL has been detected (SURICATA)

      • dllhost.exe (PID: 5668)

    • Connects to the CnC server

      • dllhost.exe (PID: 5668)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-04-05_fef8d34cd220a6cbb1afeb3724f07326_black-basta_cova_luca-stealer.exe (PID: 7740)
      • Extreme Injector 3.7.3.exe (PID: 7800)
      • conhost.exe (PID: 7256)
      • dllhost.exe (PID: 5668)
      • conhost.exe (PID: 6640)

    • Reads security settings of Internet Explorer

      • 2025-04-05_fef8d34cd220a6cbb1afeb3724f07326_black-basta_cova_luca-stealer.exe (PID: 7740)
      • Extreme Injector v3.exe (PID: 7784)
      • conhost.exe (PID: 7256)
      • Extreme Injector 3.7.3.exe (PID: 7800)
      • conhost.exe (PID: 6640)

    • The process creates files with name similar to system file names

      • Extreme Injector 3.7.3.exe (PID: 7800)
      • conhost.exe (PID: 6640)

    • Reads the date of Windows installation

      • Extreme Injector v3.exe (PID: 7784)
      • conhost.exe (PID: 7256)
      • conhost.exe (PID: 6640)

    • Application launched itself

      • Extreme Injector v3.exe (PID: 7784)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 7904)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 7904)
      • conhost.exe (PID: 7256)
      • conhost.exe (PID: 6640)

    • Executing commands from a ".bat" file

      • wscript.exe (PID: 7904)
      • conhost.exe (PID: 6640)

    • The executable file from the user directory is run by the CMD process

      • conhost.exe (PID: 7256)
      • conhost.exe (PID: 6640)

    • Executed via WMI

      • schtasks.exe (PID: 4040)
      • schtasks.exe (PID: 536)
      • schtasks.exe (PID: 920)
      • schtasks.exe (PID: 6272)
      • schtasks.exe (PID: 1056)
      • schtasks.exe (PID: 4988)
      • schtasks.exe (PID: 1452)
      • schtasks.exe (PID: 6468)
      • schtasks.exe (PID: 4892)
      • schtasks.exe (PID: 5508)
      • schtasks.exe (PID: 672)
      • schtasks.exe (PID: 5256)
      • schtasks.exe (PID: 5176)
      • schtasks.exe (PID: 616)
      • schtasks.exe (PID: 7344)
      • schtasks.exe (PID: 7220)
      • schtasks.exe (PID: 7664)
      • schtasks.exe (PID: 7608)

    • Starts POWERSHELL.EXE for commands execution

      • conhost.exe (PID: 6640)

    • Script adds exclusion path to Windows Defender

      • conhost.exe (PID: 6640)

    • Starts application with an unusual extension

      • cmd.exe (PID: 6268)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 6268)

  • INFO

    • Checks supported languages

      • 2025-04-05_fef8d34cd220a6cbb1afeb3724f07326_black-basta_cova_luca-stealer.exe (PID: 7740)
      • Extreme Injector 3.7.3.exe (PID: 7800)
      • Extreme Injector v3.exe (PID: 8024)
      • conhost.exe (PID: 7256)
      • conhost.exe (PID: 6640)
      • Extreme Injector v3.exe (PID: 7784)
      • chcp.com (PID: 4040)
      • dllhost.exe (PID: 5668)

    • Create files in a temporary directory

      • 2025-04-05_fef8d34cd220a6cbb1afeb3724f07326_black-basta_cova_luca-stealer.exe (PID: 7740)
      • Extreme Injector 3.7.3.exe (PID: 7800)
      • conhost.exe (PID: 6640)

    • Process checks computer location settings

      • 2025-04-05_fef8d34cd220a6cbb1afeb3724f07326_black-basta_cova_luca-stealer.exe (PID: 7740)
      • conhost.exe (PID: 7256)
      • Extreme Injector 3.7.3.exe (PID: 7800)
      • Extreme Injector v3.exe (PID: 7784)
      • conhost.exe (PID: 6640)

    • Reads the computer name

      • Extreme Injector v3.exe (PID: 7784)
      • Extreme Injector 3.7.3.exe (PID: 7800)
      • 2025-04-05_fef8d34cd220a6cbb1afeb3724f07326_black-basta_cova_luca-stealer.exe (PID: 7740)
      • Extreme Injector v3.exe (PID: 8024)
      • conhost.exe (PID: 7256)
      • conhost.exe (PID: 6640)
      • dllhost.exe (PID: 5668)

    • Reads the machine GUID from the registry

      • Extreme Injector v3.exe (PID: 7784)
      • Extreme Injector v3.exe (PID: 8024)
      • conhost.exe (PID: 7256)
      • conhost.exe (PID: 6640)
      • dllhost.exe (PID: 5668)

    • Drops encrypted VBS script (Microsoft Script Encoder)

      • Extreme Injector 3.7.3.exe (PID: 7800)

    • Disables trace logs

      • Extreme Injector v3.exe (PID: 8024)
      • dllhost.exe (PID: 5668)

    • Reads the software policy settings

      • Extreme Injector v3.exe (PID: 8024)
      • slui.exe (PID: 9776)

    • Reads Environment values

      • conhost.exe (PID: 7256)
      • Extreme Injector v3.exe (PID: 8024)
      • conhost.exe (PID: 6640)
      • dllhost.exe (PID: 5668)

    • Checks proxy server information

      • Extreme Injector v3.exe (PID: 8024)
      • dllhost.exe (PID: 5668)
      • slui.exe (PID: 9776)

    • Potential library load (Base64 Encoded 'LoadLibrary')

      • Extreme Injector v3.exe (PID: 8024)

    • Potential access to remote process (Base64 Encoded 'OpenProcess')

      • Extreme Injector v3.exe (PID: 8024)

    • Creates files in the program directory

      • conhost.exe (PID: 6640)

    • Changes the display of characters in the console

      • cmd.exe (PID: 6268)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7744)
      • powershell.exe (PID: 6668)
      • powershell.exe (PID: 7584)
      • powershell.exe (PID: 7888)
      • powershell.exe (PID: 6132)
      • powershell.exe (PID: 4944)
      • powershell.exe (PID: 7436)
      • powershell.exe (PID: 7536)
      • powershell.exe (PID: 7704)
      • powershell.exe (PID: 7732)
      • powershell.exe (PID: 744)
      • powershell.exe (PID: 6244)
      • powershell.exe (PID: 7708)
      • powershell.exe (PID: 6656)
      • powershell.exe (PID: 7688)
      • powershell.exe (PID: 4812)
      • powershell.exe (PID: 7852)
      • powershell.exe (PID: 7576)
      • powershell.exe (PID: 7612)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7852)
      • powershell.exe (PID: 7732)
      • powershell.exe (PID: 7576)
      • powershell.exe (PID: 7584)
      • powershell.exe (PID: 7704)
      • powershell.exe (PID: 4944)
      • powershell.exe (PID: 7612)
      • powershell.exe (PID: 7536)
      • powershell.exe (PID: 6656)
      • powershell.exe (PID: 7708)
      • powershell.exe (PID: 744)
      • powershell.exe (PID: 4812)
      • powershell.exe (PID: 7436)
      • powershell.exe (PID: 6244)
      • powershell.exe (PID: 7744)
      • powershell.exe (PID: 6668)
      • powershell.exe (PID: 7688)
      • powershell.exe (PID: 7888)
      • powershell.exe (PID: 6132)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (53.2)
.exe | Win32 Executable Delphi generic (17.5)
.scr | Windows screen saver (16.1)
.exe | Win32 Executable (generic) (5.5)
.exe | Win16/32 Executable Delphi generic (2.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 5120
InitializedDataSize: 3643904
UninitializedDataSize: -
EntryPoint: 0x20cc
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.7.3.0
ProductVersionNumber: 3.7.3.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: master131
FileDescription: Extreme Injector
FileVersion: 3.7.3.0
InternalName: Extreme Injector.exe
LegalCopyright: Copyright © 2017
LegalTrademarks: master131
OriginalFileName: Extreme Injector.exe
ProductName: Extreme Injector
ProductVersion: 3.7.3.0
AssemblyVersion: 3.7.3.0
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
196
Monitored processes
74
Malicious processes
9
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 2025-04-05_fef8d34cd220a6cbb1afeb3724f07326_black-basta_cova_luca-stealer.exe extreme injector v3.exe no specs extreme injector 3.7.3.exe wscript.exe no specs extreme injector v3.exe cmd.exe no specs conhost.exe no specs #DCRAT conhost.exe cmd.exe conhost.exe no specs #DCRAT conhost.exe schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs ping.exe no specs #DCRAT dllhost.exe svchost.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
536schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
616schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\StartMenuExperienceHost.exe'" /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
672schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\OEM\RuntimeBroker.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
744"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execonhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
864\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
920schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\Logs\RuntimeBroker.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1056schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\Logs\RuntimeBroker.exe'" /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1348\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1452schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\Logs\RuntimeBroker.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events
118 014
Read events
117 979
Write events
35
Delete events
0

Modification events

(PID) Process:(7784) Extreme Injector v3.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(7800) Extreme Injector 3.7.3.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids
Operation:writeName:VBEFile
Value:
(PID) Process:(7740) 2025-04-05_fef8d34cd220a6cbb1afeb3724f07326_black-basta_cova_luca-stealer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(8024) Extreme Injector v3.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Extreme Injector v3_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(8024) Extreme Injector v3.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Extreme Injector v3_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(8024) Extreme Injector v3.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Extreme Injector v3_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(8024) Extreme Injector v3.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Extreme Injector v3_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(8024) Extreme Injector v3.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Extreme Injector v3_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(8024) Extreme Injector v3.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Extreme Injector v3_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(8024) Extreme Injector v3.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Extreme Injector v3_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
Executable files
20
Suspicious files
2
Text files
48
Unknown types
0

Dropped files

PID
Process
Filename
Type
77402025-04-05_fef8d34cd220a6cbb1afeb3724f07326_black-basta_cova_luca-stealer.exeC:\Users\admin\AppData\Local\Temp\Extreme Injector 3.7.3.exeexecutable
MD5:D0A2EAAEE2BE28946BE99E4AA2B3DBAA
SHA256:3567BA838987AD5C30FC74726805CC07388A24B384AEB8CC97E00D3D93644114
7800Extreme Injector 3.7.3.exeC:\Users\admin\AppData\Local\Temp\componentfontcrtNet\QkdwQjwBCaUMagRPPi2SRPwyhQS8NmZ9moDL7FaWB2P0sBk6uE4kcSS.vbebinary
MD5:37FCCBD9D2935AAFF6E4276F1A0AA536
SHA256:5D0B3ACE856B889AE26C44CD3C36EB8E0E2CB182F9D712808F7D9E9FC413F599
7256conhost.exeC:\Users\admin\Desktop\DatnSgPH.logexecutable
MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
77402025-04-05_fef8d34cd220a6cbb1afeb3724f07326_black-basta_cova_luca-stealer.exeC:\Users\admin\AppData\Local\Temp\Extreme Injector v3.exeexecutable
MD5:EC801A7D4B72A288EC6C207BB9FF0131
SHA256:B65F40618F584303CA0BCF9B5F88C233CC4237699C0C4BF40BA8FACBE8195A46
7800Extreme Injector 3.7.3.exeC:\Users\admin\AppData\Local\Temp\componentfontcrtNet\conhost.exeexecutable
MD5:C1CF148183E5AB214567801AE767AA34
SHA256:3ACAA756C027E659C1398CE5242DB8DEC6115E7DA0B9A0623BC0577C6B6FE21C
7800Extreme Injector 3.7.3.exeC:\Users\admin\AppData\Local\Temp\componentfontcrtNet\H1f9DwWnqZ5wh8yqjK.battext
MD5:0174A9F4993254748FC46E5F2BB985FC
SHA256:182A5497B3F1EA1D579D20DF80BFC9B1D0C74B49A7D018EAD5F3B42DD4294A59
8024Extreme Injector v3.exeC:\Users\admin\Desktop\settings.xmlxml
MD5:8B3583811F0359238EA376CC060F03DF
SHA256:6C8307892999C37BC66AFB91B22423C2A76438D1920ABDDE2F67EEE4E8ADE3A7
6640conhost.exeC:\Windows\bcastdvr\ea1d8f6d871115text
MD5:FCF1F7094837C3EFB703734579DB3345
SHA256:
6640conhost.exeC:\Users\admin\AppData\Local\Temp\componentfontcrtNet\088424020bedd6text
MD5:47177FFCE5657ACFD2E655ED2FFA6E4F
SHA256:58047A182C1AFFA0BD0F4FDE329FE7694A1C57AC1B4DD3649EBC2920DB9E9A10
6640conhost.exeC:\Users\admin\Desktop\MSkDmvom.logexecutable
MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
60
TCP/UDP connections
25
DNS requests
6
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5668
dllhost.exe
POST
200
172.67.159.138:80
http://703035cm.nyashk.ru/ExternaleternalVmJavascriptgeneratorlocal.php
unknown
malicious
5668
dllhost.exe
POST
200
172.67.159.138:80
http://703035cm.nyashk.ru/ExternaleternalVmJavascriptgeneratorlocal.php
unknown
malicious
5668
dllhost.exe
POST
200
172.67.159.138:80
http://703035cm.nyashk.ru/ExternaleternalVmJavascriptgeneratorlocal.php
unknown
malicious
5668
dllhost.exe
POST
200
172.67.159.138:80
http://703035cm.nyashk.ru/ExternaleternalVmJavascriptgeneratorlocal.php
unknown
malicious
5668
dllhost.exe
POST
200
172.67.159.138:80
http://703035cm.nyashk.ru/ExternaleternalVmJavascriptgeneratorlocal.php
unknown
malicious
5668
dllhost.exe
POST
200
172.67.159.138:80
http://703035cm.nyashk.ru/ExternaleternalVmJavascriptgeneratorlocal.php
unknown
malicious
5668
dllhost.exe
POST
200
172.67.159.138:80
http://703035cm.nyashk.ru/ExternaleternalVmJavascriptgeneratorlocal.php
unknown
malicious
5668
dllhost.exe
POST
200
172.67.159.138:80
http://703035cm.nyashk.ru/ExternaleternalVmJavascriptgeneratorlocal.php
unknown
malicious
5668
dllhost.exe
POST
200
172.67.159.138:80
http://703035cm.nyashk.ru/ExternaleternalVmJavascriptgeneratorlocal.php
unknown
malicious
5668
dllhost.exe
POST
200
172.67.159.138:80
http://703035cm.nyashk.ru/ExternaleternalVmJavascriptgeneratorlocal.php
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
8024
Extreme Injector v3.exe
185.199.109.133:443
raw.githubusercontent.com
FASTLY
US
whitelisted
5668
dllhost.exe
172.67.159.138:80
703035cm.nyashk.ru
CLOUDFLARENET
US
malicious
7508
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
9776
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.46
whitelisted
raw.githubusercontent.com
  • 185.199.109.133
  • 185.199.110.133
  • 185.199.108.133
  • 185.199.111.133
whitelisted
703035cm.nyashk.ru
  • 172.67.159.138
  • 104.21.33.71
malicious
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
2196
svchost.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (nyashk .ru)
5668
dllhost.exe
A Network Trojan was detected
ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)
5668
dllhost.exe
A Network Trojan was detected
REMOTE [ANY.RUN] DarkCrystal Rat Check-in (POST)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-04-05_fef8d34cd220a6cbb1afeb3724f07326_black-basta_cova_luca-stealer