File name:	2025-04-24_d05e928ecafd559a02956694940b9176_amadey_black-basta_coinminer_elex_floxif_luca-stealer_revil
Full analysis:	https://app.any.run/tasks/87fb5f91-2cb0-48a9-9233-ef31eb5b5bed
Verdict:	Malicious activity
Analysis date:	April 24, 2025, 13:35:40
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	D05E928ECAFD559A02956694940B9176
SHA1:	BF20C79B7898283BC249435C1CEAFD12947B5BCA
SHA256:	152EA2E237C6475BB22E51F359967666C12D0D06539E322BCF64A3B136046991
SSDEEP:	98304:3Xs0vea5lKyFeTrsqqK8aVkwQC2QVQkP6RQ7ki3vxzWG/5p:fi3FWo

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:11:16 12:53:45+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.16
CodeSize:	1657856
InitializedDataSize:	1036288
UninitializedDataSize:	-
EntryPoint:	0x87d47
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	1.83.11.16
ProductVersionNumber:	1.83.11.16
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	www.BitComet.com
FileDescription:	BitComet disk boost service
FileVersion:	1.83
InternalName:	BitCometService.exe
LegalCopyright:	Copyright(C) 2003-2021 All Rights Reserved.
ProductName:	BitComet
ProductVersion:	1.83


(PID) Process:	(7744) 2025-04-24_d05e928ecafd559a02956694940b9176_amadey_black-basta_coinminer_elex_floxif_luca-stealer_revil.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7744) 2025-04-24_d05e928ecafd559a02956694940b9176_amadey_black-basta_coinminer_elex_floxif_luca-stealer_revil.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7744) 2025-04-24_d05e928ecafd559a02956694940b9176_amadey_black-basta_coinminer_elex_floxif_luca-stealer_revil.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
7744	2025-04-24_d05e928ecafd559a02956694940b9176_amadey_black-basta_coinminer_elex_floxif_luca-stealer_revil.exe	C:\Users\admin\AppData\Local\Temp\conres.dll		executable
		MD5:7574CF2C64F35161AB1292E2F532AABF	SHA256:DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7744	2025-04-24_d05e928ecafd559a02956694940b9176_amadey_black-basta_coinminer_elex_floxif_luca-stealer_revil.exe	GET	—	45.33.20.235:80	http://www.aieov.com/logo.gif	unknown	—	—	malicious
2104	svchost.exe	GET	—	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2104	svchost.exe	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	2.16.241.19:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2104	svchost.exe	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2104	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7744	2025-04-24_d05e928ecafd559a02956694940b9176_amadey_black-basta_coinminer_elex_floxif_luca-stealer_revil.exe	45.33.20.235:80	www.aieov.com	Linode, LLC	US	malicious
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
7444	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 20.73.194.208	whitelisted
google.com	216.58.206.46	whitelisted
crl.microsoft.com	2.16.241.19 2.16.241.12	whitelisted
www.microsoft.com	23.52.120.96	whitelisted
5isohu.com	—	whitelisted
www.aieov.com	45.33.20.235 72.14.178.174 173.255.194.134 45.33.2.79 198.58.118.167 45.33.18.44 45.56.79.23 45.33.23.183 45.79.19.196 45.33.30.197 96.126.123.244 72.14.185.43	malicious
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

General Info

2025-04-24_d05e928ecafd559a02956694940b9176_amadey_black-basta_coinminer_elex_floxif_luca-stealer_revil

D05E928ECAFD559A02956694940B9176

BF20C79B7898283BC249435C1CEAFD12947B5BCA

152EA2E237C6475BB22E51F359967666C12D0D06539E322BCF64A3B136046991

98304:3Xs0vea5lKyFeTrsqqK8aVkwQC2QVQkP6RQ7ki3vxzWG/5p:fi3FWo

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Connects to the CnC server

SUSPICIOUS

Process drops legitimate windows executable

Reads security settings of Internet Explorer

Contacting a server suspected of hosting an CnC

Executable content was dropped or overwritten

INFO

The sample compiled with english language support

Checks supported languages

Checks proxy server information

Failed to create an executable file in Windows directory

Reads the computer name

Create files in a temporary directory

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings