File name:

2025-05-17_9a8cd38f387b9f98a287a965edef0146_black-basta_elex_gcleaner_hijackloader_remcos

Full analysis: https://app.any.run/tasks/713da1f5-e600-4537-9cd0-7e07db3fd031
Verdict: Malicious activity
Analysis date: May 17, 2025, 20:46:22
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
canbis
worm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

9A8CD38F387B9F98A287A965EDEF0146

SHA1:

28B73B20624A82ACC042064E07E51C9F8F9A7A92

SHA256:

1EA20047AF4831B20C1FC9901ADCE4D5014D079461F27D45AC02ABDAAAD3B20B

SSDEEP:

98304:zSYpVEm5sn6gNEkdfaTgmHihuRB3FKMvXj07kkFGZur7yv5FkGSthza1U7SZRYyH:5MGB2U

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • CANBIS mutex has been found

      • 2025-05-17_9a8cd38f387b9f98a287a965edef0146_black-basta_elex_gcleaner_hijackloader_remcos.exe (PID: 7048)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-17_9a8cd38f387b9f98a287a965edef0146_black-basta_elex_gcleaner_hijackloader_remcos.exe (PID: 7048)

    • Reads security settings of Internet Explorer

      • 2025-05-17_9a8cd38f387b9f98a287a965edef0146_black-basta_elex_gcleaner_hijackloader_remcos.exe (PID: 7048)

  • INFO

    • Reads the computer name

      • 2025-05-17_9a8cd38f387b9f98a287a965edef0146_black-basta_elex_gcleaner_hijackloader_remcos.exe (PID: 7048)

    • Failed to create an executable file in Windows directory

      • 2025-05-17_9a8cd38f387b9f98a287a965edef0146_black-basta_elex_gcleaner_hijackloader_remcos.exe (PID: 7048)

    • Checks supported languages

      • 2025-05-17_9a8cd38f387b9f98a287a965edef0146_black-basta_elex_gcleaner_hijackloader_remcos.exe (PID: 7048)
      • 6285974742.exe (PID: 4988)

    • Process checks computer location settings

      • 2025-05-17_9a8cd38f387b9f98a287a965edef0146_black-basta_elex_gcleaner_hijackloader_remcos.exe (PID: 7048)

    • The sample compiled with english language support

      • 2025-05-17_9a8cd38f387b9f98a287a965edef0146_black-basta_elex_gcleaner_hijackloader_remcos.exe (PID: 7048)

    • Reads the software policy settings

      • slui.exe (PID: 5968)

    • Checks proxy server information

      • slui.exe (PID: 5968)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (52)
.exe | Win32 Executable Borland Delphi 5 (35.3)
.exe | Win32 Executable Delphi generic (1.1)
.scr | Windows screen saver (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 46080
InitializedDataSize: 7680
UninitializedDataSize: -
EntryPoint: 0xc254
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
125
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #CANBIS 2025-05-17_9a8cd38f387b9f98a287a965edef0146_black-basta_elex_gcleaner_hijackloader_remcos.exe 6285974742.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
4988"C:\Users\admin\Desktop\6285974742.exe" C:\Users\admin\Desktop\6285974742.exe2025-05-17_9a8cd38f387b9f98a287a965edef0146_black-basta_elex_gcleaner_hijackloader_remcos.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat
Exit code:
255
Version:
22.3.20322.0
Modules
Images
c:\users\admin\desktop\6285974742.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
5968C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7048"C:\Users\admin\Desktop\2025-05-17_9a8cd38f387b9f98a287a965edef0146_black-basta_elex_gcleaner_hijackloader_remcos.exe" C:\Users\admin\Desktop\2025-05-17_9a8cd38f387b9f98a287a965edef0146_black-basta_elex_gcleaner_hijackloader_remcos.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
5
Modules
Images
c:\users\admin\desktop\2025-05-17_9a8cd38f387b9f98a287a965edef0146_black-basta_elex_gcleaner_hijackloader_remcos.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
3 993
Read events
3 993
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
70482025-05-17_9a8cd38f387b9f98a287a965edef0146_black-basta_elex_gcleaner_hijackloader_remcos.exeC:\Users\admin\Desktop\6285974742.exeexecutable
MD5:19E25386A9C5CB66495E0D4BE8869822
SHA256:95368B34947BDDC17AE6F095878585DDE107C083FB3911BF451D73DA4B9C6A39
70482025-05-17_9a8cd38f387b9f98a287a965edef0146_black-basta_elex_gcleaner_hijackloader_remcos.exeC:\Users\admin\Desktop\1552661184.exeexecutable
MD5:9A8CD38F387B9F98A287A965EDEF0146
SHA256:1EA20047AF4831B20C1FC9901ADCE4D5014D079461F27D45AC02ABDAAAD3B20B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
22
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.48.23.173:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
23.48.23.173:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6808
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5968
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.48.23.173
  • 23.48.23.158
  • 23.48.23.174
  • 23.48.23.175
  • 23.48.23.155
  • 23.48.23.172
  • 23.48.23.163
  • 23.48.23.177
  • 23.48.23.151
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
uk.undernet.org
unknown
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-17_9a8cd38f387b9f98a287a965edef0146_black-basta_elex_gcleaner_hijackloader_remcos