File name: 2025-04-18_d798432196e334aa1d4a23a3cf1155ae_black-basta_elex_hijackloader

Full analysis: https://app.any.run/tasks/6f631b78-a190-4e85-8e91-169bfbdf004c
Verdict: Malicious activity
Analysis date: April 18, 2025, 17:03:41
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: scan, smbscan, yero, worm, upx, irc

Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: D798432196E334AA1D4A23A3CF1155AE
SHA1: 2B3A123CAA1DB627D458309D561CF39906B8BBAA
SHA256: 2C4C276633C85887D93111FC337539A329E8E87894AFE78561DB1E409E8CEE14
SSDEEP: 24576:yRxD6yR4u3hIkurDTCyrGJXVLkht/VG8:yRxD6yRn3hIkGDTVrGJXVLktl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • YERO has been detected

      • 2025-04-18_d798432196e334aa1d4a23a3cf1155ae_black-basta_elex_hijackloader.exe (PID: 5112)
      • tmp1103406.exe (PID: 5380)
    • YERO mutex has been found

      • tmp1103406.exe (PID: 5380)
    • Attempting to scan the network

      • tmp1103406.exe (PID: 5380)
    • SMBSCAN has been detected (SURICATA)

      • tmp1103406.exe (PID: 5380)
      • System (PID: 4)
    • IRC has been detected (SURICATA)

      • tmp1103406.exe (PID: 5380)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-04-18_d798432196e334aa1d4a23a3cf1155ae_black-basta_elex_hijackloader.exe (PID: 5112)
      • tmp1103406.exe (PID: 5380)
    • Reads security settings of Internet Explorer

      • tmp1103406.exe (PID: 5380)
    • Uses pipe srvsvc via SMB (transferring data)

      • tmp1103406.exe (PID: 5380)
    • The process creates files with name similar to system file names

      • tmp1103406.exe (PID: 5380)
    • Connects to unusual port

      • tmp1103406.exe (PID: 5380)
    • Potential Corporate Privacy Violation

      • tmp1103406.exe (PID: 5380)
      • System (PID: 4)
  • INFO

    • The sample compiled with english language support

      • 2025-04-18_d798432196e334aa1d4a23a3cf1155ae_black-basta_elex_hijackloader.exe (PID: 5112)
    • Checks supported languages

      • 2025-04-18_d798432196e334aa1d4a23a3cf1155ae_black-basta_elex_hijackloader.exe (PID: 5112)
      • tmp1103406.exe (PID: 5380)
      • tmp1103437.exe (PID: 3100)
    • Create files in a temporary directory

      • 2025-04-18_d798432196e334aa1d4a23a3cf1155ae_black-basta_elex_hijackloader.exe (PID: 5112)
    • Creates files or folders in the user directory

      • tmp1103406.exe (PID: 5380)
    • Reads the computer name

      • tmp1103406.exe (PID: 5380)
    • Checks proxy server information

      • tmp1103406.exe (PID: 5380)
      • slui.exe (PID: 7968)
    • UPX packer has been detected

      • tmp1103406.exe (PID: 5380)
    • Reads the software policy settings

      • slui.exe (PID: 7968)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (38.2)
.exe | Win32 EXE Yoda's Crypter (37.5)
.dll | Win32 Dynamic Link Library (generic) (9.2)
.exe | Win32 Executable (generic) (6.3)
.exe | Win16/32 Executable Delphi generic (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 12288
InitializedDataSize: 4096
UninitializedDataSize: 106496
EntryPoint: 0x1cee0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
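Added example (not part of the ANY.RUN report and not code from any tool it runs): a header-only PE parser that reproduces the EXIF fields above and extracts what a triage analyst reads from them. The TimeStamp 1992:06:19 22:22:17 is 0x2A425E19, the constant that Delphi/Borland-linked images carry in place of a build time, so it says nothing about when this sample was built (TRiD lists Delphi as a candidate, and LinkerVersion 2.25 is the Borland linker). The sample bytes are constructed here to mirror the report's values; the section names UPX0/UPX1/.rsrc and their sizes are assumptions, not taken from the report.

```python
import struct
from datetime import datetime, timezone

# Borland/Delphi linkers stamp every PE with this constant instead of the build time.
DELPHI_TIMESTAMP = 0x2A425E19  # 1992-06-19 22:22:17 UTC
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2"}
IMAGE_FILE_CHARACTERISTICS = {
    0x0001: "No relocs", 0x0002: "Executable", 0x0004: "No line numbers",
    0x0008: "No symbols", 0x0080: "Bytes reversed lo", 0x0100: "32-bit",
    0x8000: "Bytes reversed hi",
}


def parse_pe(data: bytes) -> dict:
    """Read DOS, COFF, PE32 optional and section headers; section bodies are not needed."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsect, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, lmaj, lmin, code, idata, udata, entry = struct.unpack_from("<HBBIIII", data, opt)
    if magic != 0x10B:
        raise ValueError(f"only PE32 handled, magic=0x{magic:x}")
    sections = []
    for i in range(nsect):  # first 20 bytes of each 40-byte section header
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize})
    return {
        "machine": machine, "num_sections": nsect, "timestamp_raw": ts,
        "timestamp_utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "characteristics": [v for k, v in IMAGE_FILE_CHARACTERISTICS.items() if chars & k],
        "linker": f"{lmaj}.{lmin}", "size_of_code": code,
        "initialized_data": idata, "uninitialized_data": udata,
        "entry_point": entry, "sections": sections,
    }


def section_for(info: dict, rva: int):
    """Name of the section whose virtual range contains the RVA, or None."""
    for s in info["sections"]:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def triage(info: dict) -> dict:
    """Packer indicators: UPX names, empty-on-disk decompression target, stub entry point,
    fake timestamp and a BSS that dwarfs the code (the unpacked image lives there)."""
    return {
        "packer_sections": [s["name"] for s in info["sections"] if s["name"] in PACKER_SECTIONS],
        "zero_raw_sections": [s["name"] for s in info["sections"] if s["rawsize"] == 0 and s["vsize"] > 0],
        "entry_section": section_for(info, info["entry_point"]),
        "delphi_timestamp": info["timestamp_raw"] == DELPHI_TIMESTAMP,
        "uninit_to_code_ratio": round(info["uninitialized_data"] / max(info["size_of_code"], 1), 2),
    }


def build_sample_pe() -> bytes:
    """Constructed header-only PE mirroring the EXIF values of this report (section layout assumed)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, DELPHI_TIMESTAMP, 0, 0, 224, 0x818F)
    opt = struct.pack("<HBBIIII", 0x10B, 2, 25, 12288, 4096, 106496, 0x1CEE0).ljust(224, b"\0")

    def sh(name, vsize, vaddr, rawsize, rawptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, 0xE0000080)

    sections = (sh(b"UPX0", 0x1A000, 0x1000, 0, 0x400)        # 106496 bytes, empty on disk
                + sh(b"UPX1", 0x3000, 0x1B000, 0x2E00, 0x400)  # compressed data + stub
                + sh(b".rsrc", 0x1000, 0x1E000, 0x1000, 0x3200))
    return dos + b"PE\0\0" + coff + opt + sections


SAMPLE_PE = build_sample_pe()

if __name__ == "__main__":
    info = parse_pe(SAMPLE_PE)
    print(info["timestamp_utc"], info["linker"], info["characteristics"])
    print(triage(info))
```

Run against the real file, parse_pe(open(path, "rb").read()) gives the same fields the EXIF block lists; an entry point inside UPX1 with UPX0 at zero raw size is the layout to expect before unpacking (upx -d) and re-running static analysis.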
All screenshots are available in the full report
Total processes: 129
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph (process tree as rendered in the full report; tags are the per-process verdicts)

start
└─ 2025-04-18_d798432196e334aa1d4a23a3cf1155ae_black-basta_elex_hijackloader.exe  #YERO
   ├─ tmp1103406.exe  #SMBSCAN
   └─ tmp1103437.exe  (no specs)
System  #SMBSCAN
slui.exe

Process information

PID: 4
CMD: System
Parent process: [System Process]
User: SYSTEM
Integrity Level: SYSTEM

PID: 3100
CMD: C:\Users\admin\AppData\Local\Temp\tmp1103437.exe
Path: C:\Users\admin\AppData\Local\Temp\tmp1103437.exe
Parent process: 2025-04-18_d798432196e334aa1d4a23a3cf1155ae_black-basta_elex_hijackloader.exe
User: admin
Integrity Level: MEDIUM
Company: Adobe Systems Incorporated
Description: Adobe Acrobat
Version: 25.1.20435.0
Exit code: 255
Loaded images:
  c:\users\admin\appdata\local\temp\tmp1103437.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll

PID: 5112
CMD: "C:\Users\admin\Desktop\2025-04-18_d798432196e334aa1d4a23a3cf1155ae_black-basta_elex_hijackloader.exe"
Path: C:\Users\admin\Desktop\2025-04-18_d798432196e334aa1d4a23a3cf1155ae_black-basta_elex_hijackloader.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Loaded images:
  c:\users\admin\desktop\2025-04-18_d798432196e334aa1d4a23a3cf1155ae_black-basta_elex_hijackloader.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\advapi32.dll

PID: 5380
CMD: C:\Users\admin\AppData\Local\Temp\tmp1103406.exe
Path: C:\Users\admin\AppData\Local\Temp\tmp1103406.exe
Parent process: 2025-04-18_d798432196e334aa1d4a23a3cf1155ae_black-basta_elex_hijackloader.exe
User: admin
Integrity Level: MEDIUM
Loaded images:
  c:\users\admin\appdata\local\temp\tmp1103406.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\advapi32.dll

PID: 7968
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Integrity Level: MEDIUM
Company: Microsoft Corporation
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Exit code: 0
Loaded images:
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll
Total events: 4 496
Read events: 4 496
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 228
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
5112 | 2025-04-18_d798432196e334aa1d4a23a3cf1155ae_black-basta_elex_hijackloader.exe | C:\Users\admin\AppData\Local\Temp\tmp1103453.exe | - | - | -
5380 | tmp1103406.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe- | - | - | -
5380 | tmp1103406.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe- | - | - | -
5380 | tmp1103406.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe- | executable | 792731DA1960621CDD3C029D16026A34 | 0741C5F7EA5E7222A39356D29CBF98D3D6280E0FE74A6B81CA5B4749151CAA21
5112 | 2025-04-18_d798432196e334aa1d4a23a3cf1155ae_black-basta_elex_hijackloader.exe | C:\Users\admin\AppData\Local\Temp\tmp1103437.exe | executable | 29DBE809256152AC903656116FF6009F | B56F17280584CC2A205F1A9929271CD68F5FB8749ACEF5F984491282911D23BD
5380 | tmp1103406.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe- | executable | 4148F8AE4490EF5ED0993A411463D363 | B0AA7158E7A3FC1918DBC793D3040FBB2F642010BE1664B8F01887A5EADB473F
5112 | 2025-04-18_d798432196e334aa1d4a23a3cf1155ae_black-basta_elex_hijackloader.exe | C:\Users\admin\AppData\Local\Temp\tmp1103406.exe | executable | 40481686BA79E195019E246BA086DD46 | B605CFC3DAE39B83B79B33DC02FA1A7CF261E6DBD88B560B677A1CA58DEBCB0A
5380 | tmp1103406.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe- | executable | 7F74FBEABF3C00D713ADFCE9CFDD3A12 | ADF8FB81EC171F35B3D80149F77FEFA0C9E1D1C0CF4D0FCE56DD40CE5E1F60DD
5380 | tmp1103406.exe | C:\Users\admin\AppData\Local\VirtualStore\Windows\SysWOW64\fsb.stb | executable | 280B12E4717C3A7CF2C39561B30BC9E6 | F6AB4BA25B6075AA5A76D006C434E64CAD37FDB2FF242C848C98FAD5167A1BFC
5380 | tmp1103406.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe- | executable | 8AFE6E31981FBFA50EA8AAFCDAE54558 | 271B78F4B7DB5839EBA069D01BE65C1F6E0E031CEBB35FBF8158528DC752ADEE
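Added example (not ANY.RUN's code): the VirtualStore paths in the table above are where UAC file virtualization redirects writes that a non-elevated, medium-integrity 32-bit process aims at Program Files or Windows, so the intended targets were the installed Acrobat binaries and SysWOW64, not the user profile. The script maps each virtualized path back to the intended one and flags the cases to check on a real host (whether the Acrobat executables were renamed, copied or replaced, and what fsb.stb is). The file list is copied from the table without hashes; the helper names and the flagging rules are the author's choice.

```python
import re
from pathlib import PureWindowsPath

# %LOCALAPPDATA%\VirtualStore\<rest> mirrors <drive>:\<rest> for a virtualized write.
VIRTUALSTORE = re.compile(
    r"^([A-Za-z]):\\Users\\[^\\]+\\AppData\\Local\\VirtualStore\\(.+)$", re.IGNORECASE)
PROTECTED_ROOTS = {"program files", "program files (x86)", "windows"}
BINARY_SUFFIXES = {".exe", ".dll", ".exe-"}

# Dropped-file paths taken from the report's table (constructed list, hashes omitted).
DROPPED = [
    (5112, r"C:\Users\admin\AppData\Local\Temp\tmp1103406.exe"),
    (5112, r"C:\Users\admin\AppData\Local\Temp\tmp1103437.exe"),
    (5380, r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe-"),
    (5380, r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe-"),
    (5380, r"C:\Users\admin\AppData\Local\VirtualStore\Windows\SysWOW64\fsb.stb"),
]


def devirtualize(path: str):
    """Return (intended path, was_virtualized)."""
    m = VIRTUALSTORE.match(path)
    if not m:
        return path, False
    return f"{m.group(1)}:\\{m.group(2)}", True


def classify(path: str) -> dict:
    target, virtualized = devirtualize(path)
    p = PureWindowsPath(target)
    root = p.parts[1].lower() if len(p.parts) > 1 else ""
    protected = root in PROTECTED_ROOTS
    reasons = []
    if virtualized:
        reasons.append("UAC file virtualization: a medium-integrity process tried to write "
                       "into a protected directory")
    if protected and target.lower().endswith(".exe-"):
        reasons.append("third-party executable name with a '-' suffix: compare the installed "
                       "binary's hash with its vendor-signed original")
    if protected and p.suffix.lower() not in BINARY_SUFFIXES:
        reasons.append("unusual extension in a system directory")
    return {"intended_path": target, "virtualized": virtualized,
            "protected": protected, "reasons": reasons}


def triage_dropped(rows):
    """Only rows that earned at least one reason, keyed by writing PID."""
    return [(pid, classify(path)) for pid, path in rows if classify(path)["reasons"]]


if __name__ == "__main__":
    for pid, c in triage_dropped(DROPPED):
        print(pid, c["intended_path"], "|", "; ".join(c["reasons"]))
```

On a live host the same mapping applies in reverse: a clean-looking Program Files directory does not rule the write out, the redirected copy under %LOCALAPPDATA%\VirtualStore must be checked as well.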
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 31
TCP/UDP connections: 1 358
DNS requests: 12
Threats: 15

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
2104 | svchost.exe | GET | 200 | 23.216.77.21:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 304 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | -
7672 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7672 | SIHClient.exe | GET | 200 | 23.216.77.21:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
7672 | SIHClient.exe | GET | 200 | 23.216.77.21:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
7672 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7672 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7672 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
- | - | GET | 200 | 40.69.42.241:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | -
7672 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2104 | svchost.exe | 23.216.77.21:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6544 | svchost.exe | 20.190.160.20:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5380 | tmp1103406.exe | 82.3.97.99:6667 | - | Virgin Media Limited | GB | malicious
5380 | tmp1103406.exe | 200.155.227.245:139 | - | - | BR | unknown
5380 | tmp1103406.exe | 201.37.123.103:139 | - | Claro NXT Telecomunicacoes Ltda | BR | unknown
5380 | tmp1103406.exe | 177.153.97.33:139 | - | Locaweb Servicos de Internet SA | BR | unknown
5380 | tmp1103406.exe | 145.62.170.240:139 | - | - | NL | unknown
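Added example (not ANY.RUN's or Suricata's code): the detection logic behind the SMBSCAN and IRC verdicts, run over records constructed from the Connections table above. None of the HTTP(S) rows belong to the worm; its traffic is the IRC session on 82.3.97.99:6667 and the NetBIOS-session connects (port 139) to unrelated external hosts. Note that the SMB alerts are attributed to both tmp1103406.exe and System (PID 4): a direct connect to port 139 shows under the worm's PID, while anything that goes through the Windows SMB redirector (the srvsvc pipe use noted in the indicators) is sent by the kernel and shows under PID 4, so per-process scan thresholds must tolerate that split. The IRC stream is constructed, not the real C2 exchange; the nick and channel are placeholders.

```python
import ipaddress
from collections import defaultdict

SMB_PORTS = {139, 445}
IRC_PORTS = {6667}
# Client-side registration/traffic commands; "NICK " at line start is what ET CHAT IRC NICK looks for.
IRC_COMMANDS = (b"NICK ", b"USER ", b"JOIN ", b"PRIVMSG ")

# Constructed records mirroring the Connections table: (pid, process, dst ip, dst port).
CONNECTIONS = [
    (4, "System", "192.168.100.255", 138),
    (2104, "svchost.exe", "23.216.77.21", 80),
    (6544, "svchost.exe", "20.190.160.20", 443),
    (5380, "tmp1103406.exe", "82.3.97.99", 6667),
    (5380, "tmp1103406.exe", "200.155.227.245", 139),
    (5380, "tmp1103406.exe", "201.37.123.103", 139),
    (5380, "tmp1103406.exe", "177.153.97.33", 139),
    (5380, "tmp1103406.exe", "145.62.170.240", 139),
]

# Constructed client-to-server IRC bytes (placeholder nick and channel, not the task's PCAP).
IRC_STREAM = b"NICK [00|USA|12345]\r\nUSER xyz 0 0 :xyz\r\nJOIN #placeholder\r\n"


def is_external(ip: str) -> bool:
    """True for routable unicast addresses; RFC1918, loopback, link-local, multicast are not."""
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local or a.is_multicast or a.is_reserved)


def smb_scan_by_pid(conns, min_hosts: int = 3) -> dict:
    """Processes that contacted at least min_hosts distinct external hosts on SMB/NetBIOS ports."""
    hosts = defaultdict(set)
    for pid, proc, ip, port in conns:
        if port in SMB_PORTS and is_external(ip):
            hosts[(pid, proc)].add(ip)
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_hosts}


def irc_connections(conns) -> list:
    return [(pid, proc, ip, port) for pid, proc, ip, port in conns if port in IRC_PORTS]


def irc_commands(stream: bytes) -> list:
    """IRC commands seen at line start in a client stream, in order."""
    found = []
    for line in stream.split(b"\r\n"):
        for cmd in IRC_COMMANDS:
            if line.startswith(cmd):
                found.append(cmd.strip().decode())
    return found


def triage(conns, stream: bytes) -> dict:
    scans = smb_scan_by_pid(conns)
    irc = irc_connections(conns)
    cmds = irc_commands(stream)
    verdicts = []
    if scans:
        verdicts.append("worm-like SMB scanning")
    if irc and cmds:  # port alone is weak evidence; require protocol content too
        verdicts.append("IRC C2 registration")
    return {"smb_scan": scans, "irc": irc, "irc_commands": cmds, "verdicts": verdicts}


if __name__ == "__main__":
    print(triage(CONNECTIONS, IRC_STREAM))
```

The 192.168.100.255:138 row is excluded twice over: it is a private broadcast and port 138 is NetBIOS datagram, not session traffic. With System-attributed SMB connects merged in under the sample's PID, the same threshold would trip on fewer direct rows.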

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.174
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
crl.microsoft.com
  • 23.216.77.21
  • 23.216.77.30
  • 23.216.77.18
  • 23.216.77.19
  • 23.216.77.26
  • 23.216.77.27
  • 23.216.77.20
  • 23.216.77.25
  • 23.216.77.17
whitelisted
login.live.com
  • 20.190.160.20
  • 20.190.160.22
  • 40.126.32.72
  • 40.126.32.133
  • 40.126.32.68
  • 40.126.32.76
  • 20.190.160.67
  • 20.190.160.64
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.11
whitelisted

Threats

PID | Process | Class | Message
5380 | tmp1103406.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
5380 | tmp1103406.exe | Misc activity | ET CHAT IRC NICK command
5380 | tmp1103406.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
5380 | tmp1103406.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
5380 | tmp1103406.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
No debug info