File name: 2025-05-16_467e55c524dd01b06e00be38e7151a0e_black-basta_elex_gcleaner_hijackloader_remcos

Full analysis: https://app.any.run/tasks/9caa95d4-7743-447c-813c-42d35030d978
Verdict: Malicious activity
Analysis date: May 16, 2025, 15:50:24
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
canbis
worm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: 467E55C524DD01B06E00BE38E7151A0E
SHA1: 7250582746A80D54EB0F4C8520FFEB6F845C0146
SHA256: 30C832170ED8B795F21A97819C06EA24F8C9DB242A02B36E912DF76BF547BDF3
SSDEEP: 98304:zSYpVEm5sn6gNEkdfaTgmHihuRB3FKMvXj07kkFGZur7yv5FkGSthza1U7SZRYyr:5MGddJMGVqWMpdLTW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 4972954724.exe (PID: 5552)
      • 4972954724.exe (PID: 4120)
      • install.exe (PID: 4448)
    • CANBIS mutex has been found

      • 2025-05-16_467e55c524dd01b06e00be38e7151a0e_black-basta_elex_gcleaner_hijackloader_remcos.exe (PID: 3784)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • 2025-05-16_467e55c524dd01b06e00be38e7151a0e_black-basta_elex_gcleaner_hijackloader_remcos.exe (PID: 3784)
      • 4972954724.exe (PID: 4120)
      • msiexec.exe (PID: 5400)
      • TiWorker.exe (PID: 4200)
    • There is functionality for communication over UDP network (YARA)

      • 2025-05-16_467e55c524dd01b06e00be38e7151a0e_black-basta_elex_gcleaner_hijackloader_remcos.exe (PID: 3784)
    • Reads security settings of Internet Explorer

      • 2025-05-16_467e55c524dd01b06e00be38e7151a0e_black-basta_elex_gcleaner_hijackloader_remcos.exe (PID: 3784)
      • install.exe (PID: 4448)
    • Executable content was dropped or overwritten

      • 2025-05-16_467e55c524dd01b06e00be38e7151a0e_black-basta_elex_gcleaner_hijackloader_remcos.exe (PID: 3784)
      • 4972954724.exe (PID: 4120)
      • TiWorker.exe (PID: 4200)
    • Starts a Microsoft application from unusual location

      • 4972954724.exe (PID: 5552)
      • 4972954724.exe (PID: 4120)
    • Creates file in the systems drive root

      • 4972954724.exe (PID: 4120)
      • msiexec.exe (PID: 5400)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 5400)
      • install.exe (PID: 4448)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 5400)
      • TiWorker.exe (PID: 4200)
  • INFO

    • The sample compiled with english language support

      • 2025-05-16_467e55c524dd01b06e00be38e7151a0e_black-basta_elex_gcleaner_hijackloader_remcos.exe (PID: 3784)
      • 4972954724.exe (PID: 4120)
      • msiexec.exe (PID: 5400)
      • TiWorker.exe (PID: 4200)
    • Reads the computer name

      • 2025-05-16_467e55c524dd01b06e00be38e7151a0e_black-basta_elex_gcleaner_hijackloader_remcos.exe (PID: 3784)
      • 4972954724.exe (PID: 4120)
      • install.exe (PID: 4448)
      • msiexec.exe (PID: 5400)
    • Checks supported languages

      • 2025-05-16_467e55c524dd01b06e00be38e7151a0e_black-basta_elex_gcleaner_hijackloader_remcos.exe (PID: 3784)
      • 4972954724.exe (PID: 4120)
      • install.exe (PID: 4448)
      • msiexec.exe (PID: 5400)
    • Process checks computer location settings

      • 2025-05-16_467e55c524dd01b06e00be38e7151a0e_black-basta_elex_gcleaner_hijackloader_remcos.exe (PID: 3784)
    • Failed to create an executable file in Windows directory

      • 2025-05-16_467e55c524dd01b06e00be38e7151a0e_black-basta_elex_gcleaner_hijackloader_remcos.exe (PID: 3784)
    • Reads the machine GUID from the registry

      • 4972954724.exe (PID: 4120)
      • install.exe (PID: 4448)
      • msiexec.exe (PID: 5400)
    • The sample compiled with korean language support

      • 4972954724.exe (PID: 4120)
      • msiexec.exe (PID: 5400)
      • TiWorker.exe (PID: 4200)
    • The sample compiled with french language support

      • 4972954724.exe (PID: 4120)
      • msiexec.exe (PID: 5400)
    • The sample compiled with japanese language support

      • 4972954724.exe (PID: 4120)
      • msiexec.exe (PID: 5400)
      • TiWorker.exe (PID: 4200)
    • The sample compiled with Italian language support

      • 4972954724.exe (PID: 4120)
      • msiexec.exe (PID: 5400)
      • TiWorker.exe (PID: 4200)
    • The sample compiled with german language support

      • 4972954724.exe (PID: 4120)
      • msiexec.exe (PID: 5400)
      • TiWorker.exe (PID: 4200)
    • The sample compiled with spanish language support

      • 4972954724.exe (PID: 4120)
      • msiexec.exe (PID: 5400)
      • TiWorker.exe (PID: 4200)
    • The sample compiled with chinese language support

      • 4972954724.exe (PID: 4120)
      • msiexec.exe (PID: 5400)
      • TiWorker.exe (PID: 4200)
    • Create files in a temporary directory

      • install.exe (PID: 4448)
    • Reads the software policy settings

      • install.exe (PID: 4448)
      • msiexec.exe (PID: 5400)
      • slui.exe (PID: 5392)
      • TiWorker.exe (PID: 4200)
    • Checks proxy server information

      • install.exe (PID: 4448)
      • slui.exe (PID: 5392)
    • Creates files or folders in the user directory

      • install.exe (PID: 4448)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 5400)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 5400)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (55.2)
.exe | Win32 Executable Borland Delphi 5 (37.5)
.exe | InstallShield setup (3.5)
.exe | Win32 Executable Delphi generic (1.1)
.scr | Windows screen saver (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 46080
InitializedDataSize: 7680
UninitializedDataSize: -
EntryPoint: 0xc254
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
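The EXIF TimeStamp above (1992-06-19 22:22:17 UTC, i.e. 0x2A425E19) is the fixed value Borland Delphi linkers write into the COFF header, which agrees with the TRiD Delphi match; it does not date the build. The deprecated "Bytes reversed lo/hi" characteristics are likewise typical of Delphi output. The following script is an added example, not part of the ANY.RUN report: it parses the COFF file header of a PE image, decodes the Characteristics bits the way exiftool prints them, and flags sentinel, zeroed and future-dated timestamps. The PE image it runs on is a constructed header-only stub that mirrors the report's values (8 sections, Delphi timestamp, characteristics 0x818F); it is not the analysed sample.

```python
"""Parse the COFF file header of a PE image and triage its TimeDateStamp and
Characteristics. Added example; not code from the ANY.RUN report. The PE image
used below is a constructed header-only stub, not the analysed sample."""
import struct
from datetime import datetime, timezone

# Borland/Embarcadero Delphi linkers write this fixed value into TimeDateStamp,
# so a Delphi binary never carries its real build time.
DELPHI_SENTINEL = 0x2A425E19  # 1992-06-19 22:22:17 UTC

# IMAGE_FILE_* characteristic flags from the PE/COFF specification.
CHARACTERISTICS = [
    (0x0001, "No relocs"),
    (0x0002, "Executable"),
    (0x0004, "No line numbers"),
    (0x0008, "No symbols"),
    (0x0020, "Large address aware"),
    (0x0080, "Bytes reversed lo"),
    (0x0100, "32-bit"),
    (0x0200, "Debug stripped"),
    (0x2000, "DLL"),
    (0x8000, "Bytes reversed hi"),
]


def parse_coff_header(data: bytes) -> dict:
    """Return Machine, NumberOfSections, TimeDateStamp and Characteristics.

    e_lfanew at offset 0x3C of the DOS header points to the 'PE\\0\\0'
    signature; the 20-byte COFF file header follows immediately.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    machine, nsections, ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4
    )
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": ts,
        "characteristics": chars,
        "optional_header_size": opt_size,
    }


def decode_characteristics(flags: int) -> list:
    """Expand the Characteristics bit field into the names exiftool prints."""
    return [name for bit, name in CHARACTERISTICS if flags & bit]


def classify_timestamp(ts: int, observed: datetime = None) -> str:
    """Read a COFF timestamp the way an analyst should: sentinel values and
    future dates are not build times. `observed` defaults to now."""
    if observed is None:
        observed = datetime.now(tz=timezone.utc)
    if ts == 0:
        return "zeroed (reproducible build or deliberately stripped)"
    if ts == DELPHI_SENTINEL:
        return "Delphi linker sentinel, not a build date"
    built = datetime.fromtimestamp(ts, tz=timezone.utc)
    if built > observed:
        return f"future-dated ({built:%Y-%m-%d}), almost certainly forged"
    return f"plausible build time {built:%Y-%m-%d %H:%M:%S} UTC"


def build_stub_pe(ts: int, nsections: int = 8, chars: int = 0x818F) -> bytes:
    """Construct a header-only MZ+PE stub for offline testing (no sections,
    no code); it is all the parser above needs."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, symtab, nsyms, opt size, chars
    coff = struct.pack("<HHIIIHH", 0x014C, nsections, ts, 0, 0, 0xE0, chars)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    hdr = parse_coff_header(build_stub_pe(DELPHI_SENTINEL))
    analysis_date = datetime(2025, 5, 16, 15, 50, 24, tzinfo=timezone.utc)
    print(hex(hdr["timestamp"]), classify_timestamp(hdr["timestamp"], analysis_date))
    print(", ".join(decode_characteristics(hdr["characteristics"])))
```

Run against a real file with `parse_coff_header(open(path, "rb").read())`; the stub builder exists only so the example runs offline.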
No data.
All screenshots are available in the full report
Total processes: 131
Monitored processes: 7
Malicious processes: 5
Suspicious processes: 1

Behavior graph

Processes in the graph: 2025-05-16_467e55c524dd01b06e00be38e7151a0e_black-basta_elex_gcleaner_hijackloader_remcos.exe (start, #CANBIS), slui.exe, 4972954724.exe (no specs), 4972954724.exe, install.exe, msiexec.exe, tiworker.exe

Process information

PID: 3784
CMD: "C:\Users\admin\Desktop\2025-05-16_467e55c524dd01b06e00be38e7151a0e_black-basta_elex_gcleaner_hijackloader_remcos.exe"
Path: C:\Users\admin\Desktop\2025-05-16_467e55c524dd01b06e00be38e7151a0e_black-basta_elex_gcleaner_hijackloader_remcos.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 5
Modules (images):
c:\users\admin\desktop\2025-05-16_467e55c524dd01b06e00be38e7151a0e_black-basta_elex_gcleaner_hijackloader_remcos.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 4120
CMD: "C:\Users\admin\Desktop\4972954724.exe"
Path: C:\Users\admin\Desktop\4972954724.exe
Parent process: 2025-05-16_467e55c524dd01b06e00be38e7151a0e_black-basta_elex_gcleaner_hijackloader_remcos.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2008 Redistributable Setup
Exit code: 0
Version: 9.0.21022.08
Modules (images):
c:\users\admin\desktop\4972954724.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 4200
CMD: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -Embedding
Path: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Modules Installer Worker
Version: 10.0.19041.3989 (WinBuild.160101.0800)
Modules (images):
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll

PID: 4448
CMD: c:\43da19558e196340877fcb02\.\install.exe
Path: C:\43da19558e196340877fcb02\install.exe
Parent process: 4972954724.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: External Installer
Exit code: 0
Version: 9.0.21022.8 built by: RTM
Modules (images):
c:\43da19558e196340877fcb02\install.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll

PID: 5392
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 5400
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

PID: 5552
CMD: "C:\Users\admin\Desktop\4972954724.exe"
Path: C:\Users\admin\Desktop\4972954724.exe
Parent process: 2025-05-16_467e55c524dd01b06e00be38e7151a0e_black-basta_elex_gcleaner_hijackloader_remcos.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Visual C++ 2008 Redistributable Setup
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this first, medium-integrity launch failed because the image requests elevation; the same file then ran elevated as PID 4120)
Version: 9.0.21022.08
Modules (images):
c:\users\admin\desktop\4972954724.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
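The flattened table above hides the one thing an analyst wants from it: the tree, and the fact that the dropped 4972954724.exe was launched twice, the first time failing with an NTSTATUS (0xC000042C, STATUS_ELEVATION_REQUIRED) at MEDIUM integrity and the second time running at HIGH. The script below is an added example, not part of the ANY.RUN report: it rebuilds the tree from records transcribed from the table, decodes exit codes that are NTSTATUS values rather than Win32 codes, and lists parent/child pairs where integrity rose (a UAC elevation). Parent PIDs are assumed from the parent image names; in particular install.exe is attached to PID 4120, the elevated instance, because install.exe itself ran at HIGH integrity.

```python
"""Rebuild the process tree from the report's Process information table,
decode exit codes and flag UAC elevations. Added example, not part of the
ANY.RUN report; the records below are transcribed from the table above and
the parent PID of install.exe is an assumption (see lead-in)."""
from dataclasses import dataclass, field
from typing import List, Optional

INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}

# NTSTATUS values that surface as process exit codes when a launch fails
# before the image runs; 0xC000042C is the one seen in this report.
NTSTATUS_NAMES = {0xC000042C: "STATUS_ELEVATION_REQUIRED"}


@dataclass
class Proc:
    pid: int
    image: str
    parent_pid: Optional[int]   # None when the parent was not monitored
    parent_image: str
    integrity: str
    exit_code: Optional[int] = None
    children: List["Proc"] = field(default_factory=list)


def decode_exit(code: Optional[int]) -> str:
    """Exit codes >= 0xC0000000 are NTSTATUS error values, not Win32 codes."""
    if code is None:
        return "not recorded"
    if code >= 0xC0000000:
        return NTSTATUS_NAMES.get(code, f"NTSTATUS 0x{code:08X}")
    return str(code)


def build_tree(procs: List[Proc]) -> List[Proc]:
    """Link children to parents by PID; processes whose parent was not
    monitored become roots. Safe to call more than once."""
    by_pid = {p.pid: p for p in procs}
    for p in procs:
        p.children = []
    roots = []
    for p in procs:
        if p.parent_pid in by_pid:
            by_pid[p.parent_pid].children.append(p)
        else:
            roots.append(p)
    return roots


def render(nodes: List[Proc], depth: int = 0) -> List[str]:
    """Indented one-line-per-process view of the tree."""
    lines = []
    for p in nodes:
        lines.append(
            f"{'    ' * depth}{p.image} (PID {p.pid}, parent {p.parent_image}, "
            f"{p.integrity}, exit {decode_exit(p.exit_code)})"
        )
        lines.extend(render(p.children, depth + 1))
    return lines


def elevation_events(procs: List[Proc]):
    """(parent_pid, child_pid) pairs where the child runs at a higher
    integrity level than its parent, i.e. a UAC elevation took place."""
    by_pid = {p.pid: p for p in procs}
    return [
        (p.parent_pid, p.pid)
        for p in procs
        if p.parent_pid in by_pid
        and INTEGRITY_RANK[p.integrity] > INTEGRITY_RANK[by_pid[p.parent_pid].integrity]
    ]


SAMPLE = "2025-05-16_467e55c524dd01b06e00be38e7151a0e_black-basta_elex_gcleaner_hijackloader_remcos.exe"
# Transcribed from the report; exit codes missing in the report stay None.
REPORT = [
    Proc(3784, SAMPLE, None, "explorer.exe", "MEDIUM", 5),
    Proc(5552, "4972954724.exe", 3784, SAMPLE, "MEDIUM", 3221226540),
    Proc(4120, "4972954724.exe", 3784, SAMPLE, "HIGH", 0),
    # parent PID assumed: the elevated instance, since install.exe is HIGH too
    Proc(4448, "install.exe", 4120, "4972954724.exe", "HIGH", 0),
    Proc(5400, "msiexec.exe", None, "services.exe", "SYSTEM"),
    Proc(5392, "slui.exe", None, "svchost.exe", "MEDIUM", 0),
    Proc(4200, "TiWorker.exe", None, "svchost.exe", "SYSTEM"),
]

if __name__ == "__main__":
    print("\n".join(render(build_tree(REPORT))))
    print("UAC elevations (parent -> child):", elevation_events(REPORT))
```

The same two checks transfer to any sandbox or EDR process listing: decode the high-bit exit codes before reasoning about them, and treat a child at higher integrity than its parent as a consent prompt that was accepted, which in an interactive sandbox may have been the analyst rather than the malware.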
Total events: 16 439
Read events: 15 982
Write events: 386
Delete events: 71

Modification events

Process: (5400) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation: write
Name: c:\Config.Msi\
Value:

Process: (5400) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4B35AE21A043D5F31BCBA4B3CEA4987A
Operation: write
Name: 6F9E66FF7E38E3A3FA41D89E8A906A4A
Value:

Process: (5400) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CC1E60A59C989BD3B98CB5AF655BB8BF
Operation: write
Name: 6F9E66FF7E38E3A3FA41D89E8A906A4A
Value:

Process: (5400) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A175F2FF45C63E132BE3A20682B3808A
Operation: write
Name: 6F9E66FF7E38E3A3FA41D89E8A906A4A
Value: >mfc90cht.dll\Microsoft.VC90.MFCLOC,version="9.0.21022.8",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32"

Process: (5400) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F04C2F9CDC82C2930A3CA3DACE31C0A0
Operation: write
Name: 6F9E66FF7E38E3A3FA41D89E8A906A4A
Value:

Process: (5400) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EC2108D4EC2B3943198B8B9A9B286F8B
Operation: write
Name: 6F9E66FF7E38E3A3FA41D89E8A906A4A
Value:

Process: (5400) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0D8ABEF022D5A3D349D755E992FB70FD
Operation: write
Name: 6F9E66FF7E38E3A3FA41D89E8A906A4A
Value: >\policy.9.0.Microsoft.VC90.MFCLOC,version="9.0.21022.8",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy"

Process: (5400) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\64C620F6CB6D50833A0B11A78F749382
Operation: write
Name: 6F9E66FF7E38E3A3FA41D89E8A906A4A
Value:

Process: (5400) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AA35D58AD6095C13693E2EB19B51E4C2
Operation: write
Name: 6F9E66FF7E38E3A3FA41D89E8A906A4A
Value:

Process: (5400) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3F4F115D119AFC23CA11C979FE49B8CF
Operation: write
Name: 6F9E66FF7E38E3A3FA41D89E8A906A4A
Value: >vcomp90.dll\Microsoft.VC90.OpenMP,version="9.0.21022.8",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32"

These keys are the per-machine Windows Installer component registrations (under the SYSTEM SID S-1-5-18) for the VC90 MFC, MFCLOC and OpenMP side-by-side assemblies, version 9.0.21022.8, that the dropped vc_red.msi installs; they are what a genuine Visual C++ 2008 Redistributable setup writes, not persistence by the sample.
Executable files: 86
Suspicious files: 47
Text files: 101
Unknown types: 6

Dropped files

PID | Process | Filename | Type

3784 | 2025-05-16_467e55c524dd01b06e00be38e7151a0e_black-basta_elex_gcleaner_hijackloader_remcos.exe | C:\Users\admin\Desktop\4972954724.exe | executable
MD5: B936F0F378B9A35489353E878154E899
SHA256: C6A7E484F4D84883BC1205BCCEA3114C0521025712922298EDE9B2A1CD632357

4120 | 4972954724.exe | C:\43da19558e196340877fcb02\eula.1033.txt | text
MD5: 99C22D4A31F4EAD4351B71D6F4E5F6A1
SHA256: 93A3C629FECFD10C1CF614714EFD69B10E89CFCAF94C2609D688B27754E4AB41

4120 | 4972954724.exe | C:\43da19558e196340877fcb02\vc_red.msi | executable
MD5: E0951D3CB1038EB2D2B2B2F336E1AB32
SHA256: 507AC60E145057764F13CF1AD5366A7E15DDC0DA5CC22216F69E3482697D5E88

4120 | 4972954724.exe | C:\43da19558e196340877fcb02\install.res.1033.dll | executable
MD5: 9EDEB8B1C5C0A4CD3A3016B85108127D
SHA256: 9BF7026A47DAAB7BB2948FD23E8CF42C06DD2E19EF8CDEA0AF7367453674A8F9

4120 | 4972954724.exe | C:\43da19558e196340877fcb02\install.res.1041.dll | executable
MD5: 13ED4517152203DE4BC52ACC0255D952
SHA256: 6183324FE24006BC3D8928029DCACCBDAE517EB09727F5DD47EA5AAEED3EE26D

4120 | 4972954724.exe | C:\43da19558e196340877fcb02\install.res.3082.dll | executable
MD5: 41BB37A347121F3E5E88D85100638B79
SHA256: 320C305177AB4EC6E00883A2CF0886019B5D36557219E4A188CF9DF3768F157F

4120 | 4972954724.exe | C:\43da19558e196340877fcb02\install.res.1036.dll | executable
MD5: 5B6FF470CFA7087690E61F87E81EF78A
SHA256: 2D1C0A1B17266CFF3BE7D46CF3020B176E4A058FD7FC57F7B6B97E0760CC45DB

4120 | 4972954724.exe | C:\43da19558e196340877fcb02\install.res.2052.dll | executable
MD5: D7366B34E8AFB605C39EF56E2201FE85
SHA256: F7AA6EBF1413A6E4816BCAD5B77C47B6BBE0CFC05CAFDE4AA872ABE3FBD5E62B

4120 | 4972954724.exe | C:\43da19558e196340877fcb02\install.res.1028.dll | executable
MD5: 4151A4D07640863783F837E588235837
SHA256: 58475A90250C6818F73763775EEA6379E06DA6C38E8D2CF0F54EB6112A0A6AEE

4120 | 4972954724.exe | C:\43da19558e196340877fcb02\install.res.1031.dll | executable
MD5: 3B8A82E04238655EAEF97E074FB29911
SHA256: 5E49C21B9A15C3A0FDDDE7DDC32FDA220302EE57B8AFF66F4F78B370E049410D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 21
DNS requests: 7
Threats: 0

HTTP requests

PID: 4448
Process: install.exe
Method: GET
HTTP Code: 200
IP: 2.19.11.105:80
URL: http://crl.microsoft.com/pki/crl/products/CSPCA.crl
CN: unknown
Reputation: whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6040 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4448 | install.exe | 2.19.11.105:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
5392 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.104.136.2 | whitelisted
google.com | 216.58.206.46 | whitelisted
uk.undernet.org | - | unknown
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted
crl.microsoft.com | 2.19.11.105, 2.19.11.120 | whitelisted
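Almost everything in the connection and DNS tables is Windows 10 background traffic (telemetry to settings-win.data.microsoft.com, activation, the CRL fetch that the redistributable's signature check triggers, NetBIOS broadcasts from the System process). The exception is the lookup of uk.undernet.org, a hostname of the Undernet IRC network, which received no recorded answer and was never followed by a connection; for a sample tagged as a worm that is the artifact to chase in the PCAP. The script below is an added example, not part of the ANY.RUN report: it takes the DNS and connection records transcribed from the tables above, strips an assumed noise suffix list (an analyst's choice, not ANY.RUN's whitelist), and reports lookups that never led to a connection and connections with no DNS answer in the capture.

```python
"""Separate the report's network artifacts into Windows background noise and
residue worth a second look. Added example, not part of the ANY.RUN report;
the DNS and connection records are transcribed from the tables above and the
noise suffix list is an analyst's assumption, not ANY.RUN's whitelist."""
from typing import Dict, List, Optional, Tuple

# Assumed sandbox background noise for a Windows 10 guest: telemetry, CRL
# fetches and activation all live under this suffix. Everything else is
# left for the analyst.
NOISE_SUFFIXES = ("microsoft.com",)

# domain -> resolved addresses as recorded in the report (empty = no answer)
DNS: Dict[str, List[str]] = {
    "settings-win.data.microsoft.com": ["40.127.240.158", "51.104.136.2"],
    "google.com": ["216.58.206.46"],
    "uk.undernet.org": [],
    "activation-v2.sls.microsoft.com": ["20.83.72.98"],
    "crl.microsoft.com": ["2.19.11.105", "2.19.11.120"],
}

# (pid, process, ip, port, domain); None where the report left the cell empty
Connection = Tuple[Optional[int], Optional[str], str, int, Optional[str]]
CONNECTIONS: List[Connection] = [
    (None, None, "40.127.240.158", 443, "settings-win.data.microsoft.com"),
    (4, "System", "192.168.100.255", 137, None),
    (4, "System", "192.168.100.255", 138, None),
    (None, None, "51.104.136.2", 443, "settings-win.data.microsoft.com"),
    (6040, "slui.exe", "20.83.72.98", 443, "activation-v2.sls.microsoft.com"),
    (4448, "install.exe", "2.19.11.105", 80, "crl.microsoft.com"),
    (5392, "slui.exe", "20.83.72.98", 443, "activation-v2.sls.microsoft.com"),
]


def is_noise(domain: str) -> bool:
    """Exact or subdomain match against the assumed noise suffixes."""
    return any(domain == s or domain.endswith("." + s) for s in NOISE_SUFFIXES)


def triage_dns(dns: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Bucket lookups into background noise, resolved-but-unexplained, and
    unresolved (NXDOMAIN, sinkholed, or no answer captured)."""
    out: Dict[str, List[str]] = {"noise": [], "unresolved": [], "resolved_unknown": []}
    for domain, answers in dns.items():
        if is_noise(domain):
            out["noise"].append(domain)
        elif not answers:
            out["unresolved"].append(domain)
        else:
            out["resolved_unknown"].append(domain)
    return out


def lookups_without_connection(dns, conns) -> List[str]:
    """Domains the guest resolved (or tried to) but never connected to; a
    failed C2 rendezvous looks exactly like this."""
    contacted = {c[2] for c in conns}
    return [d for d, answers in dns.items() if not any(ip in contacted for ip in answers)]


def connections_without_dns(dns, conns) -> List[Tuple[str, int]]:
    """Destinations reached with no preceding DNS answer in the capture:
    hard-coded IPs, link-local broadcasts, or names resolved before capture."""
    answered = {ip for answers in dns.values() for ip in answers}
    return sorted({(c[2], c[3]) for c in conns if c[2] not in answered})


if __name__ == "__main__":
    print(triage_dns(DNS))
    print("looked up, never contacted:", lookups_without_connection(DNS, CONNECTIONS))
    print("contacted without DNS answer:", connections_without_dns(DNS, CONNECTIONS))
```

On this report the residue is two entries: google.com (resolved, never contacted) and uk.undernet.org (no answer at all); the NetBIOS broadcasts to 192.168.100.255 are the only connections with no DNS answer, as expected.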

Threats

No threats detected
No debug info