File name:

2025-05-17_eeebeb4fca1ecadbd33f19efe48a9a7d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer

Full analysis: https://app.any.run/tasks/01362e41-c7b3-4bbd-ae80-bb46e5d7b955
Verdict: Malicious activity
Analysis date: May 17, 2025, 23:58:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: scan, smbscan, yero, worm, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: EEEBEB4FCA1ECADBD33F19EFE48A9A7D
SHA1: D588DC129B15F1FE8F1B9910E544AF4272347A65
SHA256: 3690E0D27EBE9789815F7C2FAF515A4B5627C48F917C1938ECA3DED701B0538F
SSDEEP: 98304:yR3RL0EjM7jMehTJJVolr44LrzNF8Hjqzl8MnmWedzpOejlfJPY+CCQS/175UFlV:4QlL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • YERO has been detected

      • 2025-05-17_eeebeb4fca1ecadbd33f19efe48a9a7d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe (PID: 6516)
      • tmp1100937.exe (PID: 5968)
    • YERO mutex has been found

      • tmp1100937.exe (PID: 5968)
    • SMBSCAN has been detected (SURICATA)

      • System (PID: 4)
      • tmp1100937.exe (PID: 5968)
    • Attempting to scan the network

      • System (PID: 4)
      • tmp1100937.exe (PID: 5968)
  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • 2025-05-17_eeebeb4fca1ecadbd33f19efe48a9a7d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe (PID: 6516)
    • Executable content was dropped or overwritten

      • 2025-05-17_eeebeb4fca1ecadbd33f19efe48a9a7d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe (PID: 6516)
      • tmp1100937.exe (PID: 5968)
    • Potential Corporate Privacy Violation

      • System (PID: 4)
      • tmp1100937.exe (PID: 5968)
    • Reads security settings of Internet Explorer

      • tmp1100937.exe (PID: 5968)
    • Uses pipe srvsvc via SMB (transferring data)

      • tmp1100937.exe (PID: 5968)
    • The process creates files with name similar to system file names

      • tmp1100937.exe (PID: 5968)
  • INFO

    • Checks supported languages

      • 2025-05-17_eeebeb4fca1ecadbd33f19efe48a9a7d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe (PID: 6516)
      • tmp1100937.exe (PID: 5968)
    • Create files in a temporary directory

      • 2025-05-17_eeebeb4fca1ecadbd33f19efe48a9a7d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe (PID: 6516)
    • Creates files or folders in the user directory

      • tmp1100937.exe (PID: 5968)
    • The sample compiled with english language support

      • 2025-05-17_eeebeb4fca1ecadbd33f19efe48a9a7d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe (PID: 6516)
    • Reads the computer name

      • tmp1100937.exe (PID: 5968)
    • Checks proxy server information

      • slui.exe (PID: 7768)
      • tmp1100937.exe (PID: 5968)
    • Reads the software policy settings

      • slui.exe (PID: 7768)
    • UPX packer has been detected

      • tmp1100937.exe (PID: 5968)
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (36.9)
.exe | UPX compressed Win32 Executable (24)
.exe | Win32 EXE Yoda's Crypter (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.8)
.exe | Win32 Executable (generic) (4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 12288
InitializedDataSize: 4096
UninitializedDataSize: 106496
EntryPoint: 0x1cee0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
Total processes: 126
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Nodes: start; 2025-05-17_eeebeb4fca1ecadbd33f19efe48a9a7d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe (#YERO); tmp1100937.exe (#SMBSCAN); tmp1101171.exe (no specs); System (#SMBSCAN); slui.exe

Process information

PID 4: System
  CMD: System
  Parent process: [System Process]
  User: SYSTEM
  Integrity Level: SYSTEM

PID 5244: tmp1101171.exe
  CMD: C:\Users\admin\AppData\Local\Temp\tmp1101171.exe
  Path: C:\Users\admin\AppData\Local\Temp\tmp1101171.exe
  Parent process: 2025-05-17_eeebeb4fca1ecadbd33f19efe48a9a7d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe
  User: admin
  Company: Igor Pavlov
  Integrity Level: MEDIUM
  Description: 7-Zip Uninstaller
  Exit code: 3221226540
  Version: 19.00
  Modules (images):
    c:\users\admin\appdata\local\temp\tmp1101171.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll

PID 5968: tmp1100937.exe
  CMD: C:\Users\admin\AppData\Local\Temp\tmp1100937.exe
  Path: C:\Users\admin\AppData\Local\Temp\tmp1100937.exe
  Parent process: 2025-05-17_eeebeb4fca1ecadbd33f19efe48a9a7d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe
  User: admin
  Integrity Level: MEDIUM
  Modules (images):
    c:\users\admin\appdata\local\temp\tmp1100937.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\advapi32.dll

PID 6516: 2025-05-17_eeebeb4fca1ecadbd33f19efe48a9a7d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe
  CMD: "C:\Users\admin\Desktop\2025-05-17_eeebeb4fca1ecadbd33f19efe48a9a7d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe"
  Path: C:\Users\admin\Desktop\2025-05-17_eeebeb4fca1ecadbd33f19efe48a9a7d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0
  Modules (images):
    c:\users\admin\desktop\2025-05-17_eeebeb4fca1ecadbd33f19efe48a9a7d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\advapi32.dll

PID 7768: slui.exe
  CMD: C:\WINDOWS\System32\slui.exe -Embedding
  Path: C:\Windows\System32\slui.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Activation Client
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll
Total events: 4 543
Read events: 4 543
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 228
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

All entries below were dropped by PID 5968 (tmp1100937.exe). A "-" marks a field the report left empty.

  • C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
    Type: - | MD5: - | SHA256: -
  • C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
    Type: - | MD5: - | SHA256: -
  • C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
    Type: executable
    MD5: 1686C666516F2F57BB049046BA5BBC8A
    SHA256: FE286A988A60DA5505938B4AE1084E54D7EEBBADEFC7871A6492E668BF08E35F
  • C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
    Type: executable
    MD5: 5B792AD25A606B3FEB2194052BF9D329
    SHA256: DA46DA1E1F76BBEB409058EA210079C7A9F7A8560D9E7D3064B7BE0499589256
  • C:\Users\admin\AppData\Local\VirtualStore\Windows\SysWOW64\fsb.tmp
    Type: executable
    MD5: CDBD846F0992EBCAA2ABAC9E88AB93C6
    SHA256: 53F5066948C371BCB852DBE4876135D7551C7C0844CBC0ADB5195CB516A96F09
  • C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
    Type: executable
    MD5: 9EE2B4A69F2E67C56A2162FF66672ABC
    SHA256: 067D8A23CF20B731D722487F96424B27393428BF0E3144076DA9A1EC7C235E4B
  • C:\Users\admin\AppData\Local\VirtualStore\Windows\SysWOW64\fsb.stb
    Type: executable
    MD5: 280B12E4717C3A7CF2C39561B30BC9E6
    SHA256: F6AB4BA25B6075AA5A76D006C434E64CAD37FDB2FF242C848C98FAD5167A1BFC
  • C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
    Type: executable
    MD5: 848B673C5E5C9F02CB5B3357209417F3
    SHA256: 1856F460CC7DDEED2A4582C18784BBA69DBC984ED9D10E638262E90B94650A7B
  • C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
    Type: executable
    MD5: 66041753D0732EFED94CF37522C6AA72
    SHA256: 6AB827D71DFCF26EAB1DC7BE2A181121F0FBD6E66E3167A437B041F401D8481C
  • C:\Users\admin\AppData\Local\VirtualStore\Program Files\CCleaner\CCleaner.exe
    Type: - | MD5: - | SHA256: -
HTTP(S) requests: 8
TCP/UDP connections: 1 241
DNS requests: 13
Threats: 10

HTTP requests

All eight requests were made by PID 7580 (SIHClient.exe); the Type and Size columns were empty for every row.

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
7580 | SIHClient.exe | GET | 200 | 23.216.77.36:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7580 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
7580 | SIHClient.exe | GET | 200 | 23.216.77.36:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
7580 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7580 | SIHClient.exe | GET | 200 | 23.216.77.36:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
7580 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7580 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7580 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted

Connections

A "-" marks a field the report left empty.

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
5968 | tmp1100937.exe | 39.69.96.21:139 | - | CHINA UNICOM China169 Backbone | CN | unknown
5968 | tmp1100937.exe | 124.93.101.34:139 | - | CHINA UNICOM China169 Backbone | CN | unknown
5968 | tmp1100937.exe | 59.246.109.247:139 | - | - | CN | unknown
5968 | tmp1100937.exe | 72.233.209.196:139 | - | CWU-CENTRAL-WASHINGTON-UNIVERSITY | US | unknown
5968 | tmp1100937.exe | 139.249.98.156:139 | - | DNIC-AS-00749 | US | unknown
5968 | tmp1100937.exe | 61.112.235.57:139 | - | NTT Communications Corporation | JP | unknown
5968 | tmp1100937.exe | 134.166.150.39:139 | - | DNIC-AS-00668 | US | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
google.com | 142.250.185.206 | whitelisted
client.wns.windows.com | 172.211.123.250 | whitelisted
uk.undernet.org | - | unknown
slscr.update.microsoft.com | 4.245.163.56 | whitelisted
crl.microsoft.com | 23.216.77.36, 23.216.77.20, 23.216.77.6, 23.216.77.28, 23.216.77.42 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.3.187.198 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
nexusrules.officeapps.live.com | 52.111.236.22 | whitelisted

Threats

PID | Process | Class | Message
5968 | tmp1100937.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 23
5968 | tmp1100937.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
5968 | tmp1100937.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 3
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
5968 | tmp1100937.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
No debug info