File name:

2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer

Full analysis: https://app.any.run/tasks/9aec3b6c-1b22-410c-a728-03c85cf48d75
Verdict: Malicious activity
Analysis date: May 17, 2025, 18:56:36
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (console) Intel 80386, for MS Windows, 6 sections
MD5:

FE2EABC63A00BD078E1104A0A855F1C8

SHA1:

CCEF5F8E07414F18EA5CC3A85A3649AB08699362

SHA256:

3DB3AE88F0170B78D90C4E43A389213E393CFD4D45711C90151CEF6A9E41B0C1

SSDEEP:

3072:jzr+6tMYMbCJhzwmqQyXRFXsTwG0i4btFfsfFfrBOx6MaMEbtSEH1U+rEHl3+BBY:XryCU1GqtOf1OEH62BBRg5xAcTciQq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe (PID: 6800)
      • 2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe (PID: 1660)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe (PID: 6800)
      • 2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe (PID: 1660)

    • Reads security settings of Internet Explorer

      • 2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe (PID: 6800)

    • Process drops legitimate windows executable

      • 2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe (PID: 6800)
      • 2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe (PID: 1660)

    • Application launched itself

      • 2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe (PID: 6800)

  • INFO

    • The sample compiled with chinese language support

      • 2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe (PID: 6800)

    • Process checks computer location settings

      • 2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe (PID: 6800)

    • Failed to create an executable file in Windows directory

      • 2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe (PID: 6800)

    • The sample compiled with english language support

      • 2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe (PID: 6800)
      • 2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe (PID: 1660)

    • Reads the computer name

      • 2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe (PID: 6800)
      • 2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe (PID: 1660)

    • Checks supported languages

      • 2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe (PID: 6800)
      • 2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe (PID: 1660)

    • Create files in a temporary directory

      • 2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe (PID: 6800)

    • Creates files in the program directory

      • 2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe (PID: 1660)

    • Checks proxy server information

      • slui.exe (PID: 6480)

    • Reads the software policy settings

      • slui.exe (PID: 6480)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:07:28 05:45:58+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 76800
InitializedDataSize: 41984
UninitializedDataSize: -
EntryPoint: 0x28a6
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows command line
FileVersionNumber: 2.0.0.9
ProductVersionNumber: 2.0.0.9
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Traditional)
CharacterSet: Unicode
Comments: Design by Realtek
CompanyName: Realtek
FileDescription: WifiAutoInstall
FileVersion: 2.0.0.9
InternalName: WifiAutoInstall
LegalCopyright: Copyright (C) 2004-2017 Realtek Semiconductor Corp. All rights reserved.
LegalTrademarks: Realtek, WifiAutoInstall
OriginalFileName: WifiAutoInstall
ProductName: WifiAutoInstall
ProductVersion: 2.0.0.9
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
137
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe conhost.exe no specs 2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe conhost.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1324\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1660"C:\Users\admin\Desktop\2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe" C:\Users\admin\Desktop\2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe
2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe
User:
admin
Company:
Realtek
Integrity Level:
HIGH
Description:
WifiAutoInstall
Exit code:
1
Version:
2.0.0.9
Modules
Images
c:\users\admin\desktop\2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\setupapi.dll
5056\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6480C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6800"C:\Users\admin\Desktop\2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe" C:\Users\admin\Desktop\2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe
explorer.exe
User:
admin
Company:
Realtek
Integrity Level:
MEDIUM
Description:
WifiAutoInstall
Exit code:
1
Version:
2.0.0.9
Modules
Images
c:\users\admin\desktop\2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\setupapi.dll
Total events
3 620
Read events
3 620
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
16602025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exeC:\Program Files\Common Files\System\symsrv.dllexecutable
MD5:7574CF2C64F35161AB1292E2F532AABF
SHA256:DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085
68002025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer.exeC:\Users\admin\AppData\Local\Temp\conres.dllexecutable
MD5:7574CF2C64F35161AB1292E2F532AABF
SHA256:DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
43
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2340
RUXIMICS.exe
GET
200
23.48.23.173:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2340
RUXIMICS.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4892
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
4892
SIHClient.exe
GET
200
23.48.23.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
4892
SIHClient.exe
GET
200
23.48.23.176:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
4892
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4892
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
4892
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
4892
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
2340
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2340
RUXIMICS.exe
23.48.23.173:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2340
RUXIMICS.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5496
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
40.126.32.133:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.78
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.249
whitelisted
crl.microsoft.com
  • 23.48.23.173
  • 23.48.23.194
  • 23.48.23.193
  • 23.48.23.164
  • 23.48.23.143
  • 23.48.23.159
  • 23.48.23.180
  • 23.48.23.145
  • 23.48.23.167
  • 23.48.23.176
  • 23.48.23.166
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
login.live.com
  • 40.126.32.133
  • 20.190.160.2
  • 40.126.32.140
  • 40.126.32.68
  • 20.190.160.132
  • 20.190.160.5
  • 20.190.160.130
  • 20.190.160.131
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
  • 13.77.207.86
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.21
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-17_fe2eabc63a00bd078e1104a0a855f1c8_black-basta_elex_floxif_luca-stealer