File name: 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader

Full analysis: https://app.any.run/tasks/fc8631a8-88de-4b16-94b8-c44bf307e28f
Verdict: Malicious activity
Analysis date: May 16, 2025, 05:08:32
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
canbis
worm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: DA2896C05FB960BEFB69002445E5DF54
SHA1: 295EF01FD3AF68E495BD5ECDF4EBC4DB980E3106
SHA256: 3E19B392171B4844A75826124D870D66AA28BBD28F7850DB7490B933F89492A1
SSDEEP: 98304:zSYpVEm5sn6gNEkdfaTgmHihuRB3FKMvXj07kkFGZur7yv5FkGSthza1U7SZRYyX:5MGX7LzngHM5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 5405114544.exe (PID: 2392)
      • 5405114544.exe (PID: 896)
      • install.exe (PID: 2236)
    • CANBIS mutex has been found

      • 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 5280)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 5280)
      • 5405114544.exe (PID: 896)
    • Process drops legitimate windows executable

      • 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 5280)
      • 5405114544.exe (PID: 896)
    • Starts a Microsoft application from unusual location

      • 5405114544.exe (PID: 2392)
      • 5405114544.exe (PID: 896)
    • Reads security settings of Internet Explorer

      • 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 5280)
    • There is functionality for communication over UDP network (YARA)

      • 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 5280)
  • INFO

    • Reads the computer name

      • 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 5280)
      • 5405114544.exe (PID: 896)
      • install.exe (PID: 2236)
    • Process checks computer location settings

      • 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 5280)
    • Checks supported languages

      • 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 5280)
      • 5405114544.exe (PID: 896)
      • install.exe (PID: 2236)
    • The sample compiled with english language support

      • 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 5280)
      • 5405114544.exe (PID: 896)
    • Failed to create an executable file in Windows directory

      • 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 5280)
    • Reads the machine GUID from the registry

      • 5405114544.exe (PID: 896)
    • The sample compiled with korean language support

      • 5405114544.exe (PID: 896)
    • The sample compiled with Italian language support

      • 5405114544.exe (PID: 896)
    • The sample compiled with spanish language support

      • 5405114544.exe (PID: 896)
    • The sample compiled with french language support

      • 5405114544.exe (PID: 896)
    • The sample compiled with german language support

      • 5405114544.exe (PID: 896)
    • The sample compiled with chinese language support

      • 5405114544.exe (PID: 896)
    • Create files in a temporary directory

      • install.exe (PID: 2236)
    • Checks proxy server information

      • slui.exe (PID: 3900)
    • The sample compiled with japanese language support

      • 5405114544.exe (PID: 896)
    • Reads the software policy settings

      • slui.exe (PID: 3900)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (55.2)
.exe | Win32 Executable Borland Delphi 5 (37.5)
.exe | InstallShield setup (3.5)
.exe | Win32 Executable Delphi generic (1.1)
.scr | Windows screen saver (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 46080
InitializedDataSize: 7680
UninitializedDataSize: -
EntryPoint: 0xc254
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 130
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 2

Behavior graph

Nodes shown in the interactive graph: start; #CANBIS 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe; 5405114544.exe (no specs); 5405114544.exe; install.exe (no specs); slui.exe

Process information

PID: 896
CMD: "C:\Users\admin\Desktop\5405114544.exe"
Path: C:\Users\admin\Desktop\5405114544.exe
Parent process: 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2008 Redistributable Setup
Version: 9.0.21022.08
Modules (images):
c:\users\admin\desktop\5405114544.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 2236
CMD: c:\135972f1e0ca112febe33d2b\.\install.exe
Path: C:\135972f1e0ca112febe33d2b\install.exe
Parent process: 5405114544.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: External Installer
Version: 9.0.21022.8 built by: RTM
Modules (images):
c:\135972f1e0ca112febe33d2b\install.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID: 2392
CMD: "C:\Users\admin\Desktop\5405114544.exe"
Path: C:\Users\admin\Desktop\5405114544.exe
Parent process: 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Visual C++ 2008 Redistributable Setup
Exit code: 3221226540
Version: 9.0.21022.08
Modules (images):
c:\users\admin\desktop\5405114544.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 3900
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 5280
CMD: "C:\Users\admin\Desktop\2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe"
Path: C:\Users\admin\Desktop\2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 4 044
Read events: 4 044
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 14
Suspicious files: 17
Text files: 11
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5280 | 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe | C:\Users\admin\Desktop\1282937268.exe | executable
MD5: DA2896C05FB960BEFB69002445E5DF54
SHA256: 3E19B392171B4844A75826124D870D66AA28BBD28F7850DB7490B933F89492A1
5280 | 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe | C:\Users\admin\Desktop\5405114544.exe | executable
MD5: A31DC1A74F1DEE5CAF63AEC8EBB5FE20
SHA256: BAAAEDDC17BCDA8D20C0A82A9EB1247BE06B509A820D65DDA1342F4010BDB4A0
896 | 5405114544.exe | C:\135972f1e0ca112febe33d2b\vc_red.cab | compressed
MD5: E2758D09B59904CE852E05C8F2827FAF
SHA256: B55461E4A403480A3B70099D7B622A94C0B2C1E94C7ACE3AFB2493E06EA2F8CD
896 | 5405114544.exe | C:\135972f1e0ca112febe33d2b\install.exe | executable
MD5: E015A2D8890E2A96A93CA818F834C45B
SHA256: DC1BA9CB15D0808DC2D80CE13ACFA0B07ACDFCFE2CDF94DA47E0E570E7345F6D
896 | 5405114544.exe | C:\135972f1e0ca112febe33d2b\vc_red.msi | executable
MD5: D53737CEA320B066C099894ED1780705
SHA256: BE6288737EA9691F29A17202ECCBC0A2E3E1B1B4BACC090CEEE2436970AEC240
896 | 5405114544.exe | C:\135972f1e0ca112febe33d2b\install.res.1041.dll | executable
MD5: A3946D3C9ED130AF89D1C1A9E63DEAA6
SHA256: AEEC0DFF47BB952F63212655525B598B66B1B17E06B93150389F264BBE2C3235
896 | 5405114544.exe | C:\135972f1e0ca112febe33d2b\install.res.1042.dll | executable
MD5: A5CFFE01D83AFECCD9590B4D696AA44E
SHA256: 85C532DE2266C5BA75D58E7F848F071082B802D5344A46E234CEE69A5704264F
896 | 5405114544.exe | C:\135972f1e0ca112febe33d2b\install.res.3082.dll | executable
MD5: FACD045628070999B43EB7C13AB2E0FE
SHA256: A31F7F80C1EB3CBDA64666F80CA49F41FF745DEC063203D59771DB309E31CF26
896 | 5405114544.exe | C:\135972f1e0ca112febe33d2b\install.res.1036.dll | executable
MD5: 37C8A4717B40540816A3B92C470FD58F
SHA256: 6BA48823DD30CD857280535F303D3AAD407654BE4B7C2A6CE8843D5CA940D74B
896 | 5405114544.exe | C:\135972f1e0ca112febe33d2b\install.res.1028.dll | executable
MD5: 8F05FE39BDD336C8FA2A18EC3DFE418C
SHA256: 29EEB7535005A69D7BC503D5A40FDB06E91DB90AEC04D95A39B7868B18AE274D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 53
DNS requests: 16
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1096 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
1096 | SIHClient.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
1096 | SIHClient.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
1096 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
1096 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
1096 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
1096 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
| | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.159.23:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
5496 | MoUsoCoreWorker.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
5496 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
google.com
  • 142.250.185.206
whitelisted
login.live.com
  • 20.190.159.23
  • 40.126.31.128
  • 20.190.159.131
  • 40.126.31.69
  • 40.126.31.3
  • 20.190.159.128
  • 40.126.31.0
  • 20.190.159.4
whitelisted
uk.undernet.org
unknown
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
  • 2.16.164.120
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 2.23.246.101
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info