File name: 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader

Full analysis: https://app.any.run/tasks/fc8631a8-88de-4b16-94b8-c44bf307e28f
Verdict: Malicious activity
Analysis date: May 16, 2025, 05:08:32
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: canbis, worm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: DA2896C05FB960BEFB69002445E5DF54
SHA1: 295EF01FD3AF68E495BD5ECDF4EBC4DB980E3106
SHA256: 3E19B392171B4844A75826124D870D66AA28BBD28F7850DB7490B933F89492A1
SSDEEP: 98304:zSYpVEm5sn6gNEkdfaTgmHihuRB3FKMvXj07kkFGZur7yv5FkGSthza1U7SZRYyX:5MGX7LzngHM5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 5405114544.exe (PID: 2392)
      • 5405114544.exe (PID: 896)
      • install.exe (PID: 2236)
    • CANBIS mutex has been found

      • 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 5280)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 5280)
      • 5405114544.exe (PID: 896)
    • Process drops legitimate windows executable

      • 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 5280)
      • 5405114544.exe (PID: 896)
    • Reads security settings of Internet Explorer

      • 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 5280)
    • Starts a Microsoft application from unusual location

      • 5405114544.exe (PID: 2392)
      • 5405114544.exe (PID: 896)
    • There is functionality for communication over UDP network (YARA)

      • 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 5280)
  • INFO

    • Process checks computer location settings

      • 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 5280)
    • Reads the computer name

      • 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 5280)
      • 5405114544.exe (PID: 896)
      • install.exe (PID: 2236)
    • The sample compiled with english language support

      • 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 5280)
      • 5405114544.exe (PID: 896)
    • Checks supported languages

      • 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 5280)
      • 5405114544.exe (PID: 896)
      • install.exe (PID: 2236)
    • Failed to create an executable file in Windows directory

      • 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe (PID: 5280)
    • Reads the machine GUID from the registry

      • 5405114544.exe (PID: 896)
    • The sample compiled with korean language support

      • 5405114544.exe (PID: 896)
    • The sample compiled with japanese language support

      • 5405114544.exe (PID: 896)
    • The sample compiled with spanish language support

      • 5405114544.exe (PID: 896)
    • The sample compiled with french language support

      • 5405114544.exe (PID: 896)
    • The sample compiled with german language support

      • 5405114544.exe (PID: 896)
    • Create files in a temporary directory

      • install.exe (PID: 2236)
    • The sample compiled with Italian language support

      • 5405114544.exe (PID: 896)
    • The sample compiled with chinese language support

      • 5405114544.exe (PID: 896)
    • Reads the software policy settings

      • slui.exe (PID: 3900)
    • Checks proxy server information

      • slui.exe (PID: 3900)
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (55.2)
.exe | Win32 Executable Borland Delphi 5 (37.5)
.exe | InstallShield setup (3.5)
.exe | Win32 Executable Delphi generic (1.1)
.scr | Windows screen saver (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 46080
InitializedDataSize: 7680
UninitializedDataSize: -
EntryPoint: 0xc254
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 130
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 2

Process information

PID: 896
CMD: "C:\Users\admin\Desktop\5405114544.exe"
Path: C:\Users\admin\Desktop\5405114544.exe
Parent process: 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2008 Redistributable Setup
Version: 9.0.21022.08
Loaded modules:
c:\users\admin\desktop\5405114544.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 2236
CMD: c:\135972f1e0ca112febe33d2b\.\install.exe
Path: C:\135972f1e0ca112febe33d2b\install.exe
Parent process: 5405114544.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: External Installer
Version: 9.0.21022.8 built by: RTM
Loaded modules:
c:\135972f1e0ca112febe33d2b\install.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID: 2392
CMD: "C:\Users\admin\Desktop\5405114544.exe"
Path: C:\Users\admin\Desktop\5405114544.exe
Parent process: 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Visual C++ 2008 Redistributable Setup
Exit code: 3221226540
Version: 9.0.21022.08
Loaded modules:
c:\users\admin\desktop\5405114544.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 3900
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules:
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 5280
CMD: "C:\Users\admin\Desktop\2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe"
Path: C:\Users\admin\Desktop\2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Loaded modules:
c:\users\admin\desktop\2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

Total events: 4 044
Read events: 4 044
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 14
Suspicious files: 17
Text files: 11
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5280 | 2025-05-16_da2896c05fb960befb69002445e5df54_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_remcos_smoke-loader.exe | C:\Users\admin\Desktop\5405114544.exe | executable
MD5:A31DC1A74F1DEE5CAF63AEC8EBB5FE20
SHA256:BAAAEDDC17BCDA8D20C0A82A9EB1247BE06B509A820D65DDA1342F4010BDB4A0
896 | 5405114544.exe | C:\135972f1e0ca112febe33d2b\install.res.1031.dll | executable
MD5:7D9EBB7DCA62BA75361346CAF4EC196B
SHA256:0AB18D157DC3658438BDBC097565BBDCD2F31447193F864EE327E084D7CBA382
896 | 5405114544.exe | C:\135972f1e0ca112febe33d2b\install.res.1041.dll | executable
MD5:A3946D3C9ED130AF89D1C1A9E63DEAA6
SHA256:AEEC0DFF47BB952F63212655525B598B66B1B17E06B93150389F264BBE2C3235
896 | 5405114544.exe | C:\135972f1e0ca112febe33d2b\install.res.1033.dll | executable
MD5:43FB29E3A676D26FCBF0352207991523
SHA256:4107F4813BC41ED6A6586D1BA01A5C3703ED60C2DF060CBA6791F449F3689DE7
896 | 5405114544.exe | C:\135972f1e0ca112febe33d2b\install.res.1040.dll | executable
MD5:03576876C7E9A5B44EB7916492B5B0F6
SHA256:69F3965FB955E076424CFAA3C5CB5E5414FAA27A9864949CAC531A08BC91000F
896 | 5405114544.exe | C:\135972f1e0ca112febe33d2b\install.res.1036.dll | executable
MD5:37C8A4717B40540816A3B92C470FD58F
SHA256:6BA48823DD30CD857280535F303D3AAD407654BE4B7C2A6CE8843D5CA940D74B
896 | 5405114544.exe | C:\135972f1e0ca112febe33d2b\install.res.1028.dll | executable
MD5:8F05FE39BDD336C8FA2A18EC3DFE418C
SHA256:29EEB7535005A69D7BC503D5A40FDB06E91DB90AEC04D95A39B7868B18AE274D
896 | 5405114544.exe | C:\135972f1e0ca112febe33d2b\eula.1042.txt | text
MD5:9147A93F43D8E58218EBCB15FDA888C9
SHA256:A75019AC38E0D3570633FA282F3D95D20763657F4A2FE851FAE52A3185D1EDED
896 | 5405114544.exe | C:\135972f1e0ca112febe33d2b\install.res.1042.dll | executable
MD5:A5CFFE01D83AFECCD9590B4D696AA44E
SHA256:85C532DE2266C5BA75D58E7F848F071082B802D5344A46E234CEE69A5704264F
896 | 5405114544.exe | C:\135972f1e0ca112febe33d2b\vc_red.msi | executable
MD5:D53737CEA320B066C099894ED1780705
SHA256:BE6288737EA9691F29A17202ECCBC0A2E3E1B1B4BACC090CEEE2436970AEC240

HTTP(S) requests: 9
TCP/UDP connections: 53
DNS requests: 16
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1096 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
1096 | SIHClient.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
1096 | SIHClient.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
1096 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
1096 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
1096 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
1096 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
4 | System | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.159.23:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
5496 | MoUsoCoreWorker.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
5496 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.104.136.2 | whitelisted
client.wns.windows.com | 172.211.123.249 | whitelisted
google.com | 142.250.185.206 | whitelisted
login.live.com | 20.190.159.23, 40.126.31.128, 20.190.159.131, 40.126.31.69, 40.126.31.3, 20.190.159.128, 40.126.31.0, 20.190.159.4 | whitelisted
uk.undernet.org | | unknown
crl.microsoft.com | 2.16.168.124, 2.16.168.114, 2.16.164.120, 2.16.164.49 | whitelisted
www.microsoft.com | 184.30.21.171, 2.23.246.101 | whitelisted
slscr.update.microsoft.com | 20.109.210.53 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.242.39.171 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats

No threats detected
No debug info