File name:

2025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer

Full analysis: https://app.any.run/tasks/3f4c4664-e8e9-4a1e-b7c2-e533c4849208
Verdict: Malicious activity
Threats:

HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.

Malware Trends Tracker     >>>
Analysis date: May 16, 2025, 16:31:19
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-startup
hijackloader
loader
amsi-bypass
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:

DCC9A4B03E126F3205E8596D4F93B4F3

SHA1:

A4FC99BD5DAFAFB8CDA5DA51D1694E2409C209DD

SHA256:

486E05B780FAD9B2281A1923F8653E0C725D2FC304894CD6E9DD5BF3ECCD705F

SSDEEP:

98304:G/9ADTpciOSTmWh5s78aXq7ltAIGYdnIEGrpfcaqJRQ5GU/KqXCJjQKL7sPG4mXT:5d5QnoCbk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • XPFix.exe (PID: 2108)
      • VectorMix32.exe (PID: 6964)

    • HIJACKLOADER has been detected (YARA)

      • LabFusion.exe (PID: 5216)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exe (PID: 5304)
      • 2025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exe (PID: 6112)
      • LabFusion.exe (PID: 6244)
      • LabFusion.exe (PID: 5216)

    • Process drops legitimate windows executable

      • 2025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exe (PID: 6112)
      • LabFusion.exe (PID: 6244)

    • Starts itself from another location

      • 2025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exe (PID: 5304)
      • LabFusion.exe (PID: 6244)

    • The process drops C-runtime libraries

      • 2025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exe (PID: 6112)
      • LabFusion.exe (PID: 6244)

    • There is functionality for taking screenshot (YARA)

      • 2025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exe (PID: 6112)
      • LabFusion.exe (PID: 5216)

    • Possibly patching Antimalware Scan Interface function (YARA)

      • VectorMix32.exe (PID: 6964)

    • Connects to unusual port

      • VectorMix32.exe (PID: 6964)

  • INFO

    • The sample compiled with english language support

      • 2025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exe (PID: 5304)
      • 2025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exe (PID: 6112)
      • LabFusion.exe (PID: 6244)
      • LabFusion.exe (PID: 5216)

    • Create files in a temporary directory

      • 2025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exe (PID: 5304)
      • 2025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exe (PID: 6112)
      • LabFusion.exe (PID: 5216)
      • XPFix.exe (PID: 2108)

    • Checks supported languages

      • 2025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exe (PID: 6112)
      • 2025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exe (PID: 5304)
      • LabFusion.exe (PID: 6244)
      • LabFusion.exe (PID: 5216)
      • VectorMix32.exe (PID: 6964)
      • XPFix.exe (PID: 2108)

    • Reads the computer name

      • LabFusion.exe (PID: 6244)
      • VectorMix32.exe (PID: 6964)
      • XPFix.exe (PID: 2108)
      • LabFusion.exe (PID: 5216)

    • Creates files in the program directory

      • LabFusion.exe (PID: 6244)

    • Creates files or folders in the user directory

      • LabFusion.exe (PID: 5216)

    • The sample compiled with chinese language support

      • LabFusion.exe (PID: 5216)

    • Reads the software policy settings

      • slui.exe (PID: 2908)

    • Reads the machine GUID from the registry

      • VectorMix32.exe (PID: 6964)

    • Checks proxy server information

      • slui.exe (PID: 2908)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:04:05 13:00:43+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.34
CodeSize: 442880
InitializedDataSize: 237568
UninitializedDataSize: -
EntryPoint: 0x46a50
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 3.6.1.0
ProductVersionNumber: 3.6.1.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: ASCII
CompanyName: Reclaim
FileDescription: Flagship
FileVersion: 3.6.1.0
InternalName: burn
OriginalFileName: humour.exe
ProductName: Flagship
ProductVersion: 3.6.1.0
LegalCopyright: Copyright (c) Reclaim. All rights reserved.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
128
Monitored processes
8
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start 2025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exe 2025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exe labfusion.exe #HIJACKLOADER labfusion.exe vectormix32.exe xpfix.exe no specs svchost.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2108"C:\Users\admin\AppData\Roaming\writerdebug\XPFix.exe" "C:\Users\admin\AppData\Roaming\writerdebug\XPFix.exe" /updateC:\Users\admin\AppData\Roaming\writerdebug\XPFix.exeLabFusion.exe
User:
admin
Company:
360.cn
Integrity Level:
MEDIUM
Description:
360安全卫士 安全防护中心模块
Exit code:
0
Version:
1, 0, 0, 1013
Modules
Images
c:\windows\syswow64\input.dll
c:\users\admin\appdata\roaming\writerdebug\xpfix.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2908C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5216C:\ProgramData\writerdebug\LabFusion.exeC:\ProgramData\writerdebug\LabFusion.exe
LabFusion.exe
User:
admin
Company:
AnyMP4
Integrity Level:
MEDIUM
Description:
AnyMP4 Blu-ray Player
Exit code:
0
Version:
6.5.68.144795
Modules
Images
c:\programdata\writerdebug\labfusion.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
5304"C:\Users\admin\Desktop\2025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exe" C:\Users\admin\Desktop\2025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exe
explorer.exe
User:
admin
Company:
Reclaim
Integrity Level:
MEDIUM
Description:
Flagship
Exit code:
0
Version:
3.6.1.0
Modules
Images
c:\users\admin\desktop\2025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6112"C:\Users\admin\AppData\Local\Temp\{CF19BBD2-CFA6-4D15-A08F-EBAC6032B147}\.cr\2025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exe" -burn.clean.room="C:\Users\admin\Desktop\2025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exe" -burn.filehandle.attached=692 -burn.filehandle.self=676C:\Users\admin\AppData\Local\Temp\{CF19BBD2-CFA6-4D15-A08F-EBAC6032B147}\.cr\2025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exe
2025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exe
User:
admin
Company:
Reclaim
Integrity Level:
MEDIUM
Description:
Flagship
Exit code:
0
Version:
3.6.1.0
Modules
Images
c:\users\admin\appdata\local\temp\{cf19bbd2-cfa6-4d15-a08f-ebac6032b147}\.cr\2025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6244C:\Users\admin\AppData\Local\Temp\{87198C4F-DA81-4637-A4C7-7F76A79AA25C}\.ba\LabFusion.exeC:\Users\admin\AppData\Local\Temp\{87198C4F-DA81-4637-A4C7-7F76A79AA25C}\.ba\LabFusion.exe
2025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exe
User:
admin
Company:
AnyMP4
Integrity Level:
MEDIUM
Description:
AnyMP4 Blu-ray Player
Exit code:
0
Version:
6.5.68.144795
Modules
Images
c:\users\admin\appdata\local\temp\{87198c4f-da81-4637-a4c7-7f76a79aa25c}\.ba\labfusion.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
6964C:\Users\admin\VectorMix32.exeC:\Users\admin\VectorMix32.exe
LabFusion.exe
User:
admin
Company:
Flexera Software LLC
Integrity Level:
MEDIUM
Description:
ISAppxStub
Version:
23.0.195.0
Modules
Images
c:\users\admin\appdata\local\temp\ed1e419.tmp
c:\users\admin\vectormix32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events
4 167
Read events
4 167
Write events
0
Delete events
0

Modification events

No data
Executable files
16
Suspicious files
8
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
53042025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exeC:\Users\admin\AppData\Local\Temp\{CF19BBD2-CFA6-4D15-A08F-EBAC6032B147}\.cr\2025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exeexecutable
MD5:2F545CC6BB61542C1A25608A5B7E53A6
SHA256:BFF7030495139A59018E88811DE6EF81582A4D6475C0997F21F13BAFCBCC8A29
61122025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exeC:\Users\admin\AppData\Local\Temp\{87198C4F-DA81-4637-A4C7-7F76A79AA25C}\.ba\msvcp120.dllexecutable
MD5:EDEF53778EAAFE476EE523BE5C2AB67F
SHA256:92FAEDD18A29E1BD2DD27A1D805EA5AA3E73B954A625AF45A74F49D49506D20F
61122025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exeC:\Users\admin\AppData\Local\Temp\{87198C4F-DA81-4637-A4C7-7F76A79AA25C}\.ba\LabFusion.exeexecutable
MD5:EF65CFADFC4B4914A11ACDD61714C6EB
SHA256:8470C56B9B9417E722AD3F0A587CB0317CE79A03180DF6FCED8207C2F69D9201
61122025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exeC:\Users\admin\AppData\Local\Temp\{87198C4F-DA81-4637-A4C7-7F76A79AA25C}\.ba\msvcr120.dllexecutable
MD5:AEB29CCC27E16C4FD223A00189B44524
SHA256:D28C7AB34842B6149609BD4E6B566DDAB8B891F0D5062480A253EF20A6A2CAAA
61122025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exeC:\Users\admin\AppData\Local\Temp\{87198C4F-DA81-4637-A4C7-7F76A79AA25C}\.ba\Qt5Gui.dllexecutable
MD5:72AC63E9E9F015D6471DDE58297A4FC6
SHA256:6B8A49B6B37D69213762C8F2C8A9970014364F4055F08A850D27C0343FBE00DE
5216LabFusion.exeC:\Users\admin\AppData\Local\Temp\ED1E419.tmp
MD5:
SHA256:
61122025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exeC:\Users\admin\AppData\Local\Temp\{87198C4F-DA81-4637-A4C7-7F76A79AA25C}\.ba\Qt5Core.dllexecutable
MD5:B03D12CDE3CECC10FA32D74E5B487F5C
SHA256:58222718A1B04AF9F3578713C190EBA513DA81C37FFF9615E2C43228427206E2
61122025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exeC:\Users\admin\AppData\Local\Temp\{87198C4F-DA81-4637-A4C7-7F76A79AA25C}\.ba\Vaertcleaflien.ulpnbinary
MD5:5B909CD9919FDD617E906D1315D5544D
SHA256:3645204FD5BEECDD3D82E29075BF7CC1C5E3A72BB9899421266A8828A6E3583B
61122025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exeC:\Users\admin\AppData\Local\Temp\{87198C4F-DA81-4637-A4C7-7F76A79AA25C}\.ba\Qt5Widgets.dllexecutable
MD5:2BD07ACEF2FFD5AD8388B714D4F81995
SHA256:250C3717663E4AB3CE50E4A53BC532BF0C0850D2917773DD7E482E733081A1A1
61122025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer.exeC:\Users\admin\AppData\Local\Temp\{87198C4F-DA81-4637-A4C7-7F76A79AA25C}\.ba\BootstrapperApplicationData.xmlxml
MD5:311BCFCF57783A6300AA958D678FA505
SHA256:F2B2BEA866DAB4430E55C2884217DD2EA1926575B454F79EDB7DA228B3D8D381
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
48
DNS requests
7
Threats
3

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
3812
svchost.exe
239.255.255.250:1900
whitelisted
6964
VectorMix32.exe
176.65.141.141:8849
lindo1.dynuddns.com
DE
malicious
1616
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2908
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 172.217.18.110
whitelisted
lindo1.dynuddns.com
  • 176.65.141.141
malicious
delamanodedios7.dynuddns.com
  • 176.65.141.141
unknown
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.dynuddns .com Domain
6964
VectorMix32.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 31
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.dynuddns .com Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-16_dcc9a4b03e126f3205e8596d4f93b4f3_amadey_black-basta_elex_luca-stealer