File name:	2025-05-19_abb429dc92ed40998eb339feae2199d7_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer
Full analysis:	https://app.any.run/tasks/e3f8d3fa-bd47-4410-8da6-0e4ac307842d
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions. Malware Trends Tracker >>>
Analysis date:	May 19, 2025, 04:21:14
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	sality sainbox rat
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	ABB429DC92ED40998EB339FEAE2199D7
SHA1:	842A71862629A5073C4A9E2D800AED0F6B976BDE
SHA256:	48934B392BB60B689BD3E998D3CB10E5ED39C5EF564CE038E8AF75F56E0C398E
SSDEEP:	98304:kX+7SjHU5frt1G46/YRtHUTiBd1kg1L/bNQvVi3LIFVNB6DU8Bak4tGDKhq4EzjM:hUkqX

.exe	\|	Win32 Executable (generic) (3.6)
.exe	\|	Generic Win/DOS Executable (1.6)
.exe	\|	DOS Executable Generic (1.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:02:17 09:46:57+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.16
CodeSize:	1867776
InitializedDataSize:	1985024
UninitializedDataSize:	-
EntryPoint:	0x17fc12
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	1.2223.1.522
ProductVersionNumber:	1.2223.1.522
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Chinese (Simplified)
CharacterSet:	Unicode
CompanyName:	TODO: <公司名>
FileDescription:	凡商云购 -- 收银端
FileVersion:	1.2223.1.522
InternalName:	fs_shop_.exe
LegalCopyright:	Copyright (C) 2022
OriginalFileName:	fs_shop_.exe
ProductName:	TODO: <产品名>
ProductVersion:	1.2223.1.522


(PID) Process:	(5124) 2025-05-19_abb429dc92ed40998eb339feae2199d7_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	GlobalUserOffline
Value: 0
(PID) Process:	(5124) 2025-05-19_abb429dc92ed40998eb339feae2199d7_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tvidl
Operation:	write	Name:	a1_0
Value:
(PID) Process:	(5124) 2025-05-19_abb429dc92ed40998eb339feae2199d7_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tvidl
Operation:	write	Name:	a2_0
Value: 5517
(PID) Process:	(5124) 2025-05-19_abb429dc92ed40998eb339feae2199d7_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tvidl
Operation:	write	Name:	a3_0
Value: 17001001
(PID) Process:	(5124) 2025-05-19_abb429dc92ed40998eb339feae2199d7_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tvidl
Operation:	write	Name:	a4_0
Value: 0
(PID) Process:	(5124) 2025-05-19_abb429dc92ed40998eb339feae2199d7_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tvidl
Operation:	write	Name:	a1_1
Value: 659249672
(PID) Process:	(5124) 2025-05-19_abb429dc92ed40998eb339feae2199d7_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tvidl
Operation:	write	Name:	a2_1
Value:
(PID) Process:	(5124) 2025-05-19_abb429dc92ed40998eb339feae2199d7_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tvidl
Operation:	write	Name:	a3_1
Value:
(PID) Process:	(5124) 2025-05-19_abb429dc92ed40998eb339feae2199d7_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tvidl
Operation:	write	Name:	a4_1
Value:
(PID) Process:	(5124) 2025-05-19_abb429dc92ed40998eb339feae2199d7_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tvidl\-227342143
Operation:	write	Name:	1768776801
Value: 10

PID	Process	Filename		Type
5124	2025-05-19_abb429dc92ed40998eb339feae2199d7_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe	C:\Users\admin\Desktop\fslog\shop_bar_20250519_0.log		text
		MD5:293554C1A0F2D941FEA224398B57C116	SHA256:BEA08F730A4FD595E40A6C64FE035C9FA58E4844A2EFC9C04A0E2D9A1B70F9EB
5124	2025-05-19_abb429dc92ed40998eb339feae2199d7_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe	C:\Users\admin\AppData\Local\Temp\winwpdw.exe		executable
		MD5:B360FA63134A63F9ACFE046D2DFE10D9	SHA256:03E0C6C4CA8A24F961477887763397045E67862E059F7494014AEFC21891D40E
5124	2025-05-19_abb429dc92ed40998eb339feae2199d7_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe	C:\Users\admin\Desktop\db\cache.db-journal		binary
		MD5:957C376751CBFFB38419977CF2838E6A	SHA256:38D824C0677EE53CBDCD9AF52C8E47416114A56E99CDE64029A24BEF5586AFD1
5124	2025-05-19_abb429dc92ed40998eb339feae2199d7_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe	C:\Users\admin\Desktop\db\cache.db		binary
		MD5:7A29D2F2D6B96711378FAE3C7D8770B3	SHA256:01D43C93E8F2FEBB2985A5ABA5581252EFD180B771DF04B43B13B25A20EB1B2F

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6476	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5164	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	142.250.185.174	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

General Info

2025-05-19_abb429dc92ed40998eb339feae2199d7_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer

ABB429DC92ED40998EB339FEAE2199D7

842A71862629A5073C4A9E2D800AED0F6B976BDE

48934B392BB60B689BD3E998D3CB10E5ED39C5EF564CE038E8AF75F56E0C398E

98304:kX+7SjHU5frt1G46/YRtHUTiBd1kg1L/bNQvVi3LIFVNB6DU8Bak4tGDKhq4EzjM:hUkqX

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SALITY mutex has been found

SAINBOX has been detected

SALITY has been detected

SUSPICIOUS

Executable content was dropped or overwritten

INFO

The sample compiled with chinese language support

Checks supported languages

Reads the computer name

Create files in a temporary directory

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings