File name:

2025-04-29_ea016c182dce82916925d9a0d0d74d50_black-basta_elex_luca-stealer

Full analysis: https://app.any.run/tasks/d625eb0f-6f88-47f9-b42e-58dc8e9f2186
Verdict: Malicious activity
Analysis date: April 29, 2025, 02:05:22
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
tofsee
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

EA016C182DCE82916925D9A0D0D74D50

SHA1:

431B783F79772692F6050A468E99B9B5D2E93709

SHA256:

4BB71FF3FF0DF1298EB5037BF323BA9BB9D530B7ACA0A709C954A32F16E45911

SSDEEP:

12288:+c9yUyEc5YK+dqHOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOn:qv5YKKq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • 2025-04-29_ea016c182dce82916925d9a0d0d74d50_black-basta_elex_luca-stealer.exe (PID: 2088)

    • TOFSEE has been detected (YARA)

      • svchost.exe (PID: 2108)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-04-29_ea016c182dce82916925d9a0d0d74d50_black-basta_elex_luca-stealer.exe (PID: 2088)

    • Executable content was dropped or overwritten

      • 2025-04-29_ea016c182dce82916925d9a0d0d74d50_black-basta_elex_luca-stealer.exe (PID: 2088)

    • Executes application which crashes

      • 2025-04-29_ea016c182dce82916925d9a0d0d74d50_black-basta_elex_luca-stealer.exe (PID: 2088)
      • tyidxjgi.exe (PID: 5056)
      • tyidxjgi.exe (PID: 2616)

    • Detected use of alternative data streams (AltDS)

      • svchost.exe (PID: 5512)
      • svchost.exe (PID: 2108)

    • Connects to SMTP port

      • svchost.exe (PID: 5512)
      • svchost.exe (PID: 2108)

  • INFO

    • Checks supported languages

      • 2025-04-29_ea016c182dce82916925d9a0d0d74d50_black-basta_elex_luca-stealer.exe (PID: 2088)
      • tyidxjgi.exe (PID: 5056)
      • tyidxjgi.exe (PID: 2616)

    • Process checks computer location settings

      • 2025-04-29_ea016c182dce82916925d9a0d0d74d50_black-basta_elex_luca-stealer.exe (PID: 2088)

    • Auto-launch of the file from Registry key

      • 2025-04-29_ea016c182dce82916925d9a0d0d74d50_black-basta_elex_luca-stealer.exe (PID: 2088)

    • Create files in a temporary directory

      • 2025-04-29_ea016c182dce82916925d9a0d0d74d50_black-basta_elex_luca-stealer.exe (PID: 2088)

    • Reads the computer name

      • 2025-04-29_ea016c182dce82916925d9a0d0d74d50_black-basta_elex_luca-stealer.exe (PID: 2088)
      • tyidxjgi.exe (PID: 5056)
      • tyidxjgi.exe (PID: 2616)

    • Reads the software policy settings

      • slui.exe (PID: 1600)

    • Checks proxy server information

      • slui.exe (PID: 1600)

    • Manual execution by a user

      • tyidxjgi.exe (PID: 2616)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:09:08 17:26:54+00:00
ImageFileCharacteristics: Executable, Aggressive working-set trim, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 68096
InitializedDataSize: 249856
UninitializedDataSize: -
EntryPoint: 0x130b
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
140
Monitored processes
11
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start 2025-04-29_ea016c182dce82916925d9a0d0d74d50_black-basta_elex_luca-stealer.exe wusa.exe no specs wusa.exe tyidxjgi.exe svchost.exe werfault.exe no specs werfault.exe no specs tyidxjgi.exe #TOFSEE svchost.exe werfault.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1600C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1764C:\WINDOWS\SysWOW64\WerFault.exe -u -p 2088 -s 880C:\Windows\SysWOW64\WerFault.exe2025-04-29_ea016c182dce82916925d9a0d0d74d50_black-basta_elex_luca-stealer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
2088"C:\Users\admin\Desktop\2025-04-29_ea016c182dce82916925d9a0d0d74d50_black-basta_elex_luca-stealer.exe" C:\Users\admin\Desktop\2025-04-29_ea016c182dce82916925d9a0d0d74d50_black-basta_elex_luca-stealer.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\desktop\2025-04-29_ea016c182dce82916925d9a0d0d74d50_black-basta_elex_luca-stealer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
2108svchost.exeC:\Windows\SysWOW64\svchost.exe
tyidxjgi.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
2616"C:\Users\admin\tyidxjgi.exe"C:\Users\admin\tyidxjgi.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\tyidxjgi.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
3900C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5056 -s 556C:\Windows\SysWOW64\WerFault.exetyidxjgi.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
4164C:\WINDOWS\SysWOW64\WerFault.exe -u -p 2616 -s 556C:\Windows\SysWOW64\WerFault.exetyidxjgi.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
4628"C:\WINDOWS\SysWOW64\wusa.exe" C:\Windows\SysWOW64\wusa.exe
2025-04-29_ea016c182dce82916925d9a0d0d74d50_black-basta_elex_luca-stealer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Update Standalone Installer
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
4724"C:\Windows\System32\wusa.exe" C:\Windows\SysWOW64\wusa.exe2025-04-29_ea016c182dce82916925d9a0d0d74d50_black-basta_elex_luca-stealer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Update Standalone Installer
Exit code:
3221226540
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
5056"C:\Users\admin\tyidxjgi.exe" /d"C:\Users\admin\Desktop\2025-04-29_ea016c182dce82916925d9a0d0d74d50_black-basta_elex_luca-stealer.exe" /e550302100000007FC:\Users\admin\tyidxjgi.exe
2025-04-29_ea016c182dce82916925d9a0d0d74d50_black-basta_elex_luca-stealer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\tyidxjgi.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
5 319
Read events
5 316
Write events
2
Delete events
1

Modification events

(PID) Process:(2088) 2025-04-29_ea016c182dce82916925d9a0d0d74d50_black-basta_elex_luca-stealer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:yzihxjbs
Value:
"C:\Users\admin\tyidxjgi.exe"
(PID) Process:(5512) svchost.exeKey:HKEY_CURRENT_USER\Control Panel\Buses
Operation:writeName:Config0
Value:
008D083F74D91E3D24EDB47D450DD49D084297DCE82E72BAA4C2638A38D0DD1DD2AB64B64ECD945D24EDB47D470DD49D024195DAF71261ADC06D04FDA6E22673BBC9154961CDA56B15D4824B7534E7AB644490BDBC7C22EC915905CCF18D3C74BBC4103D37FAA46F1CDB8145710DB8F2054991CFDB2470DD976D
(PID) Process:(5512) svchost.exeKey:HKEY_CURRENT_USER\Control Panel\Buses
Operation:delete valueName:Config1
Value:
Executable files
2
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
20882025-04-29_ea016c182dce82916925d9a0d0d74d50_black-basta_elex_luca-stealer.exeC:\Users\admin\AppData\Local\Temp\twcwlwhn.exeexecutable
MD5:CAAA2C3EC0D10837561E247D1883344D
SHA256:F350B8796FA557F36FA5B1BDD355A992FF26ED6C0E4279E154607236755E6313
20882025-04-29_ea016c182dce82916925d9a0d0d74d50_black-basta_elex_luca-stealer.exeC:\Users\admin\tyidxjgi.exeexecutable
MD5:CC37DC186B537D4817CE4E3DB6E90A4D
SHA256:C61F75FED5D9925339688684586542F8F429C8719040EC9767B5FAB8422A2B0B
5512svchost.exeC:\Users\admin:.reposbinary
MD5:71628D114BC4852A3A7328E4E952B4AF
SHA256:B501361BAFB2E7112404ED305ABFF192356483AFDA9F1F5EB740AE7F21DE1667
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
32
TCP/UDP connections
59
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
20.109.210.53:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
200
20.109.210.53:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
200
20.3.187.198:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
1280
SIHClient.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1280
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
1280
SIHClient.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
1280
SIHClient.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
1280
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1280
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
1280
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
5512
svchost.exe
13.107.246.59:80
microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5512
svchost.exe
52.101.42.13:25
microsoft-com.mail.protection.outlook.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2108
svchost.exe
13.107.246.59:80
microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2108
svchost.exe
52.101.42.13:25
microsoft-com.mail.protection.outlook.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2108
svchost.exe
43.231.4.7:443
Gigabit Hosting Sdn Bhd
MY
unknown
1280
SIHClient.exe
20.109.210.53:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.142
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
microsoft.com
  • 13.107.246.59
whitelisted
microsoft-com.mail.protection.outlook.com
  • 52.101.42.13
  • 52.101.41.24
  • 52.101.10.16
  • 52.101.40.4
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-04-29_ea016c182dce82916925d9a0d0d74d50_black-basta_elex_luca-stealer