File name: 2025-05-15_faaa2f1fe8a1bb860fb6c72f33ef0ee3_akira_black-basta_coinminer

Full analysis: https://app.any.run/tasks/da4d41de-dd01-4017-b8eb-9b661183f099
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: May 15, 2025, 10:45:00
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: aurotun, stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5: FAAA2F1FE8A1BB860FB6C72F33EF0EE3
SHA1: 85DECB3F6F93A631982940C6265548AFEC691F3A
SHA256: 5B2D96735DAA80D946519CD5532A4968BADE1DD69DB7632FDBFE0D67BB36CE28
SSDEEP: 98304:ke21AZuuVMY1RdyE79xiO0E+Mm9cFv1LmaJv+v7nGnBzXCPbaOJFrnEH/z/sMLKE:CsuSboY0K6WbhY1fBK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • AUROTUN has been detected (YARA)

      • 2025-05-15_faaa2f1fe8a1bb860fb6c72f33ef0ee3_akira_black-basta_coinminer.exe (PID: 3956)
    • Executing a file with an untrusted certificate

      • 2025-05-15_faaa2f1fe8a1bb860fb6c72f33ef0ee3_akira_black-basta_coinminer.exe (PID: 3956)
  • SUSPICIOUS

    • Connects to unusual port

      • 2025-05-15_faaa2f1fe8a1bb860fb6c72f33ef0ee3_akira_black-basta_coinminer.exe (PID: 3956)
  • INFO

    • Process checks computer location settings

      • 2025-05-15_faaa2f1fe8a1bb860fb6c72f33ef0ee3_akira_black-basta_coinminer.exe (PID: 3956)
    • The sample is compiled with English language support

      • 2025-05-15_faaa2f1fe8a1bb860fb6c72f33ef0ee3_akira_black-basta_coinminer.exe (PID: 3956)
    • Reads the computer name

      • 2025-05-15_faaa2f1fe8a1bb860fb6c72f33ef0ee3_akira_black-basta_coinminer.exe (PID: 3956)
    • Checks supported languages

      • 2025-05-15_faaa2f1fe8a1bb860fb6c72f33ef0ee3_akira_black-basta_coinminer.exe (PID: 3956)
    • Checks proxy server information

      • slui.exe (PID: 3676)
    • Reads the software policy settings

      • slui.exe (PID: 3676)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:08 18:37:48+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 8903680
InitializedDataSize: 3498496
UninitializedDataSize: -
EntryPoint: 0x7ec74c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 5.4.1.10
ProductVersionNumber: 5.4.1.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Dell Inc.
FileDescription: Dell Update Package: Intel Integrated Sensor Solution Driver, 3.11.100.7735, A03
FileVersion: 005.004.001.000
InternalName: DUPFramework.exe
LegalCopyright: Copyright (C) 2009 - 2025 Dell Inc.or its subsidiaries. All rights reserved.
OriginalFileName: DUPFramework.exe
ProductName: Intel Integrated Sensor Solution Driver, 3.11.100.7735, A03
ProductVersion: 3.11.100.7735
No data.
All screenshots are available in the full report
Total processes: 123
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #AUROTUN 2025-05-15_faaa2f1fe8a1bb860fb6c72f33ef0ee3_akira_black-basta_coinminer.exe slui.exe

Process information

PID: 3676
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3956
CMD: "C:\Users\admin\Desktop\2025-05-15_faaa2f1fe8a1bb860fb6c72f33ef0ee3_akira_black-basta_coinminer.exe"
Path: C:\Users\admin\Desktop\2025-05-15_faaa2f1fe8a1bb860fb6c72f33ef0ee3_akira_black-basta_coinminer.exe
Parent process: explorer.exe
User: admin
Company: Dell Inc.
Integrity Level: MEDIUM
Description: Dell Update Package: Intel Integrated Sensor Solution Driver, 3.11.100.7735, A03
Version: 005.004.001.000
Modules
Images
c:\users\admin\desktop\2025-05-15_faaa2f1fe8a1bb860fb6c72f33ef0ee3_akira_black-basta_coinminer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
Total events: 3 533
Read events: 3 533
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 44
DNS requests: 14
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
3784 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
3784 | SIHClient.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
3784 | SIHClient.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
3784 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
3784 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
3784 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
3784 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3956 | 2025-05-15_faaa2f1fe8a1bb860fb6c72f33ef0ee3_akira_black-basta_coinminer.exe | 62.60.226.177:40102 | - | Iranian Research Organization for Science & Technology | HK | unknown
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1452 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
3784 | SIHClient.exe | 4.245.163.56:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 51.104.136.2 | whitelisted
google.com | 172.217.16.206 | whitelisted
crl.microsoft.com | 23.48.23.156, 23.48.23.143, 2.16.168.124, 2.16.168.114 | whitelisted
www.microsoft.com | 184.30.21.171, 2.23.246.101 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
client.wns.windows.com | 172.211.123.250 | whitelisted
slscr.update.microsoft.com | 4.245.163.56 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.242.39.171 | whitelisted
login.live.com | 40.126.31.0, 40.126.31.129, 20.190.159.4, 40.126.31.67, 20.190.159.75, 40.126.31.2, 20.190.159.64, 40.126.31.3 | whitelisted

Threats

No threats detected
No debug info