File name:

2025-05-18_5226e62c464609ac4dbf627d591aa146_black-basta_elex_gcleaner_hijackloader_remcos

Full analysis: https://app.any.run/tasks/81a812bc-8f4e-4f79-adec-c452e3cfc64c
Verdict: Malicious activity
Analysis date: May 18, 2025, 19:09:01
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
canbis
worm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

5226E62C464609AC4DBF627D591AA146

SHA1:

606807303B1ED31DA8F929009937FF6671AF773C

SHA256:

6308BBAB40CAFDDFB834535143A3921BC952677E633A205267907731F6F7125E

SSDEEP:

98304:zSYpVEm5sn6gNEkdfaTgmHihuRB3FKMvXj07kkFGZur7yv5FkGSthza1U7SZRYyy:5MGWZr4vEZGsuO/UffnApGk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • CANBIS mutex has been found

      • 2025-05-18_5226e62c464609ac4dbf627d591aa146_black-basta_elex_gcleaner_hijackloader_remcos.exe (PID: 7588)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • 2025-05-18_5226e62c464609ac4dbf627d591aa146_black-basta_elex_gcleaner_hijackloader_remcos.exe (PID: 7588)

    • Executable content was dropped or overwritten

      • 2025-05-18_5226e62c464609ac4dbf627d591aa146_black-basta_elex_gcleaner_hijackloader_remcos.exe (PID: 7588)

    • Starts a Microsoft application from unusual location

      • 3150903691.exe (PID: 7636)

    • Reads security settings of Internet Explorer

      • 2025-05-18_5226e62c464609ac4dbf627d591aa146_black-basta_elex_gcleaner_hijackloader_remcos.exe (PID: 7588)

    • There is functionality for communication over UDP network (YARA)

      • 2025-05-18_5226e62c464609ac4dbf627d591aa146_black-basta_elex_gcleaner_hijackloader_remcos.exe (PID: 7588)

  • INFO

    • Failed to create an executable file in Windows directory

      • 2025-05-18_5226e62c464609ac4dbf627d591aa146_black-basta_elex_gcleaner_hijackloader_remcos.exe (PID: 7588)

    • Reads the computer name

      • 2025-05-18_5226e62c464609ac4dbf627d591aa146_black-basta_elex_gcleaner_hijackloader_remcos.exe (PID: 7588)
      • 3150903691.exe (PID: 7636)

    • Process checks computer location settings

      • 2025-05-18_5226e62c464609ac4dbf627d591aa146_black-basta_elex_gcleaner_hijackloader_remcos.exe (PID: 7588)

    • Checks supported languages

      • 2025-05-18_5226e62c464609ac4dbf627d591aa146_black-basta_elex_gcleaner_hijackloader_remcos.exe (PID: 7588)
      • 3150903691.exe (PID: 7636)

    • Reads the machine GUID from the registry

      • 3150903691.exe (PID: 7636)

    • Checks proxy server information

      • slui.exe (PID: 8168)

    • Reads the software policy settings

      • slui.exe (PID: 8168)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (55.2)
.exe | Win32 Executable Borland Delphi 5 (37.5)
.exe | InstallShield setup (3.5)
.exe | Win32 Executable Delphi generic (1.1)
.scr | Windows screen saver (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 46080
InitializedDataSize: 7680
UninitializedDataSize: -
EntryPoint: 0xc254
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
126
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #CANBIS 2025-05-18_5226e62c464609ac4dbf627d591aa146_black-basta_elex_gcleaner_hijackloader_remcos.exe 3150903691.exe no specs conhost.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
7588"C:\Users\admin\Desktop\2025-05-18_5226e62c464609ac4dbf627d591aa146_black-basta_elex_gcleaner_hijackloader_remcos.exe" C:\Users\admin\Desktop\2025-05-18_5226e62c464609ac4dbf627d591aa146_black-basta_elex_gcleaner_hijackloader_remcos.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\2025-05-18_5226e62c464609ac4dbf627d591aa146_black-basta_elex_gcleaner_hijackloader_remcos.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7636"C:\Users\admin\Desktop\3150903691.exe" C:\Users\admin\Desktop\3150903691.exe2025-05-18_5226e62c464609ac4dbf627d591aa146_black-basta_elex_gcleaner_hijackloader_remcos.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
InspectorOfficeGadget
Exit code:
4294967292
Version:
16.0.12130.20258
Modules
Images
c:\users\admin\desktop\3150903691.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
7644\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe3150903691.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
8168C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
4 044
Read events
4 044
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
75882025-05-18_5226e62c464609ac4dbf627d591aa146_black-basta_elex_gcleaner_hijackloader_remcos.exeC:\Users\admin\Desktop\3150903691.exeexecutable
MD5:F68FD3A74ACBDB7CC588ED35F7C431ED
SHA256:887E650E3126B5517E64ACAD5F98DA4BEC2E68E4A6726083974A9BB819F0153A
75882025-05-18_5226e62c464609ac4dbf627d591aa146_black-basta_elex_gcleaner_hijackloader_remcos.exeC:\Users\admin\Desktop\3759204289.exeexecutable
MD5:5226E62C464609AC4DBF627D591AA146
SHA256:6308BBAB40CAFDDFB834535143A3921BC952677E633A205267907731F6F7125E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
42
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7980
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7980
SIHClient.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
7980
SIHClient.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
7980
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7980
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7980
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
7980
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.16.168.114:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7980
SIHClient.exe
52.149.20.212:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7980
SIHClient.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.23.246.101
whitelisted
uk.undernet.org
unknown
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.48
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-18_5226e62c464609ac4dbf627d591aa146_black-basta_elex_gcleaner_hijackloader_remcos