File name:	2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader
Full analysis:	https://app.any.run/tasks/8a897310-42ae-41ec-87cf-c4d497f01c5e
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	April 17, 2025, 15:31:54
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	loader upx
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	270CF9D6335FEB775A414485BA961044
SHA1:	4A199A745B94D389AA8A4B313CDBB4EC838ECB01
SHA256:	6A155007335E2C1DCE2CCF700DDE8863C176F326B67EC0D8F94ADD95FB59B06A
SSDEEP:	98304:EHqSvFOKo1WBvhfoXnGbrBZRE2w62CRUAi7+4zxZcPQE1G77TY0+sd31JaAZSQnJ:Eeygt

.exe	\|	Win64 Executable (generic) (17.3)
.dll	\|	Win32 Dynamic Link Library (generic) (4.1)
.exe	\|	Win32 Executable (generic) (2.8)
.exe	\|	Generic Win/DOS Executable (1.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:04:03 05:08:53+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.37
CodeSize:	102912
InitializedDataSize:	12450816
UninitializedDataSize:	-
EntryPoint:	0x37b9
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.2024.403.1408
ProductVersionNumber:	1.2024.403.1408
FileFlagsMask:	0x0037
FileFlags:	Special build
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Nexon
FileDescription:	Nexon Game Manager
FileVersion:	1, 2024, 0403, 1408
InternalName:	NGMSetup
LegalCopyright:	(C) NEXON All Rights Reserved.
OriginalFileName:	NGMSetup.exe
ProductName:	Nexon Game Manager
ProductVersion:	1, 2024, 0403, 1408
SpecialBuild:	[[__THIS_IS_A_POSITION_MARKER_FOR_BUILD_STRING__#gU&4TnBcS]]


(PID) Process:	(7776) 2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:	write	Name:	AntiVirusOverride
Value: 1
(PID) Process:	(7776) 2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:	write	Name:	AntiVirusDisableNotify
Value: 1
(PID) Process:	(7776) 2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:	write	Name:	FirewallDisableNotify
Value: 1
(PID) Process:	(7776) 2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:	write	Name:	FirewallOverride
Value: 1
(PID) Process:	(7776) 2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:	write	Name:	UpdatesDisableNotify
Value: 1
(PID) Process:	(7776) 2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:	write	Name:	UacDisableNotify
Value: 1
(PID) Process:	(7776) 2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	GlobalUserOffline
Value: 0
(PID) Process:	(7776) 2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:	write	Name:	EnableLUA
Value: 0
(PID) Process:	(7776) 2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Operation:	write	Name:	EnableFirewall
Value: 0
(PID) Process:	(7776) 2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Operation:	write	Name:	DoNotAllowExceptions
Value: 0

PID	Process	Filename		Type
7776	2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\NGMResource.dll		executable
		MD5:2794E8741ECB0615ADDB4AE8ACF5B2E9	SHA256:3D2F6FCA0A89A13A94F01102C011A7B61D9575AA5D679E6DBEE2835E61643198
7776	2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\NGMResourceInfo[1].json		binary
		MD5:9220CBA35700A624733EBAAE4594813A	SHA256:B12C6F8D8355B52B284FAE528ACDC5ED0B83F004EA5EB98B53495ED7699EAB3D
7776	2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\65538.dat		sps
		MD5:F34E62FC767BA48912BA9B1C20109BFB	SHA256:B09D0FCC280DEBEC19D7B1F56A0CE3361CC9A783FA5A70AE0260E38260E6E138
7776	2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	C:\ProgramData\Nexon\NGM\Config.cfg		sps
		MD5:C555EDBD3B59A8691B99A0DE9C6BA805	SHA256:4196E05CB982BC48DF761E0075253A28E331C8A083EA116C62C02C87674AD463
7776	2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\nl2g.tmp		ttf
		MD5:CD489671BC9867021268111589B65501	SHA256:389AD546769C0CB958B1C5C5C1D4B473867B433E0A6697B01907C7D7E1565C60
7776	2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\NGMResource.dll.gz		compressed
		MD5:0E23848FA6C006E4D806D5D81CF5204A	SHA256:C1F9C056676D584E89CB9AEABC80B55F243DCC9D7A4092E7F410A9CAC2BB14D7
7776	2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	C:\ProgramData\Nexon\NGM\65538.dat		sps
		MD5:F34E62FC767BA48912BA9B1C20109BFB	SHA256:B09D0FCC280DEBEC19D7B1F56A0CE3361CC9A783FA5A70AE0260E38260E6E138
7776	2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\NexonPlug[1].nfo		text
		MD5:B8A94F5C885804977DA95125AFE88911	SHA256:C8D543018223E672DB6169151FC7DB7D7727DAAF6C1D0DD51B90052552E3EB9E
7776	2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	C:\Windows\system.ini		binary
		MD5:154D0270A96F43AF4A2D12B02359293A	SHA256:895D0ED5DC33B563ADA06F60CEA498D3A9FA4EB1009F5D0B2DD06A94E092C688
7776	2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\NGMResource_en-US.dll[1].gz		compressed
		MD5:0E23848FA6C006E4D806D5D81CF5204A	SHA256:C1F9C056676D584E89CB9AEABC80B55F243DCC9D7A4092E7F410A9CAC2BB14D7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.53.42.43:443	https://platform.nexon.com/NGM/Json/NGMResourceInfo.json	unknown	—	—	—
7776	2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	GET	200	23.53.42.43:80	http://platform.nexon.com/NGM/Bin/NGMResource_en-US.dll.gz	unknown	—	—	whitelisted
7776	2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	GET	200	23.53.42.43:80	http://platform.nexon.com/NexonPlug/Install/InstallData/NexonPlug.nfo	unknown	—	—	whitelisted
7776	2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	GET	200	183.110.0.32:80	http://pfrpt.nexon.com/ifc/ngm.aspx?gc=65538&tp=1040	unknown	—	—	whitelisted
7776	2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	GET	200	183.110.0.32:80	http://pfrpt.nexon.com/ifc/ngmcore.aspx?type=countrycodesuccess&code=GB	unknown	—	—	whitelisted
7776	2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	GET	200	23.53.42.43:80	http://platform.nexon.com/NexonPlug/Install/InstallData/NexonPlug.nfo	unknown	—	—	whitelisted
7776	2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	GET	200	183.110.0.32:80	http://pfrpt.nexon.com/ifc/ngm.aspx?gc=65538&tp=1041	unknown	—	—	whitelisted
7776	2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	GET	200	183.110.0.32:80	http://pfrpt.nexon.com/ifc/ngm.aspx?gc=65538&tp=1042	unknown	—	—	whitelisted
—	—	GET	304	20.109.210.53:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
1052	SIHClient.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	unknown
—	—	40.126.31.130:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
6544	svchost.exe	40.126.31.130:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	unknown
7776	2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	23.53.42.43:443	platform.nexon.com	Akamai International B.V.	DE	unknown
7776	2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	23.53.42.43:80	platform.nexon.com	Akamai International B.V.	DE	unknown
7776	2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader.exe	13.248.160.194:443	ngmapi.nexon.com	AMAZON-02	US	unknown
2112	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158	whitelisted
google.com	142.250.185.142	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
login.live.com	40.126.31.130 20.190.159.129 20.190.159.73 20.190.159.64 40.126.31.69 40.126.31.71 20.190.159.0 20.190.159.23	whitelisted
platform.nexon.com	23.53.42.43 23.53.42.32	whitelisted
ngmapi.nexon.com	13.248.160.194 76.223.33.156	whitelisted
pfrpt.nexon.com	183.110.0.32 183.110.0.160	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted
crl.microsoft.com	2.16.241.12 2.16.241.19	whitelisted
www.microsoft.com	95.101.149.131	whitelisted

General Info

2025-04-17_270cf9d6335feb775a414485ba961044_amadey_black-basta_elex_hijackloader_luca-stealer_magniber_remcos_smoke-loader

270CF9D6335FEB775A414485BA961044

4A199A745B94D389AA8A4B313CDBB4EC838ECB01

6A155007335E2C1DCE2CCF700DDE8863C176F326B67EC0D8F94ADD95FB59B06A

98304:EHqSvFOKo1WBvhfoXnGbrBZRE2w62CRUAi7+4zxZcPQE1G77TY0+sd31JaAZSQnJ:Eeygt

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes Security Center notification settings

UAC/LUA settings modification

Changes firewall settings

Disables Windows firewall

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Process requests binary or script from the Internet

Creates a software uninstall entry

INFO

The sample compiled with english language support

Checks supported languages

Reads the computer name

Create files in a temporary directory

Creates files in the program directory

Reads the machine GUID from the registry

Checks proxy server information

Reads the software policy settings

Creates files or folders in the user directory

UPX packer has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings