File name:

2025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta

Full analysis: https://app.any.run/tasks/e6741df5-7dd0-42ec-ae06-4f337ff6e0b9
Verdict: Malicious activity
Analysis date: May 16, 2025, 17:37:57
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
neshta
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

876141D31B9F5415E8CC2FDE6B01A9D2

SHA1:

CE89B125C8FF3BB21B2A18CA7DFA7829C50738F0

SHA256:

741DE8CB46BE51324D08C62398262183BF251287E5FEFF8A0855C51BBF78620D

SSDEEP:

98304:xv3qMR10EwjGIvZ36joQeUFWXKduF488DkRHNXxFJGF7LdVKitrEh4oJzxLFQoZu:H

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • NESHTA mutex has been found

      • 2025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exe (PID: 2692)
      • FileCoAuth.exe (PID: 6184)

    • Executing a file with an untrusted certificate

      • FileCoAuth.exe (PID: 2152)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exe (PID: 2692)
      • FileCoAuth.exe (PID: 6184)

    • Reads security settings of Internet Explorer

      • 2025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exe (PID: 2692)
      • FileCoAuth.exe (PID: 6184)

    • Mutex name with non-standard characters

      • 2025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exe (PID: 2692)
      • FileCoAuth.exe (PID: 6184)

    • Executes application which crashes

      • 2025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exe (PID: 1228)

    • There is functionality for taking screenshot (YARA)

      • 2025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exe (PID: 2692)

    • Process drops legitimate windows executable

      • FileCoAuth.exe (PID: 6184)

    • Starts a Microsoft application from unusual location

      • FileCoAuth.exe (PID: 2152)

  • INFO

    • Reads the computer name

      • 2025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exe (PID: 2692)
      • FileCoAuth.exe (PID: 2152)

    • Create files in a temporary directory

      • 2025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exe (PID: 2692)
      • FileCoAuth.exe (PID: 2152)

    • Checks supported languages

      • 2025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exe (PID: 2692)
      • 2025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exe (PID: 1228)
      • FileCoAuth.exe (PID: 2152)

    • Process checks computer location settings

      • 2025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exe (PID: 2692)
      • FileCoAuth.exe (PID: 6184)

    • The sample compiled with english language support

      • FileCoAuth.exe (PID: 6184)

    • Reads the machine GUID from the registry

      • FileCoAuth.exe (PID: 2152)

    • Creates files or folders in the user directory

      • FileCoAuth.exe (PID: 2152)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 6 (85.5)
.exe | Win32 Executable Delphi generic (4.6)
.scr | Windows screen saver (4.2)
.dll | Win32 Dynamic Link Library (generic) (2.1)
.exe | Win32 Executable (generic) (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 29696
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x80e4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
130
Monitored processes
6
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start #NESHTA 2025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exe 2025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exe werfault.exe no specs filecoauth.exe no specs filecoauth.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1228"C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exe" C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exe
2025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe RdrCEF
Exit code:
3228369022
Version:
23.1.20174.0
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\2025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
2152"C:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exe" -EmbeddingC:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exeFileCoAuth.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDriveFile Co-Authoring Executable
Exit code:
0
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
2320C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2692"C:\Users\admin\Desktop\2025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exe" C:\Users\admin\Desktop\2025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
4868C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1228 -s 488C:\Windows\SysWOW64\WerFault.exe2025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
6184C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -EmbeddingC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exesvchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
Total events
5 626
Read events
5 626
Write events
0
Delete events
0

Modification events

No data
Executable files
9
Suspicious files
6
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
4868WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2025-05-16_87614_3567b757cc7adabd3c88b82f1c1c22e54ddd3dcb_2e32aecf_c34653ce-cf5f-460e-9748-91da9f704bac\Report.wer
MD5:
SHA256:
26922025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncConfig.exeexecutable
MD5:0C5EC1AE9A301408AF26032B445FBB08
SHA256:3A8010F1E4E028782093877D969EB127B80AE48B7215A8D3F91E8AB9C165AC7A
26922025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exeexecutable
MD5:13C2D5BF03C4A2B28E930F990CCC32DB
SHA256:12D24D0BC0E7CDC902E3540A3C6F7B755094F011A8EAD49A47A00563710B8F80
6184FileCoAuth.exeC:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exeexecutable
MD5:394DEEEF3E5FFE6C77A9CDA1832361BB
SHA256:37DCEC7509B0803F2BBA453845ED67FDBAA15771F8A60FC11F9082FD2A64BD23
4868WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERCA39.tmp.xmlxml
MD5:A827FB3E11C193006A28B2DDF496E399
SHA256:A3A09FDCB99C27FAA725E126A82A31D95811F346E278042FE9554F51E8929429
4868WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERC9FA.tmp.WERInternalMetadata.xmlbinary
MD5:B7F6CA07156E393083218060C8521D10
SHA256:867BABDD35464FACEFA965779CA607F3F111A6DA0F2ABEDBFB0C20A67ACCC176
4868WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\2025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exe.1228.dmpbinary
MD5:1E4CDFC7EDCAE8C52CC65D8A01A3C665
SHA256:3AA39898CCD8029A0D57AAE2667645FFD8AF2BC0090B6ADEEADE031CACF516A3
26922025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exeC:\Users\admin\AppData\Local\Temp\3582-490\2025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exeexecutable
MD5:4903CCD88FDC5C54FF60F7EBF6FA7157
SHA256:E477EAE3C12BC9707FB779A816502C033AB69253E52D0EA2CC8C444D7AB72913
26922025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exeC:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exeexecutable
MD5:85A67D34298E33D2D5A9EC789B6AB594
SHA256:1DEE143B4F88F2375B85C6271A58E2E78FED081BEAE4090678CB2DD7A37FB2D4
26922025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exeexecutable
MD5:A747FA4161FE3C00C3FBB4BF391D4D4E
SHA256:B7BA59428AF7AE08C5BF927B57E326D5259E6ED31BD4237AA6A44378177364C1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
39
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1912
SIHClient.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1912
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
1912
SIHClient.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
1912
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
1912
SIHClient.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
1912
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1912
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
1912
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
1912
SIHClient.exe
20.109.210.53:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1912
SIHClient.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1912
SIHClient.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1912
SIHClient.exe
20.242.39.171:443
fe3cr.delivery.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6036
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 172.217.16.206
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.164
  • 23.48.23.143
  • 23.48.23.145
  • 23.48.23.158
  • 23.48.23.176
  • 23.48.23.173
  • 23.48.23.177
  • 23.48.23.141
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.23
whitelisted
login.live.com
  • 20.190.159.73
  • 40.126.31.129
  • 20.190.159.0
  • 40.126.31.131
  • 40.126.31.130
  • 20.190.159.129
  • 40.126.31.0
  • 40.126.31.128
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-16_876141d31b9f5415e8cc2fde6b01a9d2_amadey_black-basta_darkgate_elex_gcleaner_hijackloader_luca-stealer_neshta