File name: 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber

Full analysis: https://app.any.run/tasks/1f94a8a3-649e-4d61-a995-c22612a7b18d
Verdict: Malicious activity
Analysis date: May 17, 2025, 22:49:11
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: scan, smbscan, yero, worm, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: 6DD47F30E6C7B80AF677E4FC274E650D
SHA1: 5852776EFE5022A7878EF6D24E8855DDE566BF2E
SHA256: 8435B1657AF900956A9B301B4C8CC18A5FA48FFCA70934B400C6F07F96810DC0
SSDEEP: 98304:vRL0EjM7jMehTJJVolr44LrzNF8Hjqzl8MnmWedzpOejlfJPY+CCQS/175UFlp0h:rQlL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • YERO mutex has been found
      • 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
    • YERO has been detected
      • 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
    • Attempting to scan the network
      • 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
    • SMBSCAN has been detected (SURICATA)
      • 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
      • System (PID: 4)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
    • Uses pipe srvsvc via SMB (transferring data)
      • 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
    • The process creates files with names similar to system file names
      • 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
    • Reads security settings of Internet Explorer
      • 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
    • Potential Corporate Privacy Violation
      • 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
      • System (PID: 4)
  • INFO
    • Checks supported languages
      • 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
    • Checks proxy server information
      • 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
      • slui.exe (PID: 1276)
    • Creates files or folders in the user directory
      • 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
    • Reads the computer name
      • 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
    • UPX packer has been detected
      • 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
    • Reads the software policy settings
      • slui.exe (PID: 1276)
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 5 (76.3)
.exe | Win32 EXE PECompact compressed (generic) (7)
.exe | UPX compressed Win32 Executable (4.5)
.exe | Win32 EXE Yoda's Crypter (4.4)
.exe | Win32 Executable Delphi generic (2.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 32768
InitializedDataSize: 16896
UninitializedDataSize: -
EntryPoint: 0x8c40
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 127
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph (process nodes)

  • start
  • #SMBSCAN 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe
  • #SMBSCAN System
  • slui.exe

Process information

PID 4 | CMD: System | Parent process: [System Process]
  • User: SYSTEM
  • Integrity Level: SYSTEM

PID 1276 | CMD: C:\WINDOWS\System32\slui.exe -Embedding | Path: C:\Windows\System32\slui.exe | Parent process: svchost.exe
  • User: admin
  • Company: Microsoft Corporation
  • Integrity Level: MEDIUM
  • Description: Windows Activation Client
  • Exit code: 0
  • Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Modules (Images):
    • c:\windows\system32\slui.exe
    • c:\windows\system32\ntdll.dll
    • c:\windows\system32\kernel32.dll
    • c:\windows\system32\kernelbase.dll
    • c:\windows\system32\advapi32.dll
    • c:\windows\system32\msvcrt.dll
    • c:\windows\system32\sechost.dll
    • c:\windows\system32\rpcrt4.dll
    • c:\windows\system32\bcrypt.dll
    • c:\windows\system32\user32.dll

PID 7348 | CMD: "C:\Users\admin\Desktop\2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe" | Path: C:\Users\admin\Desktop\2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | Parent process: explorer.exe
  • User: admin
  • Integrity Level: MEDIUM
  • Modules (Images):
    • c:\users\admin\desktop\2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe
    • c:\windows\system32\ntdll.dll
    • c:\windows\syswow64\ntdll.dll
    • c:\windows\system32\wow64.dll
    • c:\windows\system32\wow64win.dll
    • c:\windows\system32\wow64cpu.dll
    • c:\windows\syswow64\kernel32.dll
    • c:\windows\syswow64\kernelbase.dll
    • c:\windows\syswow64\apphelp.dll
    • c:\windows\syswow64\advapi32.dll
Total events: 4 673
Read events: 4 673
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 225
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

All rows below were written by 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID 7348).

Filename | Type | MD5 | SHA256
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe | - | - | -
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe | - | - | -
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | executable | 15756D466240C995A52BD1B23CA42A14 | F8D3A1339B95990C843CABAB40743D29E4EF03996E416E947C7E12C9E3AA5F21
C:\Users\admin\AppData\Local\VirtualStore\Windows\SysWOW64\fsb.tmp | executable | 6DD47F30E6C7B80AF677E4FC274E650D | 8435B1657AF900956A9B301B4C8CC18A5FA48FFCA70934B400C6F07F96810DC0
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe | executable | D628474C4D923C98B0C2A24EE08A3639 | 76EC0BF53BE9E552B8FCCC6AF116B2565BA029303982D99F9F5643867BF267A2
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe | executable | 78B322B48E8384C9630A739CF9391595 | 4C68AF4E0739F9942B9B4016C104072F630A0C0DA832C44816FEFF79AFCC30D4
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe | executable | 23947DAEF0726D834E5C7FDAF53F86E2 | 7B8AB95419D25DDEFFC144AC32D18CE27A90D0A4229696FC64182DAA6A9D5D22
C:\Users\admin\AppData\Local\VirtualStore\Program Files\CCleaner\CCleaner.exe | - | - | -
C:\Users\admin\AppData\Local\VirtualStore\Program Files\CCleaner\CCleaner64.exe | - | - | -
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe | executable | BC52C7ED65C61608683001CCD9C7D101 | C3AACC09F7C33F738B84AE60398B2DB97B03A88215F70B3634EB29667C91E2B3
HTTP(S) requests: 9
TCP/UDP connections: 1 234
DNS requests: 19
Threats: 10

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2104 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1116 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
1116 | SIHClient.exe | GET | 200 | 104.124.11.17:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
1116 | SIHClient.exe | GET | 200 | 104.124.11.17:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
1116 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
1116 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
1116 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted
1116 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | 89.16.64.252:139 | - | Ripple Communications Ltd | IE | unknown
7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | 113.148.209.225:139 | - | KDDI CORPORATION | JP | unknown
7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | 192.169.55.1:139 | - | UNIFIEDLAYER-AS-1 | US | unknown
7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | 86.64.175.117:139 | - | Societe Francaise Du Radiotelephone - SFR SA | FR | unknown
7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | 156.18.238.73:139 | - | Renater | FR | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 4.231.128.59 | whitelisted
google.com | 142.250.185.78 | whitelisted
client.wns.windows.com | 172.211.123.248 | whitelisted
uk.undernet.org | - | unknown
crl.microsoft.com | 23.216.77.6, 23.216.77.28, 23.216.77.42, 104.124.11.17, 104.124.11.58 | whitelisted
www.microsoft.com | 23.35.229.160, 95.101.149.131 | whitelisted
login.live.com | 20.190.159.68, 20.190.159.75, 40.126.31.71, 40.126.31.1, 40.126.31.3, 40.126.31.73, 20.190.159.131, 20.190.159.129 | whitelisted
slscr.update.microsoft.com | 52.149.20.212 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.85.23.206 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224, 20.83.72.98 | whitelisted

Threats

PID | Process | Class | Message
7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 53
7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 39
7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
No debug info