| File name: | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber |
| Full analysis: | https://app.any.run/tasks/1f94a8a3-649e-4d61-a995-c22612a7b18d |
| Verdict: | Malicious activity |
| Analysis date: | May 17, 2025, 22:49:11 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections |
| MD5: | 6DD47F30E6C7B80AF677E4FC274E650D |
| SHA1: | 5852776EFE5022A7878EF6D24E8855DDE566BF2E |
| SHA256: | 8435B1657AF900956A9B301B4C8CC18A5FA48FFCA70934B400C6F07F96810DC0 |
| SSDEEP: | 98304:vRL0EjM7jMehTJJVolr44LrzNF8Hjqzl8MnmWedzpOejlfJPY+CCQS/175UFlp0h:rQlL |
MALICIOUS
YERO mutex has been found
- 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
YERO has been detected
- 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
Attempting to scan the network
- 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
SMBSCAN has been detected (SURICATA)
- 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
- System (PID: 4)
SUSPICIOUS
Reads security settings of Internet Explorer
- 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
Executable content was dropped or overwritten
- 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
The process creates files with name similar to system file names
- 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
Uses pipe srvsvc via SMB (transferring data)
- 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
Potential Corporate Privacy Violation
- 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
- System (PID: 4)
INFO
Checks supported languages
- 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
Creates files or folders in the user directory
- 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
Checks proxy server information
- 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
- slui.exe (PID: 1276)
Reads the computer name
- 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
UPX packer has been detected
- 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe (PID: 7348)
Reads the software policy settings
- slui.exe (PID: 1276)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable Borland Delphi 5 (76.3) |
|---|---|---|
| .exe | | | Win32 EXE PECompact compressed (generic) (7) |
| .exe | | | UPX compressed Win32 Executable (4.5) |
| .exe | | | Win32 EXE Yoda's Crypter (4.4) |
| .exe | | | Win32 Executable Delphi generic (2.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 1992:06:19 22:22:17+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 32768 |
| InitializedDataSize: | 16896 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x8c40 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
127
Monitored processes
3
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 4 | System | [System Process] | |||||||||||||
User: SYSTEM Integrity Level: SYSTEM | |||||||||||||||
| 1276 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7348 | "C:\Users\admin\Desktop\2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe" | C:\Users\admin\Desktop\2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
Total events
4 673
Read events
4 673
Write events
0
Delete events
0
Modification events
Executable files
225
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe- | — | |
MD5:— | SHA256:— | |||
| 7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe- | — | |
MD5:— | SHA256:— | |||
| 7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | C:\Users\admin\AppData\Local\VirtualStore\Windows\SysWOW64\fsb.stb | executable | |
MD5:280B12E4717C3A7CF2C39561B30BC9E6 | SHA256:F6AB4BA25B6075AA5A76D006C434E64CAD37FDB2FF242C848C98FAD5167A1BFC | |||
| 7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe- | executable | |
MD5:2F6B52B6CFBD5E351ED9AF1040D7BAB5 | SHA256:D3FD23773BFCC70EDC713F685348C564AB5248DAA74F643382D7F031EF65B9F7 | |||
| 7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe- | executable | |
MD5:A9B927315FC38B06340EA0A6D446F3FB | SHA256:B395F5FF481F110A2F97BB34A7DDC4DB4A6C3B1FAC4089CEAE8F4A63E03CC2DC | |||
| 7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe- | executable | |
MD5:5FA4BFFA30C97583562CE9A6B6D0447E | SHA256:5CD7377C2E7A8C81CD892C316939483380533E95A52E863277383982488E6B54 | |||
| 7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe- | executable | |
MD5:F8DAD59505018F6EB880DB6D9FE055DF | SHA256:8917DABF3C2190783D3D3539D3E937C6AE9583D5F0EC4784725D70122F46EF9C | |||
| 7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\CCleaner\CCleaner.exe- | — | |
MD5:— | SHA256:— | |||
| 7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\CCleaner\CCleaner64.exe- | — | |
MD5:— | SHA256:— | |||
| 7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe- | executable | |
MD5:B784ABA78041B2C26E56D729CF800036 | SHA256:81AB04FE0D5E3650C32934B0023B0E0DAA97ABA17A4F6240915CFB3CD37E3C41 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
1 234
DNS requests
19
Threats
10
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2104 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
2104 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
1116 | SIHClient.exe | GET | 200 | 104.124.11.17:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | — | — | whitelisted |
1116 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
1116 | SIHClient.exe | GET | 200 | 104.124.11.17:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | — | — | whitelisted |
1116 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | — | — | whitelisted |
1116 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
1116 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
1116 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | 89.16.64.252:139 | — | Ripple Communications Ltd | IE | unknown |
7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | 113.148.209.225:139 | — | KDDI CORPORATION | JP | unknown |
7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | 192.169.55.1:139 | — | UNIFIEDLAYER-AS-1 | US | unknown |
7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | 86.64.175.117:139 | — | Societe Francaise Du Radiotelephone - SFR SA | FR | unknown |
7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | 156.18.238.73:139 | — | Renater | FR | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
uk.undernet.org |
| unknown |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 53 |
7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 39 |
7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network |
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network |
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network |
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network |
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network |
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network |
7348 | 2025-05-17_6dd47f30e6c7b80af677e4fc274e650d_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer_magniber.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network |
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network |