File name:

2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader

Full analysis: https://app.any.run/tasks/5de5b149-2d8a-4f09-9992-fcb876d4e22b
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: April 23, 2025, 10:21:46
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
rat
remcos
remote
delphi
inno
installer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:

5799940535C42BF5C6683D1CDF56B987

SHA1:

4F9937389C476F5BB3B1A82D3D003BE247AF485C

SHA256:

8CFF04F47B22B1080899ABE5A4AEDBB1157F291B5902DDC5390806507818FA8B

SSDEEP:

98304:o7GevXOjNW+QqZ8fAhSejQ4xrxcqtTqxxTv95ds5TP/0U6+4/Eqoe/QCVGtD+sDB:qxUlhROWRWxouwaS+EYG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exe (PID: 7472)

    • REMCOS has been detected (YARA)

      • 2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exe (PID: 7472)

    • REMCOS has been detected (SURICATA)

      • 2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exe (PID: 7472)

  • SUSPICIOUS

    • Connects to unusual port

      • 2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exe (PID: 7472)

    • Contacting a server suspected of hosting an CnC

      • 2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exe (PID: 7472)

  • INFO

    • Reads the computer name

      • 2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exe (PID: 7472)

    • The sample compiled with english language support

      • 2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exe (PID: 7472)

    • Reads the machine GUID from the registry

      • 2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exe (PID: 7472)

    • Checks supported languages

      • 2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exe (PID: 7472)

    • Detects InnoSetup installer (YARA)

      • 2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exe (PID: 7472)

    • Compiled with Borland Delphi (YARA)

      • 2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exe (PID: 7472)

    • Checks proxy server information

      • slui.exe (PID: 2236)

    • Reads the software policy settings

      • slui.exe (PID: 2236)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (53.4)
.exe | Win64 Executable (generic) (35.5)
.exe | Win32 Executable (generic) (5.8)
.exe | Generic Win/DOS Executable (2.5)
.exe | DOS Executable Generic (2.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:28 06:19:29+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 310784
InitializedDataSize: 6685184
UninitializedDataSize: -
EntryPoint: 0x2c9fa
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: ASUSTeK COMPUTER INC.
FileDescription: -
FileVersion: 2024.10.143.0
InternalName: WirelessLan_DCH_Realtek_Z_V2024.10.143.0_42585.exe
LegalCopyright: © ASUSTeK COMPUTER INC. All rights reserved.
OriginalFileName: WirelessLan_DCH_Realtek_Z_V2024.10.143.0_42585.exe
ProductName: Realtek WLAN Driver
ProductVersion: 2024.10.143.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
126
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #REMCOS 2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2236C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7472"C:\Users\admin\Desktop\2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exe" C:\Users\admin\Desktop\2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exe
explorer.exe
User:
admin
Company:
ASUSTeK COMPUTER INC.
Integrity Level:
MEDIUM
Version:
2024.10.143.0
Modules
Images
c:\users\admin\desktop\2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
7 314
Read events
7 311
Write events
3
Delete events
0

Modification events

(PID) Process:(7472) 2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exeKey:HKEY_CURRENT_USER\SOFTWARE\ZoomUpdateService-8DUEEB
Operation:writeName:licence
Value:
101BCC94C42220B31CE32081FB8B1DEF
(PID) Process:(7472) 2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exeKey:HKEY_CURRENT_USER\SOFTWARE\ZoomUpdateService-8DUEEB
Operation:writeName:time
Value:
(PID) Process:(7472) 2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exeKey:HKEY_CURRENT_USER\SOFTWARE\ZoomUpdateService-8DUEEB
Operation:writeName:UID
Value:
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
34
TCP/UDP connections
339
DNS requests
16
Threats
576

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2104
svchost.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
304
20.109.210.53:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
7992
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
GET
200
20.3.187.198:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
7992
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7992
SIHClient.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
7992
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
POST
400
20.190.160.128:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
whitelisted
POST
200
20.190.160.128:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
20.190.160.66:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
20.190.160.66:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7472
2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exe
62.60.226.21:40106
Iranian Research Organization for Science & Technology
HK
malicious
2104
svchost.exe
2.16.164.120:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
7472
2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exe
62.60.226.101:40106
Iranian Research Organization for Science & Technology
HK
malicious
2104
svchost.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted

DNS requests

Domain
IP
Reputation
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.160.66
  • 40.126.32.136
  • 20.190.160.20
  • 20.190.160.65
  • 20.190.160.67
  • 20.190.160.17
  • 40.126.32.68
  • 40.126.32.74
whitelisted
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 23.219.150.101
  • 184.30.21.171
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.14
whitelisted

Threats

PID
Process
Class
Message
7472
2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exe
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
7472
2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 6
7472
2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 6
7472
2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exe
Malware Command and Control Activity Detected
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
7472
2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exe
Malware Command and Control Activity Detected
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
7472
2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exe
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
7472
2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exe
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
7472
2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exe
Malware Command and Control Activity Detected
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
7472
2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exe
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
7472
2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader.exe
Malware Command and Control Activity Detected
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-04-23_5799940535c42bf5c6683d1cdf56b987_amadey_black-basta_elex_hijackloader_luca-stealer_remcos_smoke-loader