File name:

2025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta

Full analysis: https://app.any.run/tasks/900bb25e-99cb-494d-ac0e-9b2b196bfd51
Verdict: Malicious activity
Threats:

Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild, this is one of the most advanced thanks to the modular design and a complex delivery method.

Malware Trends Tracker     >>>
Analysis date: June 06, 2025, 15:52:52
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-startup
danabot
danabot-unpacked
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

18DF45279DF547FB8A4372BA74F86AFA

SHA1:

4A0A4BCDE32A86520E74BBC65EA6FCA28D5A4D32

SHA256:

918AB360C4D56DF4B64F1DAF463A2566B96F5C9EECDED3F947B56CC244EBDFB7

SSDEEP:

98304:Jwrm/DSsqwhEJqkrmdgHf9qa0yBbFDOAfvo5c24:Mic

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • EHttpSrv.exe (PID: 4220)

    • DANABOT has been detected (SURICATA)

      • rundll32.exe (PID: 6112)

    • DANABOT has been detected (YARA)

      • rundll32.exe (PID: 6112)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exe (PID: 7148)

    • Process drops legitimate windows executable

      • 2025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exe (PID: 7148)

    • The process drops C-runtime libraries

      • 2025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exe (PID: 7148)

    • Executable content was dropped or overwritten

      • 2025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exe (PID: 7148)
      • explorer.exe (PID: 5048)

    • Starts CMD.EXE for commands execution

      • EHttpSrv.exe (PID: 4220)

    • Contacting a server suspected of hosting an CnC

      • rundll32.exe (PID: 6112)

  • INFO

    • Checks supported languages

      • 2025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exe (PID: 7148)
      • EHttpSrv.exe (PID: 4220)

    • Checks proxy server information

      • 2025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exe (PID: 7148)
      • rundll32.exe (PID: 6112)
      • slui.exe (PID: 7788)

    • Reads the computer name

      • 2025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exe (PID: 7148)
      • EHttpSrv.exe (PID: 4220)

    • Creates files or folders in the user directory

      • 2025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exe (PID: 7148)

    • Reads the software policy settings

      • 2025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exe (PID: 7148)
      • slui.exe (PID: 7788)

    • Reads the machine GUID from the registry

      • 2025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exe (PID: 7148)

    • The sample compiled with english language support

      • 2025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exe (PID: 7148)
      • explorer.exe (PID: 5048)

    • Creates files in the program directory

      • 2025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exe (PID: 7148)
      • explorer.exe (PID: 5048)

    • Manual execution by a user

      • EHttpSrv.exe (PID: 4220)

    • Create files in a temporary directory

      • EHttpSrv.exe (PID: 4220)

    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 6112)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2019:09:29 02:48:05+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.16
CodeSize: 2923008
InitializedDataSize: 3080704
UninitializedDataSize: -
EntryPoint: 0x263a3c
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 8.0.7690.0
ProductVersionNumber: 8.0.7690.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Unknown (4090)
CharacterSet: Windows, Latin1
CompanyName: Paramount Software UK Ltd
FileDescription: Macrium Support
FileVersion: 8, 0, 7690, 0
InternalName: Macrium Support
LegalCopyright: (c) Paramount Software. All rights reserved.
OriginalFileName: MacriumSupport.exe
ProductName: Macrium Support
ProductVersion: 8, 0, 7690, 0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
129
Monitored processes
7
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start 2025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exe ehttpsrv.exe no specs cmd.exe no specs conhost.exe no specs explorer.exe #DANABOT rundll32.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1512\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3884C:\WINDOWS\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exeEHttpSrv.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
4220C:\ProgramData\ManageService\EHttpSrv.exeC:\ProgramData\ManageService\EHttpSrv.exeexplorer.exe
User:
admin
Company:
ESET
Integrity Level:
MEDIUM
Description:
ESET HTTP Server Service
Exit code:
1
Version:
4.0.474.0
Modules
Images
c:\programdata\manageservice\ehttpsrv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
5048C:\WINDOWS\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
6112
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\tsconluhnm
c:\windows\syswow64\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
6112"C:\WINDOWS\syswow64\rundll32.exe" "C:\WINDOWS\syswow64\shell32.dll",#61 C:\WINDOWS\SysWOW64\explorer.exeC:\Windows\SysWOW64\rundll32.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
7148"C:\Users\admin\Desktop\2025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exe" C:\Users\admin\Desktop\2025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exe
explorer.exe
User:
admin
Company:
Paramount Software UK Ltd
Integrity Level:
MEDIUM
Description:
Macrium Support
Exit code:
0
Version:
8, 0, 7690, 0
Modules
Images
c:\users\admin\desktop\2025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\version.dll
c:\windows\system32\mpr.dll
7788C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
8 775
Read events
8 772
Write events
3
Delete events
0

Modification events

(PID) Process:(7148) 2025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7148) 2025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7148) 2025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
6
Suspicious files
0
Text files
5
Unknown types
2

Dropped files

PID
Process
Filename
Type
71482025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exeC:\ProgramData\ManageService\rapporteur.pdf
MD5:
SHA256:
4220EHttpSrv.exeC:\Users\admin\AppData\Local\Temp\fdfd8778
MD5:
SHA256:
3884cmd.exeC:\Users\admin\AppData\Local\Temp\tsconluhnm
MD5:
SHA256:
71482025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exeC:\ProgramData\ManageService\EHttpSrv.exeexecutable
MD5:9329BA45C8B97485926A171E34C2ABB8
SHA256:EFFA6FCB8759375B4089CCF61202A5C63243F4102872E64E3EB0A1BDC2727659
71482025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exeC:\ProgramData\ManageService\msvcr80.dllexecutable
MD5:1169436EE42F860C7DB37A4692B38F0E
SHA256:9382AAED2DB19CD75A70E38964F06C63F19F63C9DFB5A33B0C2D445BB41B6E46
71482025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exeC:\ProgramData\ManageService\http_dll.dllexecutable
MD5:761569992970233ED118E935F5F1457D
SHA256:4316FD0FD1013C40034A24AF0EB6327A79B6D29960B36B7AD4B341851779F5A5
71482025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\dblp-2017-11-01.xml.gz[1].htmhtml
MD5:6E360F84D4A12EF52813E151C66170B5
SHA256:0A47BBA421024AD9DDD10F9C5821F055467EA41ECF9D1429E61503D01A2F41DE
71482025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exeC:\ProgramData\ManageService\Microsoft.VC80.MFC.manifestxml
MD5:F1BB778577CFB1E45ADFBB2EAAAD7F58
SHA256:53B6CDAB4A829674082048606A65111A2D6AC3A1B2BCFB8BE34D8296590D42DE
71482025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\dblp-2017-11-01.xml.gz[1].gztext
MD5:EA348CF5AC331393E17652F2F80E772A
SHA256:E6EFF0C92D0A74FB118E7B7F58E61BF03B91A2A4A2FC0E371CA3242977D4102F
71482025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exeC:\ProgramData\ManageService\mfc80u.dllexecutable
MD5:686B224B4987C22B153FBB545FEE9657
SHA256:A2AC851F35066C2F13A7452B7A9A3FEE05BFB42907AE77A6B85B212A2227FC36
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
28
DNS requests
8
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1088
RUXIMICS.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1088
RUXIMICS.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
301
192.76.146.204:443
https://dblp.org/xml/release/dblp-2017-11-01.xml.gz.md5
unknown
html
367 b
whitelisted
GET
200
192.76.146.174:443
https://drops.dagstuhl.de/storage/artifacts/dblp/xml/2017/dblp-2017-11-01.xml.gz.md5
unknown
text
57 b
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
1088
RUXIMICS.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
7148
2025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exe
192.76.146.204:443
dblp.org
Verein zur Foerderung eines Deutschen Forschungsnetzes e.V.
DE
whitelisted
1088
RUXIMICS.exe
2.16.168.114:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
1088
RUXIMICS.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
7148
2025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exe
192.76.146.174:443
drops.dagstuhl.de
Verein zur Foerderung eines Deutschen Forschungsnetzes e.V.
DE
unknown
7148
2025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta.exe
199.232.192.193:443
i.imgur.com
FASTLY
US
whitelisted
3812
svchost.exe
239.255.255.250:1900
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.78
whitelisted
dblp.org
  • 192.76.146.204
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
drops.dagstuhl.de
  • 192.76.146.174
unknown
i.imgur.com
  • 199.232.192.193
  • 199.232.196.193
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
self.events.data.microsoft.com
  • 104.208.16.92
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Image Sharing Service (imgur.com)
6112
rundll32.exe
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Danabot TCP Packet
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Danabot TCP Packet
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Danabot TCP Packet
6112
rundll32.exe
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Danabot TCP Packet
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-06-06_18df45279df547fb8a4372ba74f86afa_black-basta