File name: 2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer

Full analysis: https://app.any.run/tasks/59f2f8d9-12de-4d97-9515-adf378a0966d
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Analysis date: April 08, 2025, 13:36:31
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: xred, backdoor, dyndns, delphi, snake, keylogger
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: 0831620E5C2AB840F22A3330501ABEDF
SHA1: 7BB9717B9123EC5D1A143DE74F83E1D222A7898C
SHA256: 94756028A4F6BD6A9C77F3D5EC30F1734DD4911C7293F35069E755BEB97D41FB
SSDEEP: 49152:53HzLnqOaNMCFJ6kPvO1cg0i7EVuZ4qBEbRKE4EesjoVgKh6bpq5VEdMbKO1zsHy:Vr7ayGJ6kHOSqBBEesjoVr6bpq5VEdOn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • XRED mutex has been found

      • 2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe (PID: 7352)
      • Synaptics.exe (PID: 7520)
    • XRED has been detected

      • 2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe (PID: 7352)
    • Changes the autorun value in the registry

      • 2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe (PID: 7352)
    • XRED has been detected (YARA)

      • Synaptics.exe (PID: 7520)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe (PID: 7352)
    • Reads security settings of Internet Explorer

      • 2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe (PID: 7352)
      • Synaptics.exe (PID: 7520)
    • There is functionality for taking screenshots (YARA)

      • Synaptics.exe (PID: 7520)
    • There is functionality for communication with a DynDNS network (YARA)

      • Synaptics.exe (PID: 7520)
    • There is functionality for communication over UDP network (YARA)

      • Synaptics.exe (PID: 7520)
  • INFO

    • The sample was compiled with Turkish language support

      • 2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe (PID: 7352)
    • Reads the computer name

      • 2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe (PID: 7352)
      • Synaptics.exe (PID: 7520)
    • The sample was compiled with English language support

      • 2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe (PID: 7352)
    • Creates files in the program directory

      • 2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe (PID: 7352)
      • Synaptics.exe (PID: 7520)
    • Checks supported languages

      • ._cache_2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe (PID: 7400)
      • 2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe (PID: 7352)
      • Synaptics.exe (PID: 7520)
    • Process checks computer location settings

      • 2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe (PID: 7352)
    • Checks proxy server information

      • Synaptics.exe (PID: 7520)
      • slui.exe (PID: 7828)
    • Compiled with Borland Delphi (YARA)

      • Synaptics.exe (PID: 7520)
      • slui.exe (PID: 7828)
    • Reads the machine GUID from the registry

      • Synaptics.exe (PID: 7520)
    • Reads the software policy settings

      • Synaptics.exe (PID: 7520)
      • slui.exe (PID: 7828)
    • Creates files in a temporary directory

      • Synaptics.exe (PID: 7520)
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (96.4)
.exe | Win32 Executable Delphi generic (2)
.exe | Win32 Executable (generic) (0.6)
.exe | Win16/32 Executable Delphi generic (0.3)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 629760
InitializedDataSize: 1190912
UninitializedDataSize: -
EntryPoint: 0x9ab80
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.4
ProductVersionNumber: 1.0.0.4
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Turkish
CharacterSet: Windows, Turkish
CompanyName: Synaptics
FileDescription: Synaptics Pointing Device Driver
FileVersion: 1.0.0.4
InternalName: -
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: -
ProductName: Synaptics Pointing Device Driver
ProductVersion: 1.0.0.0
Comments: -
All screenshots are available in the full report
Total processes: 124
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Nodes shown in the graph:
  • start
  • 2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe (#XRED)
  • ._cache_2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe (no specs)
  • synaptics.exe (#XRED)
  • svchost.exe
  • slui.exe

Process information

PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID: 7352
CMD: "C:\Users\admin\Desktop\2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe"
Path: C:\Users\admin\Desktop\2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe
Parent process: explorer.exe
User: admin
Company: Synaptics
Integrity Level: MEDIUM
Description: Synaptics Pointing Device Driver
Exit code: 0
Version: 1.0.0.4
Modules (images):
c:\users\admin\desktop\2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 7400
CMD: "C:\Users\admin\Desktop\._cache_2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe"
Path: C:\Users\admin\Desktop\._cache_2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe
Parent process: 2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 133.0.6943.54
Modules (images):
c:\users\admin\desktop\._cache_2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\combase.dll

PID: 7520
CMD: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Path: C:\ProgramData\Synaptics\Synaptics.exe
Parent process: 2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe
User: admin
Company: Synaptics
Integrity Level: HIGH
Description: Synaptics Pointing Device Driver
Version: 1.0.0.4
Modules (images):
c:\programdata\synaptics\synaptics.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 7828
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 7 813
Read events: 7 807
Write events: 6
Delete events: 0

Modification events

(PID) Process: (7352) 2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Synaptics Pointing Device Driver
Value: C:\ProgramData\Synaptics\Synaptics.exe

(PID) Process: (7352) 2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A7803901000060B81DB4E48ED2119906E49FADC173CA8D000000

(PID) Process: (7352) 2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID) Process: (7520) Synaptics.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (7520) Synaptics.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7520) Synaptics.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 4
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID: 7352
Process: 2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe
Filename: C:\ProgramData\Synaptics\Synaptics.exe
Type: executable
MD5: 0831620E5C2AB840F22A3330501ABEDF
SHA256: 94756028A4F6BD6A9C77F3D5EC30F1734DD4911C7293F35069E755BEB97D41FB

PID: 7352
Process: 2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe
Filename: C:\ProgramData\Synaptics\RCXE63B.tmp
Type: executable
MD5: F47508F81F397D88FDB91E37BD0B2172
SHA256: 780CCEF0A89544B6FDFBA75D2610CB46FFBB081CFA20AEDF4A2B8B1C7F52D6B1

PID: 7352
Process: 2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe
Filename: C:\Users\admin\Desktop\._cache_2025-04-08_0831620e5c2ab840f22a3330501abedf_black-basta_darkgate_hijackloader_luca-stealer.exe
Type: executable
MD5: 30E4BDE9A81A98D392AF362A5AAB4398
SHA256: E12A2AF48672BB802F8257400577AD6800761D5BF73E381BD0816F74A053D63F

PID: 7520
Process: Synaptics.exe
Filename: C:\Users\admin\AppData\Local\Temp\WQBXUZx.ini
Type: html
MD5: E46078A688C9EC6A8C4E2C2BAA959370
SHA256: C14CC32E316BE418896485381DB5CDA3ADD278E49B19B1B3C8E329F61E3464C4
HTTP(S) requests: 10
TCP/UDP connections: 27
DNS requests: 9
Threats: 8

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 23.216.77.15:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
7520 | Synaptics.exe | GET | 200 | 69.42.215.252:80 | http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 | unknown | | | whitelisted
| | GET | 303 | 64.233.184.84:443 | https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download | unknown | | |
| | GET | 303 | 64.233.184.84:443 | https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download | unknown | | |
| | GET | 303 | 64.233.184.84:443 | https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download | unknown | | |
| | GET | 404 | 142.250.186.97:443 | https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download | unknown | html | 1.61 Kb | whitelisted
| | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
| | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
| | GET | 404 | 142.250.186.97:443 | https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download | unknown | html | 1.61 Kb | whitelisted
| | GET | 404 | 142.250.186.97:443 | https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download | unknown | html | 1.61 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
| | 51.124.78.146:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 51.124.78.146:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 23.216.77.15:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2196 | svchost.exe | 224.0.0.252:5355 | | | | whitelisted
2196 | svchost.exe | 224.0.0.251:5353 | | | | unknown
4 | System | 192.168.100.255:137 | | | | whitelisted
7520 | Synaptics.exe | 69.42.215.252:80 | freedns.afraid.org | AWKNET | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
google.com | 142.250.184.206 | whitelisted
crl.microsoft.com | 23.216.77.15, 23.216.77.23, 23.216.77.18, 23.216.77.25, 23.216.77.33 | whitelisted
xred.mooo.com | | whitelisted
freedns.afraid.org | 69.42.215.252 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted
docs.google.com | 172.217.23.110 | whitelisted
drive.usercontent.google.com | 142.250.186.97 | whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to Abused Domain *.mooo.com
| | A Network Trojan was detected | ET HUNTING Suspicious User-Agent Containing .exe
| | A Network Trojan was detected | ET MALWARE Snake Keylogger Payload Request (GET)
| | A Network Trojan was detected | ET HUNTING Suspicious User-Agent Containing .exe
| | A Network Trojan was detected | ET HUNTING Suspicious User-Agent Containing .exe
| | A Network Trojan was detected | ET HUNTING Suspicious User-Agent Containing .exe
| | A Network Trojan was detected | ET HUNTING Suspicious User-Agent Containing .exe
| | A Network Trojan was detected | ET HUNTING Suspicious User-Agent Containing .exe

Debug output: No debug info