File name:	2025-05-17_f1af156486d8c901855992c977b57392_amadey_black-basta_coinminer_darkgate_elex_gcleaner_luca-stealer_smoke-loader
Full analysis:	https://app.any.run/tasks/a0398d71-8a66-46e5-9d94-d6a71171e583
Verdict:	Malicious activity
Threats:	A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. XRed operates as a stealthy backdoor, enabling cybercriminals to gain unauthorized remote access to infected systems. XRed has gained particular notoriety for its distribution through trojanized legitimate software and hardware drivers, making it exceptionally dangerous due to its ability to masquerade as trusted applications. Malware Trends Tracker >>>
Analysis date:	May 17, 2025, 07:42:28
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	xred backdoor auto-reg arch-exec delphi dyndns upx snake keylogger
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:	F1AF156486D8C901855992C977B57392
SHA1:	24E45293B92BE96D1C9ED8985F5FB43F93C5ECDE
SHA256:	A766C975E8C3E6991632D706A47DB39792C5493D5E5CCF64D85EC909713DE717
SSDEEP:	98304:Zr7ayGJ6kHOSORVpHlwzveTB1TjorRS8htT7u1fzhIubtZ0JdrvcIzleRXzwp5tk:5MnWex5Po

.exe	\|	Win32 Executable Borland Delphi 7 (83.1)
.exe	\|	Inno Setup installer (13.7)
.exe	\|	Win32 Executable Delphi generic (1.7)
.exe	\|	Win32 Executable (generic) (0.5)
.exe	\|	Win16/32 Executable Delphi generic (0.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	1992:06:19 22:22:17+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	629760
InitializedDataSize:	9229824
UninitializedDataSize:	-
EntryPoint:	0x9ab80
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.4
ProductVersionNumber:	1.0.0.4
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Turkish
CharacterSet:	Windows, Turkish
CompanyName:	Synaptics
FileDescription:	Synaptics Pointing Device Driver
FileVersion:	1.0.0.4
InternalName:	-
LegalCopyright:	-
LegalTrademarks:	-
OriginalFileName:	-
ProductName:	Synaptics Pointing Device Driver
ProductVersion:	1.0.0.0
Comments:	-


(PID) Process:	(7380) 2025-05-17_f1af156486d8c901855992c977b57392_amadey_black-basta_coinminer_darkgate_elex_gcleaner_luca-stealer_smoke-loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(7380) 2025-05-17_f1af156486d8c901855992c977b57392_amadey_black-basta_coinminer_darkgate_elex_gcleaner_luca-stealer_smoke-loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Synaptics Pointing Device Driver
Value: C:\ProgramData\Synaptics\Synaptics.exe
(PID) Process:	(7988) Ð¡°ïÊÖÖ±²¥³¡¿Ø.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib
Operation:	write	Name:	1280x720x32(BGR 0)
Value: 31,31,31,31
(PID) Process:	(7988) Ð¡°ïÊÖÖ±²¥³¡¿Ø.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7988) Ð¡°ïÊÖÖ±²¥³¡¿Ø.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7988) Ð¡°ïÊÖÖ±²¥³¡¿Ø.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(7652) Synaptics.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7652) Synaptics.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7652) Synaptics.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
7380	2025-05-17_f1af156486d8c901855992c977b57392_amadey_black-basta_coinminer_darkgate_elex_gcleaner_luca-stealer_smoke-loader.exe	C:\Users\admin\Desktop\._cache_2025-05-17_f1af156486d8c901855992c977b57392_amadey_black-basta_coinminer_darkgate_elex_gcleaner_luca-stealer_smoke-loader.exe		executable
		MD5:F99AABE5BF2AF22C696A9E6D9BFF3D2A	SHA256:EF77DCF8A33186C70FC090933ADEAE244C8704A1A9CBD84E0B58DFE8E96DBF11
7552	._cache_2025-05-17_f1af156486d8c901855992c977b57392_amadey_black-basta_coinminer_darkgate_elex_gcleaner_luca-stealer_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\exui.zip		compressed
		MD5:D520F292620C463E93FCC8EFF6E08F7E	SHA256:610AC2D18AD388EAD5F33B12C0C39921D0025A32B1B733D62AD062A010095379
7988	Ð¡°ïÊÖÖ±²¥³¡¿Ø.exe	C:\Users\admin\AppData\Local\Temp\xbswxchangkong.txt		text
		MD5:79C8A672024CCDBA86DE0477F950445E	SHA256:BAFF83CA42CE226C17A6DFE705795589D76811AC41098923684CA538BB413914
7652	Synaptics.exe	C:\Users\admin\AppData\Local\Temp\cOHzMpOi.exe		executable
		MD5:9DAF61D171765F3B2F37E8DEC384E93E	SHA256:BDC569B6EAD364D0D6A27D0179D27BEEC944454BB118A7DB6D3C74AEBC157591
7988	Ð¡°ïÊÖÖ±²¥³¡¿Ø.exe	C:\Users\admin\AppData\Local\Temp\xbsver°æ±¾ºÅ.txt		text
		MD5:70EFDF2EC9B086079795C442636B55FB	SHA256:4523540F1504CD17100C4835E85B7EEFD49911580F8EFFF0599A8F283BE6B9E3
7652	Synaptics.exe	C:\Users\admin\AppData\Local\Temp\RCX11FE.tmp		executable
		MD5:17ACD5FCA7846EF4731FF0A7B1FD0BAE	SHA256:1C032E8E42E9C54C0AAE083A4E90C03127FE671E711A76B2890182C7B517AD2D
7652	Synaptics.exe	C:\Users\admin\AppData\Local\Temp\cOHzMpOi.ico		image
		MD5:36AD082619044FB211D6C68431900981	SHA256:5805514BB112F3FA0859330010562C1FBEC128382FCC43C6BE5EBC18FACA58F9
7652	Synaptics.exe	C:\Users\admin\AppData\Local\Temp\RCX1328.tmp		executable
		MD5:196279BA318A67B728DDCDC6B22A8875	SHA256:36DC33C9303D307AE2CA952C54CCBB23D21C090E035C95FB3EC747B3138085F8
7988	Ð¡°ïÊÖÖ±²¥³¡¿Ø.exe	C:\Users\admin\Desktop\ÉèÖÃ.ini		text
		MD5:47F0563477955F4F819094050781B4FD	SHA256:06D7821C54857A443BC17D75B718ECE74FD9E1286D36F799982C594E98E63A15
7652	Synaptics.exe	C:\Users\admin\AppData\Local\Temp\qAlxevd.ini		html
		MD5:EE61D447471568A8F8FE1937AEBDC1B9	SHA256:724D38D2B6F0B9E30044A7FC8DE6BB0E0B9CB52955A36DA936F83BD5999E2174

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6724	RUXIMICS.exe	GET	200	23.216.77.11:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6724	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7652	Synaptics.exe	GET	200	69.42.215.252:80	http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
6724	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6724	RUXIMICS.exe	23.216.77.11:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6724	RUXIMICS.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
7652	Synaptics.exe	69.42.215.252:80	freedns.afraid.org	AWKNET	US	whitelisted
2196	svchost.exe	224.0.0.252:5355	—	—	—	whitelisted
2196	svchost.exe	224.0.0.251:5353	—	—	—	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	142.250.185.206	whitelisted
crl.microsoft.com	23.216.77.11 23.216.77.18 23.216.77.43	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
xred.mooo.com	—	whitelisted
freedns.afraid.org	69.42.215.252	whitelisted
gcstcp.com	101.34.248.153	malicious
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted
docs.google.com	142.250.185.78	whitelisted
drive.usercontent.google.com	142.250.186.161	whitelisted

PID	Process	Class	Message
2196	svchost.exe	Potentially Bad Traffic	ET DYN_DNS DYNAMIC_DNS Query to Abused Domain *.mooo.com
—	—	A Network Trojan was detected	ET HUNTING Suspicious User-Agent Containing .exe
—	—	A Network Trojan was detected	ET MALWARE Snake Keylogger Payload Request (GET)
—	—	A Network Trojan was detected	ET HUNTING Suspicious User-Agent Containing .exe
—	—	A Network Trojan was detected	ET HUNTING Suspicious User-Agent Containing .exe
—	—	A Network Trojan was detected	ET HUNTING Suspicious User-Agent Containing .exe
—	—	A Network Trojan was detected	ET HUNTING Suspicious User-Agent Containing .exe
—	—	A Network Trojan was detected	ET HUNTING Suspicious User-Agent Containing .exe

General Info

2025-05-17_f1af156486d8c901855992c977b57392_amadey_black-basta_coinminer_darkgate_elex_gcleaner_luca-stealer_smoke-loader

F1AF156486D8C901855992C977B57392

24E45293B92BE96D1C9ED8985F5FB43F93C5ECDE

A766C975E8C3E6991632D706A47DB39792C5493D5E5CCF64D85EC909713DE717

98304:Zr7ayGJ6kHOSORVpHlwzveTB1TjorRS8htT7u1fzhIubtZ0JdrvcIzleRXzwp5tk:5MnWex5Po

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

XRED mutex has been found

Changes the autorun value in the registry

XRED has been detected (YARA)

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

There is functionality for taking screenshot (YARA)

There is functionality for communication over UDP network (YARA)

There is functionality for communication dyndns network (YARA)

Connects to unusual port

INFO

The sample compiled with turkish language support

Reads the computer name

Checks supported languages

The sample compiled with chinese language support

Creates files in the program directory

Create files in a temporary directory

Auto-launch of the file from Registry key

Process checks computer location settings

Checks proxy server information

Manual execution by a user

Compiled with Borland Delphi (YARA)

Reads the software policy settings

Reads the machine GUID from the registry

UPX packer has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings