File name:	2025-06-21_3dd3278da8246469b80dd475e985281d_amadey_black-basta_cova_darkgate_elex_hijackloader_luca-stealer_remcos_rhada
Full analysis:	https://app.any.run/tasks/32e14914-9ecd-47da-813f-96b57597a249
Verdict:	Malicious activity
Analysis date:	June 21, 2025, 03:00:33
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	upx delphi snojan
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 3 sections
MD5:	3DD3278DA8246469B80DD475E985281D
SHA1:	24FDBA605948F36037C80381B69E00ECE075898E
SHA256:	AE93F8B7AAC40CB0B61E2AD8C488163D755839B17B5B07680ABE86C5BF83206B
SSDEEP:	98304:XoPmPIhwsUqEP9P6fQNJY/2ccdW7LRBq+A0tNFobSbDlhajV/fUZZirhsn49BgUS:BGVOVq

.exe	\|	Win32 Executable Microsoft Visual Basic 6 (49)
.exe	\|	InstallShield setup (25.7)
.exe	\|	UPX compressed Win32 Executable (16.1)
.dll	\|	Win32 Dynamic Link Library (generic) (3.9)
.exe	\|	Win32 Executable (generic) (2.6)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2014:07:01 18:02:13+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	2.56
CodeSize:	86016
InitializedDataSize:	4096
UninitializedDataSize:	77824
EntryPoint:	0x1130
OSVersion:	4
ImageVersion:	1
SubsystemVersion:	4
Subsystem:	Windows command line

PID	Process	Filename		Type
1520	2025-06-21_3dd3278da8246469b80dd475e985281d_amadey_black-basta_cova_darkgate_elex_hijackloader_luca-stealer_remcos_rhada.exe	C:\Users\admin\Desktop\rifaien2-Rt0TFdnDGq4QearC.exe		executable
		MD5:CC6886E71F36CC276888B23049388950	SHA256:4AA2FE8351E06F1991BC076B631DB43EAF82F277CB90D0A97D42735792A95778

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5944	MoUsoCoreWorker.exe	GET	200	23.53.40.178:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.53.40.178:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3588	RUXIMICS.exe	GET	200	23.53.40.178:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3588	RUXIMICS.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1520	2025-06-21_3dd3278da8246469b80dd475e985281d_amadey_black-basta_cova_darkgate_elex_hijackloader_luca-stealer_remcos_rhada.exe	POST	301	172.67.183.40:80	http://wecan.hasthe.technology/upload	unknown	—	—	malicious
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3588	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	23.53.40.178:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3588	RUXIMICS.exe	23.53.40.178:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	23.53.40.178:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3588	RUXIMICS.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 51.104.136.2	whitelisted
google.com	142.250.186.78	whitelisted
crl.microsoft.com	23.53.40.178 23.53.40.176	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
wecan.hasthe.technology	172.67.183.40 104.21.59.199	malicious
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
self.events.data.microsoft.com	104.208.16.90	whitelisted

PID	Process	Class	Message
1520	2025-06-21_3dd3278da8246469b80dd475e985281d_amadey_black-basta_cova_darkgate_elex_hijackloader_luca-stealer_remcos_rhada.exe	Misc activity	ET INFO Generic HTTP EXE Upload Outbound
1520	2025-06-21_3dd3278da8246469b80dd475e985281d_amadey_black-basta_cova_darkgate_elex_hijackloader_luca-stealer_remcos_rhada.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Snojan malware uploading .exe

General Info

2025-06-21_3dd3278da8246469b80dd475e985281d_amadey_black-basta_cova_darkgate_elex_hijackloader_luca-stealer_remcos_rhada

3DD3278DA8246469B80DD475E985281D

24FDBA605948F36037C80381B69E00ECE075898E

AE93F8B7AAC40CB0B61E2AD8C488163D755839B17B5B07680ABE86C5BF83206B

98304:XoPmPIhwsUqEP9P6fQNJY/2ccdW7LRBq+A0tNFobSbDlhajV/fUZZirhsn49BgUS:BGVOVq

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SNOJAN has been detected (SURICATA)

SUSPICIOUS

Executable content was dropped or overwritten

INFO

Checks supported languages

Compiled with Borland Delphi (YARA)

UPX packer has been detected

Reads the computer name

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings