File name:

2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos

Full analysis: https://app.any.run/tasks/c6c85334-35a4-4207-8600-4bdad9c02caa
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: May 19, 2025, 04:01:41
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
sality
sainbox
rat
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5:

7979657D7945B1BE81A509479412144B

SHA1:

BA9CCB5E6BEF0BEFE8A9D70B90B4286EE3AC2391

SHA256:

B8BECED6C4FA577BE54E5803552075B359645545C895F2B91E5168AD806BDBB2

SSDEEP:

98304:YRc2azU46Ef94kGBbTjMwbHJyEHH6I7W61PfLTdOyyxglJJ1b/5AXOfJhnfYubYg:Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • UAC/LUA settings modification

      • 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7340)

    • Disables Windows firewall

      • 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7340)

    • Changes firewall settings

      • 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7340)

    • SALITY mutex has been found

      • 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7340)

    • SALITY has been detected

      • 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7340)

    • Changes Security Center notification settings

      • 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7340)

    • SAINBOX has been detected

      • 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7340)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7340)

    • Reads security settings of Internet Explorer

      • ShellExperienceHost.exe (PID: 7504)

  • INFO

    • Reads the computer name

      • 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7340)
      • ShellExperienceHost.exe (PID: 7504)

    • The sample compiled with english language support

      • 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7340)

    • Checks supported languages

      • 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7340)
      • ShellExperienceHost.exe (PID: 7504)

    • Reads the machine GUID from the registry

      • 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7340)

    • Reads the software policy settings

      • slui.exe (PID: 4008)

    • Create files in a temporary directory

      • 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7340)

    • The sample compiled with chinese language support

      • 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7340)

    • Creates files in the program directory

      • 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7340)

    • Creates files or folders in the user directory

      • 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7340)

    • UPX packer has been detected

      • 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe (PID: 7340)

    • Checks proxy server information

      • slui.exe (PID: 4008)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:11:25 08:04:07+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 2929664
InitializedDataSize: 1573888
UninitializedDataSize: -
EntryPoint: 0x217082
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 3.10.2316.80
ProductVersionNumber: 3.10.2316.80
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Tencent
FileDescription: 腾讯手游助手 - 升级程序
FileVersion: 3.10.2316.80
InternalName: Update
LegalCopyright: Copyright © 2020 Tencent. All Rights Reserved.
OriginalFileName: Update.exe
ProductName: 腾讯手游助手
ProductVersion: 3,10,2316,80
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #SALITY 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe shellexperiencehost.exe no specs slui.exe 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
4008C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7280"C:\Users\admin\Desktop\2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe" C:\Users\admin\Desktop\2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeexplorer.exe
User:
admin
Company:
Tencent
Integrity Level:
MEDIUM
Description:
腾讯手游助手 - 升级程序
Exit code:
3221226540
Version:
3.10.2316.80
Modules
Images
c:\users\admin\desktop\2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
7340"C:\Users\admin\Desktop\2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe" C:\Users\admin\Desktop\2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe
explorer.exe
User:
admin
Company:
Tencent
Integrity Level:
HIGH
Description:
腾讯手游助手 - 升级程序
Exit code:
0
Version:
3.10.2316.80
Modules
Images
c:\users\admin\desktop\2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
7504"C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mcaC:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Shell Experience Host
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\wincorlib.dll
Total events
4 946
Read events
4 912
Write events
34
Delete events
0

Modification events

(PID) Process:(7340) 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:AntiVirusOverride
Value:
1
(PID) Process:(7340) 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:AntiVirusDisableNotify
Value:
1
(PID) Process:(7340) 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:FirewallDisableNotify
Value:
1
(PID) Process:(7340) 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:FirewallOverride
Value:
1
(PID) Process:(7340) 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:UpdatesDisableNotify
Value:
1
(PID) Process:(7340) 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:UacDisableNotify
Value:
1
(PID) Process:(7340) 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:GlobalUserOffline
Value:
0
(PID) Process:(7340) 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:EnableLUA
Value:
0
(PID) Process:(7340) 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Operation:writeName:EnableFirewall
Value:
0
(PID) Process:(7340) 2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Operation:writeName:DoNotAllowExceptions
Value:
0
Executable files
2
Suspicious files
1
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
73402025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeC:\Windows\system.inibinary
MD5:DC5A4A35E9C9070C4472556159663DA3
SHA256:0FB0360ABC771FC3E4514970244A3D758A9445FE2441730EB2CC9E0E2B7A4D62
73402025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeC:\Users\admin\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.dbtext
MD5:3A1E37285EC95E84C1A39D06CA44E560
SHA256:9618F77C10F739DC8CA65D549D671715BFD1E69D892EC496409F6245777FDBF6
73402025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeC:\Users\admin\AppData\Local\Temp\TUpdateLog\20250519_040153_353.logtext
MD5:6D8AFEB9F35384CBCE40A34C5A438D3D
SHA256:7DAA1B0F510CFE3AB450A8AABC361A7492C37FE65295E2A154806368DC00A6B6
73402025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeC:\Users\admin\AppData\Roaming\Tencent\beacon\GlobalMgr.dbtext
MD5:3A1E37285EC95E84C1A39D06CA44E560
SHA256:9618F77C10F739DC8CA65D549D671715BFD1E69D892EC496409F6245777FDBF6
73402025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeC:\Users\admin\AppData\Local\Temp\winwqqova.exeexecutable
MD5:B360FA63134A63F9ACFE046D2DFE10D9
SHA256:03E0C6C4CA8A24F961477887763397045E67862E059F7494014AEFC21891D40E
73402025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos.exeC:\Users\admin\Desktop\dr.dllexecutable
MD5:E58C7D21A08F8038F2D69CBBAE4E7484
SHA256:7083BBA256B59C5E9BA62F700B858E0968169653CEC8284E5E0C6E0098E9E191
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
31
DNS requests
11
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4024
RUXIMICS.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4024
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5496
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4024
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4024
RUXIMICS.exe
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4024
RUXIMICS.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
oth.eve.mdt.qq.com
  • 101.33.47.206
  • 101.33.47.68
whitelisted
yybadaccess.3g.qq.com
  • 129.226.102.75
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-19_7979657d7945b1be81a509479412144b_black-basta_darkgate_elex_gcleaner_luca-stealer_remcos