File name:

2025-05-15_132e0ad8d0c89f423892bf6842f7b12e_black-basta_elex_luca-stealer_tofsee

Full analysis: https://app.any.run/tasks/21892426-a09b-48d5-a859-0a85b0571c26
Verdict: Malicious activity
Analysis date: May 15, 2025, 20:57:09
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
tofsee
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:

132E0AD8D0C89F423892BF6842F7B12E

SHA1:

AA64CBF3FE227B1AFFAD29AEB10D783C3220DF95

SHA256:

BA0AF1EE91A580ADC328AB1E8464EAD9C9AA5AC67D88D4F0B1FC218B5EC1D6AC

SSDEEP:

6144:ekDvCqKOG2ZnmG/MiiGzWIApnPxyOb/AhtMoiKjifSQzGMfTkcDVVVVUpbTS:ekDjnmG/MRPxyTrFQdFDVVVVAT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • 2025-05-15_132e0ad8d0c89f423892bf6842f7b12e_black-basta_elex_luca-stealer_tofsee.exe (PID: 2108)

    • TOFSEE has been detected (YARA)

      • svchost.exe (PID: 5552)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-05-15_132e0ad8d0c89f423892bf6842f7b12e_black-basta_elex_luca-stealer_tofsee.exe (PID: 2108)

    • Executable content was dropped or overwritten

      • 2025-05-15_132e0ad8d0c89f423892bf6842f7b12e_black-basta_elex_luca-stealer_tofsee.exe (PID: 2108)

    • Executes application which crashes

      • 2025-05-15_132e0ad8d0c89f423892bf6842f7b12e_black-basta_elex_luca-stealer_tofsee.exe (PID: 2108)
      • xowuezgu.exe (PID: 4228)
      • xowuezgu.exe (PID: 4920)

    • Detected use of alternative data streams (AltDS)

      • svchost.exe (PID: 5428)
      • svchost.exe (PID: 5552)

    • Connects to SMTP port

      • svchost.exe (PID: 5428)
      • svchost.exe (PID: 5552)

  • INFO

    • Reads the computer name

      • 2025-05-15_132e0ad8d0c89f423892bf6842f7b12e_black-basta_elex_luca-stealer_tofsee.exe (PID: 2108)
      • xowuezgu.exe (PID: 4228)
      • xowuezgu.exe (PID: 4920)

    • Create files in a temporary directory

      • 2025-05-15_132e0ad8d0c89f423892bf6842f7b12e_black-basta_elex_luca-stealer_tofsee.exe (PID: 2108)

    • Checks supported languages

      • 2025-05-15_132e0ad8d0c89f423892bf6842f7b12e_black-basta_elex_luca-stealer_tofsee.exe (PID: 2108)
      • xowuezgu.exe (PID: 4228)
      • xowuezgu.exe (PID: 4920)

    • Process checks computer location settings

      • 2025-05-15_132e0ad8d0c89f423892bf6842f7b12e_black-basta_elex_luca-stealer_tofsee.exe (PID: 2108)

    • Auto-launch of the file from Registry key

      • 2025-05-15_132e0ad8d0c89f423892bf6842f7b12e_black-basta_elex_luca-stealer_tofsee.exe (PID: 2108)

    • Manual execution by a user

      • xowuezgu.exe (PID: 4920)

    • Reads the software policy settings

      • slui.exe (PID: 5384)

    • Checks proxy server information

      • slui.exe (PID: 5384)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:05:14 23:15:11+00:00
ImageFileCharacteristics: Executable, Aggressive working-set trim, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 175104
InitializedDataSize: 304640
UninitializedDataSize: -
EntryPoint: 0x1840
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
138
Monitored processes
11
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start 2025-05-15_132e0ad8d0c89f423892bf6842f7b12e_black-basta_elex_luca-stealer_tofsee.exe wusa.exe no specs wusa.exe xowuezgu.exe svchost.exe werfault.exe no specs werfault.exe no specs xowuezgu.exe #TOFSEE svchost.exe werfault.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1056"C:\Windows\System32\wusa.exe" C:\Windows\SysWOW64\wusa.exe2025-05-15_132e0ad8d0c89f423892bf6842f7b12e_black-basta_elex_luca-stealer_tofsee.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Update Standalone Installer
Exit code:
3221226540
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
2108"C:\Users\admin\Desktop\2025-05-15_132e0ad8d0c89f423892bf6842f7b12e_black-basta_elex_luca-stealer_tofsee.exe" C:\Users\admin\Desktop\2025-05-15_132e0ad8d0c89f423892bf6842f7b12e_black-basta_elex_luca-stealer_tofsee.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\desktop\2025-05-15_132e0ad8d0c89f423892bf6842f7b12e_black-basta_elex_luca-stealer_tofsee.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
4228"C:\Users\admin\xowuezgu.exe" /d"C:\Users\admin\Desktop\2025-05-15_132e0ad8d0c89f423892bf6842f7b12e_black-basta_elex_luca-stealer_tofsee.exe" /e550302100000007FC:\Users\admin\xowuezgu.exe
2025-05-15_132e0ad8d0c89f423892bf6842f7b12e_black-basta_elex_luca-stealer_tofsee.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\xowuezgu.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
4696"C:\WINDOWS\SysWOW64\wusa.exe" C:\Windows\SysWOW64\wusa.exe
2025-05-15_132e0ad8d0c89f423892bf6842f7b12e_black-basta_elex_luca-stealer_tofsee.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Update Standalone Installer
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
4920"C:\Users\admin\xowuezgu.exe"C:\Users\admin\xowuezgu.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\xowuezgu.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
5204C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4920 -s 556C:\Windows\SysWOW64\WerFault.exexowuezgu.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
5244C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4228 -s 596C:\Windows\SysWOW64\WerFault.exexowuezgu.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
5384C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5428svchost.exeC:\Windows\SysWOW64\svchost.exe
xowuezgu.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
5552svchost.exeC:\Windows\SysWOW64\svchost.exe
xowuezgu.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
Total events
5 319
Read events
5 316
Write events
2
Delete events
1

Modification events

(PID) Process:(2108) 2025-05-15_132e0ad8d0c89f423892bf6842f7b12e_black-basta_elex_luca-stealer_tofsee.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:bclkamev
Value:
"C:\Users\admin\xowuezgu.exe"
(PID) Process:(5428) svchost.exeKey:HKEY_CURRENT_USER\Control Panel\Buses
Operation:writeName:Config0
Value:
008D0D3DB2F8343D24EDB47D450DD49D084297DCE82E72BAA49240FDE422031D0938B8994FCD945D24EDB47D470DD49D024195DAF71261ADC06D04FDA6E22673BBC9154961CDA56B16DC854C763FE0AB644490BDB5792CE49D5B0CC4F3BC54758DF21D5904E0A66812D8814B773CD4F10B4C90D8F6127DB9A45E34
(PID) Process:(5428) svchost.exeKey:HKEY_CURRENT_USER\Control Panel\Buses
Operation:delete valueName:Config1
Value:
Executable files
2
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
21082025-05-15_132e0ad8d0c89f423892bf6842f7b12e_black-basta_elex_luca-stealer_tofsee.exeC:\Users\admin\xowuezgu.exeexecutable
MD5:FB5C1EBF11E1F335629F42A458FBCA84
SHA256:FC9F53949AA56948756B8146765D4010F42FFC443EBD176E924F620F91F898E1
5428svchost.exeC:\Users\admin:.reposbinary
MD5:48B6867E8963DB0AA585C0F691A5E326
SHA256:D103C47BE90F7F4CBA1CB4ECA45194FA2DBFEFBF9D36BB47C77CFE8A59FA9DE5
21082025-05-15_132e0ad8d0c89f423892bf6842f7b12e_black-basta_elex_luca-stealer_tofsee.exeC:\Users\admin\AppData\Local\Temp\dbkluqfb.exeexecutable
MD5:5D310AFC50FBEA9C201712D0229D7313
SHA256:9CD7764B99467A60CD9766E9F0A32A36B87DF6868E8F0E906B9F2CF649811BAC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
30
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2104
svchost.exe
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
2.19.11.105:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
2104
svchost.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5428
svchost.exe
13.107.253.44:80
microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5428
svchost.exe
52.101.10.10:25
microsoft-com.mail.protection.outlook.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5428
svchost.exe
43.231.4.7:443
Gigabit Hosting Sdn Bhd
MY
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 2.19.11.105
  • 2.19.11.120
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
microsoft.com
  • 13.107.253.44
whitelisted
microsoft-com.mail.protection.outlook.com
  • 52.101.10.10
  • 52.101.10.1
  • 52.101.40.4
  • 52.101.40.6
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-15_132e0ad8d0c89f423892bf6842f7b12e_black-basta_elex_luca-stealer_tofsee