| File name: | 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn |
| Full analysis: | https://app.any.run/tasks/5a8eccb4-be99-4d9e-8e29-7bea631b80be |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | June 14, 2025, 13:56:02 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections |
| MD5: | 8508B27A9C186FF0C311DDF24FF610FE |
| SHA1: | DE145DC402B558694A6EC2569A6651BCA3348F05 |
| SHA256: | BCF86C952BF9A64EDE6E92FD9B83B4E6493109DBED34200A0BF65350B295A4EE |
| SSDEEP: | 98304:HcBs0dqFRzbbCJ2nEvjwQk3FznfVPp2+MQzzB5w/OY+/vgCbUfEuDPdp7ZXusY7g:5lIgwFdx |
MALICIOUS
JEEFO has been detected
- 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe (PID: 5712)
- icsys.icn.exe (PID: 7052)
- explorer.exe (PID: 1480)
- svchost.exe (PID: 5456)
Changes the autorun value in the registry
- explorer.exe (PID: 1480)
- svchost.exe (PID: 5456)
Actions looks like stealing of personal data
- 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe (PID: 5808)
SUSPICIOUS
Executable content was dropped or overwritten
- 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe (PID: 5712)
- icsys.icn.exe (PID: 7052)
- explorer.exe (PID: 1480)
- spoolsv.exe (PID: 3936)
Starts application with an unusual extension
- 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe (PID: 5712)
Starts itself from another location
- 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe (PID: 5712)
- icsys.icn.exe (PID: 7052)
- explorer.exe (PID: 1480)
- spoolsv.exe (PID: 3936)
- svchost.exe (PID: 5456)
The process creates files with name similar to system file names
- icsys.icn.exe (PID: 7052)
- spoolsv.exe (PID: 3936)
Reads Microsoft Outlook installation path
- 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe (PID: 5808)
Reads security settings of Internet Explorer
- 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe (PID: 5808)
Creates or modifies Windows services
- svchost.exe (PID: 5456)
Reads Internet Explorer settings
- 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe (PID: 5808)
INFO
Checks supported languages
- 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe (PID: 5712)
- 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe (PID: 5808)
- icsys.icn.exe (PID: 7052)
- explorer.exe (PID: 1480)
- spoolsv.exe (PID: 3936)
- spoolsv.exe (PID: 6268)
- svchost.exe (PID: 5456)
The sample compiled with english language support
- 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe (PID: 5712)
- icsys.icn.exe (PID: 7052)
- explorer.exe (PID: 1480)
- spoolsv.exe (PID: 3936)
Create files in a temporary directory
- 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe (PID: 5712)
- icsys.icn.exe (PID: 7052)
- explorer.exe (PID: 1480)
- svchost.exe (PID: 5456)
- spoolsv.exe (PID: 3936)
- spoolsv.exe (PID: 6268)
- 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe (PID: 5808)
Reads the computer name
- 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe (PID: 5808)
- svchost.exe (PID: 5456)
Checks proxy server information
- 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe (PID: 5808)
- slui.exe (PID: 4892)
Launching a file from a Registry key
- svchost.exe (PID: 5456)
- explorer.exe (PID: 1480)
Manual execution by a user
- explorer.exe (PID: 1052)
- svchost.exe (PID: 1100)
Reads the software policy settings
- slui.exe (PID: 4892)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable (generic) (52.9) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (23.5) |
| .exe | | | DOS Executable Generic (23.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2013:04:01 07:08:22+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 106496 |
| InitializedDataSize: | 12288 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x290c |
| OSVersion: | 4 |
| ImageVersion: | 1 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| ProductName: | Project1 |
| FileVersion: | 1 |
| ProductVersion: | 1 |
| InternalName: | TJprojMain |
| OriginalFileName: | TJprojMain.exe |
Total processes
142
Monitored processes
11
Malicious processes
6
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1052 | c:\windows\resources\themes\explorer.exe RO | C:\Windows\Resources\Themes\explorer.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Version: 1.00 Modules
| |||||||||||||||
| 1100 | c:\windows\resources\svchost.exe RO | C:\Windows\Resources\svchost.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Version: 1.00 Modules
| |||||||||||||||
| 1480 | c:\windows\resources\themes\explorer.exe | C:\Windows\Resources\Themes\explorer.exe | icsys.icn.exe | ||||||||||||
User: admin Integrity Level: HIGH Version: 1.00 Modules
| |||||||||||||||
| 3936 | c:\windows\resources\spoolsv.exe SE | C:\Windows\Resources\spoolsv.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Version: 1.00 Modules
| |||||||||||||||
| 4892 | "C:\Users\admin\Desktop\2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe" | C:\Users\admin\Desktop\2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Version: 1.00 Modules
| |||||||||||||||
| 4892 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5456 | c:\windows\resources\svchost.exe | C:\Windows\Resources\svchost.exe | spoolsv.exe | ||||||||||||
User: admin Integrity Level: HIGH Version: 1.00 Modules
| |||||||||||||||
| 5712 | "C:\Users\admin\Desktop\2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe" | C:\Users\admin\Desktop\2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Version: 1.00 Modules
| |||||||||||||||
| 5808 | c:\users\admin\desktop\2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe | C:\Users\admin\Desktop\2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe | 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Version: 1.0 Modules
| |||||||||||||||
| 6268 | c:\windows\resources\spoolsv.exe PR | C:\Windows\Resources\spoolsv.exe | — | svchost.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Version: 1.00 Modules
| |||||||||||||||
Total events
4 556
Read events
4 531
Write events
21
Delete events
4
Modification events
| (PID) Process: | (7052) icsys.icn.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process |
| Operation: | write | Name: | LO |
Value: 1 | |||
| (PID) Process: | (5808) 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main |
| Operation: | write | Name: | DisableFirstRunCustomize |
Value: 1 | |||
| (PID) Process: | (5712) 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process |
| Operation: | write | Name: | LO |
Value: 1 | |||
| (PID) Process: | (5808) 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Media Get LLC\MediaGet2-systemScope\mediaget_info |
| Operation: | write | Name: | hasDownloadedUpdate |
Value: false | |||
| (PID) Process: | (5808) 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (5808) 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (5808) 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (5808) 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch |
| Operation: | write | Name: | Version |
Value: WS not running | |||
| (PID) Process: | (5456) svchost.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce |
| Operation: | write | Name: | Explorer |
Value: c:\windows\resources\themes\explorer.exe RO | |||
| (PID) Process: | (5456) svchost.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce |
| Operation: | write | Name: | Svchost |
Value: c:\windows\resources\svchost.exe RO | |||
Executable files
5
Suspicious files
6
Text files
4
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5712 | 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe | C:\Windows\Resources\Themes\icsys.icn.exe | executable | |
MD5:BD2CD3CC358BE5832C1BC29D5E1732F3 | SHA256:574802A0C9A1DD3D8CF8EA0BDDA9E13656A12B0F108B5B4578D5043B57C45FB5 | |||
| 3936 | spoolsv.exe | C:\Windows\Resources\svchost.exe | executable | |
MD5:43AA7682203AA33F06BD0B8D0A4B4B37 | SHA256:255D442A2AB0413E3D3101E2BE024645BB2FCDD6E6579AEE966FA1582F7EE235 | |||
| 5808 | 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe | C:\Users\admin\AppData\Local\Temp\mediaget-installer-tmp\page-wait.png | image | |
MD5:A8210694C45753A7A027296EF745E316 | SHA256:14DE6662062ADC45202E2021AA4D60E98637DC892A22ACB2C7CC16DA3344C14D | |||
| 7052 | icsys.icn.exe | C:\Windows\Resources\Themes\explorer.exe | executable | |
MD5:C237CEE172F32B5D014FD1BBBB5C6305 | SHA256:EF4541C633826F0B14443386FA0D0660BDC28A9F00646CE74953E892E6FA7082 | |||
| 5808 | 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe | C:\Users\admin\AppData\Local\Temp\mediaget-installer-tmp\Montserrat-Regular.eot | binary | |
MD5:2DD0A1DE870AF34D48D43B7CAD82B8D9 | SHA256:057BC6C47C47AACCDF31ADC48A6B401F6090A02C28E354099EFF80907DC2AF32 | |||
| 5808 | 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe | C:\Users\admin\AppData\Local\Temp\mediaget-installer-tmp\preloader.html | html | |
MD5:A03BFDC6FBC9F051E37F8050E0E6B305 | SHA256:93295EF076AD43849ED5A4389990C86002B7ECD78C675EEB62932809A8B9248F | |||
| 5712 | 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe | C:\Users\admin\Desktop\2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe | executable | |
MD5:A9D291B7640244FA347ACDDE042B0141 | SHA256:C729612B7B9CA8B1EFA0A014DCC55BCB15228398907CA9746BFE6BE9AA0F1ACC | |||
| 3936 | spoolsv.exe | C:\Users\admin\AppData\Local\Temp\~DFA7120312EAB6AF9B.TMP | binary | |
MD5:1C560AEA24B9B04D6BBAB8767117EE71 | SHA256:420DD72C0E50D3AED23AB24EFAB8724E9B3FBC5C28C7B5F37A855FA428CC6DC7 | |||
| 1480 | explorer.exe | C:\Windows\Resources\spoolsv.exe | executable | |
MD5:82417D8F738D595A2108B35BC50B3527 | SHA256:5A4B90A38F1E5123DC47EF3D90FA37F0840B5BE33DDBE3C7A44BBBD3C13CA00F | |||
| 5808 | 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe | C:\Users\admin\AppData\Local\Temp\mediaget-installer-tmp\translations.json | binary | |
MD5:28AA84D5ACDFF22EA8F5834721E78FF7 | SHA256:DB24A9E9715861D73106D3B36D93EB2C38E04934BBDA559F747F1C253241691F | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
26
DNS requests
8
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6012 | RUXIMICS.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
6012 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6012 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5808 | 2025-06-14_8508b27a9c186ff0c311ddf24ff610fe_amadey_black-basta_coinminer_elex_hijackloader_luca-stealer_smoke-loader_swisyn.exe | 51.158.227.48:443 | mediaget.com | Online S.a.s. | FR | suspicious |
1268 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5944 | MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
6012 | RUXIMICS.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1268 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
mediaget.com |
| unknown |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |