File name:

2025-05-16_c471a6a85d6882ba1c6425380d7a4508_black-basta_coinminer_elex_gcleaner_hijackloader_remcos

Full analysis: https://app.any.run/tasks/84bc5b94-acdb-49a1-a81b-44e12f6a0ecd
Verdict: Malicious activity
Analysis date: May 16, 2025, 02:18:56
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
canbis
worm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

C471A6A85D6882BA1C6425380D7A4508

SHA1:

B80C212B8B5FD1A432DD353748CDEA7C1D109D3E

SHA256:

C80191DC4852744473B8B02CDA0E3CC86F060B4494E54C40347BA31F23056893

SSDEEP:

98304:zSYpVEm5sn6gNEkdfaTgmHihuRB3FKMvXj07kkFGZur7yv5FkGSthza1U7SZRYyc:5MGWZrhhR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • CANBIS mutex has been found

      • 2025-05-16_c471a6a85d6882ba1c6425380d7a4508_black-basta_coinminer_elex_gcleaner_hijackloader_remcos.exe (PID: 7428)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-05-16_c471a6a85d6882ba1c6425380d7a4508_black-basta_coinminer_elex_gcleaner_hijackloader_remcos.exe (PID: 7428)

    • Executable content was dropped or overwritten

      • 2025-05-16_c471a6a85d6882ba1c6425380d7a4508_black-basta_coinminer_elex_gcleaner_hijackloader_remcos.exe (PID: 7428)

    • There is functionality for communication over UDP network (YARA)

      • 2025-05-16_c471a6a85d6882ba1c6425380d7a4508_black-basta_coinminer_elex_gcleaner_hijackloader_remcos.exe (PID: 7428)

  • INFO

    • The sample compiled with english language support

      • 2025-05-16_c471a6a85d6882ba1c6425380d7a4508_black-basta_coinminer_elex_gcleaner_hijackloader_remcos.exe (PID: 7428)

    • Process checks computer location settings

      • 2025-05-16_c471a6a85d6882ba1c6425380d7a4508_black-basta_coinminer_elex_gcleaner_hijackloader_remcos.exe (PID: 7428)

    • Failed to create an executable file in Windows directory

      • 2025-05-16_c471a6a85d6882ba1c6425380d7a4508_black-basta_coinminer_elex_gcleaner_hijackloader_remcos.exe (PID: 7428)

    • Checks supported languages

      • 2025-05-16_c471a6a85d6882ba1c6425380d7a4508_black-basta_coinminer_elex_gcleaner_hijackloader_remcos.exe (PID: 7428)

    • Reads the computer name

      • 2025-05-16_c471a6a85d6882ba1c6425380d7a4508_black-basta_coinminer_elex_gcleaner_hijackloader_remcos.exe (PID: 7428)

    • Checks proxy server information

      • slui.exe (PID: 7824)

    • Reads the software policy settings

      • slui.exe (PID: 7824)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (57.2)
.exe | Win32 Executable Borland Delphi 5 (38.8)
.exe | Win32 Executable Delphi generic (1.2)
.scr | Windows screen saver (1.1)
.dll | Win32 Dynamic Link Library (generic) (0.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 46080
InitializedDataSize: 7680
UninitializedDataSize: -
EntryPoint: 0xc254
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
120
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #CANBIS 2025-05-16_c471a6a85d6882ba1c6425380d7a4508_black-basta_coinminer_elex_gcleaner_hijackloader_remcos.exe 0622970978.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
7428"C:\Users\admin\Desktop\2025-05-16_c471a6a85d6882ba1c6425380d7a4508_black-basta_coinminer_elex_gcleaner_hijackloader_remcos.exe" C:\Users\admin\Desktop\2025-05-16_c471a6a85d6882ba1c6425380d7a4508_black-basta_coinminer_elex_gcleaner_hijackloader_remcos.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\2025-05-16_c471a6a85d6882ba1c6425380d7a4508_black-basta_coinminer_elex_gcleaner_hijackloader_remcos.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7476"C:\Users\admin\Desktop\0622970978.exe" C:\Users\admin\Desktop\0622970978.exe2025-05-16_c471a6a85d6882ba1c6425380d7a4508_black-basta_coinminer_elex_gcleaner_hijackloader_remcos.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe PDF Broker Process for Internet Explorer
Version:
24.5.20320.0
Modules
Images
c:\users\admin\desktop\0622970978.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
7824C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 985
Read events
3 985
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
74282025-05-16_c471a6a85d6882ba1c6425380d7a4508_black-basta_coinminer_elex_gcleaner_hijackloader_remcos.exeC:\Users\admin\Desktop\4020240643.exeexecutable
MD5:C471A6A85D6882BA1C6425380D7A4508
SHA256:C80191DC4852744473B8B02CDA0E3CC86F060B4494E54C40347BA31F23056893
74282025-05-16_c471a6a85d6882ba1c6425380d7a4508_black-basta_coinminer_elex_gcleaner_hijackloader_remcos.exeC:\Users\admin\Desktop\0622970978.exeexecutable
MD5:F812D61F153801492B4864678B75A36F
SHA256:3D6FF7C57415C6CF95733E1AF934F3E8FE057B8150A9B71BF79D7FBF1502BAB2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
20
DNS requests
4
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
7276
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7824
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.206
whitelisted
uk.undernet.org
unknown
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-16_c471a6a85d6882ba1c6425380d7a4508_black-basta_coinminer_elex_gcleaner_hijackloader_remcos