File name:	2025-05-16_15d4b81bdf256d913591cd4987a52503_amadey_black-basta_elex_gcleaner_hijackloader_remcos_smoke-loader
Full analysis:	https://app.any.run/tasks/5b636706-d72e-4b62-88b2-0c8c5b786836
Verdict:	Malicious activity
Analysis date:	May 16, 2025, 09:33:05
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	canbis worm
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:	15D4B81BDF256D913591CD4987A52503
SHA1:	9803AAF02C70502FCBEF739345018F053B98434C
SHA256:	C80F382193C6643CB7725AA29B5D01D8CB44F818D1B8910CE03634E68424C77C
SSDEEP:	98304:zSYpVEm5sn6gNEkdfaTgmHihuRB3FKMvXj07kkFGZur7yv5FkGSthza1U7SZRYyg:5MGWGkVZv2bxSfKlUcLdK

.exe	\|	Win32 Executable Borland Delphi 7 (57.2)
.exe	\|	Win32 Executable Borland Delphi 5 (38.8)
.exe	\|	Win32 Executable Delphi generic (1.2)
.scr	\|	Windows screen saver (1.1)
.dll	\|	Win32 Dynamic Link Library (generic) (0.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	1992:06:19 22:22:17+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	46080
InitializedDataSize:	7680
UninitializedDataSize:	-
EntryPoint:	0xc254
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI

PID	Process	Filename		Type
7704	2025-05-16_15d4b81bdf256d913591cd4987a52503_amadey_black-basta_elex_gcleaner_hijackloader_remcos_smoke-loader.exe	C:\Users\admin\Desktop\9732887500.exe		executable
		MD5:96B61B8E069832E6B809F24EA74567BA	SHA256:E554425243E3E8CA1CD5FE550DB41E6FA58A007C74FAD400274B128452F38FB8
7768	9732887500.exe	C:\Users\admin\AppData\Local\Temp\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\.ba1\wixstdba.dll		executable
		MD5:A52E5220EFB60813B31A82D101A97DCB	SHA256:E7C8E7EDD9112137895820E789BAAAECA41626B01FB99FEDE82968DDB66D02CF
7768	9732887500.exe	C:\Users\admin\AppData\Local\Temp\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\.ba1\thm.xml		xml
		MD5:0056F10A42638EA8B4BEFC614741DDD6	SHA256:6B1BA0DEA830E556A58C883290FAA5D49C064E546CBFCD0451596A10CC693F87
7768	9732887500.exe	C:\Users\admin\AppData\Local\Temp\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\.ba1\logo.png		image
		MD5:D6BD210F227442B3362493D046CEA233	SHA256:335A256D4779EC5DCF283D007FB56FD8211BBCAF47DCD70FE60DED6A112744EF
7768	9732887500.exe	C:\Users\admin\AppData\Local\Temp\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\.ba1\BootstrapperApplicationData.xml		xml
		MD5:0BD4FA44198EB101D1F070BB99A12C0B	SHA256:54BF9F4BC4ADCBBA99AEF3C048522C23822D3DDAB51891DCBA3B6F59192A2B28
7768	9732887500.exe	C:\Users\admin\AppData\Local\Temp\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\.ba1\license.rtf		text
		MD5:1E47EE7B71B22488068343DF4CE30534	SHA256:8518F0420972C1DBE8A323FFC6F57863AF0B80C6A3B27FD0C6FC9BDABB7E2D13
7768	9732887500.exe	C:\Users\admin\AppData\Local\Temp\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\.ba1\thm.wxl		xml
		MD5:FBFCBC4DACC566A3C426F43CE10907B6	SHA256:70400F181D00E1769774FF36BCD8B1AB5FBC431418067D31B876D18CC04EF4CE
7704	2025-05-16_15d4b81bdf256d913591cd4987a52503_amadey_black-basta_elex_gcleaner_hijackloader_remcos_smoke-loader.exe	C:\Users\admin\Desktop\3271425776.exe		executable
		MD5:15D4B81BDF256D913591CD4987A52503	SHA256:C80F382193C6643CB7725AA29B5D01D8CB44F818D1B8910CE03634E68424C77C

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
8100	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	23.216.77.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
8100	SIHClient.exe	GET	200	2.19.11.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
8100	SIHClient.exe	GET	200	2.19.11.120:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
8100	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
8100	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
8100	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
8100	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
2104	svchost.exe	23.216.77.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2104	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	20.190.160.128:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	20.190.160.128:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
2104	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
google.com	142.250.185.174	whitelisted
client.wns.windows.com	172.211.123.249 172.211.123.250	whitelisted
crl.microsoft.com	23.216.77.12 23.216.77.34 23.216.77.10 23.216.77.30 23.216.77.23 23.216.77.22 23.216.77.33 23.216.77.25 2.19.11.120 2.19.11.105	whitelisted
www.microsoft.com	23.35.229.160 95.101.149.131	whitelisted
login.live.com	20.190.160.128 40.126.32.74 40.126.32.76 40.126.32.136 20.190.160.130 40.126.32.138 20.190.160.20 20.190.160.14	whitelisted
uk.undernet.org	—	unknown
slscr.update.microsoft.com	4.175.87.197	whitelisted
fe3cr.delivery.mp.microsoft.com	20.3.187.198	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

General Info

2025-05-16_15d4b81bdf256d913591cd4987a52503_amadey_black-basta_elex_gcleaner_hijackloader_remcos_smoke-loader

15D4B81BDF256D913591CD4987A52503

9803AAF02C70502FCBEF739345018F053B98434C

C80F382193C6643CB7725AA29B5D01D8CB44F818D1B8910CE03634E68424C77C

98304:zSYpVEm5sn6gNEkdfaTgmHihuRB3FKMvXj07kkFGZur7yv5FkGSthza1U7SZRYyg:5MGWGkVZv2bxSfKlUcLdK

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

CANBIS mutex has been found

SUSPICIOUS

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Searches for installed software

There is functionality for communication over UDP network (YARA)

INFO

Checks supported languages

Reads the computer name

The sample compiled with english language support

Process checks computer location settings

Failed to create an executable file in Windows directory

Create files in a temporary directory

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings