File name:

2025-04-29_87af8e607cf582585bddceb71a26adaa_black-basta_elex_luca-stealer

Full analysis: https://app.any.run/tasks/d66d6504-14d7-416d-bee4-ea84d7a75e4b
Verdict: Malicious activity
Analysis date: April 29, 2025, 16:33:15
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
tofsee
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:

87AF8E607CF582585BDDCEB71A26ADAA

SHA1:

6214A6A645437EDD1674EE0A3D41CB797E8BACEC

SHA256:

D270C2CB8B904FCF9E64BC6F279F2A8FB83FD6E55D1E12C5A593F1806DC84E4A

SSDEEP:

49152:n9uv4cOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO+:n0Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • TOFSEE has been detected (YARA)

      • 2025-04-29_87af8e607cf582585bddceb71a26adaa_black-basta_elex_luca-stealer.exe (PID: 660)
      • svchost.exe (PID: 6644)

    • Changes the autorun value in the registry

      • 2025-04-29_87af8e607cf582585bddceb71a26adaa_black-basta_elex_luca-stealer.exe (PID: 660)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-04-29_87af8e607cf582585bddceb71a26adaa_black-basta_elex_luca-stealer.exe (PID: 660)

    • Executes application which crashes

      • 2025-04-29_87af8e607cf582585bddceb71a26adaa_black-basta_elex_luca-stealer.exe (PID: 660)
      • tvozgocs.exe (PID: 4488)
      • tvozgocs.exe (PID: 516)

    • Detected use of alternative data streams (AltDS)

      • svchost.exe (PID: 736)
      • svchost.exe (PID: 6644)

    • Connects to SMTP port

      • svchost.exe (PID: 6644)
      • svchost.exe (PID: 736)

    • Reads security settings of Internet Explorer

      • 2025-04-29_87af8e607cf582585bddceb71a26adaa_black-basta_elex_luca-stealer.exe (PID: 660)

  • INFO

    • Reads the computer name

      • 2025-04-29_87af8e607cf582585bddceb71a26adaa_black-basta_elex_luca-stealer.exe (PID: 660)
      • tvozgocs.exe (PID: 4488)
      • tvozgocs.exe (PID: 516)

    • Checks supported languages

      • 2025-04-29_87af8e607cf582585bddceb71a26adaa_black-basta_elex_luca-stealer.exe (PID: 660)
      • tvozgocs.exe (PID: 4488)
      • tvozgocs.exe (PID: 516)

    • Create files in a temporary directory

      • 2025-04-29_87af8e607cf582585bddceb71a26adaa_black-basta_elex_luca-stealer.exe (PID: 660)

    • Process checks computer location settings

      • 2025-04-29_87af8e607cf582585bddceb71a26adaa_black-basta_elex_luca-stealer.exe (PID: 660)

    • Auto-launch of the file from Registry key

      • 2025-04-29_87af8e607cf582585bddceb71a26adaa_black-basta_elex_luca-stealer.exe (PID: 660)

    • Reads the software policy settings

      • slui.exe (PID: 6540)

    • Manual execution by a user

      • tvozgocs.exe (PID: 516)

    • Checks proxy server information

      • slui.exe (PID: 6540)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:12:12 22:38:48+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 87552
InitializedDataSize: 33904640
UninitializedDataSize: -
EntryPoint: 0x1fe3
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
142
Monitored processes
11
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start #TOFSEE 2025-04-29_87af8e607cf582585bddceb71a26adaa_black-basta_elex_luca-stealer.exe wusa.exe no specs wusa.exe tvozgocs.exe werfault.exe no specs tvozgocs.exe svchost.exe werfault.exe no specs #TOFSEE svchost.exe werfault.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
516"C:\Users\admin\tvozgocs.exe"C:\Users\admin\tvozgocs.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\tvozgocs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
660"C:\Users\admin\Desktop\2025-04-29_87af8e607cf582585bddceb71a26adaa_black-basta_elex_luca-stealer.exe" C:\Users\admin\Desktop\2025-04-29_87af8e607cf582585bddceb71a26adaa_black-basta_elex_luca-stealer.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\desktop\2025-04-29_87af8e607cf582585bddceb71a26adaa_black-basta_elex_luca-stealer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
736svchost.exeC:\Windows\SysWOW64\svchost.exe
tvozgocs.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
2236C:\WINDOWS\SysWOW64\WerFault.exe -u -p 660 -s 916C:\Windows\SysWOW64\WerFault.exe2025-04-29_87af8e607cf582585bddceb71a26adaa_black-basta_elex_luca-stealer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
4488"C:\Users\admin\tvozgocs.exe" /d"C:\Users\admin\Desktop\2025-04-29_87af8e607cf582585bddceb71a26adaa_black-basta_elex_luca-stealer.exe" /e550302100000007FC:\Users\admin\tvozgocs.exe
2025-04-29_87af8e607cf582585bddceb71a26adaa_black-basta_elex_luca-stealer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\tvozgocs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
4996"C:\WINDOWS\SysWOW64\wusa.exe" C:\Windows\SysWOW64\wusa.exe
2025-04-29_87af8e607cf582585bddceb71a26adaa_black-basta_elex_luca-stealer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Update Standalone Installer
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
5116C:\WINDOWS\SysWOW64\WerFault.exe -u -p 516 -s 556C:\Windows\SysWOW64\WerFault.exetvozgocs.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
5176C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4488 -s 560C:\Windows\SysWOW64\WerFault.exetvozgocs.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
6244"C:\Windows\System32\wusa.exe" C:\Windows\SysWOW64\wusa.exe2025-04-29_87af8e607cf582585bddceb71a26adaa_black-basta_elex_luca-stealer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Update Standalone Installer
Exit code:
3221226540
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
6540C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
5 307
Read events
5 304
Write events
2
Delete events
1

Modification events

(PID) Process:(660) 2025-04-29_87af8e607cf582585bddceb71a26adaa_black-basta_elex_luca-stealer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:wxgfvhzq
Value:
"C:\Users\admin\tvozgocs.exe"
(PID) Process:(736) svchost.exeKey:HKEY_CURRENT_USER\Control Panel\Buses
Operation:writeName:Config0
Value:
008D3D3FFF121E3D24EDB47D450DD49D084297DCE82E72BAA4C2638ACA88CD1D8B9BB2764ECD945D24EDB47D470DD49D024195DAF71261ADC06D04FDA6E22673BBC9154961CDA56B15D4834C703DE0AE644490BDBC7B23E4905C0DCDF08D3C74BBC4103D37F8A76C15D58545720DB8F2054991CFDB2470DD976D
(PID) Process:(736) svchost.exeKey:HKEY_CURRENT_USER\Control Panel\Buses
Operation:delete valueName:Config1
Value:
Executable files
2
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6602025-04-29_87af8e607cf582585bddceb71a26adaa_black-basta_elex_luca-stealer.exeC:\Users\admin\AppData\Local\Temp\bgqlfroq.exeexecutable
MD5:FE06CE427B67873AACA79D8DB7F37C08
SHA256:FE680956D7BB6146272592812EC6916E9B58637B16D3FFA77C298D39F7B8BE07
736svchost.exeC:\Users\admin:.reposbinary
MD5:F7651F680CFBB12DDBBDDE57CA6CC2B6
SHA256:DFA90191E98208E1D3E09F1932A018C1FDA29454242BE198D514EAC293CA4D12
6602025-04-29_87af8e607cf582585bddceb71a26adaa_black-basta_elex_luca-stealer.exeC:\Users\admin\tvozgocs.exeexecutable
MD5:B5C94EDF59D881E25B49724C238CBB5E
SHA256:1F08BF9D2EED48889B4C8C4E28B51EA2653E419E7E50016811DA9667416D288A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
35
TCP/UDP connections
57
DNS requests
21
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6456
RUXIMICS.exe
GET
200
23.216.77.25:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
23.216.77.25:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6456
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
304
4.245.163.56:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
1020
SIHClient.exe
GET
200
23.216.77.34:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
1020
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1020
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
1020
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
1020
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6456
RUXIMICS.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2104
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
23.216.77.25:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6456
RUXIMICS.exe
23.216.77.25:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6456
RUXIMICS.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 23.216.77.25
  • 23.216.77.15
  • 23.216.77.20
  • 23.216.77.30
  • 23.216.77.29
  • 23.216.77.13
  • 23.216.77.18
  • 23.216.77.19
  • 23.216.77.26
  • 23.216.77.34
  • 23.216.77.31
  • 23.216.77.6
  • 23.216.77.36
  • 23.216.77.38
  • 23.216.77.43
  • 23.216.77.37
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.132
  • 20.190.160.4
  • 40.126.32.140
  • 20.190.160.2
  • 20.190.160.131
  • 40.126.32.76
  • 40.126.32.133
  • 40.126.32.68
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
microsoft.com
  • 13.107.246.59
whitelisted
microsoft-com.mail.protection.outlook.com
  • 52.101.8.32
  • 52.101.41.54
  • 52.101.8.44
  • 52.101.40.24
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-04-29_87af8e607cf582585bddceb71a26adaa_black-basta_elex_luca-stealer