File name:

2025-05-16_b1ea0da65d77eaf98981e25be488e3b8_black-basta_elex_gcleaner_hijackloader

Full analysis: https://app.any.run/tasks/8f6198f7-d34f-42b6-969c-bfb4b538e5fc
Verdict: Malicious activity
Analysis date: May 16, 2025, 06:10:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
canbis
worm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

B1EA0DA65D77EAF98981E25BE488E3B8

SHA1:

D951847B793A1331446635409CAB3219C7DF4D41

SHA256:

D8B380724E5B79709D25B3A6F111BC2756184B176404426288744214BF16CF69

SSDEEP:

98304:zSYpVEm5sn6gNEkdfaTgmHihuRB3FKFfpRBVnf9D0ks+Zo8Y1F2qaVhKffn7YAxV:taABbSuMv2caz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 8599134700.exe (PID: 7460)
      • 8599134700.exe (PID: 7536)
      • Setup.exe (PID: 7608)

    • CANBIS mutex has been found

      • 2025-05-16_b1ea0da65d77eaf98981e25be488e3b8_black-basta_elex_gcleaner_hijackloader.exe (PID: 7332)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-16_b1ea0da65d77eaf98981e25be488e3b8_black-basta_elex_gcleaner_hijackloader.exe (PID: 7332)
      • 8599134700.exe (PID: 7536)

    • Reads security settings of Internet Explorer

      • 2025-05-16_b1ea0da65d77eaf98981e25be488e3b8_black-basta_elex_gcleaner_hijackloader.exe (PID: 7332)

    • Starts a Microsoft application from unusual location

      • 8599134700.exe (PID: 7460)
      • 8599134700.exe (PID: 7536)

    • Process drops legitimate windows executable

      • 2025-05-16_b1ea0da65d77eaf98981e25be488e3b8_black-basta_elex_gcleaner_hijackloader.exe (PID: 7332)
      • 8599134700.exe (PID: 7536)

    • Creates file in the systems drive root

      • 8599134700.exe (PID: 7536)

    • There is functionality for communication over UDP network (YARA)

      • 2025-05-16_b1ea0da65d77eaf98981e25be488e3b8_black-basta_elex_gcleaner_hijackloader.exe (PID: 7332)

  • INFO

    • The sample compiled with english language support

      • 2025-05-16_b1ea0da65d77eaf98981e25be488e3b8_black-basta_elex_gcleaner_hijackloader.exe (PID: 7332)
      • 8599134700.exe (PID: 7536)

    • Checks supported languages

      • 2025-05-16_b1ea0da65d77eaf98981e25be488e3b8_black-basta_elex_gcleaner_hijackloader.exe (PID: 7332)
      • 8599134700.exe (PID: 7536)
      • Setup.exe (PID: 7608)

    • Reads the computer name

      • 2025-05-16_b1ea0da65d77eaf98981e25be488e3b8_black-basta_elex_gcleaner_hijackloader.exe (PID: 7332)
      • 8599134700.exe (PID: 7536)
      • Setup.exe (PID: 7608)

    • Process checks computer location settings

      • 2025-05-16_b1ea0da65d77eaf98981e25be488e3b8_black-basta_elex_gcleaner_hijackloader.exe (PID: 7332)

    • Failed to create an executable file in Windows directory

      • 2025-05-16_b1ea0da65d77eaf98981e25be488e3b8_black-basta_elex_gcleaner_hijackloader.exe (PID: 7332)

    • Reads the machine GUID from the registry

      • 8599134700.exe (PID: 7536)

    • The sample compiled with korean language support

      • 8599134700.exe (PID: 7536)

    • The sample compiled with japanese language support

      • 8599134700.exe (PID: 7536)

    • The sample compiled with Italian language support

      • 8599134700.exe (PID: 7536)

    • The sample compiled with chinese language support

      • 8599134700.exe (PID: 7536)

    • The sample compiled with german language support

      • 8599134700.exe (PID: 7536)

    • The sample compiled with french language support

      • 8599134700.exe (PID: 7536)

    • The sample compiled with russian language support

      • 8599134700.exe (PID: 7536)

    • The sample compiled with spanish language support

      • 8599134700.exe (PID: 7536)

    • Reads CPU info

      • Setup.exe (PID: 7608)

    • Create files in a temporary directory

      • Setup.exe (PID: 7608)

    • Reads the software policy settings

      • slui.exe (PID: 8084)

    • Checks proxy server information

      • slui.exe (PID: 8084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (55.2)
.exe | Win32 Executable Borland Delphi 5 (37.5)
.exe | InstallShield setup (3.5)
.exe | Win32 Executable Delphi generic (1.1)
.scr | Windows screen saver (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 46080
InitializedDataSize: 7680
UninitializedDataSize: -
EntryPoint: 0xc254
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
133
Monitored processes
5
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
start #CANBIS 2025-05-16_b1ea0da65d77eaf98981e25be488e3b8_black-basta_elex_gcleaner_hijackloader.exe 8599134700.exe no specs 8599134700.exe setup.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
7332"C:\Users\admin\Desktop\2025-05-16_b1ea0da65d77eaf98981e25be488e3b8_black-basta_elex_gcleaner_hijackloader.exe" C:\Users\admin\Desktop\2025-05-16_b1ea0da65d77eaf98981e25be488e3b8_black-basta_elex_gcleaner_hijackloader.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\2025-05-16_b1ea0da65d77eaf98981e25be488e3b8_black-basta_elex_gcleaner_hijackloader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7460"C:\Users\admin\Desktop\8599134700.exe" C:\Users\admin\Desktop\8599134700.exe2025-05-16_b1ea0da65d77eaf98981e25be488e3b8_black-basta_elex_gcleaner_hijackloader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Visual C++ 2010 x64 Redistributable Setup
Exit code:
3221226540
Version:
10.0.30319.01
Modules
Images
c:\users\admin\desktop\8599134700.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
7536"C:\Users\admin\Desktop\8599134700.exe" C:\Users\admin\Desktop\8599134700.exe
2025-05-16_b1ea0da65d77eaf98981e25be488e3b8_black-basta_elex_gcleaner_hijackloader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Visual C++ 2010 x64 Redistributable Setup
Version:
10.0.30319.01
Modules
Images
c:\users\admin\desktop\8599134700.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7608c:\2958294c21b2e2e74411\Setup.exe C:\2958294c21b2e2e74411\Setup.exe8599134700.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Setup Installer
Version:
10.0.30319.1 built by: RTMRel
Modules
Images
c:\2958294c21b2e2e74411\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
8084C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
4 216
Read events
4 216
Write events
0
Delete events
0

Modification events

No data
Executable files
17
Suspicious files
1
Text files
47
Unknown types
0

Dropped files

PID
Process
Filename
Type
73322025-05-16_b1ea0da65d77eaf98981e25be488e3b8_black-basta_elex_gcleaner_hijackloader.exeC:\Users\admin\Desktop\8599134700.exeexecutable
MD5:630D75210B325A280C3352F879297ED5
SHA256:B06546DDC8CA1E3D532F3F2593E88A6F49E81B66A9C2051D58508CC97B6A2023
75368599134700.exeC:\2958294c21b2e2e74411\SetupUi.dllexecutable
MD5:EB881E3DDDC84B20BD92ABCEC444455F
SHA256:11565D97287C01D22AD2E46C78D8A822FA3E6524561D4C02DFC87E8D346C44E7
75368599134700.exeC:\2958294c21b2e2e74411\DHtmlHeader.htmlhtml
MD5:CD131D41791A543CC6F6ED1EA5BD257C
SHA256:E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
75368599134700.exeC:\2958294c21b2e2e74411\sqmapi.dllexecutable
MD5:3F0363B40376047EFF6A9B97D633B750
SHA256:BD6395A58F55A8B1F4063E813CE7438F695B9B086BB965D8AC44E7A97D35A93C
75368599134700.exeC:\2958294c21b2e2e74411\watermark.bmpimage
MD5:1A5CAAFACFC8C7766E404D019249CF67
SHA256:2E87D5742413254DB10F7BD0762B6CDB98FF9C46CA9ACDDFD9B1C2E5418638F2
73322025-05-16_b1ea0da65d77eaf98981e25be488e3b8_black-basta_elex_gcleaner_hijackloader.exeC:\Users\admin\Desktop\5406189482.exeexecutable
MD5:B1EA0DA65D77EAF98981E25BE488E3B8
SHA256:D8B380724E5B79709D25B3A6F111BC2756184B176404426288744214BF16CF69
75368599134700.exeC:\2958294c21b2e2e74411\SetupEngine.dllexecutable
MD5:84C1DAF5F30FF99895ECAB3A55354BCF
SHA256:7A0D281FA802D615EA1207BD2E9EBB98F3B74F9833BBA3CB964BA7C7E0FB67FD
75368599134700.exeC:\2958294c21b2e2e74411\1033\LocalizedData.xmlxml
MD5:5486FF60B072102EE3231FD743B290A1
SHA256:5CA3ECAA12CA56F955D403CA93C4CB36A7D3DCDEA779FC9BDAA0CDD429DAB706
75368599134700.exeC:\2958294c21b2e2e74411\ParameterInfo.xmlxml
MD5:03E01A43300D94A371458E14D5E41781
SHA256:19DE712560E5A25C5D67348996E7D4F95E8E3DB6843086F52CB7209F2098200A
75368599134700.exeC:\2958294c21b2e2e74411\1041\SetupResources.dllexecutable
MD5:278FD7595B580A016705D00BE363612F
SHA256:B3ECD3AEA74D0D97539C4971C69F87C4B5FE478FC42A4A31F7E1593D1EBA073F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
49
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
2.20.245.139:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1196
RUXIMICS.exe
GET
200
2.20.245.139:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1196
RUXIMICS.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7892
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7892
SIHClient.exe
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
7892
SIHClient.exe
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
7892
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7892
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7892
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
1196
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
2.20.245.139:80
crl.microsoft.com
Akamai International B.V.
SE
whitelisted
1196
RUXIMICS.exe
2.20.245.139:80
crl.microsoft.com
Akamai International B.V.
SE
whitelisted
2104
svchost.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
1196
RUXIMICS.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 2.20.245.139
  • 2.20.245.137
  • 2.19.11.105
  • 2.19.11.120
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 23.219.150.101
whitelisted
uk.undernet.org
unknown
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.160.2
  • 20.190.160.14
  • 40.126.32.138
  • 40.126.32.68
  • 20.190.160.131
  • 20.190.160.22
  • 20.190.160.17
  • 40.126.32.140
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-16_b1ea0da65d77eaf98981e25be488e3b8_black-basta_elex_gcleaner_hijackloader