File name:

2025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer

Full analysis: https://app.any.run/tasks/25962770-5c4b-46e3-86f3-8f01c1d6d064
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Malware Trends Tracker     >>>
Analysis date: April 29, 2025, 14:37:20
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
delphi
xred
backdoor
dyndns
snake
keylogger
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

01183040AF26624F6A355FCE38C479F9

SHA1:

F2FAD845352992D3E590C22E24A8733753DA2AFD

SHA256:

E50EA6C3AB343048BD2825CC8142113944B2352E7832703AD5FD16838FD16FF9

SSDEEP:

49152:s3HzLnqOaNMCFJ6kPvO1cg0i7MmRPKkrVLvs6:qr7ayGJ6kHOSdmRPK2o6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • XRED has been detected (YARA)

      • Synaptics.exe (PID: 7620)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer.exe (PID: 7392)

    • There is functionality for communication over UDP network (YARA)

      • Synaptics.exe (PID: 7620)

    • Reads security settings of Internet Explorer

      • 2025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer.exe (PID: 7392)
      • Synaptics.exe (PID: 7620)

    • There is functionality for communication dyndns network (YARA)

      • Synaptics.exe (PID: 7620)

    • There is functionality for taking screenshot (YARA)

      • Synaptics.exe (PID: 7620)

  • INFO

    • Checks supported languages

      • 2025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer.exe (PID: 7392)

    • The sample compiled with turkish language support

      • 2025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer.exe (PID: 7392)

    • Reads the computer name

      • 2025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer.exe (PID: 7392)

    • Compiled with Borland Delphi (YARA)

      • ._cache_2025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer.exe (PID: 7556)
      • Synaptics.exe (PID: 7620)
      • slui.exe (PID: 8008)

    • Process checks computer location settings

      • 2025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer.exe (PID: 7392)

    • Reads the software policy settings

      • Synaptics.exe (PID: 7620)
      • slui.exe (PID: 8008)

    • Create files in a temporary directory

      • Synaptics.exe (PID: 7620)

    • Reads the machine GUID from the registry

      • Synaptics.exe (PID: 7620)

    • Checks proxy server information

      • slui.exe (PID: 8008)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (96.4)
.exe | Win32 Executable Delphi generic (2)
.exe | Win32 Executable (generic) (0.6)
.exe | Win16/32 Executable Delphi generic (0.3)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 629760
InitializedDataSize: 481792
UninitializedDataSize: -
EntryPoint: 0x9ab80
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.4
ProductVersionNumber: 1.0.0.4
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Turkish
CharacterSet: Windows, Turkish
CompanyName: Synaptics
FileDescription: Synaptics Pointing Device Driver
FileVersion: 1.0.0.4
InternalName: -
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: -
ProductName: Synaptics Pointing Device Driver
ProductVersion: 1.0.0.0
Comments: -
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
129
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 2025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer.exe ._cache_2025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer.exe no specs ._cache_2025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer.exe #XRED synaptics.exe slui.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
7392"C:\Users\admin\Desktop\2025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer.exe" C:\Users\admin\Desktop\2025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer.exe
explorer.exe
User:
admin
Company:
Synaptics
Integrity Level:
MEDIUM
Description:
Synaptics Pointing Device Driver
Version:
1.0.0.4
Modules
Images
c:\users\admin\desktop\2025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7448"C:\Users\admin\Desktop\._cache_2025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer.exe" C:\Users\admin\Desktop\._cache_2025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer.exe2025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer.exe
User:
admin
Company:
Sysinternals - www.sysinternals.com
Integrity Level:
MEDIUM
Description:
Autologon configuration
Exit code:
3221226540
Version:
3.10
Modules
Images
c:\users\admin\desktop\._cache_2025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
7556"C:\Users\admin\Desktop\._cache_2025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer.exe" C:\Users\admin\Desktop\._cache_2025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer.exe
2025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer.exe
User:
admin
Company:
Sysinternals - www.sysinternals.com
Integrity Level:
HIGH
Description:
Autologon configuration
Version:
3.10
7620"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdateC:\ProgramData\Synaptics\Synaptics.exe
2025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer.exe
User:
admin
Company:
Synaptics
Integrity Level:
HIGH
Description:
Synaptics Pointing Device Driver
Version:
1.0.0.4
Modules
Images
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\schannel.dll
c:\windows\syswow64\mskeyprotect.dll
c:\windows\syswow64\ntasn1.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\dpapi.dll
c:\windows\syswow64\wintrust.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
8008C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
6 662
Read events
6 658
Write events
4
Delete events
0

Modification events

(PID) Process:(7392) 2025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(7620) Synaptics.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7620) Synaptics.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(7620) Synaptics.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
Executable files
4
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
73922025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer.exeC:\ProgramData\Synaptics\Synaptics.exeexecutable
MD5:01183040AF26624F6A355FCE38C479F9
SHA256:E50EA6C3AB343048BD2825CC8142113944B2352E7832703AD5FD16838FD16FF9
73922025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer.exeC:\ProgramData\Synaptics\RCXCB12.tmpexecutable
MD5:8D73A2390EA9092D00FC0942BE4DC086
SHA256:EAB7712DA588075EBC3CA7C2717E1A7B146575C3D21A254A8191A6AB99D4CDC7
7620Synaptics.exeC:\Users\admin\AppData\Local\Temp\oJ2bcKL.inihtml
MD5:3E053CE690BE6635FB69985D0520A9FA
SHA256:E2FB866C66EB6014AC50FC8B3AA69CC616501A9B03DC2EA0AEFE134EBF97876C
73922025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer.exeC:\Users\admin\Desktop\._cache_2025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer.exeexecutable
MD5:C6377C648AC8775FCC8302C1DB14A8AA
SHA256:DF6589654ABFACB1490A9F19E9C0E32623E73F2A1B852E8A8379B7873D03A33A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
34
TCP/UDP connections
49
DNS requests
21
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
304
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
7620
Synaptics.exe
GET
200
69.42.215.252:80
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
unknown
whitelisted
GET
200
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
7816
SIHClient.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7816
SIHClient.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
7816
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7816
SIHClient.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
7816
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
200
13.95.31.18:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
7816
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.190.160.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7620
Synaptics.exe
69.42.215.252:80
freedns.afraid.org
AWKNET
US
whitelisted
2196
svchost.exe
224.0.0.252:5355
whitelisted
2196
svchost.exe
224.0.0.251:5353
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 172.217.16.206
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.131
  • 20.190.160.132
  • 40.126.32.74
  • 20.190.160.3
  • 20.190.160.67
  • 20.190.160.22
  • 40.126.32.133
  • 20.190.160.65
whitelisted
xred.mooo.com
whitelisted
freedns.afraid.org
  • 69.42.215.252
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to Abused Domain *.mooo.com
A Network Trojan was detected
ET HUNTING Suspicious User-Agent Containing .exe
A Network Trojan was detected
ET MALWARE Snake Keylogger Payload Request (GET)
A Network Trojan was detected
ET HUNTING Suspicious User-Agent Containing .exe
A Network Trojan was detected
ET HUNTING Suspicious User-Agent Containing .exe
A Network Trojan was detected
ET HUNTING Suspicious User-Agent Containing .exe
A Network Trojan was detected
ET HUNTING Suspicious User-Agent Containing .exe
A Network Trojan was detected
ET HUNTING Suspicious User-Agent Containing .exe
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-04-29_01183040af26624f6a355fce38c479f9_black-basta_darkgate_elex_luca-stealer