File name:

2025-04-29_0e16748c28665481d2e2fa8781b41abf_black-basta_elex_luca-stealer

Full analysis: https://app.any.run/tasks/253d0244-49fb-40f1-9a2c-a0f80154a5d3
Verdict: Malicious activity
Analysis date: April 29, 2025, 17:21:46
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
tofsee
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

0E16748C28665481D2E2FA8781B41ABF

SHA1:

D850F8B6849D7D880541CC58E57BE46C13267376

SHA256:

EB50C1C99B2D12114E30548203DA4026154253E0E43F60EC342C10B7DD72793C

SSDEEP:

12288:+c9yUyEc5YK+dqHOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOD:qv5YKKqj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • 2025-04-29_0e16748c28665481d2e2fa8781b41abf_black-basta_elex_luca-stealer.exe (PID: 7716)

    • TOFSEE has been detected (YARA)

      • svchost.exe (PID: 7344)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-04-29_0e16748c28665481d2e2fa8781b41abf_black-basta_elex_luca-stealer.exe (PID: 7716)

    • Executable content was dropped or overwritten

      • 2025-04-29_0e16748c28665481d2e2fa8781b41abf_black-basta_elex_luca-stealer.exe (PID: 7716)

    • Executes application which crashes

      • amlzkucw.exe (PID: 7920)
      • 2025-04-29_0e16748c28665481d2e2fa8781b41abf_black-basta_elex_luca-stealer.exe (PID: 7716)
      • amlzkucw.exe (PID: 7284)

    • Detected use of alternative data streams (AltDS)

      • svchost.exe (PID: 7960)
      • svchost.exe (PID: 7344)

    • Connects to SMTP port

      • svchost.exe (PID: 7960)
      • svchost.exe (PID: 7344)

  • INFO

    • Create files in a temporary directory

      • 2025-04-29_0e16748c28665481d2e2fa8781b41abf_black-basta_elex_luca-stealer.exe (PID: 7716)

    • Reads the computer name

      • 2025-04-29_0e16748c28665481d2e2fa8781b41abf_black-basta_elex_luca-stealer.exe (PID: 7716)
      • amlzkucw.exe (PID: 7920)
      • amlzkucw.exe (PID: 7284)

    • Process checks computer location settings

      • 2025-04-29_0e16748c28665481d2e2fa8781b41abf_black-basta_elex_luca-stealer.exe (PID: 7716)

    • Checks supported languages

      • 2025-04-29_0e16748c28665481d2e2fa8781b41abf_black-basta_elex_luca-stealer.exe (PID: 7716)
      • amlzkucw.exe (PID: 7920)
      • amlzkucw.exe (PID: 7284)

    • Auto-launch of the file from Registry key

      • 2025-04-29_0e16748c28665481d2e2fa8781b41abf_black-basta_elex_luca-stealer.exe (PID: 7716)

    • Manual execution by a user

      • amlzkucw.exe (PID: 7284)

    • Checks proxy server information

      • slui.exe (PID: 672)

    • Reads the software policy settings

      • slui.exe (PID: 672)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:09:08 17:26:54+00:00
ImageFileCharacteristics: Executable, Aggressive working-set trim, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 68096
InitializedDataSize: 249856
UninitializedDataSize: -
EntryPoint: 0x130b
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
140
Monitored processes
11
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start 2025-04-29_0e16748c28665481d2e2fa8781b41abf_black-basta_elex_luca-stealer.exe wusa.exe no specs wusa.exe amlzkucw.exe svchost.exe werfault.exe no specs werfault.exe no specs amlzkucw.exe #TOFSEE svchost.exe werfault.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
672C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7284"C:\Users\admin\amlzkucw.exe"C:\Users\admin\amlzkucw.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\amlzkucw.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
7344svchost.exeC:\Windows\SysWOW64\svchost.exe
amlzkucw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
7360C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7284 -s 532C:\Windows\SysWOW64\WerFault.exeamlzkucw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
7716"C:\Users\admin\Desktop\2025-04-29_0e16748c28665481d2e2fa8781b41abf_black-basta_elex_luca-stealer.exe" C:\Users\admin\Desktop\2025-04-29_0e16748c28665481d2e2fa8781b41abf_black-basta_elex_luca-stealer.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\2025-04-29_0e16748c28665481d2e2fa8781b41abf_black-basta_elex_luca-stealer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7788"C:\Windows\System32\wusa.exe" C:\Windows\SysWOW64\wusa.exe2025-04-29_0e16748c28665481d2e2fa8781b41abf_black-basta_elex_luca-stealer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Update Standalone Installer
Exit code:
3221226540
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
7896"C:\WINDOWS\SysWOW64\wusa.exe" C:\Windows\SysWOW64\wusa.exe
2025-04-29_0e16748c28665481d2e2fa8781b41abf_black-basta_elex_luca-stealer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Update Standalone Installer
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7920"C:\Users\admin\amlzkucw.exe" /d"C:\Users\admin\Desktop\2025-04-29_0e16748c28665481d2e2fa8781b41abf_black-basta_elex_luca-stealer.exe" /e550302100000007FC:\Users\admin\amlzkucw.exe
2025-04-29_0e16748c28665481d2e2fa8781b41abf_black-basta_elex_luca-stealer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\amlzkucw.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7960svchost.exeC:\Windows\SysWOW64\svchost.exe
amlzkucw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
8060C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7716 -s 1284C:\Windows\SysWOW64\WerFault.exe2025-04-29_0e16748c28665481d2e2fa8781b41abf_black-basta_elex_luca-stealer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events
5 321
Read events
5 318
Write events
2
Delete events
1

Modification events

(PID) Process:(7716) 2025-04-29_0e16748c28665481d2e2fa8781b41abf_black-basta_elex_luca-stealer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:ijsrhtlc
Value:
"C:\Users\admin\amlzkucw.exe"
(PID) Process:(7960) svchost.exeKey:HKEY_CURRENT_USER\Control Panel\Buses
Operation:writeName:Config0
Value:
008D5B3E44261E3D24EDB47D450DD49D084297DCE82E72BAA4C2638AF73B621D0EBA53954DCD945D24EDB47D470DD49D024195DAF71261ADC06D04FDA6E22673BBC9154961CDA56B15D4834C7234E6A5644490BDB27D23E9945804CCF48D3C74BBC4103D30FFA56411D98D4B4461BBFC004886E2ED2914EEA4
(PID) Process:(7960) svchost.exeKey:HKEY_CURRENT_USER\Control Panel\Buses
Operation:delete valueName:Config1
Value:
Executable files
2
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
77162025-04-29_0e16748c28665481d2e2fa8781b41abf_black-basta_elex_luca-stealer.exeC:\Users\admin\AppData\Local\Temp\louodozf.exeexecutable
MD5:B5214C9704F4CB72B358298BEA5E5751
SHA256:B752C5952753B6A934D9C9E9655FAE92155D79BEE20901C918A0829B851305A7
7960svchost.exeC:\Users\admin:.reposbinary
MD5:91DE0AA290C47954AC8E97FD613E79E3
SHA256:49821C6D4B4FC097611D435027378D106E242DEB629D4C0F3FD7BAB659D4DE6F
77162025-04-29_0e16748c28665481d2e2fa8781b41abf_black-basta_elex_luca-stealer.exeC:\Users\admin\amlzkucw.exeexecutable
MD5:BEC2D2A5AFCE401C79458D42EDDD61DE
SHA256:35801F5E7504637A0CD3E759307D4EA228279E5CF87C9D704715E08338B07EC8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
37
TCP/UDP connections
60
DNS requests
22
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.216.77.18:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
304
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
200
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
5556
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5556
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5556
SIHClient.exe
GET
200
23.216.77.41:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
5556
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
GET
200
20.3.187.198:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
23.216.77.18:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5496
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
20.190.160.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
20.190.160.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
google.com
  • 142.250.181.238
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
crl.microsoft.com
  • 23.216.77.18
  • 23.216.77.29
  • 23.216.77.19
  • 23.216.77.12
  • 23.216.77.16
  • 23.216.77.20
  • 23.216.77.22
  • 23.216.77.25
  • 23.216.77.21
  • 23.216.77.41
  • 23.216.77.27
  • 23.216.77.30
  • 23.216.77.36
  • 23.216.77.35
  • 23.216.77.31
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
login.live.com
  • 20.190.160.2
  • 40.126.32.76
  • 20.190.160.65
  • 40.126.32.72
  • 20.190.160.131
  • 20.190.160.20
  • 40.126.32.134
  • 20.190.160.5
whitelisted
microsoft.com
  • 13.107.246.59
whitelisted
microsoft-com.mail.protection.outlook.com
  • 52.101.11.13
  • 52.101.8.34
  • 52.101.41.21
  • 52.101.10.18
  • 52.101.10.2
  • 52.101.40.6
  • 52.101.42.16
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-04-29_0e16748c28665481d2e2fa8781b41abf_black-basta_elex_luca-stealer