File name: 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta

Full analysis: https://app.any.run/tasks/37a926d0-af6e-4c8f-a220-d9e1828de4f4
Verdict: Malicious activity
Analysis date: May 19, 2025, 04:26:58
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: neshta
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: D2D5969987D6DD3BB3EBF8AFA6ED71C7
SHA1: 447689C137BCA8119F737FAB3CA6714BB1296940
SHA256: F94A9A927A03744027ECA3CBBD6F2C4D894AA356088148648322F7FBCD06DFA1
SSDEEP: 49152:wBXXUfcEtly0CrLU3FhlG1+QQ5G1+3jjAdJu81+nQ5yPJWo2+mQ5Rnig:0XXUkEby0igB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe (PID: 5256)
      • FileCoAuth.exe (PID: 6048)
    • NESHTA mutex has been found

      • 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe (PID: 2516)
      • FileCoAuth.exe (PID: 2852)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe (PID: 2516)
      • FileCoAuth.exe (PID: 2852)
    • Executable content was dropped or overwritten

      • 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe (PID: 2516)
      • FileCoAuth.exe (PID: 2852)
    • Mutex name with non-standard characters

      • 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe (PID: 2516)
      • FileCoAuth.exe (PID: 2852)
    • Starts a Microsoft application from unusual location

      • 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe (PID: 5256)
      • FileCoAuth.exe (PID: 6048)
    • There is functionality for taking screenshot (YARA)

      • 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe (PID: 2516)
    • Process drops legitimate windows executable

      • FileCoAuth.exe (PID: 2852)
  • INFO

    • Checks supported languages

      • 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe (PID: 2516)
      • 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe (PID: 5256)
      • FileCoAuth.exe (PID: 6048)
    • Create files in a temporary directory

      • 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe (PID: 2516)
      • 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe (PID: 5256)
      • FileCoAuth.exe (PID: 6048)
    • Reads the computer name

      • 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe (PID: 2516)
      • FileCoAuth.exe (PID: 6048)
    • Process checks computer location settings

      • 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe (PID: 2516)
      • FileCoAuth.exe (PID: 2852)
    • The sample compiled with english language support

      • FileCoAuth.exe (PID: 2852)
    • Reads the machine GUID from the registry

      • FileCoAuth.exe (PID: 6048)
    • Creates files or folders in the user directory

      • FileCoAuth.exe (PID: 6048)
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 6 (75)
.exe | InstallShield setup (12.2)
.exe | Win32 Executable Delphi generic (4)
.scr | Windows screen saver (3.7)
.dll | Win32 Dynamic Link Library (generic) (1.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 29696
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x8178
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 127
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 2


Process information

PID: 2516
CMD: "C:\Users\admin\Desktop\2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe"
Path: C:\Users\admin\Desktop\2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
c:\users\admin\desktop\2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 2852
CMD: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
Parent process: svchost.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

PID: 5256
CMD: "C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe"
Path: C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe
Parent process: 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Application Error Reporting
Exit code: 1
Version: 16.0.4266.1001
Modules (Images):
c:\users\admin\appdata\local\temp\3582-490\2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 5256
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 6048
CMD: "C:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exe" -Embedding
Path: C:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exe
Parent process: FileCoAuth.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDrive File Co-Authoring Executable
Exit code: 0
Version: 19.043.0304.0013
Modules (Images):
c:\users\admin\appdata\local\temp\3582-490\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
Total events: 3 991
Read events: 3 991
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 9
Suspicious files: 2
Text files: 2
Unknown types: 0

Dropped files

PID: 2516 | Process: 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe
Filename: C:\Users\admin\AppData\Local\Temp\3582-490\2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe | Type: executable
MD5: 385BD5A50D6BC90D7447063C4C03537D
SHA256: B38AD8B5179E7C8FE851EB690B50B5CF0B33CB74A2F00B9B44DFF6A92333DF47

PID: 6048 | Process: FileCoAuth.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-05-19.0427.6048.1.odl | Type: binary
MD5: D314262260496F3DD954034BBC965570
SHA256: B76430111990910E374B07920516F20B1E99CE2E3766834E539BB9B6154D5334

PID: 2516 | Process: 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | Type: executable
MD5: CF77ED970673C28AD85D5DF631DF05B0
SHA256: A83AEB23EC4E2BD55CEEF15485FA843A34D2B4B7722E241A5ACFC79EC751E581

PID: 6048 | Process: FileCoAuth.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-05-19.0427.6048.1.aodl | Type: binary
MD5: 28DCA2FF4B34B5A52A2E59DF202A6ED3
SHA256: 33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94

PID: 2852 | Process: FileCoAuth.exe
Filename: C:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exe | Type: executable
MD5: 394DEEEF3E5FFE6C77A9CDA1832361BB
SHA256: 37DCEC7509B0803F2BBA453845ED67FDBAA15771F8A60FC11F9082FD2A64BD23

PID: 2516 | Process: 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\OneDriveUpdaterService.exe | Type: executable
MD5: 12C5B6FD5E11C67654E0F4CD9648B058
SHA256: 4643A311B264809A0C4EF74A4F336CC2D872CE3619979CC5801668116410EC8D

PID: 2516 | Process: 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe
Filename: C:\Users\admin\AppData\Local\Temp\tmp5023.tmp | Type: text
MD5: 24EA40392BF4EDF741B2300021582B78
SHA256: A7F9FF077F35E22A6F12FDAA38E07D11F691FB68175B74294D2667FB7B3D15B1

PID: 2516 | Process: 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncConfig.exe | Type: executable
MD5: D107892A4685AC898DA78786BCA591D7
SHA256: 5790B04F9033AF3C4B7C8FB948B7DE0CBF4308915C11AAD6A37C924D73FA5FF8

PID: 2516 | Process: 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe
Filename: C:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exe | Type: executable
MD5: 83ADBC92F28E10801DC961F86654A25A
SHA256: DA724B8FCEE57E386E48C626953CCC95047A9F74C59B18C5D75CBCE5283A0F4D

PID: 2516 | Process: 2025-05-19_d2d5969987d6dd3bb3ebf8afa6ed71c7_black-basta_darkgate_elex_gcleaner_hawkeye_luca-stealer_neshta.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe | Type: executable
MD5: A44F073E9F2D2AC6EE35CBAB8F9CF778
SHA256: FEDF696861864F350C47C017D4DAEA900A0507953EE2AE95A6A144486E354B37
HTTP(S) requests: 2
TCP/UDP connections: 21
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4220 | RUXIMICS.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4220 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
| | 20.73.194.208:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4220 | RUXIMICS.exe | 20.73.194.208:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
4220 | RUXIMICS.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4220 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5352 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5256 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.110 | whitelisted
crl.microsoft.com | 23.216.77.28, 23.216.77.6 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info