File name:

2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer

Full analysis: https://app.any.run/tasks/ba89c3af-997f-40cd-9e13-dc5a16ee6e82
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: May 18, 2025, 04:38:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
rat
remcos
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

23BEC5B9322EC3995570A583617A53DF

SHA1:

E227C3B28B493E8DF88881661912F62B2150304C

SHA256:

FA6DBA7DC585A51C74353E3BD830F4A0E823CD8CA7A1B0E75B1EDE5CC2A895A2

SSDEEP:

98304:vLeQ112BJ5K1AdquctsvUmP6mIM4kjzzjI9i7HQUfPh6lAhXxeops+Icciq+X8E7:Gm4dGwcCX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • REMCOS has been detected

      • 2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer.exe (PID: 8140)

    • REMCOS has been detected (YARA)

      • 2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer.exe (PID: 8140)

    • REMCOS mutex has been found

      • 2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer.exe (PID: 8140)

  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • 2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer.exe (PID: 8140)
      • 2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer.exe (PID: 7580)

    • Executes application which crashes

      • 2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer.exe (PID: 7580)

    • Application launched itself

      • 2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer.exe (PID: 7580)

  • INFO

    • The sample compiled with english language support

      • 2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer.exe (PID: 7580)

    • Reads the software policy settings

      • slui.exe (PID: 8100)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6872)

    • Reads the computer name

      • 2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer.exe (PID: 8140)

    • Checks proxy server information

      • slui.exe (PID: 8100)

    • Checks supported languages

      • 2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer.exe (PID: 7580)
      • 2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer.exe (PID: 8140)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Remcos

(PID) Process(8140) 2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer.exe
C2 (1)127.0.0.1:2404
BotnetRemoteHost
Options
Connect_interval1
Install_flagFalse
Install_HKCU\RunTrue
Install_HKLM\RunTrue
Install_HKLM\Explorer\Run0
Install_HKLM\Winlogon\Shell100000
Setup_path%LOCALAPPDATA%
Copy_fileremcos.exe
Startup_valueFalse
Hide_fileFalse
Mutex_nameRmc-52SPIJ
Keylog_flag0
Keylog_path%LOCALAPPDATA%
Keylog_filelogs.dat
Keylog_cryptFalse
Hide_keylogFalse
Screenshot_flagFalse
Screenshot_time5
Take_ScreenshotFalse
Screenshot_path%APPDATA%
Screenshot_fileScreenshots
Screenshot_cryptFalse
Mouse_optionFalse
Delete_fileFalse
Audio_record_time5
Audio_path%ProgramFiles%
Audio_dirMicRecords
Connect_delay0
Copy_dirRemcos
Keylog_dirremcos
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:09:10 14:20:03+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.33
CodeSize: 9424384
InitializedDataSize: 3630080
UninitializedDataSize: -
EntryPoint: 0x51839b
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.13.2.0
ProductVersionNumber: 1.13.2.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: PPSSPP PSP emulator
CompanyName: Henrik Rydgård
FileDescription: PPSSPP
FileVersion: v1.13.2
InternalName: PPSSPPEmu
LegalCopyright: Copyright (C) 2006-2021 by Henrik Rydgård
LegalTrademarks: All product names are trademarks of their respective owners.
OriginalFileName: PPSSPP.exe
ProductName: PPSSPP
ProductVersion: v1.13.2
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
132
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer.exe slui.exe #REMCOS 2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer.exe no specs conhost.exe no specs werfault.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
6872C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7580 -s 592C:\Windows\SysWOW64\WerFault.exe2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
7580"C:\Users\admin\Desktop\2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer.exe" C:\Users\admin\Desktop\2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer.exe
explorer.exe
User:
admin
Company:
Henrik Rydgård
Integrity Level:
MEDIUM
Description:
PPSSPP
Exit code:
3221225477
Version:
v1.13.2
Modules
Images
c:\users\admin\desktop\2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
8100C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
8140"C:\Users\admin\Desktop\2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer.exe"C:\Users\admin\Desktop\2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer.exe
2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer.exe
User:
admin
Company:
Henrik Rydgård
Integrity Level:
MEDIUM
Description:
PPSSPP
Version:
v1.13.2
Modules
Images
c:\users\admin\desktop\2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer.exe
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
c:\windows\syswow64\gdi32.dll
Remcos
(PID) Process(8140) 2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer.exe
C2 (1)127.0.0.1:2404
BotnetRemoteHost
Options
Connect_interval1
Install_flagFalse
Install_HKCU\RunTrue
Install_HKLM\RunTrue
Install_HKLM\Explorer\Run0
Install_HKLM\Winlogon\Shell100000
Setup_path%LOCALAPPDATA%
Copy_fileremcos.exe
Startup_valueFalse
Hide_fileFalse
Mutex_nameRmc-52SPIJ
Keylog_flag0
Keylog_path%LOCALAPPDATA%
Keylog_filelogs.dat
Keylog_cryptFalse
Hide_keylogFalse
Screenshot_flagFalse
Screenshot_time5
Take_ScreenshotFalse
Screenshot_path%APPDATA%
Screenshot_fileScreenshots
Screenshot_cryptFalse
Mouse_optionFalse
Delete_fileFalse
Audio_record_time5
Audio_path%ProgramFiles%
Audio_dirMicRecords
Connect_delay0
Copy_dirRemcos
Keylog_dirremcos
8152\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
5 233
Read events
5 231
Write events
2
Delete events
0

Modification events

(PID) Process:(8140) 2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-52SPIJ
Operation:writeName:licence
Value:
(PID) Process:(8140) 2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-52SPIJ
Operation:writeName:time
Value:
Executable files
0
Suspicious files
3
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
6872WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2025-05-18_23bec_89c22b712130493534ace82bb78a4f8cf5ab267_39e9df84_b93a0205-722b-4e17-abbf-9a9c5efbf5bc\Report.wer
MD5:
SHA256:
6872WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERE47E.tmp.xmlxml
MD5:A02938B226CB3E2EBDCAF63CDFE5EEFF
SHA256:CC79C00CB32C020C6ACF19E2C8A25ADF8947092AB63A7A4F42036928CC205541
6872WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERE3A1.tmp.dmpbinary
MD5:A2714F04C7519F7494951D60E177AE27
SHA256:F385FB45055616F0ABB731DEF4F16A60A366B1277A3E78A842BF053F203F4795
6872WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERE43F.tmp.WERInternalMetadata.xmlbinary
MD5:263E7DB80307563302D08826483A9E57
SHA256:470D6E5FAFB00E3E75DF21D47C67B6EC62D207476279F9BB73D86EAA4FCEC49A
6872WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer.exe.7580.dmpbinary
MD5:758A2B958A062F9EFA827514D0A7315D
SHA256:788C66CC921209FC592CBBC15B889AC44A67C31561E14FAC6167D5122036A6D0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
51
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
2.20.245.137:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7900
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7900
SIHClient.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
7900
SIHClient.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
7900
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7900
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7900
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
7900
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
2.20.245.137:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
2104
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.128:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 2.20.245.137
  • 2.20.245.139
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.219.150.101
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.159.128
  • 40.126.31.129
  • 40.126.31.73
  • 40.126.31.3
  • 20.190.159.75
  • 20.190.159.130
  • 20.190.159.73
  • 40.126.31.1
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.48
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-18_23bec5b9322ec3995570a583617a53df_amadey_black-basta_elex_luca-stealer