File name:	2025-05-18_45bdd40f6244013fb8e4cd32d04f3b3a_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer
Full analysis:	https://app.any.run/tasks/9671372e-1260-4116-b4ff-96efd05466da
Verdict:	Malicious activity
Threats:	A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. XRed operates as a stealthy backdoor, enabling cybercriminals to gain unauthorized remote access to infected systems. XRed has gained particular notoriety for its distribution through trojanized legitimate software and hardware drivers, making it exceptionally dangerous due to its ability to masquerade as trusted applications. Malware Trends Tracker >>>
Analysis date:	May 18, 2025, 18:47:54
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto-reg xred backdoor xor-url generic delphi arch-doc snake keylogger dyndns
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:	45BDD40F6244013FB8E4CD32D04F3B3A
SHA1:	A938A192E9DB5ED48A6956B3091AF0010E6005E3
SHA256:	FD2EFE9E4FD89CDA1490AB007B40AE58DB5D77E6782D68E719B9770E75DCCEE9
SSDEEP:	98304:wr7ayGJ6kHOSAyu3a7BC7fGnWqboMC68WsaI33Bjxug50/FK2PtIxVIuRLNV+QOY:uU+aNBFZMlJkE/

.exe	\|	Win32 Executable Borland Delphi 7 (96.4)
.exe	\|	Win32 Executable Delphi generic (2)
.exe	\|	Win32 Executable (generic) (0.6)
.exe	\|	Win16/32 Executable Delphi generic (0.3)
.exe	\|	Generic Win/DOS Executable (0.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	1992:06:19 22:22:17+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	629760
InitializedDataSize:	7762432
UninitializedDataSize:	-
EntryPoint:	0x9ab80
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.4
ProductVersionNumber:	1.0.0.4
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Turkish
CharacterSet:	Windows, Turkish
CompanyName:	Synaptics
FileDescription:	Synaptics Pointing Device Driver
FileVersion:	1.0.0.4
InternalName:	-
LegalCopyright:	-
LegalTrademarks:	-
OriginalFileName:	-
ProductName:	Synaptics Pointing Device Driver
ProductVersion:	1.0.0.0
Comments:	-


(PID) Process:	(7392) 2025-05-18_45bdd40f6244013fb8e4cd32d04f3b3a_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E232827701000044F8271D1F3A104485AC14651078412D8B0300006078A409B011A54DAFA526D86198A7803901000060B81DB4E48ED2119906E49FADC173CA8D000000
(PID) Process:	(7392) 2025-05-18_45bdd40f6244013fb8e4cd32d04f3b3a_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(7392) 2025-05-18_45bdd40f6244013fb8e4cd32d04f3b3a_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Synaptics Pointing Device Driver
Value: C:\ProgramData\Synaptics\Synaptics.exe
(PID) Process:	(7392) 2025-05-18_45bdd40f6244013fb8e4cd32d04f3b3a_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A7803901000060B81DB4E48ED2119906E49FADC173CA8D000000
(PID) Process:	(7568) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 4800000000000000CB891C6E25C8DB01901D0000341F0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(7568) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Enter)
Value: 4800000000000000CB891C6E25C8DB01901D0000341F0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(7568) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Leave)
Value: 4800000000000000A21A646E25C8DB01901D0000341F0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(7568) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 48000000000000008D466B6E25C8DB01901D0000341F0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(7568) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Leave)
Value: 4800000000000000EEB6616E25C8DB01901D0000341F0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(7568) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Enter)
Value: 4800000000000000EEB6616E25C8DB01901D0000341F0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

PID	Process	Filename		Type
7496	._cache_2025-05-18_45bdd40f6244013fb8e4cd32d04f3b3a_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe	C:\ProgramData\OpenShellSetup64_4_4_195.msi		—
		MD5:—	SHA256:—
7568	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
7568	msiexec.exe	C:\Windows\Installer\1142b3.msi		—
		MD5:—	SHA256:—
7392	2025-05-18_45bdd40f6244013fb8e4cd32d04f3b3a_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe	C:\ProgramData\Synaptics\Synaptics.exe		executable
		MD5:45BDD40F6244013FB8E4CD32D04F3B3A	SHA256:FD2EFE9E4FD89CDA1490AB007B40AE58DB5D77E6782D68E719B9770E75DCCEE9
7392	2025-05-18_45bdd40f6244013fb8e4cd32d04f3b3a_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe	C:\Users\admin\Desktop\._cache_2025-05-18_45bdd40f6244013fb8e4cd32d04f3b3a_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer.exe		executable
		MD5:FEB30D464607626F3EB3FAF91CAD2D82	SHA256:DC79E3ABEBD128D7F44FA8F03A4E660B5F60B011F7BCF374B35C18A741F5818A
7568	msiexec.exe	C:\Windows\Temp\~DF51044ECBB442B719.TMP		binary
		MD5:9D7D8204FE9A664B63C78510C0071C47	SHA256:A613339AF9FBE4BE59BE8311EB5B67761A4A6BD1901DD9C00DFD3EEE942D9D89
7568	msiexec.exe	C:\Windows\Temp\~DF48F59297EA219350.TMP		binary
		MD5:BF619EAC0CDF3F68D496EA9344137E8B	SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
7568	msiexec.exe	C:\System Volume Information\SPP\OnlineMetadataCache\{47ae73f1-01da-4ad4-b215-911563c15979}_OnDiskSnapshotProp		binary
		MD5:5AA8D30B9B375089F823E2E60D66C391	SHA256:789E78B7AE587D703ADCAEEE47DE72DA5EE7F30788E0F819044026284D77FC27
7568	msiexec.exe	C:\Windows\Installer\MSI463D.tmp		binary
		MD5:BEFCE9AD49655E36671EDDC3A7EC210B	SHA256:F2EA01ACC56F8E0548FA323C57AEC5F0C2F061424F3B32064CD1277C27D926DE
7568	msiexec.exe	C:\Program Files\Open-Shell\Skins\Classic Skin.skin7		executable
		MD5:FAA7CA24C9006EF763C6F457B1DC0DFA	SHA256:7BF49E5A5D9E6E47F89BCFE6381C2E7FF3BAFB004866B8BB9F0DF1A436250742

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	23.48.23.159:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7724	Synaptics.exe	GET	200	69.42.215.252:80	http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978	unknown	—	—	whitelisted
7460	WINWORD.EXE	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl	unknown	—	—	whitelisted
7460	WINWORD.EXE	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl	unknown	—	—	whitelisted
7460	WINWORD.EXE	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7460	WINWORD.EXE	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl	unknown	—	—	whitelisted
7460	WINWORD.EXE	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl	unknown	—	—	whitelisted
7460	WINWORD.EXE	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
7460	WINWORD.EXE	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
2104	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6572	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	23.48.23.159:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2104	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7724	Synaptics.exe	69.42.215.252:80	freedns.afraid.org	AWKNET	US	whitelisted
2196	svchost.exe	224.0.0.252:5355	—	—	—	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158 4.231.128.59	whitelisted
google.com	142.250.184.206	whitelisted
crl.microsoft.com	23.48.23.159 23.48.23.169 23.48.23.166 23.48.23.147 23.48.23.164 23.48.23.150 23.48.23.177 23.48.23.161 23.48.23.162 2.16.168.114 2.16.168.124	whitelisted
www.microsoft.com	23.35.229.160 95.101.149.131	whitelisted
xred.mooo.com	—	whitelisted
freedns.afraid.org	69.42.215.252	whitelisted
officeclient.microsoft.com	52.109.32.97	whitelisted
omex.cdn.office.net	2.19.126.151 2.19.126.160	whitelisted
ecs.office.com	52.123.129.14 52.123.128.14	whitelisted
messaging.lifecycle.office.com	52.111.236.4	whitelisted

PID	Process	Class	Message
2196	svchost.exe	Potentially Bad Traffic	ET DYN_DNS DYNAMIC_DNS Query to Abused Domain *.mooo.com
—	—	A Network Trojan was detected	ET HUNTING Suspicious User-Agent Containing .exe
—	—	A Network Trojan was detected	ET MALWARE Snake Keylogger Payload Request (GET)
—	—	A Network Trojan was detected	ET HUNTING Suspicious User-Agent Containing .exe
—	—	A Network Trojan was detected	ET HUNTING Suspicious User-Agent Containing .exe
—	—	A Network Trojan was detected	ET HUNTING Suspicious User-Agent Containing .exe
—	—	A Network Trojan was detected	ET HUNTING Suspicious User-Agent Containing .exe
—	—	A Network Trojan was detected	ET HUNTING Suspicious User-Agent Containing .exe

General Info

2025-05-18_45bdd40f6244013fb8e4cd32d04f3b3a_amadey_black-basta_darkgate_elex_gcleaner_luca-stealer

45BDD40F6244013FB8E4CD32D04F3B3A

A938A192E9DB5ED48A6956B3091AF0010E6005E3

FD2EFE9E4FD89CDA1490AB007B40AE58DB5D77E6782D68E719B9770E75DCCEE9

98304:wr7ayGJ6kHOSAyu3a7BC7fGnWqboMC68WsaI33Bjxug50/FK2PtIxVIuRLNV+QOY:uU+aNBFZMlJkE/

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

XRED mutex has been found

XRED has been detected

Changes the autorun value in the registry

XRED has been detected (YARA)

XORed URL has been found (YARA)

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

There is functionality for communication over UDP network (YARA)

There is functionality for taking screenshot (YARA)

There is functionality for communication dyndns network (YARA)

Executes as Windows Service

Application launched itself

INFO

Reads the computer name

Creates files in the program directory

The sample compiled with turkish language support

Checks supported languages

Process checks computer location settings

The sample compiled with english language support

Auto-launch of the file from Registry key

Manual execution by a user

Manages system restore points

Checks proxy server information

Compiled with Borland Delphi (YARA)

Executable content was dropped or overwritten

Malware configuration

xor-url

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings