Analysis Overview
SHA256
bca462cb28356dd4319a25e4680159433f6c3ba373bbd783b6f84163139f9dce
Threat Level: Shows suspicious behavior
The file 2025-07-01_e401a72a05ca2768dece12eb9f901cd4_amadey_black-basta_coinminer_elex_luca-stealer_magniber_rhadamanthys_smoke-loader_stop was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Enumerates connected drives
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-01 07:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-01 07:07
Reported
2025-07-01 07:09
Platform
win10v2004-20250610-en
Max time kernel
149s
Max time network
145s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-07-01_e401a72a05ca2768dece12eb9f901cd4_amadey_black-basta_coinminer_elex_luca-stealer_magniber_.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-07-01_e401a72a05ca2768dece12eb9f901cd4_amadey_black-basta_coinminer_elex_luca-stealer_magniber_.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-01_e401a72a05ca2768dece12eb9f901cd4_amadey_black-basta_coinminer_elex_luca-stealer_magniber_.exe | N/A |
| File created | C:\Windows\Dll.dll | C:\Users\Admin\AppData\Local\Temp\2025-07-01_e401a72a05ca2768dece12eb9f901cd4_amadey_black-basta_coinminer_elex_luca-stealer_magniber_.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-01_e401a72a05ca2768dece12eb9f901cd4_amadey_black-basta_coinminer_elex_luca-stealer_magniber_.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\2025-07-01_e401a72a05ca2768dece12eb9f901cd4_amadey_black-basta_coinminer_elex_luca-stealer_magniber_.exe
"C:\Users\Admin\AppData\Local\Temp\2025-07-01_e401a72a05ca2768dece12eb9f901cd4_amadey_black-basta_coinminer_elex_luca-stealer_magniber_.exe"
C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
Files
memory/3204-0-0x0000000000400000-0x0000000000448000-memory.dmp
memory/3204-3-0x0000000000400000-0x0000000000448000-memory.dmp
F:\$RECYCLE.BIN\S-1-5-21-2866795425-63786011-2927312124-1000\_desktop.ini
| MD5 | 24c49e895be062b0bc063b7f1d713545 |
| SHA1 | 096a87b1f8369fb3a4c4fc8323606dad58b8e790 |
| SHA256 | c18ba10163eca907f0f0957d320e3f831cdfaf81758c3a3a7aef62236d4d3f2f |
| SHA512 | ae5d7fd55ea8caaea714d7baf66fe7c074e5d12d81bb10a774965ed23fd4d1dae5d2820c811bcbc5c84eab6aa7a2d6b8e81aef19875d87f62910c7387ec24f36 |
C:\Program Files\dotnet\dotnet.exe
| MD5 | a12ba6f7507a071274cb9fc364361560 |
| SHA1 | be5b08de6ec26bc03f7debdb4127b699554fb4e7 |
| SHA256 | 3291ea85fa82fcfb1184c9cd34fa266b1a7b607c1878d895aec61f3905beae86 |
| SHA512 | a7498997f1291521fa2880e53ddf44636d9ca1840a7c00694b2c2697d5fdcbc11d3e540e581a05fe27610424f2e171247fb69b9baf649a2491b74fbf3567b0c1 |
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateBroker.exe
| MD5 | 16840829526086e6aabae7ef10a58d00 |
| SHA1 | 0b66cc86125f1c04e019ccb45e557c823c6e6adc |
| SHA256 | 4a60415653f0814b4b0fff9206d5929d56679bbddf4e6b02299243c771d6e39a |
| SHA512 | 51cc6f6f2afa6c287769fb469770ff06833ae10483dbf9868d63da040613c433d23ee76856d96c3f2d7bef09f5b5cd4a56bf10a8a7933ee032d153f4b4635547 |
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
| MD5 | 1cc19e4fda96278b8a120bdb3fa9e5ec |
| SHA1 | 97f2d293b63e2f22012f7c037c2be7a6e68f9b3a |
| SHA256 | b6ff4f2c3d33ad69e9bb1ebb28568522cc1035418dc7dde10a476e69aeda24aa |
| SHA512 | 3a41da10f1780572945bf32f25a4482a019ebe0372c70c0755df7797be9ebfe53e1f7270595746525e293ce97919027456f020be7089ece0a2fed463c1dfdfe6 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-01 07:07
Reported
2025-07-01 07:09
Platform
win11-20250619-en
Max time kernel
150s
Max time network
105s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-07-01_e401a72a05ca2768dece12eb9f901cd4_amadey_black-basta_coinminer_elex_luca-stealer_magniber_.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-07-01_e401a72a05ca2768dece12eb9f901cd4_amadey_black-basta_coinminer_elex_luca-stealer_magniber_.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\2025-07-01_e401a72a05ca2768dece12eb9f901cd4_amadey_black-basta_coinminer_elex_luca-stealer_magniber_.exe | N/A |
| File created | C:\Windows\Dll.dll | C:\Users\Admin\AppData\Local\Temp\2025-07-01_e401a72a05ca2768dece12eb9f901cd4_amadey_black-basta_coinminer_elex_luca-stealer_magniber_.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-01_e401a72a05ca2768dece12eb9f901cd4_amadey_black-basta_coinminer_elex_luca-stealer_magniber_.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\2025-07-01_e401a72a05ca2768dece12eb9f901cd4_amadey_black-basta_coinminer_elex_luca-stealer_magniber_.exe
"C:\Users\Admin\AppData\Local\Temp\2025-07-01_e401a72a05ca2768dece12eb9f901cd4_amadey_black-basta_coinminer_elex_luca-stealer_magniber_.exe"
C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
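The behavioural signatures above are identical in behavioral1 (win10v2004) and behavioral2 (win11), so one set of host-based triage rules covers both. A few points a responder should keep in mind when reading the tables: `C:\Windows\rundl132.exe` is spelled with a digit one, a lookalike of the legitimate `rundll32.exe` (ATT&CK T1036.005); `net stop "Kingsoft AntiVirus Service"` is a tooling-disable attempt (T1562.001) that simply fails on a host without that product; and the `_desktop.ini` dropped in `%APPDATA%\Microsoft\Word\STARTUP` is not something Word will load (it loads `.dot`, `.dotm` and `.wll` files from that folder), so the "Drops startup file" signature fires on the path, not on proven persistence. The only network rows in behavioral1 are Microsoft and Google infrastructure consistent with OS background traffic, so detection here is host-side. The code below is an added example, not part of the sandbox report or of the sample: it runs the three rules over constructed Sysmon-style events modelled on the report's own process and file tables. The security-service keyword list, the system-binary list, the `sample.exe` name and the two benign control events are assumptions.

```python
"""Host-based triage rules for the behaviours shared by behavioral1 and behavioral2."""
import ntpath
import re

# Constructed Sysmon-style events modelled on the report's tables (not sandbox output).
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": 'net stop "Kingsoft AntiVirus Service"'},
    {"event": "ProcessCreate", "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmdline": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
    {"event": "FileCreate", "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "target": r"C:\Windows\rundl132.exe"},
    {"event": "FileCreate", "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "target": r"C:\Windows\Dll.dll"},
    {"event": "FileCreate", "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini"},
    # Benign controls (assumed): an admin mapping a share, and a service writing to a subdirectory.
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use Z: \\fileserver\share"},
    {"event": "FileCreate", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\Temp\MpCmdRun.log"},
]

# Assumed keyword list for security-product service names; extend for your estate.
SECURITY_SERVICE_WORDS = ("antivirus", "anti-virus", "defender", "kingsoft", "security", "endpoint")
# Assumed list of genuine Windows binaries whose names are commonly imitated.
SYSTEM_BINARIES = ("rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe")
OFFICE_STARTUP_DIRS = ("\\microsoft\\word\\startup\\", "\\microsoft\\excel\\xlstart\\")


def levenshtein(a, b):
    """Edit distance, used to catch one-character lookalikes such as rundl132 vs rundll32."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def rule_av_service_stop(ev):
    """T1562.001: net/net1/sc stopping a service whose name looks like security tooling."""
    if ev["event"] != "ProcessCreate":
        return None
    name = ntpath.basename(ev["image"]).lower()
    if name not in ("net.exe", "net1.exe", "sc.exe"):
        return None
    m = re.search(r'\bstop\s+"?([^"]+)"?', ev["cmdline"], re.IGNORECASE)
    if not m:
        return None
    service = m.group(1).strip()
    if any(w in service.lower() for w in SECURITY_SERVICE_WORDS):
        return ("T1562.001", f"{name} stopping security service '{service}'")
    return None


def rule_windows_root_drop(ev):
    """T1036.005 / T1036: new file directly in C:\\Windows, lookalike name or user-profile writer."""
    if ev["event"] != "FileCreate":
        return None
    directory, name = ntpath.split(ev["target"])
    if directory.lower() != r"c:\windows":
        return None
    lname = name.lower()
    for real in SYSTEM_BINARIES:
        if lname != real and levenshtein(lname, real) <= 1:
            return ("T1036.005", f"{name} written to C:\\Windows imitates {real}")
    if "\\users\\" in ev["image"].lower():
        return ("T1036", f"{name} written to C:\\Windows root by user-profile process {ev['image']}")
    return None


def rule_office_startup_drop(ev):
    """T1137: any file created inside an Office startup folder (path-based, like the sandbox signature)."""
    if ev["event"] != "FileCreate":
        return None
    target = ev["target"].lower()
    if any(d in target for d in OFFICE_STARTUP_DIRS):
        return ("T1137", f"file dropped into Office startup folder: {ev['target']}")
    return None


RULES = (rule_av_service_stop, rule_windows_root_drop, rule_office_startup_drop)


def run_rules(events):
    """Return (technique, detail) pairs for every rule hit, in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for technique, detail in run_rules(SAMPLE_EVENTS):
        print(technique, detail)
```

The rules are deliberately path- and command-line-based so they can be ported to Sysmon event IDs 1 and 11 or to EDR telemetry without any dependency on the sample's hash; the `Dll.dll` write is caught only by the "user-profile process writing to the Windows root" clause, which is the one most worth tuning against installers in your environment.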
Network
Files
memory/2492-0-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2492-3-0x0000000000400000-0x0000000000448000-memory.dmp
F:\$RECYCLE.BIN\S-1-5-21-3625340254-1625357543-1797847221-1000\_desktop.ini
| MD5 | 24c49e895be062b0bc063b7f1d713545 |
| SHA1 | 096a87b1f8369fb3a4c4fc8323606dad58b8e790 |
| SHA256 | c18ba10163eca907f0f0957d320e3f831cdfaf81758c3a3a7aef62236d4d3f2f |
| SHA512 | ae5d7fd55ea8caaea714d7baf66fe7c074e5d12d81bb10a774965ed23fd4d1dae5d2820c811bcbc5c84eab6aa7a2d6b8e81aef19875d87f62910c7387ec24f36 |
C:\Program Files\dotnet\dotnet.exe
| MD5 | a12ba6f7507a071274cb9fc364361560 |
| SHA1 | be5b08de6ec26bc03f7debdb4127b699554fb4e7 |
| SHA256 | 3291ea85fa82fcfb1184c9cd34fa266b1a7b607c1878d895aec61f3905beae86 |
| SHA512 | a7498997f1291521fa2880e53ddf44636d9ca1840a7c00694b2c2697d5fdcbc11d3e540e581a05fe27610424f2e171247fb69b9baf649a2491b74fbf3567b0c1 |
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateBroker.exe
| MD5 | dd4280eb9a13273acecbf9bae0c53585 |
| SHA1 | c9554baa90be855b13a0ff3b08096dc83df62b48 |
| SHA256 | e999d6e8049b275419c8db69370fb8d11a8db46237eb05df7dac8300c342f1cc |
| SHA512 | e5c4a9f21c4cad40f94688d9435c5f24a200d7b7315f1614d9cc62a582d0fee7291af0c5286939c8c991149dbe93911ceee746b3cc6caa3533a6c2ca61932779 |
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
| MD5 | 1cc19e4fda96278b8a120bdb3fa9e5ec |
| SHA1 | 97f2d293b63e2f22012f7c037c2be7a6e68f9b3a |
| SHA256 | b6ff4f2c3d33ad69e9bb1ebb28568522cc1035418dc7dde10a476e69aeda24aa |
| SHA512 | 3a41da10f1780572945bf32f25a4482a019ebe0372c70c0755df7797be9ebfe53e1f7270595746525e293ce97919027456f020be7089ece0a2fed463c1dfdfe6 |