Malware Analysis Report

2025-08-10 19:53

Sample ID 250703-gl741sfl81
Target 2025-07-03_9637b08a5424280dc9f31f3adba797c5_amadey_black-basta_elex_luca-stealer
SHA256 143f4628abbfbf5f79a51d7a9a3e368c20a88204217111d297d96de0a8c7d48a
Tags
pyinstaller pysilon discovery upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

143f4628abbfbf5f79a51d7a9a3e368c20a88204217111d297d96de0a8c7d48a

Threat Level: Known bad

The file 2025-07-03_9637b08a5424280dc9f31f3adba797c5_amadey_black-basta_elex_luca-stealer was found to be: Known bad.

Malicious Activity Summary

pyinstaller pysilon discovery upx

Detect Pysilon

Pysilon family

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

UPX packed file

Detects Pyinstaller

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-03 05:54

Signatures

Detect Pysilon


Pysilon family

pysilon

Detects Pyinstaller

pyinstaller

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2025-07-03 05:54

Reported

2025-07-03 05:57

Platform

win10v2004-20250619-en

Max time kernel

104s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-07-03_9637b08a5424280dc9f31f3adba797c5_amadey_black-basta_elex_luca-stealer.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software


UPX packed file

upx

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-07-03_9637b08a5424280dc9f31f3adba797c5_amadey_black-basta_elex_luca-stealer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-03_9637b08a5424280dc9f31f3adba797c5_amadey_black-basta_elex_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-03_9637b08a5424280dc9f31f3adba797c5_amadey_black-basta_elex_luca-stealer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI49802\python311.dll

C:\Users\Admin\AppData\Local\Temp\_MEI49802\VCRUNTIME140.dll

memory/3388-48-0x0000000075010000-0x0000000075518000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49802\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI49802\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI49802\libffi-8.dll

memory/3388-55-0x0000000074FB0000-0x0000000074FBD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49802\_sqlite3.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI49802\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI49802\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI49802\_queue.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI49802\_overlapped.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI49802\_multiprocessing.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI49802\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI49802\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI49802\_elementtree.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI49802\_decimal.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI49802\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI49802\_asyncio.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI49802\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI49802\sqlite3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI49802\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI49802\pyexpat.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI49802\libssl-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI49802\libopus-0.x64.dll

C:\Users\Admin\AppData\Local\Temp\_MEI49802\libcrypto-1_1.dll

memory/3388-54-0x0000000074FC0000-0x0000000074FDF000-memory.dmp

memory/3388-76-0x0000000074FA0000-0x0000000074FB0000-memory.dmp

memory/3388-78-0x0000000074D40000-0x0000000074F9C000-memory.dmp

memory/3388-79-0x0000000075010000-0x0000000075518000-memory.dmp

memory/3388-80-0x0000000074FC0000-0x0000000074FDF000-memory.dmp

memory/3388-86-0x0000000074FB0000-0x0000000074FBD000-memory.dmp

memory/3388-87-0x0000000074FC0000-0x0000000074FDF000-memory.dmp

memory/3388-85-0x0000000074D40000-0x0000000074F9C000-memory.dmp

memory/3388-84-0x0000000074FA0000-0x0000000074FB0000-memory.dmp

memory/3388-81-0x0000000075010000-0x0000000075518000-memory.dmp