Analysis
-
max time kernel
100s -
max time network
103s -
platform
windows11-21h2_x64 -
resource
win11-20250619-en -
resource tags
arch:x64arch:x86image:win11-20250619-enlocale:en-usos:windows11-21h2-x64system -
submitted
04/07/2025, 12:12
Static task
static1
Behavioral task
behavioral1
Sample
2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe
Resource
win10v2004-20250610-en
General
-
Target
2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe
-
Size
5.0MB
-
MD5
e8323ea933f62dd0971e402a58e3dcca
-
SHA1
969d5bb37cd1c524c7bbe49ab49b4a84380699a8
-
SHA256
5113cd133e827cf9380e2f06ffed2d499a93461c2bccdf3961f238fd783ccf3e
-
SHA512
730bdf5d57839d8e89a3ea27f943dce62f87b9777139a0d5760dd39c30ce566134970bfb793da0f661bc66af5a1d03555e937332be4548a61a68f745a9c4b53b
-
SSDEEP
98304:+O4mO42O4mO4I1TiYOXwnS4rVJMz2fP5GAAaukyqm:AIYISHI4fs2m
Malware Config
Signatures
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\unpack200.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\misc.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jmap.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\msotd.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\createdump.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstack.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\7-Zip\7z.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoev.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\7-Zip\7zG.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 5944 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5944
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7.1MB
MD5f2b7e56c6c15c9c2e94ffcf53d46c8df
SHA18ee63b1f4e1832f59b654dc17b711e034d2f9741
SHA2565c920ef6d973e8b59b00f9a15bf21d2db054b0a081934c0c8a634c87dafbb37f
SHA512f9e5b9fe056f1b5836d6862a89bbbd27864c8e53b4132b011d9a54d09932253637c65de72b7e12308216c1276e81a0be265ddc4f74974309ad48f0372e5bc1ed