Analysis

  • max time kernel
    100s
  • max time network
    103s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250619-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    04/07/2025, 12:12

General

  • Target

    2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe

  • Size

    5.0MB

  • MD5

    e8323ea933f62dd0971e402a58e3dcca

  • SHA1

    969d5bb37cd1c524c7bbe49ab49b4a84380699a8

  • SHA256

    5113cd133e827cf9380e2f06ffed2d499a93461c2bccdf3961f238fd783ccf3e

  • SHA512

    730bdf5d57839d8e89a3ea27f943dce62f87b9777139a0d5760dd39c30ce566134970bfb793da0f661bc66af5a1d03555e937332be4548a61a68f745a9c4b53b

  • SSDEEP

    98304:+O4mO42O4mO4I1TiYOXwnS4rVJMz2fP5GAAaukyqm:AIYISHI4fs2m

Malware Config

Signatures

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:5944

Network

        MITRE ATT&CK Enterprise v16


        Downloads

        • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

          Filesize

          7.1MB

          MD5

          f2b7e56c6c15c9c2e94ffcf53d46c8df

          SHA1

          8ee63b1f4e1832f59b654dc17b711e034d2f9741

          SHA256

          5c920ef6d973e8b59b00f9a15bf21d2db054b0a081934c0c8a634c87dafbb37f

          SHA512

          f9e5b9fe056f1b5836d6862a89bbbd27864c8e53b4132b011d9a54d09932253637c65de72b7e12308216c1276e81a0be265ddc4f74974309ad48f0372e5bc1ed
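The hashes and the drop location above are the hunt material this report gives a responder. The script below is an added example, not part of the sandbox report or its tooling: it walks a directory tree, hashes every file once for MD5, SHA-1, SHA-256 and SHA-512 from a single read, reports a confirmed match when any digest equals one of the report's values, and separately flags a file that sits at the dropped path (`...\Common Files\microsoft shared\ClickToRun\appvcleaner.exe`) but has different hashes, since the report establishes the drop, not that every file at that path is malicious. The `demo()` tree and its file contents are constructed stand-ins, so the demo IoC table holds the stand-in's SHA-256 rather than the report's digests; on a real host you would pass `IOC_HASHES` to `hunt()`.

```python
"""Offline IoC hunt for the files listed in this report.

Added example, not part of the sandbox report: walks a directory tree,
hashes each file once with MD5 / SHA-1 / SHA-256 / SHA-512, and reports
(a) files whose digest matches the submitted sample or the dropped
appvcleaner.exe and (b) files sitting at the dropped file's path whose
hashes differ (flagged for review only).
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Digests copied from the report (submitted sample and dropped file).
IOC_HASHES: Dict[str, str] = {
    "e8323ea933f62dd0971e402a58e3dcca": "submitted sample",
    "969d5bb37cd1c524c7bbe49ab49b4a84380699a8": "submitted sample",
    "5113cd133e827cf9380e2f06ffed2d499a93461c2bccdf3961f238fd783ccf3e": "submitted sample",
    "f2b7e56c6c15c9c2e94ffcf53d46c8df": "dropped appvcleaner.exe",
    "8ee63b1f4e1832f59b654dc17b711e034d2f9741": "dropped appvcleaner.exe",
    "5c920ef6d973e8b59b00f9a15bf21d2db054b0a081934c0c8a634c87dafbb37f": "dropped appvcleaner.exe",
}

# Tail of the drop location from the report, compared case-insensitively.
DROPPED_PATH_TAIL = ("common files", "microsoft shared", "clicktorun", "appvcleaner.exe")


@dataclass
class Finding:
    path: str
    kind: str    # "hash-match" (confirmed) or "path-match" (review)
    label: str
    sha256: str


def digest_file(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    """Read the file once and feed every hasher from the same buffer."""
    hashers = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256", "sha512")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {n: h.hexdigest() for n, h in hashers.items()}


def is_dropped_path(path: str) -> bool:
    """True when the path ends in the report's drop location (any case, any root)."""
    parts = path.replace("\\", "/").lower().split("/")
    return tuple(parts[-len(DROPPED_PATH_TAIL):]) == DROPPED_PATH_TAIL


def hunt(root: str, iocs: Dict[str, str] = IOC_HASHES) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = digest_file(path)
            except OSError:      # unreadable or vanished file: skip, keep hunting
                continue
            label: Optional[str] = next(
                (iocs[d] for d in digests.values() if d in iocs), None)
            if label is not None:
                findings.append(Finding(path, "hash-match", label, digests["sha256"]))
            elif is_dropped_path(path):
                findings.append(Finding(path, "path-match",
                                        "file at dropped-file path, hashes differ",
                                        digests["sha256"]))
    return findings


def demo() -> Tuple[List[Finding], Dict[str, str]]:
    """Build a constructed tree (no real malware) and hunt it."""
    root = tempfile.mkdtemp(prefix="ioc_hunt_")
    drop_dir = os.path.join(root, "Program Files", "Common Files",
                            "microsoft shared", "ClickToRun")
    look_dir = os.path.join(root, "other", "COMMON FILES", "Microsoft Shared", "clicktorun")
    os.makedirs(drop_dir)
    os.makedirs(look_dir)
    paths = {
        "dropped": os.path.join(drop_dir, "appvcleaner.exe"),
        "lookalike": os.path.join(look_dir, "AppVCleaner.exe"),
        "benign": os.path.join(root, "readme.txt"),
    }
    contents = {"dropped": b"constructed stand-in for the dropped file",
                "lookalike": b"different constructed content",
                "benign": b"abc"}
    for key, p in paths.items():
        with open(p, "wb") as fh:
            fh.write(contents[key])
    # The report's digests cannot match constructed bytes, so the demo IoC
    # table holds the stand-in's SHA-256; use IOC_HASHES on a real host.
    demo_iocs = {hashlib.sha256(contents["dropped"]).hexdigest(): "dropped appvcleaner.exe"}
    return hunt(root, demo_iocs), paths


if __name__ == "__main__":
    for f in demo()[0]:
        print(f"{f.kind:10} {f.label:45} {f.path}")
```

A hash match is a confirmed hit on the report's artifacts; a path-only match is a prompt to pull the file for signature and hash review, not a verdict.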