Analysis Overview
SHA256
5113cd133e827cf9380e2f06ffed2d499a93461c2bccdf3961f238fd783ccf3e
Threat Level: Shows suspicious behavior
The file 2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ramnit_rhadamanthys_smoke-loader was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-04 12:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-04 12:12
Reported
2025-07-04 12:14
Platform
win10v2004-20250610-en
Max time kernel
102s
Max time network
116s
Command Line
Signatures
Reads user/profile data of web browsers
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe
"C:\Users\Admin\AppData\Local\Temp\2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
| Algorithm | Digest |
|---|---|
| MD5 | f2b7e56c6c15c9c2e94ffcf53d46c8df |
| SHA1 | 8ee63b1f4e1832f59b654dc17b711e034d2f9741 |
| SHA256 | 5c920ef6d973e8b59b00f9a15bf21d2db054b0a081934c0c8a634c87dafbb37f |
| SHA512 | f9e5b9fe056f1b5836d6862a89bbbd27864c8e53b4132b011d9a54d09932253637c65de72b7e12308216c1276e81a0be265ddc4f74974309ad48f0372e5bc1ed |
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-04 12:12
Reported
2025-07-04 12:14
Platform
win11-20250619-en
Max time kernel
100s
Max time network
103s
Command Line
Signatures
Reads user/profile data of web browsers
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe
"C:\Users\Admin\AppData\Local\Temp\2025-07-04_e8323ea933f62dd0971e402a58e3dcca_amadey_black-basta_coinminer_elex_hijackloader_nymaim_ra.exe"
Network
Files
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
| Algorithm | Digest |
|---|---|
| MD5 | f2b7e56c6c15c9c2e94ffcf53d46c8df |
| SHA1 | 8ee63b1f4e1832f59b654dc17b711e034d2f9741 |
| SHA256 | 5c920ef6d973e8b59b00f9a15bf21d2db054b0a081934c0c8a634c87dafbb37f |
| SHA512 | f9e5b9fe056f1b5836d6862a89bbbd27864c8e53b4132b011d9a54d09932253637c65de72b7e12308216c1276e81a0be265ddc4f74974309ad48f0372e5bc1ed |