Analysis
-
max time kernel
104s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20250619-en -
resource tags
arch:x64arch:x86image:win10v2004-20250619-enlocale:en-usos:windows10-2004-x64system -
submitted
04/07/2025, 12:18
Static task
static1
General
-
Target
2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe
-
Size
8.8MB
-
MD5
ec1442bdce32615359d3ea3f40e68f08
-
SHA1
dcce8a49877788ee0c1e5aa7a60dbc56f6df9399
-
SHA256
e9920abdd6c85d8b633bab9d300c266d22a4a3b5808d9b347a3ebcc36dd866c5
-
SHA512
1c97537049ad44d13f6b1b3592bdc0dedb56709b11bcb9637c0dbec391c956fb8ce5800bab07373c21ee899c8f13ae30d488ebc99f36216d803b0563d7b62d03
-
SSDEEP
98304:+O4mO4VOO77GBfWJs+CgaqVsKIDQsIDQDo1FbBH26Z5xF7x5Qe67S49:AIYcGBfWSjWsKuQsuQk1lT5K779
Malware Config
Signatures
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Internet Explorer\iexplore.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\unpack200.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\misc.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\msotd.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\7-Zip\7zG.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\createdump.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevated_tracing_service.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 5896 2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ec1442bdce32615359d3ea3f40e68f08_amadey_black-basta_elex_hijackloader_nymaim_ramnit_rhada.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5896
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10.9MB
MD5bbe75266f42de9d095b2c2cec6cca459
SHA15e363670551b66e446c5d0dd2c6f2275b5f6dc5e
SHA256608096e9a2ee07c2afb6eaffae904ea4c5044753ab1cee9d8dc7bc98e6c38947
SHA512d3b9fa6970732329f2528fed50ac882d13e45b668ef18b9a05a0acc94d81fbe423033e6ffd2766b66cee61df99973f9bec0e51a928ace403b5072840a4ee5ed9