File name: 2025-04-23_08a6720a129a244be6f1991bfb18dc3d_cobalt-strike_elex_sliver

Full analysis: https://app.any.run/tasks/a99765b3-dc7a-47de-b5ff-9f3f4af1d6e3
Verdict: Malicious activity
Threats: Arkei is a stealer-type malware capable of collecting passwords, autosaved form data, cryptocurrency wallet credentials, and files.

Analysis date: April 23, 2025, 22:47:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
golang
crypto-regex
redline
telegram
arkei
vidar
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 6 sections
MD5: 08A6720A129A244BE6F1991BFB18DC3D
SHA1: 6248F4CB029BEC977CE40AE7952B8E9613675FB6
SHA256: 00752390AC63A3280A92EC37B340BCB5D91392A41BB1069FAB54F578AB3252CF
SSDEEP: 98304:/Q9/CwpsgZTzGBLluKVa4MET9uUM8ftWqv4Qhn9nhKwfXnws0RKWIj/M5esY56o5:bP6FJnpY9B

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may have been influenced by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2025-04-23_08a6720a129a244be6f1991bfb18dc3d_cobalt-strike_elex_sliver.exe (PID: 7416)
    • REDLINE has been detected (YARA)

      • 2025-04-23_08a6720a129a244be6f1991bfb18dc3d_cobalt-strike_elex_sliver.exe (PID: 7416)
      • MSBuild.exe (PID: 7480)
    • ARKEI has been detected (YARA)

      • 2025-04-23_08a6720a129a244be6f1991bfb18dc3d_cobalt-strike_elex_sliver.exe (PID: 7416)
      • MSBuild.exe (PID: 7608)
    • VIDAR has been detected (YARA)

      • MSBuild.exe (PID: 7608)
    • VIDAR has been detected (SURICATA)

      • MSBuild.exe (PID: 7608)
  • SUSPICIOUS

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • 2025-04-23_08a6720a129a244be6f1991bfb18dc3d_cobalt-strike_elex_sliver.exe (PID: 7416)
    • Found regular expressions for crypto-addresses (YARA)

      • 2025-04-23_08a6720a129a244be6f1991bfb18dc3d_cobalt-strike_elex_sliver.exe (PID: 7416)
      • MSBuild.exe (PID: 7524)
    • Reads security settings of Internet Explorer

      • MSBuild.exe (PID: 7608)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • MSBuild.exe (PID: 7608)
    • Connects to the server without a host name

      • MSBuild.exe (PID: 7608)
    • Multiple wallet extension IDs have been found

      • MSBuild.exe (PID: 7608)
  • INFO

    • Reads the computer name

      • 2025-04-23_08a6720a129a244be6f1991bfb18dc3d_cobalt-strike_elex_sliver.exe (PID: 7416)
      • MSBuild.exe (PID: 7480)
      • MSBuild.exe (PID: 7524)
      • MSBuild.exe (PID: 7608)
    • Checks supported languages

      • 2025-04-23_08a6720a129a244be6f1991bfb18dc3d_cobalt-strike_elex_sliver.exe (PID: 7416)
      • MSBuild.exe (PID: 7480)
      • MSBuild.exe (PID: 7524)
      • MSBuild.exe (PID: 7608)
    • Reads the software policy settings

      • 2025-04-23_08a6720a129a244be6f1991bfb18dc3d_cobalt-strike_elex_sliver.exe (PID: 7416)
      • MSBuild.exe (PID: 7608)
      • slui.exe (PID: 7820)
    • Reads the machine GUID from the registry

      • 2025-04-23_08a6720a129a244be6f1991bfb18dc3d_cobalt-strike_elex_sliver.exe (PID: 7416)
      • MSBuild.exe (PID: 7480)
      • MSBuild.exe (PID: 7524)
      • MSBuild.exe (PID: 7608)
    • Application based on Golang

      • 2025-04-23_08a6720a129a244be6f1991bfb18dc3d_cobalt-strike_elex_sliver.exe (PID: 7416)
    • Checks proxy server information

      • MSBuild.exe (PID: 7608)
      • slui.exe (PID: 7820)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

RedLine

(PID) Process (7416): 2025-04-23_08a6720a129a244be6f1991bfb18dc3d_cobalt-strike_elex_sliver.exe
C2 (1): 176.113.115.220:80
Botnet: 1
Options:
ErrorMessage:
Keys:
XorVairs:
(PID) Process (7480): MSBuild.exe
C2 (1): 176.113.115.220:80
Botnet: 1
Options:
ErrorMessage:
Keys:
XorVairs:

Arkei

(PID) Process (7416): 2025-04-23_08a6720a129a244be6f1991bfb18dc3d_cobalt-strike_elex_sliver.exe
C2 (2): https://t.me/nemesisgrow
https://steamcommunity.com/profiles/76561199471222742
Strings (24)
(PID) Process (7608): MSBuild.exe
C2 (2): https://t.me/nemesisgrow
https://steamcommunity.com/profiles/76561199471222742
Strings (24)

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, 32-bit, No debug
PEType: PE32
LinkerVersion: 3
CodeSize: 459264
InitializedDataSize: 73728
UninitializedDataSize: -
EntryPoint: 0x593b0
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes
123
Monitored processes
6
Malicious processes
4
Suspicious processes
0

Behavior graph

start #REDLINE 2025-04-23_08a6720a129a244be6f1991bfb18dc3d_cobalt-strike_elex_sliver.exe svchost.exe #REDLINE msbuild.exe msbuild.exe no specs #ARKEI msbuild.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 7416
CMD: "C:\Users\admin\Desktop\2025-04-23_08a6720a129a244be6f1991bfb18dc3d_cobalt-strike_elex_sliver.exe"
Path: C:\Users\admin\Desktop\2025-04-23_08a6720a129a244be6f1991bfb18dc3d_cobalt-strike_elex_sliver.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-04-23_08a6720a129a244be6f1991bfb18dc3d_cobalt-strike_elex_sliver.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 7480
CMD: "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
Path: C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe
Parent process: 2025-04-23_08a6720a129a244be6f1991bfb18dc3d_cobalt-strike_elex_sliver.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\assembly\gac_32\msbuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 7524
CMD: "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
Path: C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe
Parent process: 2025-04-23_08a6720a129a244be6f1991bfb18dc3d_cobalt-strike_elex_sliver.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\assembly\gac_32\msbuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 7608
CMD: "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
Path: C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe
Parent process: 2025-04-23_08a6720a129a244be6f1991bfb18dc3d_cobalt-strike_elex_sliver.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\assembly\gac_32\msbuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID: 7820
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
11 576
Read events
11 573
Write events
3
Delete events
0

Modification events

(PID) Process: (7608) MSBuild.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:
(PID) Process: (7608) MSBuild.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:
(PID) Process: (7608) MSBuild.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
37
DNS requests
6
Threats
17

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7608
MSBuild.exe
GET
65.109.12.165:80
http://65.109.12.165/
unknown
unknown
7608
MSBuild.exe
GET
88.198.116.74:80
http://88.198.116.74/
unknown
unknown
GET
200
149.154.167.99:443
https://t.me/nemesisgrow
unknown
7608
MSBuild.exe
GET
88.198.116.74:80
http://88.198.116.74/
unknown
unknown
7608
MSBuild.exe
GET
65.109.12.165:80
http://65.109.12.165/
unknown
unknown
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
GET
200
23.197.130.99:443
https://steamcommunity.com/profiles/76561199471222742
unknown
html
36.7 Kb
whitelisted
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
GET
200
149.154.167.99:443
https://t.me/nemesisgrow
unknown
html
9.38 Kb
whitelisted
GET
200
23.197.130.99:443
https://steamcommunity.com/profiles/76561199471222742
unknown
html
37.1 Kb
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7416
2025-04-23_08a6720a129a244be6f1991bfb18dc3d_cobalt-strike_elex_sliver.exe
104.21.76.57:443
iplogger.com
CLOUDFLARENET
shared
7480
MSBuild.exe
176.113.115.220:80
Red Bytes LLC
RU
malicious
4
System
192.168.100.255:137
whitelisted
7608
MSBuild.exe
149.154.167.99:443
t.me
Telegram Messenger Inc
GB
whitelisted
7608
MSBuild.exe
23.197.130.99:443
steamcommunity.com
Akamai International B.V.
US
whitelisted
7608
MSBuild.exe
88.198.116.74:80
Hetzner Online GmbH
DE
unknown
7608
MSBuild.exe
65.109.12.165:80
Hetzner Online GmbH
FI
unknown
7268
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.78
whitelisted
iplogger.com
  • 104.21.76.57
  • 172.67.188.178
shared
t.me
  • 149.154.167.99
whitelisted
steamcommunity.com
  • 23.197.130.99
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
7416
2025-04-23_08a6720a129a244be6f1991bfb18dc3d_cobalt-strike_elex_sliver.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
7480
MSBuild.exe
Potentially Bad Traffic
ET INFO Microsoft net.tcp Connection Initialization Activity
7480
MSBuild.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 30
7608
MSBuild.exe
Misc activity
ET INFO Observed Telegram Domain (t .me in TLS SNI)
7480
MSBuild.exe
Potentially Bad Traffic
ET INFO Microsoft net.tcp Connection Initialization Activity
7608
MSBuild.exe
A Network Trojan was detected
STEALER [ANY.RUN] Arkei/Vidar HTTP Request
7480
MSBuild.exe
Potentially Bad Traffic
ET INFO Microsoft net.tcp Connection Initialization Activity
7608
MSBuild.exe
A Network Trojan was detected
STEALER [ANY.RUN] Arkei/Vidar HTTP Request
7480
MSBuild.exe
Potentially Bad Traffic
ET INFO Microsoft net.tcp Connection Initialization Activity