File name:

2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar

Full analysis: https://app.any.run/tasks/f6b9feed-749f-49bc-b2e4-2ba3b0d33387
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: June 21, 2025, 14:13:13
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
trox
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5:

C7EC42F025CEA2268EFDB9518954E5C3

SHA1:

68E5A700BEF7CD41C3643A1B97CC63D25CDBB924

SHA256:

00867195BBDC81FE138678E006DA8F0F7AEC76DF5BA6585425D740A8C689240A

SSDEEP:

98304:t/d864yDCmLRo2K11F6FVUYKqMtu92mVl/16RlS3p59JMEOAyi9dKao2pHAhHmeC:GB4ydOnB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • TROX has been detected

      • 2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4160)

  • SUSPICIOUS

    • Process drops python dynamic module

      • 2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4160)

    • Process drops legitimate windows executable

      • 2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4160)

    • Executable content was dropped or overwritten

      • 2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4160)

    • The process drops C-runtime libraries

      • 2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4160)

    • Application launched itself

      • 2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4160)

    • Starts CMD.EXE for commands execution

      • 2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4232)

    • Executing commands from a ".bat" file

      • 2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4232)

    • Reads security settings of Internet Explorer

      • 2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4160)

  • INFO

    • Checks supported languages

      • 2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4160)
      • 2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4232)

    • Create files in a temporary directory

      • 2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4160)

    • The sample compiled with english language support

      • 2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4160)

    • Reads the machine GUID from the registry

      • 2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4232)

    • Reads the computer name

      • 2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4160)

    • Checks proxy server information

      • slui.exe (PID: 6520)

    • Reads the software policy settings

      • slui.exe (PID: 6520)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:20 08:45:34+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 145920
InitializedDataSize: 3073536
UninitializedDataSize: -
EntryPoint: 0xd4dc
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
138
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #TROX 2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe conhost.exe no specs 2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe no specs cmd.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
4160"C:\Users\admin\Desktop\2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe" C:\Users\admin\Desktop\2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
4232C:\Users\admin\Desktop\2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\Desktop\2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
4968\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6460C:\WINDOWS\system32\cmd.exe /c package.batC:\Windows\System32\cmd.exe2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
6520C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 933
Read events
3 933
Write events
0
Delete events
0

Modification events

No data
Executable files
5
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
41602025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\onefile_4160_133949888035368281\一键package_v1.02.dllexecutable
MD5:E0C7078A2029A9DCCD6D23FC0E43123B
SHA256:6183459CDC7E80EC0478D91C20012959B0F712D628FB774266018852B1F19907
41602025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\onefile_4160_133949888035368281\python39.dllexecutable
MD5:FDCF9805BA28D8F27F28D32939B1687C
SHA256:6AAB6083429A833245D677796661878F6AA7601AF46531EDB0320A8CA749A113
41602025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\onefile_4160_133949888035368281\select.pydexecutable
MD5:81ED0D2663D6FC6715184CF40B989785
SHA256:2B26DE4BB36BC52D386DD68379CC6F20BEADAA1291B0181CA2A6348B6913403A
41602025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\onefile_4160_133949888035368281\unicodedata.pydexecutable
MD5:D77CBBACEC965E1B1AB9E972FB024A32
SHA256:D1DC04C9F0BED7AFA77D60CBB4E6C6B520088D08F932B7401E138C3D3E41762C
41602025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\onefile_4160_133949888035368281\vcruntime140.dllexecutable
MD5:8697C106593E93C11ADC34FAA483C4A0
SHA256:FF43E813785EE948A937B642B03050BB4B1C6A5E23049646B891A66F65D4C833
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
29
TCP/UDP connections
44
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4512
RUXIMICS.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
40.126.31.130:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
POST
200
20.190.159.130:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
POST
400
20.190.159.0:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
200
20.190.159.68:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
16.7 Kb
whitelisted
POST
200
40.126.31.69:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4512
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4512
RUXIMICS.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.159.71
  • 40.126.31.130
  • 40.126.31.69
  • 20.190.159.23
  • 20.190.159.0
  • 20.190.159.68
  • 20.190.159.130
  • 40.126.31.67
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.48
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-06-21_c7ec42f025cea2268efdb9518954e5c3_black-basta_cobalt-strike_luca-stealer_satacom_vidar