File name:

2025-04-29_b4649bf82dfcf0e7ec1ad7f4d1649d4a_black-basta_cobalt-strike_satacom

Full analysis: https://app.any.run/tasks/4dd988e7-2cce-4add-bdb6-4eab78e4eef6
Verdict: Malicious activity
Threats:

Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.

Malware Trends Tracker     >>>
Analysis date: April 29, 2025, 01:46:22
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealc
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 5 sections
MD5:

B4649BF82DFCF0E7EC1AD7F4D1649D4A

SHA1:

0003E78143958886A4E222B590B899ABD8A8756D

SHA256:

269B9480561B8D57ED2A5791603A5EBEF15B3CC841DFCC393AC9545AB8374414

SSDEEP:

98304:Q9YEmbIFrx86GjVUMxV2SPXqAaIgrdi5oK13VuV3Pn4iyVBSvSSFx8OpcDVHvtKA:Q9lLp3Up5p

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • STEALC has been detected

      • 2025-04-29_b4649bf82dfcf0e7ec1ad7f4d1649d4a_black-basta_cobalt-strike_satacom.exe (PID: 7372)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-04-29_b4649bf82dfcf0e7ec1ad7f4d1649d4a_black-basta_cobalt-strike_satacom.exe (PID: 7372)

  • INFO

    • Checks supported languages

      • 2025-04-29_b4649bf82dfcf0e7ec1ad7f4d1649d4a_black-basta_cobalt-strike_satacom.exe (PID: 7372)

    • Checks proxy server information

      • slui.exe (PID: 8004)
      • 2025-04-29_b4649bf82dfcf0e7ec1ad7f4d1649d4a_black-basta_cobalt-strike_satacom.exe (PID: 7372)

    • Reads the software policy settings

      • slui.exe (PID: 8004)

    • Reads the computer name

      • 2025-04-29_b4649bf82dfcf0e7ec1ad7f4d1649d4a_black-basta_cobalt-strike_satacom.exe (PID: 7372)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:04:20 13:31:57+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 453632
InitializedDataSize: 366592
UninitializedDataSize: -
EntryPoint: 0x40754
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
129
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #STEALC 2025-04-29_b4649bf82dfcf0e7ec1ad7f4d1649d4a_black-basta_cobalt-strike_satacom.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
7372"C:\Users\admin\Desktop\2025-04-29_b4649bf82dfcf0e7ec1ad7f4d1649d4a_black-basta_cobalt-strike_satacom.exe" C:\Users\admin\Desktop\2025-04-29_b4649bf82dfcf0e7ec1ad7f4d1649d4a_black-basta_cobalt-strike_satacom.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-04-29_b4649bf82dfcf0e7ec1ad7f4d1649d4a_black-basta_cobalt-strike_satacom.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
8004C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 711
Read events
3 708
Write events
3
Delete events
0

Modification events

(PID) Process:(7372) 2025-04-29_b4649bf82dfcf0e7ec1ad7f4d1649d4a_black-basta_cobalt-strike_satacom.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7372) 2025-04-29_b4649bf82dfcf0e7ec1ad7f4d1649d4a_black-basta_cobalt-strike_satacom.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7372) 2025-04-29_b4649bf82dfcf0e7ec1ad7f4d1649d4a_black-basta_cobalt-strike_satacom.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
35
TCP/UDP connections
51
DNS requests
18
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6876
RUXIMICS.exe
GET
200
2.20.245.139:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7372
2025-04-29_b4649bf82dfcf0e7ec1ad7f4d1649d4a_black-basta_cobalt-strike_satacom.exe
POST
200
88.214.48.93:80
http://88.214.48.93/ea2cb15d61cc476f.php
unknown
malicious
2104
svchost.exe
GET
200
2.20.245.139:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6876
RUXIMICS.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
304
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
7724
SIHClient.exe
GET
200
2.20.245.139:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
7724
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7724
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
7724
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6876
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
7372
2025-04-29_b4649bf82dfcf0e7ec1ad7f4d1649d4a_black-basta_cobalt-strike_satacom.exe
88.214.48.93:80
SIA Singularity Telecom
US
malicious
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
2.20.245.139:80
crl.microsoft.com
Akamai International B.V.
SE
whitelisted
6876
RUXIMICS.exe
2.20.245.139:80
crl.microsoft.com
Akamai International B.V.
SE
whitelisted
2104
svchost.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 172.217.16.142
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
crl.microsoft.com
  • 2.20.245.139
  • 2.20.245.137
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
login.live.com
  • 40.126.31.130
  • 20.190.159.130
  • 20.190.159.0
  • 20.190.159.71
  • 20.190.159.68
  • 20.190.159.4
  • 40.126.31.129
  • 20.190.159.73
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
  • 20.83.72.98
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.29
whitelisted

Threats

PID
Process
Class
Message
7372
2025-04-29_b4649bf82dfcf0e7ec1ad7f4d1649d4a_black-basta_cobalt-strike_satacom.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 10
7372
2025-04-29_b4649bf82dfcf0e7ec1ad7f4d1649d4a_black-basta_cobalt-strike_satacom.exe
Misc Attack
ET DROP Dshield Block Listed Source group 1
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-04-29_b4649bf82dfcf0e7ec1ad7f4d1649d4a_black-basta_cobalt-strike_satacom