File name:

2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom

Full analysis: https://app.any.run/tasks/57967774-6e07-46b3-b67a-83ca4fb124dd
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks.

Malware Trends Tracker     >>>
Analysis date: May 16, 2025, 00:37:31
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
blankgrabber
screenshot
discord
evasion
pyinstaller
susp-powershell
growtopia
ims-api
generic
discordgrabber
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5:

03D8FCAF02CAD9CFD4F82C73271EBDE2

SHA1:

A1DD0F893A808FAF924236E588FCBD3165F79D54

SHA256:

390725681562B325BE7C5BB55C1E115D52D8BAA4FCAD39CF6AFC46DF11C30A27

SSDEEP:

98304:T/0CW5cRu8MtASRFDh8w6H9sKV8a5Hc3yQPassYr4ZD8NywvqHi1VAJ8ZySSg3AR:uDXW/FhHWpOf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7328)

    • BlankGrabber has been detected

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7328)

    • Adds path to the Windows Defender exclusion list

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7624)

    • Actions looks like stealing of personal data

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7624)

    • DISCORDGRABBER has been detected (YARA)

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7624)

    • GROWTOPIA has been detected (YARA)

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7624)

    • BLANKGRABBER has been detected (SURICATA)

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7624)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7328)

    • Starts a Microsoft application from unusual location

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7328)
      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7424)
      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7540)

    • The process drops C-runtime libraries

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7328)

    • Process drops python dynamic module

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7328)

    • Executable content was dropped or overwritten

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7328)

    • Application launched itself

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7328)
      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7424)

    • Reads security settings of Internet Explorer

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7424)

    • Get information on the list of running processes

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7624)

    • Found strings related to reading or modifying Windows Defender settings

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7624)

    • Starts CMD.EXE for commands execution

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7624)

    • The executable file from the user directory is run by the CMD process

      • rar.exe (PID: 7984)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7624)

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7624)

    • Reads the date of Windows installation

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7424)

  • INFO

    • The sample compiled with Italian language support

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7328)

    • Checks supported languages

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7328)
      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7424)
      • rar.exe (PID: 7984)

    • Reads the computer name

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7328)
      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7424)

    • Create files in a temporary directory

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7328)
      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7424)
      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7624)
      • rar.exe (PID: 7984)

    • The sample compiled with english language support

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7328)

    • Reads the machine GUID from the registry

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7424)
      • rar.exe (PID: 7984)

    • Process checks computer location settings

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7424)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7624)

    • PyInstaller has been detected (YARA)

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7540)
      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7624)

    • Checks proxy server information

      • slui.exe (PID: 6676)

    • UPX packer has been detected

      • 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe (PID: 7624)

    • Reads the software policy settings

      • slui.exe (PID: 6676)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(7624) 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe
Discord-Webhook-Tokens (1)1372190831468875776/-FnMMkxmM0iq_T7tvZs63L9JcAxmqLf5KF79HMfeeoP0N0WfZhmcXFaIkKm6UlNcrtpw
Discord-Info-Links
1372190831468875776/-FnMMkxmM0iq_T7tvZs63L9JcAxmqLf5KF79HMfeeoP0N0WfZhmcXFaIkKm6UlNcrtpw
Get Webhook Infohttps://discord.com/api/webhooks/1372190831468875776/-FnMMkxmM0iq_T7tvZs63L9JcAxmqLf5KF79HMfeeoP0N0WfZhmcXFaIkKm6UlNcrtpw
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:14 13:27:52+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 178688
InitializedDataSize: 116736
UninitializedDataSize: -
EntryPoint: 0xc380
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
FileVersionNumber: 5.132.25020.1001
ProductVersionNumber: 5.132.25020.1001
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Italian
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Strumento di rimozione malware
InternalName: mrt.exe
LegalCopyright: © Microsoft Corporation. Tutti i diritti riservati.
OriginalFileName: mrt.exe
ProductName: Strumento di rimozione malware
FileVersion: 5.132.25020.1001 (a0f0279591bfcc6f092f2314f04eeca6582b6c41)
ProductVersion: 5.132.25020.1001
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
191
Monitored processes
10
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #BLANKGRABBER 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe conhost.exe no specs 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe no specs 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe conhost.exe no specs #GROWTOPIA 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe tiworker.exe no specs rar.exe no specs svchost.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1276C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -EmbeddingC:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Modules Installer Worker
Exit code:
0
Version:
10.0.19041.3989 (WinBuild.160101.0800)
Modules
Images
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6676C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7328"C:\Users\admin\Desktop\2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe" C:\Users\admin\Desktop\2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Strumento di rimozione malware
Version:
5.132.25020.1001 (a0f0279591bfcc6f092f2314f04eeca6582b6c41)
Modules
Images
c:\users\admin\desktop\2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
7344\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7424"C:\Users\admin\Desktop\2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe" C:\Users\admin\Desktop\2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Strumento di rimozione malware
Version:
5.132.25020.1001 (a0f0279591bfcc6f092f2314f04eeca6582b6c41)
Modules
Images
c:\users\admin\desktop\2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
7540"C:\Users\admin\Desktop\2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe" C:\Users\admin\Desktop\2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exeC:\Users\admin\Desktop\2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe
2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Strumento di rimozione malware
Exit code:
0
Version:
5.132.25020.1001 (a0f0279591bfcc6f092f2314f04eeca6582b6c41)
Modules
Images
c:\windows\system32\kernel.appcore.dll
7552\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
7624"C:\Users\admin\Desktop\2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe" C:\Users\admin\Desktop\2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exeC:\Users\admin\Desktop\2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe
2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Strumento di rimozione malware
Exit code:
0
Version:
5.132.25020.1001 (a0f0279591bfcc6f092f2314f04eeca6582b6c41)
Modules
Images
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\avicap32.dll
c:\windows\system32\msvfw32.dll
c:\windows\system32\winmm.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dciman32.dll
c:\windows\system32\winmmbase.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\shcore.dll
ims-api
(PID) Process(7624) 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe
Discord-Webhook-Tokens (1)1372190831468875776/-FnMMkxmM0iq_T7tvZs63L9JcAxmqLf5KF79HMfeeoP0N0WfZhmcXFaIkKm6UlNcrtpw
Discord-Info-Links
1372190831468875776/-FnMMkxmM0iq_T7tvZs63L9JcAxmqLf5KF79HMfeeoP0N0WfZhmcXFaIkKm6UlNcrtpw
Get Webhook Infohttps://discord.com/api/webhooks/1372190831468875776/-FnMMkxmM0iq_T7tvZs63L9JcAxmqLf5KF79HMfeeoP0N0WfZhmcXFaIkKm6UlNcrtpw
7984C:\Users\admin\AppData\Local\Temp\_MEI75402\rar.exe a -r -hp"blank123" "C:\Users\admin\AppData\Local\Temp\JwHxF.zip" *C:\Users\admin\AppData\Local\Temp\_MEI75402\rar.execmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\_mei75402\rar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
17 976
Read events
17 973
Write events
3
Delete events
0

Modification events

(PID) Process:(7624) 2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib
Operation:writeName: 1280x720x32(BGR 0)
Value:
31,31,31,31
(PID) Process:(1276) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdHigh
Value:
31180282
(PID) Process:(1276) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdLow
Value:
Executable files
18
Suspicious files
21
Text files
14
Unknown types
0

Dropped files

PID
Process
Filename
Type
73282025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI73282\_sqlite3.pydexecutable
MD5:E5111E0CB03C73C0252718A48C7C68E4
SHA256:C9D4F10E47E45A23DF9EB4EBB4C4F3C5153E7977DC2B92A1F142B8CCDB0BB26B
73282025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI73282\VCRUNTIME140.dllexecutable
MD5:F34EB034AA4A9735218686590CBA2E8B
SHA256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
73282025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI73282\_socket.pydexecutable
MD5:1F7E5E111207BC4439799EBF115E09ED
SHA256:179EBBE9FD241F89DF31D881D9F76358D82CEDEE1A8FB40215C630F94EB37C04
73282025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI73282\_ctypes.pydexecutable
MD5:5C0BDA19C6BC2D6D8081B16B2834134E
SHA256:5E7192C18AD73DAA71EFADE0149FBCAF734C280A6EE346525EA5D9729036194E
73282025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI73282\_decimal.pydexecutable
MD5:604154D16E9A3020B9AD3B6312F5479C
SHA256:3C7585E75FA1E8604D8C408F77995B30F90C54A0F2FF5021E14FA7F84E093FB6
73282025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI73282\_queue.pydexecutable
MD5:7B9F914D6C0B80C891FF7D5C031598D9
SHA256:7F80508EDFF0896596993BF38589DA38D95BC35FB286F81DF361B5BF8C682CAE
73282025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI73282\_hashlib.pydexecutable
MD5:8BA5202E2F3FB1274747AA2AE7C3F7BF
SHA256:0541A0028619AB827F961A994667F9A8F1A48C8B315F071242A69D1BD6AEAB8B
73282025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI73282\_lzma.pydexecutable
MD5:215ACC93E63FB03742911F785F8DE71A
SHA256:FFDBE11C55010D33867317C0DC2D1BD69F8C07BDA0EA0D3841B54D4A04328F63
73282025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI73282\libcrypto-1_1.dllexecutable
MD5:3CC020BACEAC3B73366002445731705A
SHA256:D1AA265861D23A9B76F16906940D30F3A65C5D0597107ECB3D2E6D470B401BB8
73282025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI73282\_ssl.pydexecutable
MD5:A65B98BF0F0A1B3FFD65E30A83E40DA0
SHA256:44214A85D06628EB3209980C0F2B31740AB8C6EB402F804816D0DAE1EC379949
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
53
DNS requests
23
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7624
2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/?fields=225545
unknown
whitelisted
4464
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
4464
SIHClient.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
4464
SIHClient.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
4464
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4464
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
4464
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
4464
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
2.16.164.120:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
2104
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
20.190.160.17:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
172.217.23.99:443
gstatic.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.49
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.160.17
  • 20.190.160.128
  • 20.190.160.130
  • 20.190.160.65
  • 40.126.32.133
  • 40.126.32.140
  • 20.190.160.66
  • 20.190.160.22
whitelisted
gstatic.com
  • 172.217.23.99
whitelisted
ip-api.com
  • 208.95.112.1
whitelisted
discord.com
  • 162.159.137.232
  • 162.159.138.232
  • 162.159.136.232
  • 162.159.128.233
  • 162.159.135.232
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2196
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
7624
2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
2196
svchost.exe
Misc activity
ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
7624
2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe
A Network Trojan was detected
STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
7624
2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
7624
2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom.exe
Misc activity
ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-16_03d8fcaf02cad9cfd4f82c73271ebde2_black-basta_cobalt-strike_satacom