File name:

2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom

Full analysis: https://app.any.run/tasks/4005a048-559f-4391-87e5-daea48db914f
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: May 15, 2025, 18:45:21
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
stealer
evasion
discord
auto-startup
pyinstaller
discordgrabber
generic
ims-api
waspstealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

935C4EB41DE585A39B2EE4B04F4B0FC9

SHA1:

1EE40E1EC86DB4076FE2ED6CAEAF1694610EBB1F

SHA256:

41BA7D8D9B07701FA59687A58E1773094499FEF396871241A709979C957C3A74

SSDEEP:

98304:hUHiGWtMHss2kcaCJr/VzkvddwCXkFqdz3aC3bww/Al+Biyz6oqV2ky+KLTAHNMM:hPuL04X4lFg2vNnRhx+p

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Create files in the Startup directory

      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6148)

    • Steals credentials from Web Browsers

      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6148)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5936)

    • Actions looks like stealing of personal data

      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6148)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5936)

    • DISCORDGRABBER has been detected (YARA)

      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6148)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5936)

    • WASPSTEALER has been detected (YARA)

      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6148)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5936)

  • SUSPICIOUS

    • Process drops python dynamic module

      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5064)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6800)

    • Executable content was dropped or overwritten

      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5064)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6148)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6800)

    • Process drops legitimate windows executable

      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5064)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6800)

    • Application launched itself

      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5064)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6800)

    • Loads Python modules

      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6148)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5936)

    • The process drops C-runtime libraries

      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5064)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6800)

    • Starts CMD.EXE for commands execution

      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6148)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5936)

    • Get information on the list of running processes

      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6148)
      • cmd.exe (PID: 6516)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5936)
      • cmd.exe (PID: 728)

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6148)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5936)

    • There is functionality for taking screenshot (YARA)

      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5064)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6148)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6800)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5936)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6148)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5936)

  • INFO

    • Reads the computer name

      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5064)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6148)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6800)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5936)

    • Checks supported languages

      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5064)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6148)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6800)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5936)

    • Create files in a temporary directory

      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5064)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6148)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6800)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5936)

    • The sample compiled with english language support

      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5064)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6800)

    • Reads the machine GUID from the registry

      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6148)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5936)

    • Checks operating system version

      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6148)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5936)

    • Creates files or folders in the user directory

      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6148)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5936)

    • Auto-launch of the file from Startup directory

      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6148)

    • Checks proxy server information

      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6148)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5936)
      • slui.exe (PID: 6620)

    • Attempting to use instant messaging service

      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6148)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5936)

    • Manual execution by a user

      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6800)

    • PyInstaller has been detected (YARA)

      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5064)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6148)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 6800)
      • 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe (PID: 5936)

    • Reads the software policy settings

      • slui.exe (PID: 6620)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(6148) 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe
Discord-Webhook-Tokens (1)1183955616906088448/KDtsfiVrj1Aw96DR0yYhgzRJoXtBkpNklcIvJkbn4XonFTInQxUsVj-bwdKgO0JWofeK
Discord-Info-Links
1183955616906088448/KDtsfiVrj1Aw96DR0yYhgzRJoXtBkpNklcIvJkbn4XonFTInQxUsVj-bwdKgO0JWofeK
Get Webhook Infohttps://discord.com/api/webhooks/1183955616906088448/KDtsfiVrj1Aw96DR0yYhgzRJoXtBkpNklcIvJkbn4XonFTInQxUsVj-bwdKgO0JWofeK
(PID) Process(5936) 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe
Discord-Webhook-Tokens (1)1183955616906088448/KDtsfiVrj1Aw96DR0yYhgzRJoXtBkpNklcIvJkbn4XonFTInQxUsVj-bwdKgO0JWofeK
Discord-Info-Links
1183955616906088448/KDtsfiVrj1Aw96DR0yYhgzRJoXtBkpNklcIvJkbn4XonFTInQxUsVj-bwdKgO0JWofeK
Get Webhook Infohttps://discord.com/api/webhooks/1183955616906088448/KDtsfiVrj1Aw96DR0yYhgzRJoXtBkpNklcIvJkbn4XonFTInQxUsVj-bwdKgO0JWofeK
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:01:12 00:15:16+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.37
CodeSize: 171520
InitializedDataSize: 148992
UninitializedDataSize: -
EntryPoint: 0xc1f0
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
141
Monitored processes
16
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe #DISCORDGRABBER 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs svchost.exe 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe #DISCORDGRABBER 2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
728C:\WINDOWS\system32\cmd.exe /c "tasklist"C:\Windows\System32\cmd.exe2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
1276\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1276\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1532tasklistC:\Windows\System32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2140\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2384tasklistC:\Windows\System32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
3240C:\WINDOWS\system32\cmd.exe /c "ver"C:\Windows\System32\cmd.exe2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
5064"C:\Users\admin\Desktop\2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe" C:\Users\admin\Desktop\2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
5072C:\WINDOWS\system32\cmd.exe /c "ver"C:\Windows\System32\cmd.exe2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
Total events
4 280
Read events
4 280
Write events
0
Delete events
0

Modification events

No data
Executable files
163
Suspicious files
6
Text files
48
Unknown types
4

Dropped files

PID
Process
Filename
Type
50642025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI50642\Crypto\Cipher\_pkcs1_decode.pydexecutable
MD5:D9E7218460AEE693BEA07DA7C2B40177
SHA256:38E423D3BCC32EE6730941B19B7D5D8872C0D30D3DD8F9AAE1442CB052C599AD
50642025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI50642\Crypto\Cipher\_Salsa20.pydexecutable
MD5:371776A7E26BAEB3F75C93A8364C9AE0
SHA256:15257E96D1CA8480B8CB98F4C79B6E365FE38A1BA9638FC8C9AB7FFEA79C4762
50642025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI50642\Crypto\Cipher\_chacha20.pydexecutable
MD5:CB5238E2D4149636377F9A1E2AF6DC57
SHA256:A8D3BB9CD6A78EBDB4F18693E68B659080D08CB537F9630D279EC9F26772EFC7
50642025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI50642\Crypto\Cipher\_raw_aes.pydexecutable
MD5:F751792DF10CDEED391D361E82DAF596
SHA256:9524D1DADCD2F2B0190C1B8EDE8E5199706F3D6C19D3FB005809ED4FEBF3E8B5
50642025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI50642\Crypto\Cipher\_raw_arc2.pydexecutable
MD5:D2175300E065347D13211F5BF7581602
SHA256:94556934E3F9EE73C77552D2F3FC369C02D62A4C9E7143E472F8E3EE8C00AEE1
50642025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI50642\Crypto\Cipher\_raw_aesni.pydexecutable
MD5:BBEA5FFAE18BF0B5679D5C5BCD762D5A
SHA256:1F4288A098DA3AAC2ADD54E83C8C9F2041EC895263F20576417A92E1E5B421C1
50642025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI50642\Crypto\Cipher\_raw_ctr.pydexecutable
MD5:C6B20332B4814799E643BADFFD8DF2CD
SHA256:61C7A532E108F67874EF2E17244358DF19158F6142680F5B21032BA4889AC5D8
50642025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI50642\Crypto\Cipher\_raw_cast.pydexecutable
MD5:CF3C2F35C37AA066FA06113839C8A857
SHA256:1261783F8881642C3466B96FA5879A492EA9E0DAB41284ED9E4A82E8BCF00C80
50642025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI50642\Crypto\Cipher\_raw_des.pydexecutable
MD5:0B538205388FDD99A043EE3AFAA074E4
SHA256:C4769D3E6EB2A2FECB5DEC602D45D3E785C63BB96297268E3ED069CC4A019B1A
50642025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exeC:\Users\admin\AppData\Local\Temp\_MEI50642\Crypto\Cipher\_raw_cfb.pydexecutable
MD5:43BBE5D04460BD5847000804234321A6
SHA256:FAA41385D0DB8D4EE2EE74EE540BC879CF2E884BEE87655FF3C89C8C517EED45
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
106
DNS requests
10
Threats
321

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2104
svchost.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6436
RUXIMICS.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
2104
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
6436
RUXIMICS.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
2.16.168.114:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
2104
svchost.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
6436
RUXIMICS.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6148
2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe
104.26.13.205:443
api.ipify.org
CLOUDFLARENET
US
shared

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
api.ipify.org
  • 104.26.13.205
  • 104.26.12.205
  • 172.67.74.152
shared
api.gofile.io
  • 45.112.123.126
  • 51.91.7.6
whitelisted
geolocation-db.com
  • 159.89.102.253
whitelisted
discord.com
  • 162.159.128.233
  • 162.159.137.232
  • 162.159.136.232
  • 162.159.138.232
  • 162.159.135.232
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
6148
2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
2196
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
6148
2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
6148
2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom.exe
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
Attempted Information Leak
ET INFO Python-urllib/ Suspicious User Agent
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External IP Lookup by HTTP (api .ipify .org)
Device Retrieving External IP Address Detected
SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
Device Retrieving External IP Address Detected
ET INFO External IP Lookup api.ipify.org
2196
svchost.exe
Misc activity
ET INFO External IP Lookup Domain in DNS Lookup (geolocation-db .com)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-15_935c4eb41de585a39b2ee4b04f4b0fc9_black-basta_cobalt-strike_satacom