File name:

2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar

Full analysis: https://app.any.run/tasks/0fa813be-8153-470b-b45f-7a2e83072e82
Verdict: Malicious activity
Analysis date: June 21, 2025, 11:12:45
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5:

702078C409B7C144E9D3BE6D4ECA855A

SHA1:

DB0645A24F10BC2737C43C4D90416F3B9361F685

SHA256:

6345E253A64FD1721D9A38C2D80F7475AEB0382B6395F06E34BD86CD89482F5D

SSDEEP:

98304:lD/laV+u8MhH3VWjtKxge9XLDbenkuA83wpYp2twuOoqCD+uobUdWK675kAbYpBh:rbmYK3pIwfI49

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Process drops python dynamic module

      • 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 2076)

    • Executable content was dropped or overwritten

      • 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 2076)

    • Process drops legitimate windows executable

      • 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 2076)

    • The process drops C-runtime libraries

      • 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 2076)

    • Application launched itself

      • 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 2076)

    • Loads Python modules

      • 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 3092)

  • INFO

    • The sample compiled with english language support

      • 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 2076)

    • Reads the computer name

      • 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 2076)

    • Checks supported languages

      • 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 2076)
      • 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 3092)

    • Create files in a temporary directory

      • 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 2076)

    • Reads the machine GUID from the registry

      • 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 3092)

    • Checks proxy server information

      • slui.exe (PID: 3740)

    • Reads the software policy settings

      • slui.exe (PID: 3740)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:17 02:42:56+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 179712
InitializedDataSize: 155136
UninitializedDataSize: -
EntryPoint: 0xc650
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
137
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe conhost.exe no specs 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2044\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2076"C:\Users\admin\Desktop\2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe" C:\Users\admin\Desktop\2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
3092"C:\Users\admin\Desktop\2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe" C:\Users\admin\Desktop\2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
3740C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 557
Read events
3 557
Write events
0
Delete events
0

Modification events

No data
Executable files
53
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
20762025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI20762\_lzma.pydexecutable
MD5:7447EFD8D71E8A1929BE0FAC722B42DC
SHA256:60793C8592193CFBD00FD3E5263BE4315D650BA4F9E4FDA9C45A10642FD998BE
20762025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI20762\_socket.pydexecutable
MD5:819166054FEC07EFCD1062F13C2147EE
SHA256:E6DEB751039CD5424A139708475CE83F9C042D43E650765A716CB4A924B07E4F
20762025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI20762\api-ms-win-core-errorhandling-l1-1-0.dllexecutable
MD5:C2F8C03ECCE9941492BFBE4B82F7D2D5
SHA256:D56CE7B1CD76108AD6C137326EC694A14C99D48C3D7B0ACE8C3FF4D9BCEE3CE8
20762025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI20762\api-ms-win-core-datetime-l1-1-0.dllexecutable
MD5:8F8EB9CB9E78E3A611BC8ACAEC4399CB
SHA256:1BD81DFD19204B44662510D9054852FB77C9F25C1088D647881C9B976CC16818
20762025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI20762\api-ms-win-core-console-l1-1-0.dllexecutable
MD5:9F746F4F7D845F063FEA3C37DCEBC27C
SHA256:88ACE577A9C51061CB7D1A36BABBBEFA48212FADC838FFDE98FDFFF60DE18386
20762025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI20762\api-ms-win-core-debug-l1-1-0.dllexecutable
MD5:226A5983AE2CBBF0C1BDA85D65948ABC
SHA256:591358EB4D1531E9563EE0813E4301C552CE364C912CE684D16576EABF195DC3
20762025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI20762\api-ms-win-core-fibers-l1-1-0.dllexecutable
MD5:B5E2760C5A46DBEB8AE18C75F335707E
SHA256:91D249D7BC0E38EF6BCB17158B1FDC6DD8888DC086615C9B8B750B87E52A5FB3
20762025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI20762\api-ms-win-core-fibers-l1-1-1.dllexecutable
MD5:050A30A687E7A2FA6F086A0DB89AA131
SHA256:FC9D86CEC621383EAB636EBC87DDD3F5C19A3CB2A33D97BE112C051D0B275429
20762025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI20762\api-ms-win-core-file-l1-1-0.dllexecutable
MD5:9F45A47EBFD9D0629F4935764243DD5A
SHA256:1CA895ABA4E7435563A6B43E85EBA67A0F8C74AA6A6A94D0FC48FA35535E2585
20762025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI20762\_hashlib.pydexecutable
MD5:D4674750C732F0DB4C4DD6A83A9124FE
SHA256:CAA4D2F8795E9A55E128409CC016E2CC5C694CB026D7058FC561E4DD131ED1C9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
33
TCP/UDP connections
47
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2028
RUXIMICS.exe
GET
200
184.24.77.38:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
184.24.77.38:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
184.24.77.38:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
POST
200
40.126.31.73:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
POST
200
20.190.159.2:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
16.7 Kb
whitelisted
POST
200
20.190.159.23:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
20.190.159.2:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
GET
304
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
3836
SIHClient.exe
GET
200
184.25.50.10:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2028
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
184.24.77.38:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
184.24.77.38:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2028
RUXIMICS.exe
184.24.77.38:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1268
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 184.24.77.38
  • 184.24.77.40
  • 184.24.77.41
  • 184.24.77.36
  • 184.24.77.7
  • 184.24.77.9
  • 184.24.77.12
  • 184.24.77.10
  • 184.24.77.39
  • 184.25.50.10
  • 184.25.50.8
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
login.live.com
  • 40.126.31.73
  • 40.126.31.71
  • 20.190.159.4
  • 40.126.31.2
  • 20.190.159.23
  • 40.126.31.129
  • 20.190.159.128
  • 20.190.159.68
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.14
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar