File name:

2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar

Full analysis: https://app.any.run/tasks/0fa813be-8153-470b-b45f-7a2e83072e82
Verdict: Malicious activity
Analysis date: June 21, 2025, 11:12:45
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5:

702078C409B7C144E9D3BE6D4ECA855A

SHA1:

DB0645A24F10BC2737C43C4D90416F3B9361F685

SHA256:

6345E253A64FD1721D9A38C2D80F7475AEB0382B6395F06E34BD86CD89482F5D

SSDEEP:

98304:lD/laV+u8MhH3VWjtKxge9XLDbenkuA83wpYp2twuOoqCD+uobUdWK675kAbYpBh:rbmYK3pIwfI49

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Process drops python dynamic module

      • 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 2076)

    • Executable content was dropped or overwritten

      • 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 2076)

    • Process drops legitimate windows executable

      • 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 2076)

    • Application launched itself

      • 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 2076)

    • The process drops C-runtime libraries

      • 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 2076)

    • Loads Python modules

      • 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 3092)

  • INFO

    • Checks supported languages

      • 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 2076)
      • 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 3092)

    • Reads the computer name

      • 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 2076)

    • The sample compiled with english language support

      • 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 2076)

    • Create files in a temporary directory

      • 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 2076)

    • Reads the machine GUID from the registry

      • 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 3092)

    • Checks proxy server information

      • slui.exe (PID: 3740)

    • Reads the software policy settings

      • slui.exe (PID: 3740)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:17 02:42:56+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 179712
InitializedDataSize: 155136
UninitializedDataSize: -
EntryPoint: 0xc650
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
137
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe conhost.exe no specs 2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2044\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2076"C:\Users\admin\Desktop\2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe" C:\Users\admin\Desktop\2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
3092"C:\Users\admin\Desktop\2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe" C:\Users\admin\Desktop\2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
3740C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 557
Read events
3 557
Write events
0
Delete events
0

Modification events

No data
Executable files
53
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
20762025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI20762\_bz2.pydexecutable
MD5:86D1B2A9070CD7D52124126A357FF067
SHA256:62173A8FADD4BF4DD71AB89EA718754AA31620244372F0C5BBBAE102E641A60E
20762025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI20762\_decimal.pydexecutable
MD5:20C77203DDF9FF2FF96D6D11DEA2EDCF
SHA256:9AAC010A424C757C434C460C3C0A6515D7720966AB64BAD667539282A17B4133
20762025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI20762\api-ms-win-core-console-l1-1-0.dllexecutable
MD5:9F746F4F7D845F063FEA3C37DCEBC27C
SHA256:88ACE577A9C51061CB7D1A36BABBBEFA48212FADC838FFDE98FDFFF60DE18386
20762025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI20762\_lzma.pydexecutable
MD5:7447EFD8D71E8A1929BE0FAC722B42DC
SHA256:60793C8592193CFBD00FD3E5263BE4315D650BA4F9E4FDA9C45A10642FD998BE
20762025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI20762\api-ms-win-core-fibers-l1-1-1.dllexecutable
MD5:050A30A687E7A2FA6F086A0DB89AA131
SHA256:FC9D86CEC621383EAB636EBC87DDD3F5C19A3CB2A33D97BE112C051D0B275429
20762025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI20762\api-ms-win-core-interlocked-l1-1-0.dllexecutable
MD5:86023497FA48CA2C7705D3F90B76EBC5
SHA256:53B25E753CA785BF8B695D89DDE5818A318890211DC992A89146F16658F0B606
20762025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI20762\api-ms-win-core-file-l1-1-0.dllexecutable
MD5:9F45A47EBFD9D0629F4935764243DD5A
SHA256:1CA895ABA4E7435563A6B43E85EBA67A0F8C74AA6A6A94D0FC48FA35535E2585
20762025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI20762\api-ms-win-core-file-l1-2-0.dllexecutable
MD5:CC228FF8D86B608E73026B1E9960B2F8
SHA256:4CADBC0C39DA7C6722206FDCEBD670ABE5B8D261E7B041DD94F9397A89D1990D
20762025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI20762\api-ms-win-core-file-l2-1-0.dllexecutable
MD5:E368A236F5676A3DA44E76870CD691C9
SHA256:93C624B366BA16C643FC8933070A26F03B073AD0CF7F80173266D67536C61989
20762025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI20762\api-ms-win-core-handle-l1-1-0.dllexecutable
MD5:416AA8314222DB6CBB3760856BE13D46
SHA256:39095F59C41D76EC81BB2723D646FDE4C148E7CC3402F4980D2ADE95CB9C84F9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
33
TCP/UDP connections
47
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5944
MoUsoCoreWorker.exe
GET
200
184.24.77.38:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
184.24.77.38:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2028
RUXIMICS.exe
GET
200
184.24.77.38:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2028
RUXIMICS.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
20.190.159.2:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
16.7 Kb
whitelisted
POST
200
40.126.31.1:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
POST
200
40.126.31.73:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
POST
200
40.126.31.130:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2028
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
184.24.77.38:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
184.24.77.38:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2028
RUXIMICS.exe
184.24.77.38:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1268
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 184.24.77.38
  • 184.24.77.40
  • 184.24.77.41
  • 184.24.77.36
  • 184.24.77.7
  • 184.24.77.9
  • 184.24.77.12
  • 184.24.77.10
  • 184.24.77.39
  • 184.25.50.10
  • 184.25.50.8
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
login.live.com
  • 40.126.31.73
  • 40.126.31.71
  • 20.190.159.4
  • 40.126.31.2
  • 20.190.159.23
  • 40.126.31.129
  • 20.190.159.128
  • 20.190.159.68
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.14
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-06-21_702078c409b7c144e9d3be6d4eca855a_black-basta_cobalt-strike_luca-stealer_satacom_vidar