| File name: | 2025-04-29_0d1e20c4d40f8fbb8570d8610c18b7c5_black-basta_cobalt-strike_mespinoza_ryuk_satacom |
| Full analysis: | https://app.any.run/tasks/3579ca3d-b85f-4224-b3d1-8b6bd280086b |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | April 29, 2025, 02:53:56 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 13 sections |
| MD5: | 0D1E20C4D40F8FBB8570D8610C18B7C5 |
| SHA1: | 066DDE1A5C03ED8898A42A495B5A623C69B4B96E |
| SHA256: | 64BFB8E28F421328D917945E6F69E0F0CC66138FEBEEC2DB9FFBBCEFCE1D6064 |
| SSDEEP: | 49152:BVzxCv3mRcTwE4uSBY4ZKVmDDaNSMh6jD4oF1AfZlGC7KVdiF00b10UGMGj1FF10:r1C/x0juSSGKgDDXR1ABlGC7gdir6L1e |
MALICIOUS
Executing a file with an untrusted certificate
- 2025-04-29_0d1e20c4d40f8fbb8570d8610c18b7c5_black-basta_cobalt-strike_mespinoza_ryuk_satacom.exe (PID: 7356)
Connects to the CnC server
- svchost.exe (PID: 2196)
LUMMA mutex has been found
- MSBuild.exe (PID: 7404)
LUMMA has been detected (SURICATA)
- svchost.exe (PID: 2196)
LUMMA has been detected (YARA)
- MSBuild.exe (PID: 7404)
Actions looks like stealing of personal data
- MSBuild.exe (PID: 7404)
SUSPICIOUS
Starts a Microsoft application from unusual location
- 2025-04-29_0d1e20c4d40f8fbb8570d8610c18b7c5_black-basta_cobalt-strike_mespinoza_ryuk_satacom.exe (PID: 7356)
Process drops legitimate windows executable
- 2025-04-29_0d1e20c4d40f8fbb8570d8610c18b7c5_black-basta_cobalt-strike_mespinoza_ryuk_satacom.exe (PID: 7356)
Contacting a server suspected of hosting an CnC
- svchost.exe (PID: 2196)
There is functionality for taking screenshot (YARA)
- MSBuild.exe (PID: 7404)
Searches for installed software
- MSBuild.exe (PID: 7404)
Process requests binary or script from the Internet
- MSBuild.exe (PID: 7404)
Connects to the server without a host name
- MSBuild.exe (PID: 7404)
INFO
The sample compiled with english language support
- 2025-04-29_0d1e20c4d40f8fbb8570d8610c18b7c5_black-basta_cobalt-strike_mespinoza_ryuk_satacom.exe (PID: 7356)
Checks supported languages
- 2025-04-29_0d1e20c4d40f8fbb8570d8610c18b7c5_black-basta_cobalt-strike_mespinoza_ryuk_satacom.exe (PID: 7356)
- MSBuild.exe (PID: 7404)
Reads the computer name
- MSBuild.exe (PID: 7404)
Reads the machine GUID from the registry
- MSBuild.exe (PID: 7404)
Reads the software policy settings
- MSBuild.exe (PID: 7404)
- slui.exe (PID: 7800)
Checks proxy server information
- slui.exe (PID: 7800)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Lumma
(PID) Process(7404) MSBuild.exe
C2 (10)jawdedmirror.run/ewqd
zestmodp.top/zeda
toptalentw.top/qena
salaccgfa.top/gsooz
owlflright.digital/qopy
nighetwhisper.top/lekd
liftally.top/xasj
clarmodq.top/qoxo
lonfgshadow.live/xawi
changeaie.top/geps
TRiD
| .exe | | | Generic Win/DOS Executable (50) |
|---|---|---|
| .exe | | | DOS Executable Generic (49.9) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2025:04:14 16:13:17+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14 |
| CodeSize: | 924672 |
| InitializedDataSize: | 105984 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xc1af8 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 10.0.19041.1 |
| ProductVersionNumber: | 10.0.19041.1 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Microsoft Corporation |
| FileDescription: | Microsoft® HTML Help Executable |
| FileVersion: | 10.0.19041.1 (WinBuild.160101.0800) |
| InternalName: | HH 1.41 |
| LegalCopyright: | © Microsoft Corporation. All rights reserved. |
| OriginalFileName: | HH.exe |
| ProductName: | HTML Help |
| ProductVersion: | 10.0.19041.1 |
Total processes
126
Monitored processes
5
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7356 | "C:\Users\admin\Desktop\2025-04-29_0d1e20c4d40f8fbb8570d8610c18b7c5_black-basta_cobalt-strike_mespinoza_ryuk_satacom.exe" | C:\Users\admin\Desktop\2025-04-29_0d1e20c4d40f8fbb8570d8610c18b7c5_black-basta_cobalt-strike_mespinoza_ryuk_satacom.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® HTML Help Executable Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7396 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | — | 2025-04-29_0d1e20c4d40f8fbb8570d8610c18b7c5_black-basta_cobalt-strike_mespinoza_ryuk_satacom.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: MSBuild.exe Exit code: 0 Version: 4.8.9037.0 built by: NET481REL1 Modules
| |||||||||||||||
| 7404 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | 2025-04-29_0d1e20c4d40f8fbb8570d8610c18b7c5_black-basta_cobalt-strike_mespinoza_ryuk_satacom.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: MSBuild.exe Version: 4.8.9037.0 built by: NET481REL1 Modules
Lumma(PID) Process(7404) MSBuild.exe C2 (10)jawdedmirror.run/ewqd zestmodp.top/zeda toptalentw.top/qena salaccgfa.top/gsooz owlflright.digital/qopy nighetwhisper.top/lekd liftally.top/xasj clarmodq.top/qoxo lonfgshadow.live/xawi changeaie.top/geps | |||||||||||||||
| 7800 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
6 779
Read events
6 779
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
32
DNS requests
16
Threats
14
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2104 | svchost.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
2104 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
7404 | MSBuild.exe | GET | — | 185.215.113.51:80 | http://185.215.113.51/conhost.exe | unknown | — | — | malicious |
— | — | GET | 200 | 23.197.130.99:443 | https://steamcommunity.com/profiles/76561199845513035 | unknown | html | 34.6 Kb | whitelisted |
— | — | POST | 200 | 188.114.97.3:443 | https://toptalentw.top/qena | unknown | binary | 71 b | unknown |
— | — | POST | 200 | 188.114.96.3:443 | https://toptalentw.top/qena | unknown | binary | 32.7 Kb | unknown |
— | — | POST | 200 | 188.114.96.3:443 | https://toptalentw.top/qena | unknown | binary | 71 b | unknown |
— | — | POST | 200 | 188.114.96.3:443 | https://toptalentw.top/qena | unknown | binary | 71 b | unknown |
— | — | POST | 200 | 188.114.97.3:443 | https://toptalentw.top/qena | unknown | binary | 71 b | unknown |
— | — | POST | 200 | 188.114.97.3:443 | https://toptalentw.top/qena | unknown | binary | 71 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2104 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
2104 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
7404 | MSBuild.exe | 23.197.130.99:443 | steamcommunity.com | Akamai International B.V. | US | whitelisted |
7404 | MSBuild.exe | 188.114.97.3:443 | toptalentw.top | CLOUDFLARENET | NL | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
7404 | MSBuild.exe | 185.215.113.51:80 | — | 1337team Limited | SC | malicious |
7184 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
clarmodq.top |
| malicious |
jawdedmirror.run |
| malicious |
changeaie.top |
| unknown |
lonfgshadow.live |
| malicious |
liftally.top |
| malicious |
nighetwhisper.top |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2196 | svchost.exe | A Network Trojan was detected | MALWARE [ANY.RUN] Suspected Domain Associated with Malware Distribution (clarmodq .top) |
2196 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
2196 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clarmodq .top) |
2196 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lonfgshadow .live) |
2196 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nighetwhisper .top) |
2196 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (jawdedmirror .run) |
2196 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (salaccgfa .top) |
2196 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (liftally .top) |
2196 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zestmodp .top) |
2196 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (owlflright .digital) |