File name:	2025-05-16_97e48a81f9b10bb47bf25af127f11404_black-basta_cobalt-strike_satacom
Full analysis:	https://app.any.run/tasks/ae858686-1991-4c87-97e0-1c9e61b03038
Verdict:	Malicious activity
Analysis date:	May 16, 2025, 11:45:46
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5:	97E48A81F9B10BB47BF25AF127F11404
SHA1:	F3E3EE55DDB4C6824AE3DEAC1B18DF4A3B6048D7
SHA256:	6550BF25000C2AF20949BD39098B0E39EE0A3654489E22B4A5AECCAAEA721C15
SSDEEP:	12288:xyav/lCjiMgenyIMTJZ7RS9hquf+Vqxy:xyav/LMvUVSuuf+Ky

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2025:05:16 01:23:45+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.43
CodeSize:	176640
InitializedDataSize:	110592
UninitializedDataSize:	-
EntryPoint:	0x8618
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4172	RUXIMICS.exe	GET	200	2.16.168.124:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7608	2025-05-16_97e48a81f9b10bb47bf25af127f11404_black-basta_cobalt-strike_satacom.exe	GET	200	158.247.211.154:80	http://158.247.211.154/encrypted_payload.bin	unknown	—	—	unknown
8076	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
8076	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
4172	RUXIMICS.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
8076	SIHClient.exe	GET	200	23.216.77.10:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
8076	SIHClient.exe	GET	200	23.216.77.10:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
8076	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
8076	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
2104	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4172	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
7608	2025-05-16_97e48a81f9b10bb47bf25af127f11404_black-basta_cobalt-strike_satacom.exe	158.247.211.154:80	—	AS-CHOOPA	KR	unknown
4172	RUXIMICS.exe	2.16.168.124:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
4172	RUXIMICS.exe	23.219.150.101:80	www.microsoft.com	AKAMAI-AS	CL	whitelisted
2104	svchost.exe	23.219.150.101:80	www.microsoft.com	AKAMAI-AS	CL	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.104.136.2 40.127.240.158	whitelisted
google.com	142.250.185.174	whitelisted
crl.microsoft.com	2.16.168.124 2.16.168.114 23.216.77.10 23.216.77.35 23.216.77.7 23.216.77.5 23.216.77.33 23.216.77.31 23.216.77.30 23.216.77.37 23.216.77.42	whitelisted
www.microsoft.com	23.219.150.101 23.35.229.160	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
login.live.com	40.126.32.138 40.126.32.74 20.190.160.128 20.190.160.64 20.190.160.14 40.126.32.134 40.126.32.136 20.190.160.130	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted
fe3cr.delivery.mp.microsoft.com	52.165.164.15	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
nexusrules.officeapps.live.com	52.111.229.19	whitelisted

PID	Process	Class	Message
7608	2025-05-16_97e48a81f9b10bb47bf25af127f11404_black-basta_cobalt-strike_satacom.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
7608	2025-05-16_97e48a81f9b10bb47bf25af127f11404_black-basta_cobalt-strike_satacom.exe	Potentially Bad Traffic	ET HUNTING Generic .bin download from Dotted Quad
7752	notepad.exe	A Network Trojan was detected	ET MALWARE Win32/Suspected Reverse Shell Connection

General Info

2025-05-16_97e48a81f9b10bb47bf25af127f11404_black-basta_cobalt-strike_satacom

97E48A81F9B10BB47BF25AF127F11404

F3E3EE55DDB4C6824AE3DEAC1B18DF4A3B6048D7

6550BF25000C2AF20949BD39098B0E39EE0A3654489E22B4A5AECCAAEA721C15

12288:xyav/lCjiMgenyIMTJZ7RS9hquf+Vqxy:xyav/LMvUVSuuf+Ky

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Starts CMD.EXE for commands execution

INFO

Reads the computer name

Checks supported languages

Manual execution by a user

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings