File name:

2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar

Full analysis: https://app.any.run/tasks/08d3b49c-804e-4a47-861e-0783f27f1515
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: June 21, 2025, 23:02:29
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
python
stealer
umbralstealer
auto-startup
discord
exfiltration
discordgrabber
generic
umbral
divulgestealer
ims-api
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

E89DC5BAEA4DFF32E9A6BB9FBAC6AA4B

SHA1:

B41A51E803B1DB5670860B069B0E4D974CB81265

SHA256:

6C19B8473FBDF1AFA05F4D3FC42719AE9CC33BCCC9157283E1DBE976DE53A98E

SSDEEP:

98304:BC3CpAkJuapmlGaRS980QbHxn4kzKVfqGTGwdvk1aXdNHUXSeIMn3v1Zqp9+q+Df:0mT/fbHOds6+VldT/P881mw9uzNOL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes Windows Defender settings

      • temp_ANTI.exe (PID: 3396)

    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 5348)

    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 5348)

    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 5348)

    • Changes settings for real-time protection

      • powershell.exe (PID: 5348)

    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 5348)

    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 5348)

    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 5348)

    • Create files in the Startup directory

      • temp_ANTI.exe (PID: 3396)

    • Steals credentials from Web Browsers

      • temp_ANTI.exe (PID: 3396)

    • Actions looks like stealing of personal data

      • temp_ANTI.exe (PID: 3396)

    • UMBRALSTEALER has been detected (SURICATA)

      • temp_ANTI.exe (PID: 3396)

    • DIVULGESTEALER has been detected (YARA)

      • temp_ANTI.exe (PID: 3396)

    • UMBRAL has been detected (YARA)

      • temp_ANTI.exe (PID: 3396)

    • UMBRALSTEALER has been detected (YARA)

      • temp_ANTI.exe (PID: 3396)

    • DISCORDGRABBER has been detected (YARA)

      • temp_ANTI.exe (PID: 3396)

    • Starts CMD.EXE for self-deleting

      • temp_ANTI.exe (PID: 3396)

    • Adds path to the Windows Defender exclusion list

      • temp_ANTI.exe (PID: 3396)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4120)
      • 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4888)
      • temp_ANTI.exe (PID: 3396)

    • Process drops legitimate windows executable

      • 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4120)

    • Application launched itself

      • 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4120)
      • temp_ANTI.exe (PID: 7000)

    • Starts CMD.EXE for commands execution

      • 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4888)
      • temp_ANTI.exe (PID: 3396)

    • Loads Python modules

      • 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4888)

    • Process drops python dynamic module

      • 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4120)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 4104)
      • WMIC.exe (PID: 1604)
      • WMIC.exe (PID: 5116)

    • Reads security settings of Internet Explorer

      • temp_ANTI.exe (PID: 7000)

    • Uses WMIC.EXE to obtain Windows Installer data

      • temp_ANTI.exe (PID: 7000)
      • temp_ANTI.exe (PID: 3396)

    • Reads the date of Windows installation

      • temp_ANTI.exe (PID: 7000)

    • The process drops C-runtime libraries

      • 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4120)

    • Checks for external IP

      • svchost.exe (PID: 2200)
      • temp_ANTI.exe (PID: 7000)
      • temp_ANTI.exe (PID: 3396)

    • Uses ATTRIB.EXE to modify file attributes

      • temp_ANTI.exe (PID: 3396)

    • Script disables Windows Defender's IPS

      • temp_ANTI.exe (PID: 3396)

    • Uses WMIC.EXE to obtain operating system information

      • temp_ANTI.exe (PID: 3396)

    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 3956)

    • Uses WMIC.EXE to obtain computer system information

      • temp_ANTI.exe (PID: 3396)

    • Uses WMIC.EXE to obtain a list of video controllers

      • temp_ANTI.exe (PID: 3396)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 4236)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • temp_ANTI.exe (PID: 3396)

    • Script adds exclusion path to Windows Defender

      • temp_ANTI.exe (PID: 3396)

    • The process connected to a server suspected of theft

      • temp_ANTI.exe (PID: 3396)

    • Script disables Windows Defender's real-time protection

      • temp_ANTI.exe (PID: 3396)

    • Starts POWERSHELL.EXE for commands execution

      • temp_ANTI.exe (PID: 3396)

    • Modifies hosts file to alter network resolution

      • temp_ANTI.exe (PID: 3396)

  • INFO

    • Reads the computer name

      • 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4120)
      • temp_ANTI.exe (PID: 7000)
      • temp_ANTI.exe (PID: 3396)
      • z5YS5.scr (PID: 5692)

    • Checks supported languages

      • 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4120)
      • 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4888)
      • temp_ANTI.exe (PID: 7000)
      • temp_ANTI.exe (PID: 3396)
      • z5YS5.scr (PID: 5692)

    • Create files in a temporary directory

      • 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4120)
      • temp_ANTI.exe (PID: 3396)

    • Disables trace logs

      • temp_ANTI.exe (PID: 7000)
      • temp_ANTI.exe (PID: 3396)

    • Reads the machine GUID from the registry

      • temp_ANTI.exe (PID: 7000)
      • temp_ANTI.exe (PID: 3396)

    • Checks proxy server information

      • temp_ANTI.exe (PID: 7000)
      • temp_ANTI.exe (PID: 3396)
      • slui.exe (PID: 4036)

    • The sample compiled with english language support

      • 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4120)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 4104)
      • WMIC.exe (PID: 1604)
      • WMIC.exe (PID: 3956)
      • WMIC.exe (PID: 4880)
      • WMIC.exe (PID: 5116)
      • WMIC.exe (PID: 4236)

    • Process checks computer location settings

      • temp_ANTI.exe (PID: 7000)

    • Reads Environment values

      • temp_ANTI.exe (PID: 3396)
      • temp_ANTI.exe (PID: 7000)

    • Reads the software policy settings

      • temp_ANTI.exe (PID: 3396)
      • temp_ANTI.exe (PID: 7000)
      • slui.exe (PID: 4036)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 2028)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2028)
      • powershell.exe (PID: 5348)
      • powershell.exe (PID: 2356)
      • powershell.exe (PID: 4104)

    • Creates files in the program directory

      • temp_ANTI.exe (PID: 3396)

    • Launching a file from the Startup directory

      • temp_ANTI.exe (PID: 3396)

    • Manual execution by a user

      • z5YS5.scr (PID: 5692)

    • Attempting to use instant messaging service

      • svchost.exe (PID: 2200)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(3396) temp_ANTI.exe
Discord-Webhook-Tokens (1)1378063371126968430/mTr72dCSnEuXCXF2fOh7dP_-IIBtvDvndxh5U63HjSzUlwuVDtor9HvBGS_4W9jucTpT
Discord-Info-Links
1378063371126968430/mTr72dCSnEuXCXF2fOh7dP_-IIBtvDvndxh5U63HjSzUlwuVDtor9HvBGS_4W9jucTpT
Get Webhook Infohttps://discord.com/api/webhooks/1378063371126968430/mTr72dCSnEuXCXF2fOh7dP_-IIBtvDvndxh5U63HjSzUlwuVDtor9HvBGS_4W9jucTpT
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:21 09:11:37+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 174592
InitializedDataSize: 157184
UninitializedDataSize: -
EntryPoint: 0xd0d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
165
Monitored processes
36
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe cmd.exe no specs conhost.exe no specs temp_anti.exe wmic.exe no specs conhost.exe no specs svchost.exe #UMBRALSTEALER temp_anti.exe wmic.exe no specs conhost.exe no specs attrib.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs z5ys5.scr no specs wmic.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs ping.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
640\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1324\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1496\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1604"wmic.exe" csproduct get uuidC:\Windows\System32\wbem\WMIC.exetemp_ANTI.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
1688\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2028"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\admin\Desktop\temp_ANTI.exe'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exetemp_ANTI.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
2200C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2356"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITYC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exetemp_ANTI.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
3048\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3396"C:\Users\admin\Desktop\temp_ANTI.exe" C:\Users\admin\Desktop\temp_ANTI.exe
temp_ANTI.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\temp_anti.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
ims-api
(PID) Process(3396) temp_ANTI.exe
Discord-Webhook-Tokens (1)1378063371126968430/mTr72dCSnEuXCXF2fOh7dP_-IIBtvDvndxh5U63HjSzUlwuVDtor9HvBGS_4W9jucTpT
Discord-Info-Links
1378063371126968430/mTr72dCSnEuXCXF2fOh7dP_-IIBtvDvndxh5U63HjSzUlwuVDtor9HvBGS_4W9jucTpT
Get Webhook Infohttps://discord.com/api/webhooks/1378063371126968430/mTr72dCSnEuXCXF2fOh7dP_-IIBtvDvndxh5U63HjSzUlwuVDtor9HvBGS_4W9jucTpT
Total events
34 113
Read events
34 099
Write events
14
Delete events
0

Modification events

(PID) Process:(7000) temp_ANTI.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\temp_ANTI_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(7000) temp_ANTI.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\temp_ANTI_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(7000) temp_ANTI.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\temp_ANTI_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(7000) temp_ANTI.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\temp_ANTI_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(7000) temp_ANTI.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\temp_ANTI_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(7000) temp_ANTI.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\temp_ANTI_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(7000) temp_ANTI.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\temp_ANTI_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(7000) temp_ANTI.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\temp_ANTI_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(7000) temp_ANTI.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\temp_ANTI_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(7000) temp_ANTI.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\temp_ANTI_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
15
Suspicious files
7
Text files
19
Unknown types
0

Dropped files

PID
Process
Filename
Type
41202025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI41202\_lzma.pydexecutable
MD5:D165B7B9A127F66704CEAA196BE319E5
SHA256:B78F5A8476139FF04731046459EFD047BB8F52DC92C5B2082EABF2929C0CA02D
41202025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI41202\cryptography-45.0.4.dist-info\INSTALLERtext
MD5:365C9BFEB7D89244F2CE01C1DE44CB85
SHA256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
41202025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI41202\_hashlib.pydexecutable
MD5:9EC1021FA8A3C252E1F805AC7F172753
SHA256:1430E4A2ED19EDA840668A292C39FF44488B598F53E903A61739A86B779ECBFE
41202025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI41202\_decimal.pydexecutable
MD5:90071379B9E53B2D1834D49F4FD804EC
SHA256:90045140E45EDCFE4F4859B3190184FAFF1249220011330A9D01319745766607
41202025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI41202\cryptography-45.0.4.dist-info\WHEELtext
MD5:DF49613A5E68D0FA0517500CE308FA24
SHA256:5DDA9EF564CA358ED978EB0200F0327F7BCFF5CD383739FE587219F6C2295F81
41202025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI41202\base_library.zipcompressed
MD5:3927738EC830F5D9AED0F8B85E517204
SHA256:330ACA7F45D70ADF03E14F080BA3878455981A75316A4A9E80AEE279BF54E4E0
41202025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI41202\python313.dllexecutable
MD5:5ACD4D4F35E13EF79C883ACE05C4EAF5
SHA256:0565965617D94274D7F2C2958D0BEF33392CD9D2F346F99D8E1BEDBDF264EE85
41202025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI41202\_bz2.pydexecutable
MD5:ED9F4C1CF33DB08CAC3C7BA7A973E61B
SHA256:965F199679AFA9B31D537D98C3CA8403AFD6B9E58E1A463AE47697AE4BF12771
41202025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI41202\cryptography-45.0.4.dist-info\METADATAtext
MD5:F4491F073B10D696CDECD18C1CF2EDB5
SHA256:117656B7D0FB0B51606E69CBFAC7BDB6B110EAA9F03E247FB3DE665B636162B3
41202025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI41202\cryptography-45.0.4.dist-info\RECORDcsv
MD5:F906AE5D76A2A19CFB5C5C994E444A0A
SHA256:ABBF1F58EFFAB784A449C62FC6E643948C4DB3C6E5B58FEF9004343A070BB014
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
37
TCP/UDP connections
48
DNS requests
23
Threats
18

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5944
MoUsoCoreWorker.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
40.126.31.2:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
POST
200
40.126.31.128:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
16.7 Kb
whitelisted
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
204
142.250.184.227:443
https://gstatic.com/generate_204
unknown
unknown
GET
204
142.250.184.227:443
https://gstatic.com/generate_204
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1268
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2336
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.184.206
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
  • 23.55.104.190
  • 23.55.104.172
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 95.101.149.131
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.159.130
  • 20.190.159.128
  • 40.126.31.128
  • 40.126.31.1
  • 40.126.31.69
  • 20.190.159.0
  • 20.190.159.75
  • 40.126.31.129
whitelisted
gstatic.com
  • 142.250.186.131
whitelisted
ip-api.com
  • 208.95.112.1
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.11
whitelisted
discord.com
  • 162.159.136.232
  • 162.159.138.232
  • 162.159.128.233
  • 162.159.135.232
  • 162.159.137.232
whitelisted

Threats

PID
Process
Class
Message
2200
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2200
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
7000
temp_ANTI.exe
A Network Trojan was detected
ET MALWARE Common Stealer Behavior - Source IP Associated with Hosting Provider Check via ip.api .com
7000
temp_ANTI.exe
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External Hosting Lookup by ip-api
7000
temp_ANTI.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
3396
temp_ANTI.exe
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External Hosting Lookup by ip-api
3396
temp_ANTI.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
3396
temp_ANTI.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
3396
temp_ANTI.exe
A Network Trojan was detected
STEALER [ANY.RUN] UmbralStealer Generic External IP Check
2200
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar