File name:

2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar

Full analysis: https://app.any.run/tasks/08d3b49c-804e-4a47-861e-0783f27f1515
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: June 21, 2025, 23:02:29
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
python
stealer
umbralstealer
auto-startup
discord
exfiltration
discordgrabber
generic
umbral
divulgestealer
ims-api
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

E89DC5BAEA4DFF32E9A6BB9FBAC6AA4B

SHA1:

B41A51E803B1DB5670860B069B0E4D974CB81265

SHA256:

6C19B8473FBDF1AFA05F4D3FC42719AE9CC33BCCC9157283E1DBE976DE53A98E

SSDEEP:

98304:BC3CpAkJuapmlGaRS980QbHxn4kzKVfqGTGwdvk1aXdNHUXSeIMn3v1Zqp9+q+Df:0mT/fbHOds6+VldT/P881mw9uzNOL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes Windows Defender settings

      • temp_ANTI.exe (PID: 3396)

    • Adds path to the Windows Defender exclusion list

      • temp_ANTI.exe (PID: 3396)

    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 5348)

    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 5348)

    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 5348)

    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 5348)

    • Changes settings for real-time protection

      • powershell.exe (PID: 5348)

    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 5348)

    • Create files in the Startup directory

      • temp_ANTI.exe (PID: 3396)

    • Actions looks like stealing of personal data

      • temp_ANTI.exe (PID: 3396)

    • Steals credentials from Web Browsers

      • temp_ANTI.exe (PID: 3396)

    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 5348)

    • DISCORDGRABBER has been detected (YARA)

      • temp_ANTI.exe (PID: 3396)

    • UMBRALSTEALER has been detected (YARA)

      • temp_ANTI.exe (PID: 3396)

    • UMBRALSTEALER has been detected (SURICATA)

      • temp_ANTI.exe (PID: 3396)

    • UMBRAL has been detected (YARA)

      • temp_ANTI.exe (PID: 3396)

    • DIVULGESTEALER has been detected (YARA)

      • temp_ANTI.exe (PID: 3396)

    • Starts CMD.EXE for self-deleting

      • temp_ANTI.exe (PID: 3396)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4120)

    • Process drops python dynamic module

      • 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4120)

    • Executable content was dropped or overwritten

      • 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4120)
      • 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4888)
      • temp_ANTI.exe (PID: 3396)

    • Application launched itself

      • 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4120)
      • temp_ANTI.exe (PID: 7000)

    • The process drops C-runtime libraries

      • 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4120)

    • Loads Python modules

      • 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4888)

    • Starts CMD.EXE for commands execution

      • 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4888)
      • temp_ANTI.exe (PID: 3396)

    • Uses WMIC.EXE to obtain Windows Installer data

      • temp_ANTI.exe (PID: 7000)
      • temp_ANTI.exe (PID: 3396)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 4104)
      • WMIC.exe (PID: 1604)
      • WMIC.exe (PID: 5116)

    • Reads security settings of Internet Explorer

      • temp_ANTI.exe (PID: 7000)

    • Reads the date of Windows installation

      • temp_ANTI.exe (PID: 7000)

    • Checks for external IP

      • temp_ANTI.exe (PID: 7000)
      • temp_ANTI.exe (PID: 3396)
      • svchost.exe (PID: 2200)

    • Uses ATTRIB.EXE to modify file attributes

      • temp_ANTI.exe (PID: 3396)

    • Script adds exclusion path to Windows Defender

      • temp_ANTI.exe (PID: 3396)

    • Starts POWERSHELL.EXE for commands execution

      • temp_ANTI.exe (PID: 3396)

    • Script disables Windows Defender's real-time protection

      • temp_ANTI.exe (PID: 3396)

    • Script disables Windows Defender's IPS

      • temp_ANTI.exe (PID: 3396)

    • Modifies hosts file to alter network resolution

      • temp_ANTI.exe (PID: 3396)

    • Uses WMIC.EXE to obtain operating system information

      • temp_ANTI.exe (PID: 3396)

    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 3956)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 4236)

    • Uses WMIC.EXE to obtain a list of video controllers

      • temp_ANTI.exe (PID: 3396)

    • The process connected to a server suspected of theft

      • temp_ANTI.exe (PID: 3396)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • temp_ANTI.exe (PID: 3396)

    • Uses WMIC.EXE to obtain computer system information

      • temp_ANTI.exe (PID: 3396)

  • INFO

    • Checks supported languages

      • 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4120)
      • 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4888)
      • temp_ANTI.exe (PID: 7000)
      • temp_ANTI.exe (PID: 3396)
      • z5YS5.scr (PID: 5692)

    • Reads the computer name

      • temp_ANTI.exe (PID: 7000)
      • 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4120)
      • temp_ANTI.exe (PID: 3396)
      • z5YS5.scr (PID: 5692)

    • The sample compiled with english language support

      • 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4120)

    • Create files in a temporary directory

      • 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4120)
      • temp_ANTI.exe (PID: 3396)

    • Disables trace logs

      • temp_ANTI.exe (PID: 7000)
      • temp_ANTI.exe (PID: 3396)

    • Reads the software policy settings

      • temp_ANTI.exe (PID: 7000)
      • temp_ANTI.exe (PID: 3396)
      • slui.exe (PID: 4036)

    • Checks proxy server information

      • temp_ANTI.exe (PID: 7000)
      • temp_ANTI.exe (PID: 3396)
      • slui.exe (PID: 4036)

    • Reads the machine GUID from the registry

      • temp_ANTI.exe (PID: 7000)
      • temp_ANTI.exe (PID: 3396)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 4104)
      • WMIC.exe (PID: 1604)
      • WMIC.exe (PID: 3956)
      • WMIC.exe (PID: 5116)
      • WMIC.exe (PID: 4880)
      • WMIC.exe (PID: 4236)

    • Process checks computer location settings

      • temp_ANTI.exe (PID: 7000)

    • Reads Environment values

      • temp_ANTI.exe (PID: 7000)
      • temp_ANTI.exe (PID: 3396)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 2028)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2028)
      • powershell.exe (PID: 5348)
      • powershell.exe (PID: 2356)
      • powershell.exe (PID: 4104)

    • Creates files in the program directory

      • temp_ANTI.exe (PID: 3396)

    • Launching a file from the Startup directory

      • temp_ANTI.exe (PID: 3396)

    • Manual execution by a user

      • z5YS5.scr (PID: 5692)

    • Attempting to use instant messaging service

      • svchost.exe (PID: 2200)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(3396) temp_ANTI.exe
Discord-Webhook-Tokens (1)1378063371126968430/mTr72dCSnEuXCXF2fOh7dP_-IIBtvDvndxh5U63HjSzUlwuVDtor9HvBGS_4W9jucTpT
Discord-Info-Links
1378063371126968430/mTr72dCSnEuXCXF2fOh7dP_-IIBtvDvndxh5U63HjSzUlwuVDtor9HvBGS_4W9jucTpT
Get Webhook Infohttps://discord.com/api/webhooks/1378063371126968430/mTr72dCSnEuXCXF2fOh7dP_-IIBtvDvndxh5U63HjSzUlwuVDtor9HvBGS_4W9jucTpT
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:21 09:11:37+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 174592
InitializedDataSize: 157184
UninitializedDataSize: -
EntryPoint: 0xd0d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
165
Monitored processes
36
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe 2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe cmd.exe no specs conhost.exe no specs temp_anti.exe wmic.exe no specs conhost.exe no specs svchost.exe #UMBRALSTEALER temp_anti.exe wmic.exe no specs conhost.exe no specs attrib.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs z5ys5.scr no specs wmic.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs ping.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
640\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1324\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1496\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1604"wmic.exe" csproduct get uuidC:\Windows\System32\wbem\WMIC.exetemp_ANTI.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
1688\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2028"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\admin\Desktop\temp_ANTI.exe'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exetemp_ANTI.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
2200C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2356"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITYC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exetemp_ANTI.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
3048\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3396"C:\Users\admin\Desktop\temp_ANTI.exe" C:\Users\admin\Desktop\temp_ANTI.exe
temp_ANTI.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\temp_anti.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
ims-api
(PID) Process(3396) temp_ANTI.exe
Discord-Webhook-Tokens (1)1378063371126968430/mTr72dCSnEuXCXF2fOh7dP_-IIBtvDvndxh5U63HjSzUlwuVDtor9HvBGS_4W9jucTpT
Discord-Info-Links
1378063371126968430/mTr72dCSnEuXCXF2fOh7dP_-IIBtvDvndxh5U63HjSzUlwuVDtor9HvBGS_4W9jucTpT
Get Webhook Infohttps://discord.com/api/webhooks/1378063371126968430/mTr72dCSnEuXCXF2fOh7dP_-IIBtvDvndxh5U63HjSzUlwuVDtor9HvBGS_4W9jucTpT
Total events
34 113
Read events
34 099
Write events
14
Delete events
0

Modification events

(PID) Process:(7000) temp_ANTI.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\temp_ANTI_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(7000) temp_ANTI.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\temp_ANTI_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(7000) temp_ANTI.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\temp_ANTI_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(7000) temp_ANTI.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\temp_ANTI_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(7000) temp_ANTI.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\temp_ANTI_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(7000) temp_ANTI.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\temp_ANTI_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(7000) temp_ANTI.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\temp_ANTI_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(7000) temp_ANTI.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\temp_ANTI_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(7000) temp_ANTI.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\temp_ANTI_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(7000) temp_ANTI.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\temp_ANTI_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
15
Suspicious files
7
Text files
19
Unknown types
0

Dropped files

PID
Process
Filename
Type
41202025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI41202\_bz2.pydexecutable
MD5:ED9F4C1CF33DB08CAC3C7BA7A973E61B
SHA256:965F199679AFA9B31D537D98C3CA8403AFD6B9E58E1A463AE47697AE4BF12771
41202025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI41202\_socket.pydexecutable
MD5:C2938DBDCDABA1CCBEFEE37F6A06CD0C
SHA256:C63E8E6A369CBE86E57C9823FB48BC5D4E7BB18455B9B001986B4768C49007DA
41202025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI41202\_decimal.pydexecutable
MD5:90071379B9E53B2D1834D49F4FD804EC
SHA256:90045140E45EDCFE4F4859B3190184FAFF1249220011330A9D01319745766607
41202025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI41202\_lzma.pydexecutable
MD5:D165B7B9A127F66704CEAA196BE319E5
SHA256:B78F5A8476139FF04731046459EFD047BB8F52DC92C5B2082EABF2929C0CA02D
41202025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI41202\_cffi_backend.cp313-win_amd64.pydexecutable
MD5:5CBA92E7C00D09A55F5CBADC8D16CD26
SHA256:0E3D149B91FC7DC3367AB94620A5E13AF6E419F423B31D4800C381468CB8AD85
41202025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI41202\_hashlib.pydexecutable
MD5:9EC1021FA8A3C252E1F805AC7F172753
SHA256:1430E4A2ED19EDA840668A292C39FF44488B598F53E903A61739A86B779ECBFE
41202025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI41202\cryptography-45.0.4.dist-info\WHEELtext
MD5:DF49613A5E68D0FA0517500CE308FA24
SHA256:5DDA9EF564CA358ED978EB0200F0327F7BCFF5CD383739FE587219F6C2295F81
41202025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI41202\VCRUNTIME140.dllexecutable
MD5:32DA96115C9D783A0769312C0482A62D
SHA256:8B10C53241726B0ACC9F513157E67FCB01C166FEC69E5E38CA6AADA8F9A3619F
41202025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI41202\base_library.zipcompressed
MD5:3927738EC830F5D9AED0F8B85E517204
SHA256:330ACA7F45D70ADF03E14F080BA3878455981A75316A4A9E80AEE279BF54E4E0
41202025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI41202\cryptography-45.0.4.dist-info\licenses\LICENSE.BSDtext
MD5:5AE30BA4123BC4F2FA49AA0B0DCE887B
SHA256:602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
37
TCP/UDP connections
48
DNS requests
23
Threats
18

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
40.126.31.2:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
GET
204
142.250.184.227:443
https://gstatic.com/generate_204
unknown
GET
204
142.250.184.227:443
https://gstatic.com/generate_204
unknown
7000
temp_ANTI.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1268
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2336
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.184.206
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
  • 23.55.104.190
  • 23.55.104.172
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 95.101.149.131
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.159.130
  • 20.190.159.128
  • 40.126.31.128
  • 40.126.31.1
  • 40.126.31.69
  • 20.190.159.0
  • 20.190.159.75
  • 40.126.31.129
whitelisted
gstatic.com
  • 142.250.186.131
whitelisted
ip-api.com
  • 208.95.112.1
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.11
whitelisted
discord.com
  • 162.159.136.232
  • 162.159.138.232
  • 162.159.128.233
  • 162.159.135.232
  • 162.159.137.232
whitelisted

Threats

PID
Process
Class
Message
2200
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2200
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
7000
temp_ANTI.exe
A Network Trojan was detected
ET MALWARE Common Stealer Behavior - Source IP Associated with Hosting Provider Check via ip.api .com
7000
temp_ANTI.exe
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External Hosting Lookup by ip-api
7000
temp_ANTI.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
3396
temp_ANTI.exe
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External Hosting Lookup by ip-api
3396
temp_ANTI.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
3396
temp_ANTI.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
3396
temp_ANTI.exe
A Network Trojan was detected
STEALER [ANY.RUN] UmbralStealer Generic External IP Check
2200
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-06-21_e89dc5baea4dff32e9a6bb9fbac6aa4b_black-basta_cobalt-strike_luca-stealer_satacom_vidar