File name: 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom

Full analysis: https://app.any.run/tasks/8c11aa36-6b77-4034-b83e-686d026c45db
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely available RATs on the market and comes with an abundance of educational material; interested attackers can even find tutorials on YouTube. This has made it one of the most popular RATs in the world.

Analysis date: April 29, 2025, 04:40:20
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: python, njrat, rat, bladabindi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: 426747C0DCB3E383BB6DF66D751642C6
SHA1: 74D789D8B61B2AAFCD6C89E872CA6F7B1402542F
SHA256: 7D9C5AD31C0256737FD82E50FC1C88FBA65FCD722745BD4E17D67A6A08A4FB98
SSDEEP: 98304:4CYzBR0cbSb4Y6ZhkDQet54nHZU/n118Sox2bfDSYFPjc8q+TrlBkL+VmIIueCY8:KbUlNi881mw2/kiXb3V

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • NjRAT is detected
      • WindowsServices.exe (PID: 4120)
    • NjRAT has been detected (YARA)
      • WindowsServices.exe (PID: 4120)
  • SUSPICIOUS
    • Process drops a legitimate Windows executable
      • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID: 1912)
    • Loads Python modules
      • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID: 7152)
    • Executable content was dropped or overwritten
      • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID: 1912)
      • light_stub.exe (PID: 4652)
      • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID: 7152)
    • Process drops a Python dynamic module
      • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID: 1912)
    • Application launched itself
      • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID: 1912)
    • Starts itself from another location
      • light_stub.exe (PID: 4652)
    • The process creates files with names similar to system file names
      • light_stub.exe (PID: 4652)
    • Uses NETSH.EXE to add a firewall rule or allowed program
      • WindowsServices.exe (PID: 4120)
    • Reads security settings of Internet Explorer
      • light_stub.exe (PID: 4652)
    • The process drops C-runtime libraries
      • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID: 1912)
  • INFO
    • The sample was compiled with English language support
      • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID: 1912)
    • Creates files in a temporary directory
      • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID: 1912)
      • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID: 7152)
      • light_stub.exe (PID: 4652)
    • Checks supported languages
      • light_stub.exe (PID: 4652)
      • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID: 7152)
      • WindowsServices.exe (PID: 4120)
      • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID: 1912)
    • Reads the computer name
      • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID: 1912)
      • light_stub.exe (PID: 4652)
      • WindowsServices.exe (PID: 4120)
    • Process checks computer location settings
      • light_stub.exe (PID: 4652)
    • Reads the software policy settings
      • slui.exe (PID: 5360)
    • Checks proxy server information
      • slui.exe (PID: 5360)
    • Reads the machine GUID from the registry
      • WindowsServices.exe (PID: 4120)

NjRat (extracted configuration)

Process: WindowsServices.exe (PID 4120)
C2: 127.0.0.1
Ports: 1177
Botnet: MyBot
Options:
  Auto-run registry key: Software\Microsoft\Windows\CurrentVersion\Run\2d8dcda152f7cbfad1bf57e36d6a7e3e
  Splitter: Y262SUCZ4UJJ
  Version: 0.7d

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:04:21 15:54:30+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 173568
InitializedDataSize: 155648
UninitializedDataSize: -
EntryPoint: 0xce30
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
Total processes: 133
Monitored processes: 7
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process tree as shown in the graph (parent/child relations taken from the process information below; "no specs" marks nodes without their own signatures):

2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID 1912, started from explorer.exe)
  ├─ 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID 7152)
  └─ light_stub.exe (PID 4652)
       └─ windowsservices.exe (PID 4120) #NJRAT
            └─ netsh.exe (PID 5864, no specs)
                 └─ conhost.exe (PID 2600, no specs)
slui.exe (PID 5360, started from svchost.exe, no specs)

Process information

PID: 1912
CMD: "C:\Users\admin\Desktop\2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe"
Path: C:\Users\admin\Desktop\2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

PID: 2600
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: netsh.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 4120
CMD: "C:\Users\admin\AppData\Local\Temp\WindowsServices.exe"
Path: C:\Users\admin\AppData\Local\Temp\WindowsServices.exe
Parent process: light_stub.exe
User: admin
Integrity Level: MEDIUM
Exit code: (none; the process was still running)
Indicators: NjRat configuration extracted from this process (C2 127.0.0.1, port 1177, botnet MyBot, version 0.7d; see the NjRat section above)
Modules (images):
c:\users\admin\appdata\local\temp\windowsservices.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

PID: 4652
CMD: C:\Users\admin\AppData\Local\Temp\light_stub.exe
Path: C:\Users\admin\AppData\Local\Temp\light_stub.exe
Parent process: 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\light_stub.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

PID: 5360
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 5864
CMD: netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: WindowsServices.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Network Command Shell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 7152
CMD: "C:\Users\admin\Desktop\2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe"
Path: C:\Users\admin\Desktop\2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe
Parent process: 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events: 4 461
Read events: 4 452
Write events: 9
Delete events: 0

Modification events

Process: WindowsServices.exe (PID 4120)
Key: HKEY_CURRENT_USER\Environment
Operation: write
Name: SEE_MASK_NOZONECHECKS
Value: 1

Process: WindowsServices.exe (PID 4120)
Key: HKEY_CURRENT_USER\SOFTWARE\2d8dcda152f7cbfad1bf57e36d6a7e3e
Operation: write
Name: [kl]
Value:

Executable files: 51
Suspicious files: 1
Text files: 1
Unknown types: 0

Dropped files

All entries below were dropped by 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID 1912) and are of type "executable". A _MEI<number> directory under %TEMP% populated with .pyd modules and VCRUNTIME140.dll is the temporary extraction directory of a PyInstaller-packaged executable, which matches the "python" tag and the "Loads Python modules" signature above.

Filename: C:\Users\admin\AppData\Local\Temp\_MEI19122\VCRUNTIME140.dll
MD5: 32DA96115C9D783A0769312C0482A62D
SHA256: 8B10C53241726B0ACC9F513157E67FCB01C166FEC69E5E38CA6AADA8F9A3619F

Filename: C:\Users\admin\AppData\Local\Temp\_MEI19122\_decimal.pyd
MD5: 21FCB8E3D4310346A5DC1A216E7E23CA
SHA256: 9A0E05274CAD8D90F6BA6BC594261B36BFBDDF4F5CA6846B6367FE6A4E2FDCE4

Filename: C:\Users\admin\AppData\Local\Temp\_MEI19122\_socket.pyd
MD5: 566CB4D39B700C19DBD7175BD4F2B649
SHA256: 77EBA293FE03253396D7BB6E575187CD026C80766D7A345EB72AD92F0BBBC3AA

Filename: C:\Users\admin\AppData\Local\Temp\_MEI19122\_bz2.pyd
MD5: 684D656AADA9F7D74F5A5BDCF16D0EDB
SHA256: A5DFB4A663DEF3D2276B88866F6D220F6D30CC777B5D841CF6DBB15C6858017C

Filename: C:\Users\admin\AppData\Local\Temp\_MEI19122\api-ms-win-core-file-l1-1-0.dll
MD5: B90485EB6D2E835F975C6F1011BE880F
SHA256: 72E79CE895AB6506D2C85BCD1709EF6A250B63C990C76C9DF530EC4E5B5CBB6A

Filename: C:\Users\admin\AppData\Local\Temp\_MEI19122\api-ms-win-core-datetime-l1-1-0.dll
MD5: B3F46F0820B641C5A9A9D0A4BFC94355
SHA256: E353ECF9DEB083DA0F00F40F2FE99CC4EEA4A904E7118A1CAC4EF6E43F89B154

Filename: C:\Users\admin\AppData\Local\Temp\_MEI19122\api-ms-win-core-memory-l1-1-0.dll
MD5: D14C0B3BC3032A043DDFFBC39D26DB7C
SHA256: D699E0C0DE1D2F12BB69B3D464FAA7AD4734D18A3E725877D8A96AABF29C0542

Filename: C:\Users\admin\AppData\Local\Temp\_MEI19122\api-ms-win-core-libraryloader-l1-1-0.dll
MD5: 3E3A777CAD2AAFDE613836EE88179A58
SHA256: 4A02983D6632C2FB92409D56269CA9A5BB0C31D33A8F2A89B0AB847D263C3F96

Filename: C:\Users\admin\AppData\Local\Temp\_MEI19122\_hashlib.pyd
MD5: 3E540EF568215561590DF215801B0F59
SHA256: 0ED7A6ED080499BC6C29D7113485A8A61BDBA93087B010FCA67D9B8289CBE6FA

Filename: C:\Users\admin\AppData\Local\Temp\_MEI19122\_lzma.pyd
MD5: D63E2E743EA103626D33B3C1D882F419
SHA256: 7C2D2030D5D246739C5D85F087FCF404BC36E1815E69A8AC7C9541267734FC28
HTTP(S) requests: 34
TCP/UDP connections: 50
DNS requests: 20
Threats: 0

All HTTP requests and connections listed below originate from Windows system processes (svchost.exe, RUXIMICS.exe, SIHClient.exe, System) to whitelisted Microsoft infrastructure; none is attributed to the sample's own processes, which is consistent with the extracted C2 address being the loopback address 127.0.0.1.

HTTP requests

(The Type and Size columns were empty for every row and are omitted; "-" marks a field the report left blank.)

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
2104 | svchost.exe | GET | 200 | 23.32.238.107:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2104 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4220 | RUXIMICS.exe | GET | 200 | 23.32.238.107:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4220 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4812 | SIHClient.exe | GET | 200 | 23.32.238.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
4812 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
4812 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
4812 | SIHClient.exe | GET | 200 | 23.32.238.112:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
4812 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
- | - | GET | 200 | 20.3.187.198:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | -

Connections

("-" marks a field the report left blank.)

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4220 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2104 | svchost.exe | 23.32.238.107:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4220 | RUXIMICS.exe | 23.32.238.107:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4220 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6544 | svchost.exe | 20.190.159.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | Resolved IP(s) | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 20.73.194.208 | whitelisted
google.com | 142.250.185.174 | whitelisted
client.wns.windows.com | 172.211.123.250 | whitelisted
crl.microsoft.com | 23.32.238.107, 23.32.238.112 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
login.live.com | 20.190.159.64, 20.190.159.73, 20.190.159.131, 40.126.31.129, 40.126.31.2, 40.126.31.0, 20.190.159.71, 40.126.31.3 | whitelisted
slscr.update.microsoft.com | 4.175.87.197 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.3.187.198 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98, 40.91.76.224 | whitelisted
nexusrules.officeapps.live.com | 52.111.243.31 | whitelisted

Threats

No threats detected
No debug info