File name:

2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom

Full analysis: https://app.any.run/tasks/8c11aa36-6b77-4034-b83e-686d026c45db
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market and comes with an abundance of educational material; interested attackers can even find tutorials on YouTube. This has made it one of the most popular RATs in the world.

Analysis date: April 29, 2025, 04:40:20
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
njrat
rat
bladabindi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: 426747C0DCB3E383BB6DF66D751642C6
SHA1: 74D789D8B61B2AAFCD6C89E872CA6F7B1402542F
SHA256: 7D9C5AD31C0256737FD82E50FC1C88FBA65FCD722745BD4E17D67A6A08A4FB98
SSDEEP: 98304:4CYzBR0cbSb4Y6ZhkDQet54nHZU/n118Sox2bfDSYFPjc8q+TrlBkL+VmIIueCY8:KbUlNi881mw2/kiXb3V

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • NJRAT has been detected (YARA)
      • WindowsServices.exe (PID: 4120)
    • NjRAT is detected
      • WindowsServices.exe (PID: 4120)
  • SUSPICIOUS
    • The process drops C-runtime libraries
      • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID: 1912)
    • Process drops a Python dynamic module
      • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID: 1912)
    • Executable content was dropped or overwritten
      • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID: 1912)
      • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID: 7152)
      • light_stub.exe (PID: 4652)
    • Process drops a legitimate Windows executable
      • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID: 1912)
    • Application launched itself
      • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID: 1912)
    • Loads Python modules
      • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID: 7152)
    • The process creates files with names similar to system file names
      • light_stub.exe (PID: 4652)
    • Reads security settings of Internet Explorer
      • light_stub.exe (PID: 4652)
    • Starts itself from another location
      • light_stub.exe (PID: 4652)
    • Uses NETSH.EXE to add a firewall rule or allowed program
      • WindowsServices.exe (PID: 4120)
  • INFO
    • Reads the computer name
      • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID: 1912)
      • light_stub.exe (PID: 4652)
      • WindowsServices.exe (PID: 4120)
    • Checks supported languages
      • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID: 1912)
      • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID: 7152)
      • light_stub.exe (PID: 4652)
      • WindowsServices.exe (PID: 4120)
    • Creates files in a temporary directory
      • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID: 1912)
      • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID: 7152)
      • light_stub.exe (PID: 4652)
    • The sample was compiled with English language support
      • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe (PID: 1912)
    • Process checks computer location settings
      • light_stub.exe (PID: 4652)
    • Reads the machine GUID from the registry
      • WindowsServices.exe (PID: 4120)
    • Checks proxy server information
      • slui.exe (PID: 5360)
    • Reads the software policy settings
      • slui.exe (PID: 5360)

NjRat

(PID) Process: (4120) WindowsServices.exe
C2: 127.0.0.1
Ports: 1177
Botnet: MyBot
Options
Auto-run registry key: Software\Microsoft\Windows\CurrentVersion\Run\2d8dcda152f7cbfad1bf57e36d6a7e3e
Splitter: Y262SUCZ4UJJ
Version: 0.7d

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:04:21 15:54:30+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 173568
InitializedDataSize: 155648
UninitializedDataSize: -
EntryPoint: 0xce30
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
Screenshots

All screenshots are available in the full report
Total processes: 133
Monitored processes: 7
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Processes in the graph:
  • start
  • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe
  • 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe
  • light_stub.exe
  • windowsservices.exe (#NJRAT)
  • netsh.exe (no specs)
  • conhost.exe (no specs)
  • slui.exe (no specs)

Process information

PID: 1912
CMD: "C:\Users\admin\Desktop\2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe"
Path: C:\Users\admin\Desktop\2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 2600
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: netsh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4120
CMD: "C:\Users\admin\AppData\Local\Temp\WindowsServices.exe"
Path: C:\Users\admin\AppData\Local\Temp\WindowsServices.exe
Parent process: light_stub.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\windowsservices.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 4652
CMD: C:\Users\admin\AppData\Local\Temp\light_stub.exe
Path: C:\Users\admin\AppData\Local\Temp\light_stub.exe
Parent process: 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\light_stub.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 5360
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5864
CMD: netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: WindowsServices.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 7152
CMD: "C:\Users\admin\Desktop\2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe"
Path: C:\Users\admin\Desktop\2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe
Parent process: 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events: 4 461
Read events: 4 452
Write events: 9
Delete events: 0

Modification events

(PID) Process: (4120) WindowsServices.exe
Key: HKEY_CURRENT_USER\Environment
Operation: write
Name: SEE_MASK_NOZONECHECKS
Value: 1

(PID) Process: (4120) WindowsServices.exe
Key: HKEY_CURRENT_USER\SOFTWARE\2d8dcda152f7cbfad1bf57e36d6a7e3e
Operation: write
Name: [kl]
Value:
Executable files: 51
Suspicious files: 1
Text files: 1
Unknown types: 0

Dropped files

PID: 1912
Process: 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI19122\_hashlib.pyd
Type: executable
MD5: 3E540EF568215561590DF215801B0F59
SHA256: 0ED7A6ED080499BC6C29D7113485A8A61BDBA93087B010FCA67D9B8289CBE6FA

PID: 1912
Process: 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI19122\_bz2.pyd
Type: executable
MD5: 684D656AADA9F7D74F5A5BDCF16D0EDB
SHA256: A5DFB4A663DEF3D2276B88866F6D220F6D30CC777B5D841CF6DBB15C6858017C

PID: 1912
Process: 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI19122\VCRUNTIME140.dll
Type: executable
MD5: 32DA96115C9D783A0769312C0482A62D
SHA256: 8B10C53241726B0ACC9F513157E67FCB01C166FEC69E5E38CA6AADA8F9A3619F

PID: 1912
Process: 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI19122\api-ms-win-core-console-l1-1-0.dll
Type: executable
MD5: E4A519EF5D0A378EA82C423FE1E4586E
SHA256: 5C1CBD16ACF9191F17525F5DD887D944B4EB0083C5EC1ADB68CE1B82639182AE

PID: 1912
Process: 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI19122\_lzma.pyd
Type: executable
MD5: D63E2E743EA103626D33B3C1D882F419
SHA256: 7C2D2030D5D246739C5D85F087FCF404BC36E1815E69A8AC7C9541267734FC28

PID: 1912
Process: 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI19122\_decimal.pyd
Type: executable
MD5: 21FCB8E3D4310346A5DC1A216E7E23CA
SHA256: 9A0E05274CAD8D90F6BA6BC594261B36BFBDDF4F5CA6846B6367FE6A4E2FDCE4

PID: 1912
Process: 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI19122\api-ms-win-core-errorhandling-l1-1-0.dll
Type: executable
MD5: 31990AAAB1AEEAE6BFF96EAF3809EDA9
SHA256: D71714C34FABF8A93AE316A0D8679BB8CDC843F6128C9AFD42E18E0DE70B1A91

PID: 1912
Process: 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI19122\api-ms-win-core-handle-l1-1-0.dll
Type: executable
MD5: 968C1759F5D4AA2BED859A2DF67ACC8F
SHA256: 8A52A26AFAF4D7CD698CF79DCD339EC3F1B3AB3C0031A8AE9064D50F63462B99

PID: 1912
Process: 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI19122\api-ms-win-core-interlocked-l1-1-0.dll
Type: executable
MD5: 7EE0013D07ED45C081DF41E64AB14889
SHA256: 26F90D2086687EDF6FC02BE5DCFD7575FAAD2022C3D716CDD0B5CA3E70A3C022

PID: 1912
Process: 2025-04-29_426747c0dcb3e383bb6df66d751642c6_black-basta_cobalt-strike_satacom.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI19122\api-ms-win-core-namedpipe-l1-1-0.dll
Type: executable
MD5: 627327251BC258AA258848DE32B698BA
SHA256: 5EBD891DF029E795372F8665DB7F15B4964D434AA8D58EB2B50634BC58D74132
HTTP(S) requests: 34
TCP/UDP connections: 50
DNS requests: 20
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 23.32.238.107:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2104 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4220 | RUXIMICS.exe | GET | 200 | 23.32.238.107:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4220 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | unknown
4812 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
4812 | SIHClient.exe | GET | 200 | 23.32.238.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 20.3.187.198:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | - | - | unknown
4812 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 4.175.87.197:443 | https://slscr.update.microsoft.com/sls/ping | unknown | - | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4220 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2104 | svchost.exe | 23.32.238.107:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4220 | RUXIMICS.exe | 23.32.238.107:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4220 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6544 | svchost.exe | 20.190.159.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.174
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
crl.microsoft.com
  • 23.32.238.107
  • 23.32.238.112
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
login.live.com
  • 20.190.159.64
  • 20.190.159.73
  • 20.190.159.131
  • 40.126.31.129
  • 40.126.31.2
  • 40.126.31.0
  • 20.190.159.71
  • 40.126.31.3
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.31
whitelisted

Threats

No threats detected
No debug info