File name: 2025-07-12_42a07325274676e144cf71c589f349ee_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe

Full analysis: https://app.any.run/tasks/7b816a27-fc66-4da7-a677-e1571c248def
Verdict: Malicious activity
Analysis date: July 12, 2025, 21:56:59
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: github, python
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5: 42A07325274676E144CF71C589F349EE
SHA1: 8A11B87709855C4E8A8632C5BDEF01698727C99E
SHA256: 7FEB9B335EF48C7EBD5C8AFD1E2A140754F52E2B9051D0E3AD75872EFB505825
SSDEEP: 196608:1X5r4fVjt4f/fY83VwCTA9GaEtazmQkIiEEe4IAstwIs5MxkIK:1X5r4EHfYy3TAHzAIiEbfazMaIK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • The process drops C-runtime libraries
      • 2025-07-12_42a07325274676e144cf71c589f349ee_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5884)
    • Executable content was dropped or overwritten
      • 2025-07-12_42a07325274676e144cf71c589f349ee_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5884)
    • Process drops a Python dynamic module
      • 2025-07-12_42a07325274676e144cf71c589f349ee_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5884)
    • Process drops a legitimate Windows executable
      • 2025-07-12_42a07325274676e144cf71c589f349ee_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5884)
    • Application launched itself
      • 2025-07-12_42a07325274676e144cf71c589f349ee_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5884)
    • Loads Python modules
      • 2025-07-12_42a07325274676e144cf71c589f349ee_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4844)
  • INFO
    • Reads the computer name
      • 2025-07-12_42a07325274676e144cf71c589f349ee_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5884)
      • 2025-07-12_42a07325274676e144cf71c589f349ee_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4844)
    • The sample was compiled with English language support
      • 2025-07-12_42a07325274676e144cf71c589f349ee_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5884)
    • Checks supported languages
      • 2025-07-12_42a07325274676e144cf71c589f349ee_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5884)
      • 2025-07-12_42a07325274676e144cf71c589f349ee_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4844)
    • Creates files in a temporary directory
      • 2025-07-12_42a07325274676e144cf71c589f349ee_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5884)
    • Checks proxy server information
      • 2025-07-12_42a07325274676e144cf71c589f349ee_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4844)
      • slui.exe (PID: 4824)
    • Reads the software policy settings
      • slui.exe (PID: 4824)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:07:11 04:53:09+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 179712
InitializedDataSize: 221696
UninitializedDataSize: -
EntryPoint: 0xc650
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
All screenshots are available in the full report
Total processes: 135
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process nodes: start → 2025-07-12_42a07325274676e144cf71c589f349ee_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe → conhost.exe (no specs), 2025-07-12_42a07325274676e144cf71c589f349ee_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (second instance), slui.exe

Process information

PID | CMD | Path | Parent process

4824 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Activation Client | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images): c:\windows\system32\slui.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\user32.dll

4844 | "C:\Users\admin\Desktop\2025-07-12_42a07325274676e144cf71c589f349ee_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe" | C:\Users\admin\Desktop\2025-07-12_42a07325274676e144cf71c589f349ee_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | 2025-07-12_42a07325274676e144cf71c589f349ee_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
  User: admin | Integrity Level: MEDIUM | Exit code: 1
  Modules (images): c:\users\admin\desktop\2025-07-12_42a07325274676e144cf71c589f349ee_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\gdi32full.dll, c:\windows\system32\msvcp_win.dll

5884 | "C:\Users\admin\Desktop\2025-07-12_42a07325274676e144cf71c589f349ee_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe" | C:\Users\admin\Desktop\2025-07-12_42a07325274676e144cf71c589f349ee_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | explorer.exe
  User: admin | Integrity Level: MEDIUM | Exit code: 1
  Modules (images): c:\users\admin\desktop\2025-07-12_42a07325274676e144cf71c589f349ee_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\gdi32full.dll, c:\windows\system32\msvcp_win.dll

6572 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | 2025-07-12_42a07325274676e144cf71c589f349ee_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Console Window Host | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll
Total events: 3 814
Read events: 3 814
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 100
Suspicious files: 1
Text files: 27
Unknown types: 0

Dropped files

All files below were dropped by 2025-07-12_42a07325274676e144cf71c589f349ee_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 5884).

Filename | Type | MD5 | SHA256
C:\Users\admin\AppData\Local\Temp\_MEI58842\MSVCP140.dll | executable | BC88B387CAFA556068B5C5D6FF3CCC8F | 0F885B509A685D2BBFA652FED26B5FB31D88FBDAB0A978C641D1C7B8AA460AA9
C:\Users\admin\AppData\Local\Temp\_MEI58842\OpenGL\DLLS\freeglut32.vc14.dll | executable | 67882F7987F27C8C2E7B4EBAC37BF42C | C9C00A4EA9B9FECDCAE81F6FACAF27E349714D56FE7640CE9C37ED38841A0B87
C:\Users\admin\AppData\Local\Temp\_MEI58842\OpenGL\DLLS\freeglut32.vc9.dll | executable | 7663CB1E1AC1F1285E755ED8FB22B19C | 5BA8C62E293BBDC7064A8607992061C55278596300136785E3C11A8C7BB0723F
C:\Users\admin\AppData\Local\Temp\_MEI58842\OpenGL\DLLS\GLE_WIN32_README.txt | text | C02858F933D989EDB257604159557A23 | A7DF9B1FCC74D4DDF51CA0774CC94F00DC55146052FBE08614DBA0E9DA68F887
C:\Users\admin\AppData\Local\Temp\_MEI58842\OpenGL\DLLS\freeglut64.vc9.dll | executable | 1953B9A59E6F13DC0DFA0EFFB00F2E18 | 3B8D615246DB6A1C27C9B49E3CAE1E1E81B1E0C8BE432BBEBD153F9479383052
C:\Users\admin\AppData\Local\Temp\_MEI58842\OpenGL\DLLS\freeglut32.vc10.dll | executable | 894D0FF83745E0484F457D600543689E | 6F9A26D2989E4DF40D948DF565A661F57FE1FA80801C9C3AE5CD3DE4AADC66BE
C:\Users\admin\AppData\Local\Temp\_MEI58842\OpenGL\DLLS\freeglut64.vc14.dll | executable | 1167623310A2868C49C5F990D076C7EA | E84436244C0F555151719E22DDB31E4175396F851F124680DE5C776B4DB3C898
C:\Users\admin\AppData\Local\Temp\_MEI58842\OpenGL\DLLS\freeglut64.vc10.dll | executable | 3FA883DB6531510AFB85EDCFF0B53E02 | 01354ABB19F7126EF9461CED319FA9FA0AF213CF741699A4A7F1813DC43918E9
C:\Users\admin\AppData\Local\Temp\_MEI58842\MSVCR100.dll | executable | 366FD6F3A451351B5DF2D7C4ECF4C73A | AE3CB6C6AFBA9A4AA5C85F66023C35338CA579B30326DD02918F9D55259503D5
C:\Users\admin\AppData\Local\Temp\_MEI58842\OpenGL\DLLS\gle64.vc10.dll | executable | A87058334881E2479C26E1374BB04EA7 | 3EFBE4AD79FA83487FCE88504553687436C7692564074D1EFEC5BA8141E9E3DC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 22
DNS requests: 9
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5104 | RUXIMICS.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5104 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5104 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5104 | RUXIMICS.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5104 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.184.206 | whitelisted
crl.microsoft.com | 23.216.77.6, 23.216.77.42 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
settings-win.data.microsoft.com | 40.127.240.158, 51.104.136.2 | whitelisted
raw.githubusercontent.com | 185.199.110.133, 185.199.108.133, 185.199.109.133, 185.199.111.133 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted
self.events.data.microsoft.com | 52.168.117.170 | whitelisted

Threats

PID | Process | Class | Message
2200 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
No debug info