File name:

2025-06-21_5abad4e59fcccf9f3776cab3c9731c2f_black-basta_cobalt-strike_satacom_vidar

Full analysis: https://app.any.run/tasks/f2a0042c-302f-495d-98f7-426a3dab8d8a
Verdict: Malicious activity
Analysis date: June 21, 2025, 11:11:42
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5:

5ABAD4E59FCCCF9F3776CAB3C9731C2F

SHA1:

C3367CA195879A1145EE44B0823E2B62B8F516EE

SHA256:

843B0E8D7A2F458AC62A83C3D3A9BA6B088B2F67779C67A99538F7D1B325B729

SSDEEP:

98304:DM0F9R+Mi2wtv+lClt6u3++7vgv4r3zKcsrwwi7J/CkcubGTCJklp/3fZ1+UnxDb:Z1bVbD4s0boXloJrO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-06-21_5abad4e59fcccf9f3776cab3c9731c2f_black-basta_cobalt-strike_satacom_vidar.exe (PID: 4192)
    • Checks for external IP

      • FRP.exe (PID: 6312)
      • svchost.exe (PID: 2200)
    • There is functionality for taking screenshot (YARA)

      • 2025-06-21_5abad4e59fcccf9f3776cab3c9731c2f_black-basta_cobalt-strike_satacom_vidar.exe (PID: 4192)
      • FRP.exe (PID: 6312)
    • Reads security settings of Internet Explorer

      • 2025-06-21_5abad4e59fcccf9f3776cab3c9731c2f_black-basta_cobalt-strike_satacom_vidar.exe (PID: 4192)
    • Process drops legitimate windows executable

      • 2025-06-21_5abad4e59fcccf9f3776cab3c9731c2f_black-basta_cobalt-strike_satacom_vidar.exe (PID: 4192)
    • Reads the date of Windows installation

      • 2025-06-21_5abad4e59fcccf9f3776cab3c9731c2f_black-basta_cobalt-strike_satacom_vidar.exe (PID: 4192)
  • INFO

    • Create files in a temporary directory

      • 2025-06-21_5abad4e59fcccf9f3776cab3c9731c2f_black-basta_cobalt-strike_satacom_vidar.exe (PID: 4192)
    • The sample compiled with english language support

      • 2025-06-21_5abad4e59fcccf9f3776cab3c9731c2f_black-basta_cobalt-strike_satacom_vidar.exe (PID: 4192)
    • Reads the software policy settings

      • FRP.exe (PID: 6312)
      • slui.exe (PID: 1132)
    • Creates files in the program directory

      • FRP.exe (PID: 6312)
    • Disables trace logs

      • FRP.exe (PID: 6312)
    • Checks proxy server information

      • FRP.exe (PID: 6312)
      • slui.exe (PID: 1132)
    • Reads the computer name

      • 2025-06-21_5abad4e59fcccf9f3776cab3c9731c2f_black-basta_cobalt-strike_satacom_vidar.exe (PID: 4192)
      • FRP.exe (PID: 6312)
    • Checks supported languages

      • 2025-06-21_5abad4e59fcccf9f3776cab3c9731c2f_black-basta_cobalt-strike_satacom_vidar.exe (PID: 4192)
      • FRP.exe (PID: 6312)
    • Reads Environment values

      • FRP.exe (PID: 6312)
    • Reads the machine GUID from the registry

      • FRP.exe (PID: 6312)
    • Process checks computer location settings

      • 2025-06-21_5abad4e59fcccf9f3776cab3c9731c2f_black-basta_cobalt-strike_satacom_vidar.exe (PID: 4192)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:05:12 10:17:07+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.33
CodeSize: 288768
InitializedDataSize: 137216
UninitializedDataSize: -
EntryPoint: 0x32ee0
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 134
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start, 2025-06-21_5abad4e59fcccf9f3776cab3c9731c2f_black-basta_cobalt-strike_satacom_vidar.exe, frp.exe, svchost.exe, slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1132
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 4192
CMD: "C:\Users\admin\Desktop\2025-06-21_5abad4e59fcccf9f3776cab3c9731c2f_black-basta_cobalt-strike_satacom_vidar.exe"
Path: C:\Users\admin\Desktop\2025-06-21_5abad4e59fcccf9f3776cab3c9731c2f_black-basta_cobalt-strike_satacom_vidar.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\2025-06-21_5abad4e59fcccf9f3776cab3c9731c2f_black-basta_cobalt-strike_satacom_vidar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6312
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\FRP.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\FRP.exe
Parent process: 2025-06-21_5abad4e59fcccf9f3776cab3c9731c2f_black-basta_cobalt-strike_satacom_vidar.exe
User:
admin
Integrity Level:
MEDIUM
Description:
XiaomiPaid & Developed by HXRU Team
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\frp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 7 876
Read events: 7 862
Write events: 14
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
6312 | FRP.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FRP_RASAPI32 | write | EnableFileTracing | 0
6312 | FRP.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FRP_RASAPI32 | write | EnableAutoFileTracing | 0
6312 | FRP.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FRP_RASAPI32 | write | EnableConsoleTracing | 0
6312 | FRP.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FRP_RASAPI32 | write | FileTracingMask | -
6312 | FRP.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FRP_RASAPI32 | write | ConsoleTracingMask | -
6312 | FRP.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FRP_RASAPI32 | write | MaxFileSize | 1048576
6312 | FRP.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FRP_RASAPI32 | write | FileDirectory | %windir%\tracing
6312 | FRP.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FRP_RASMANCS | write | EnableFileTracing | 0
6312 | FRP.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FRP_RASMANCS | write | EnableAutoFileTracing | 0
6312 | FRP.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FRP_RASMANCS | write | EnableConsoleTracing | 0
Executable files: 29
Suspicious files: 1
Text files: 4
Unknown types: 0

Dropped files

All files below were dropped by PID 4192 (2025-06-21_5abad4e59fcccf9f3776cab3c9731c2f_black-basta_cobalt-strike_satacom_vidar.exe).

Filename | Type | MD5 | SHA256
C:\Users\admin\AppData\Local\Temp\RarSFX0\LibUsbDotNet.dll | executable | 318035E1668DB4D85B0C4039702564B7 | 58984B90611C0A58586E44BF7FF2C8EBDD176E367CBD8D64F9FB41CD7C3B067C
C:\Users\admin\AppData\Local\Temp\RarSFX0\Guna.UI.dll | executable | 8673EAE95D67E5EB19F0ECA3111408E8 | 576D2DE2C9EF5BC1EA9BDD73AE8F408004260037C3B72227EED27E995166276D
C:\Users\admin\AppData\Local\Temp\RarSFX0\FRP.exe | executable | A6A5EDB57BCF99B3E80F8B25BC234B65 | 79430B67F3DC414D7C32E53C33B5F5790DFDF5CE11D8186715ED4AE009D81C57
C:\Users\admin\AppData\Local\Temp\RarSFX0\FRP.exe.config | xml | DE9A517147DE0EF076F8B6C1BB1E2514 | CA7A90FBD7FF3AAAD83876E9E2EB9AF36EEBC9426EB6F8942E86C89EC5AD710F
C:\Users\admin\AppData\Local\Temp\RarSFX0\System.Text.Json.dll | executable | A29D8FFB65AFD4837B39E0F0EA7A79CE | AAD290BABCAEE9D3CB7B2A6E6A885FDC3F60A6A13DF9F972BD249BB608BC5F0D
C:\Users\admin\AppData\Local\Temp\RarSFX0\adb\AdbWinUsbApi.dll | executable | 1016DECEEEDC4493F7BA05750AEBCF43 | C45F8659B7705C0625BC71E8E2810F398A05E7EC87896565EA16B7048D410D61
C:\Users\admin\AppData\Local\Temp\RarSFX0\System.Buffers.dll | executable | ECDFE8EDE869D2CCC6BF99981EA96400 | ACCCCFBE45D9F08FFEED9916E37B33E98C65BE012CFFF6E7FA7B67210CE1FEFB
C:\Users\admin\AppData\Local\Temp\RarSFX0\System.Threading.Tasks.Extensions.dll | executable | E1E9D7D46E5CD9525C5927DC98D9ECC7 | 4F81FFD0DC7204DB75AFC35EA4291769B07C440592F28894260EEA76626A23C6
C:\Users\admin\AppData\Local\Temp\RarSFX0\System.Numerics.Vectors.dll | executable | AAA2CBF14E06E9D3586D8A4ED455DB33 | 1D3EF8698281E7CF7371D1554AFEF5872B39F96C26DA772210A33DA041BA1183
C:\Users\admin\AppData\Local\Temp\RarSFX0\Microsoft.Bcl.AsyncInterfaces.dll | executable | 7BFC54C1CD6680968D959E3B400FB521 | 59F2E6DCEACD9435033BB932D4A1ADD7356F72E9EFF1BF5C396AB3F8254AD81D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 13
TCP/UDP connections: 23
DNS requests: 9
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 188.114.97.3:443 | https://xiaomipaid.com/apihidden/get_prices.php | unknown | text | 89 b | -
1268 | svchost.exe | GET | 200 | 23.55.104.190:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.55.104.190:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5476 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6312 | FRP.exe | GET | 200 | 34.117.59.81:80 | http://ipinfo.io/ip | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 188.114.97.3:443 | https://xiaomipaid.com/apihidden/serverstat.php?id=2 | unknown | - | - | -
- | - | POST | 200 | 188.114.97.3:443 | https://xiaomipaid.com/apihidden/server_status.php | unknown | binary | 1.08 Kb | -
- | - | GET | 200 | 188.114.96.3:443 | https://xiaomipaid.com/apihidden/serverstat.php?id=1 | unknown | - | - | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5476 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.55.104.190:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
5944 | MoUsoCoreWorker.exe | 23.55.104.190:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5476 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 23.55.104.190
  • 23.55.104.172
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
xiaomipaid.com
  • 188.114.96.3
  • 188.114.97.3
unknown
ipinfo.io
  • 34.117.59.81
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 51.116.253.169
whitelisted

Threats

PID | Process | Class | Message
2200 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
6312 | FRP.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ipinfo.io
6312 | FRP.exe | Device Retrieving External IP Address Detected | SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
No debug info