File name:

2025-06-21_fb0b52fbec33c25d97eb5c79efbc190f_black-basta_cobalt-strike_luca-stealer_satacom_vidar

Full analysis: https://app.any.run/tasks/4418016c-7121-4060-aa21-2bbe632a846b
Verdict: Malicious activity
Threats:

HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.

Analysis date: June 21, 2025, 15:40:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
delphi
hijackloader
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

FB0B52FBEC33C25D97EB5C79EFBC190F

SHA1:

123D9464C559D1A8B7F052731C7B3A9559F129B5

SHA256:

9889502B9C51D5214D2762D193CD6E79525053F07B151F6AED3EC8651F74ABF6

SSDEEP:

98304:HbBoZxdMUdIwYTG+g2TmwWhDnOdZYjyDlSGnyLHYWQ29dQf0lyaMP6yWBZ+/CsBC:xnmW6vIU/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • HIJACKLOADER has been detected (YARA)

      • DigUn41.exe (PID: 5644)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-06-21_fb0b52fbec33c25d97eb5c79efbc190f_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 3632)
    • Reads the date of Windows installation

      • 2025-06-21_fb0b52fbec33c25d97eb5c79efbc190f_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 3632)
    • Reads security settings of Internet Explorer

      • 2025-06-21_fb0b52fbec33c25d97eb5c79efbc190f_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 3632)
    • Executes application which crashes

      • DigUn41.exe (PID: 5644)
    • There is functionality for taking screenshot (YARA)

      • 2025-06-21_fb0b52fbec33c25d97eb5c79efbc190f_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 3632)
      • DigUn41.exe (PID: 5644)
  • INFO

    • Reads the computer name

      • 2025-06-21_fb0b52fbec33c25d97eb5c79efbc190f_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 3632)
      • DigUn41.exe (PID: 5644)
    • Creates files in a temporary directory

      • 2025-06-21_fb0b52fbec33c25d97eb5c79efbc190f_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 3632)
    • Process checks computer location settings

      • 2025-06-21_fb0b52fbec33c25d97eb5c79efbc190f_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 3632)
    • The sample was compiled with English language support

      • 2025-06-21_fb0b52fbec33c25d97eb5c79efbc190f_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 3632)
    • Checks supported languages

      • 2025-06-21_fb0b52fbec33c25d97eb5c79efbc190f_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 3632)
      • DigUn41.exe (PID: 5644)
    • Compiled with Borland Delphi (YARA)

      • 2025-06-21_fb0b52fbec33c25d97eb5c79efbc190f_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 3632)
      • DigUn41.exe (PID: 5644)
    • Checks proxy server information

      • WerFault.exe (PID: 3504)
      • slui.exe (PID: 4224)
    • Reads the software policy settings

      • WerFault.exe (PID: 3504)
      • slui.exe (PID: 4224)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 3504)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:03:20 10:01:39+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 260096
InitializedDataSize: 269824
UninitializedDataSize: -
EntryPoint: 0x275c0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
139
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

start 2025-06-21_fb0b52fbec33c25d97eb5c79efbc190f_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe #HIJACKLOADER digun41.exe werfault.exe slui.exe

Process information

PID: 3504
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5644 -s 872
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: DigUn41.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 3632
CMD: "C:\Users\admin\Desktop\2025-06-21_fb0b52fbec33c25d97eb5c79efbc190f_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe"
Path: C:\Users\admin\Desktop\2025-06-21_fb0b52fbec33c25d97eb5c79efbc190f_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-06-21_fb0b52fbec33c25d97eb5c79efbc190f_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4224
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5644
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\DigUn41.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\DigUn41.exe
Parent process: 2025-06-21_fb0b52fbec33c25d97eb5c79efbc190f_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
User:
admin
Integrity Level:
MEDIUM
Description:
ezwHookpp
Exit code:
3221226356 (0xC0000374, STATUS_HEAP_CORRUPTION)
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\digun41.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
Total events
10 092
Read events
10 092
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
4
Text files
2
Unknown types
0

Dropped files

PID: 3504
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_DigUn41.exe_c43e173c5e0f28f8570d91467cb82a2a4ae56_19e2af14_da45df68-22ed-45aa-b0f0-d6cbc4135f21\Report.wer
MD5:
SHA256:
PID: 3632
Process: 2025-06-21_fb0b52fbec33c25d97eb5c79efbc190f_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\sdHookpp.32.dll
Type: executable
MD5:F56EA34EFF7D1E7D70F866B4599CD5C4
SHA256:28EA68E15D062A8A55CE5B8CD32E9D26A57C38708ACF639986ED04BCBB034576
PID: 3632
Process: 2025-06-21_fb0b52fbec33c25d97eb5c79efbc190f_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\Frokoon.iwpi
Type: binary
MD5:600BFF25E50E0162D2A496D31C154B59
SHA256:32BB79EC8593FB58AF538E75745CAB48AA2E812FE8E470699DB0907A5183CCA8
PID: 3632
Process: 2025-06-21_fb0b52fbec33c25d97eb5c79efbc190f_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\DigUn41.exe
Type: executable
MD5:76C6FA6BEC0ECC08D33A2F2B7360F2C0
SHA256:39679EE4DE6993C82B73BCF8AB58D86B9551DA860EF242F5D3C8EBF577BFBD77
PID: 3632
Process: 2025-06-21_fb0b52fbec33c25d97eb5c79efbc190f_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\Kroonjaed.fvu
Type: binary
MD5:F3CDB64FE0DEF8F3F290F825472DD45F
SHA256:CD3B9BEECB80EA1BDA54A5510B69615BDFC259BC26D8410411F9FCC778601DA3
PID: 3504
Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\DigUn41.exe.5644.dmp
Type: binary
MD5:31495BB52638BE923372911D7A42CF52
SHA256:D7C1DDD1C34720D1A30079607A825C40FED9651F1B4588DC10F103A296EE6EBE
PID: 3504
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER761C.tmp.xml
Type: xml
MD5:9DFD9F9C047A05AFD7D4251990FE775E
SHA256:DA32DE891A765DE59C5080F9585E8354614F36C2551D43866296F4C088B8CFA9
PID: 3504
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7520.tmp.dmp
Type: binary
MD5:DB0DE1BDE74224CBCDD51033F22D873C
SHA256:94398FC245824F0399C7B6C2AF39A7B6D2A3B1C77425EF883F098B0ED7D4C08C
PID: 3504
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER75EC.tmp.WERInternalMetadata.xml
Type: xml
MD5:6690AD5C8EFDD22FAC54A379E364503B
SHA256:BDF24BEAD14F7F0CF94C51B3385D03F5B0C7E2406EF0DC128083DD8B24F01112
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
38
TCP/UDP connections
53
DNS requests
22
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2468 | RUXIMICS.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2468 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.159.64:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 200 | 40.126.31.0:443 | https://login.live.com/RST2.srf | unknown | xml | 1.87 Kb | whitelisted
- | - | POST | 200 | 20.190.160.66:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | POST | 200 | 20.190.159.131:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2468 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2468 | RUXIMICS.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2468 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.238
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
login.live.com
  • 20.190.159.64
  • 20.190.159.73
  • 40.126.31.71
  • 40.126.31.73
  • 20.190.159.131
  • 20.190.159.129
  • 40.126.31.0
  • 40.126.31.131
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.250
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.11
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
watson.events.data.microsoft.com
  • 52.182.143.212
whitelisted

Threats

No threats detected
No debug info