File name:

2025-04-29_c139ee657e177fc615dfeb96c5694a62_adposhel_black-basta_cobalt-strike_elex_luca-stealer_neshta

Full analysis: https://app.any.run/tasks/cc401160-45a8-48a6-b7f4-2dd57d188857
Verdict: Malicious activity
Analysis date: April 29, 2025, 16:35:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
neshta
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

C139EE657E177FC615DFEB96C5694A62

SHA1:

DBF57E85443A9A24FAE92307FE1C467BF85A2528

SHA256:

9981C64488E96039D9BE6B56944D3658CB9CD58A7BA3600555FEB9F9A8EB9043

SSDEEP:

12288:wKSl6XaWv3ob9N1oO8QMLcTcnI6S2eVDb9shs:wBlCaWv3oxfgQMI6S2eVDbes

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • NESHTA mutex has been found

      • 2025-04-29_c139ee657e177fc615dfeb96c5694a62_adposhel_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe (PID: 7616)
      • FileCoAuth.exe (PID: 7908)
    • Executing a file with an untrusted certificate

      • FileCoAuth.exe (PID: 7984)
  • SUSPICIOUS

    • Mutex name with non-standard characters

      • 2025-04-29_c139ee657e177fc615dfeb96c5694a62_adposhel_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe (PID: 7616)
      • FileCoAuth.exe (PID: 7908)
    • Executable content was dropped or overwritten

      • 2025-04-29_c139ee657e177fc615dfeb96c5694a62_adposhel_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe (PID: 7616)
      • FileCoAuth.exe (PID: 7908)
    • There is functionality for taking screenshot (YARA)

      • 2025-04-29_c139ee657e177fc615dfeb96c5694a62_adposhel_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe (PID: 7616)
    • Reads security settings of Internet Explorer

      • 2025-04-29_c139ee657e177fc615dfeb96c5694a62_adposhel_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe (PID: 7616)
      • 2025-04-29_c139ee657e177fc615dfeb96c5694a62_adposhel_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe (PID: 7660)
      • FileCoAuth.exe (PID: 7908)
    • Process drops legitimate windows executable

      • FileCoAuth.exe (PID: 7908)
    • Starts a Microsoft application from unusual location

      • FileCoAuth.exe (PID: 7984)
  • INFO

    • The sample compiled with chinese language support

      • 2025-04-29_c139ee657e177fc615dfeb96c5694a62_adposhel_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe (PID: 7616)
    • Create files in a temporary directory

      • 2025-04-29_c139ee657e177fc615dfeb96c5694a62_adposhel_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe (PID: 7616)
      • FileCoAuth.exe (PID: 7984)
    • Reads the computer name

      • 2025-04-29_c139ee657e177fc615dfeb96c5694a62_adposhel_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe (PID: 7616)
      • 2025-04-29_c139ee657e177fc615dfeb96c5694a62_adposhel_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe (PID: 7660)
      • FileCoAuth.exe (PID: 7984)
    • Checks supported languages

      • 2025-04-29_c139ee657e177fc615dfeb96c5694a62_adposhel_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe (PID: 7616)
      • 2025-04-29_c139ee657e177fc615dfeb96c5694a62_adposhel_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe (PID: 7660)
      • FileCoAuth.exe (PID: 7984)
    • Process checks computer location settings

      • 2025-04-29_c139ee657e177fc615dfeb96c5694a62_adposhel_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe (PID: 7616)
      • FileCoAuth.exe (PID: 7908)
    • The sample compiled with english language support

      • FileCoAuth.exe (PID: 7908)
    • Creates files or folders in the user directory

      • FileCoAuth.exe (PID: 7984)
    • Reads the machine GUID from the registry

      • FileCoAuth.exe (PID: 7984)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 6 (89.3)
.exe | Win32 Executable Delphi generic (4.8)
.dll | Win32 Dynamic Link Library (generic) (2.2)
.exe | Win32 Executable (generic) (1.5)
.exe | Win16/32 Executable Delphi generic (0.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00 (the fixed value 0x2A425E19 that the Borland/Delphi linker writes into every binary; it is not the build date)
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 29696
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x8178
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
129
Monitored processes
5
Malicious processes
2
Suspicious processes
1

Behavior graph

Process tree (parent/child links taken from the process table below; "no specs" is the report's label for processes without detailed event capture):

start
  #NESHTA 2025-04-29_c139ee657e177fc615dfeb96c5694a62_adposhel_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe (PID 7616, started by explorer.exe)
    2025-04-29_c139ee657e177fc615dfeb96c5694a62_adposhel_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe (PID 7660, no specs, run from %LOCALAPPDATA%\Temp\3582-490\)
  filecoauth.exe (PID 7908, no specs, started by svchost.exe with -Embedding)
    filecoauth.exe (PID 7984, no specs, run from %LOCALAPPDATA%\Temp\3582-490\)
  slui.exe (PID 4880, started by svchost.exe)

Read together with the dropped-files list, this is the Neshta file-infector pattern rather than a standalone payload. The infected host (PID 7616) writes its original program into %LOCALAPPDATA%\Temp\3582-490\ and relaunches it from there (PID 7660), and it also writes six other user-writable executables (the OneDrive binaries under %LOCALAPPDATA%\Microsoft\OneDrive and AdobeARMHelper.exe under C:\ProgramData). When svchost.exe later activates the rewritten OneDrive FileCoAuth.exe through COM (-Embedding, PID 7908), the infector code runs again and repeats the same drop-and-relaunch into 3582-490 (PID 7984), which is why a binary described as Microsoft OneDrive is seen starting from a Temp directory. Note that the rewritten copy (PID 7908) shows no Company, Description or Version resource in the process table, while the relaunched original (PID 7984) does. The 3582-490 folder name is a long-standing Neshta indicator.

Process information

Columns: PID, CMD, Path, Parent process, then per-process details and loaded modules.

PID: 4880
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 7616
CMD: "C:\Users\admin\Desktop\2025-04-29_c139ee657e177fc615dfeb96c5694a62_adposhel_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe"
Path: C:\Users\admin\Desktop\2025-04-29_c139ee657e177fc615dfeb96c5694a62_adposhel_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\2025-04-29_c139ee657e177fc615dfeb96c5694a62_adposhel_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 7660
CMD: "C:\Users\admin\AppData\Local\Temp\3582-490\2025-04-29_c139ee657e177fc615dfeb96c5694a62_adposhel_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe"
Path: C:\Users\admin\AppData\Local\Temp\3582-490\2025-04-29_c139ee657e177fc615dfeb96c5694a62_adposhel_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe
Parent process: 2025-04-29_c139ee657e177fc615dfeb96c5694a62_adposhel_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe (PID 7616)
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\3582-490\2025-04-29_c139ee657e177fc615dfeb96c5694a62_adposhel_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 7908
CMD: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
Parent process: svchost.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
(No Company, Description or Version recorded for this image.)
Modules (images):
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

PID: 7984
CMD: "C:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exe" -Embedding
Path: C:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exe
Parent process: FileCoAuth.exe (PID 7908)
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDrive File Co-Authoring Executable
Exit code: 0
Version: 19.043.0304.0013
Modules (images):
c:\users\admin\appdata\local\temp\3582-490\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
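The process table above is the kind of telemetry a detection engineer would write rules against. The following is an added example, not part of the ANY.RUN report and not code from the sample or from Microsoft: it replays process-creation events reconstructed from the table through three rules (the exact 3582-490 drop folder, the generic "same file name relaunched from a Temp folder" shape, and vendor-described binaries running from Temp) and then pivots from the relaunched copies back to their parents, which are the files that actually carry the infector. The record layout (pid, image, parent, company) is hypothetical and the events are constructed from the report; real telemetry (Sysmon event 1, EDR process events) uses its own field names. The sample's file name is shortened for readability.

```python
import re

def win(*parts):
    """Join Windows path components with backslashes."""
    return "\\".join(parts)

# Process-creation events reconstructed from this report's process table
# (PIDs, image paths, parents, and the Company field where the report shows one).
# Constructed for the demo; the field names are hypothetical and would map onto
# Sysmon event 1 / EDR fields in real telemetry.
SAMPLE = "2025-04-29_c139ee657e177fc615dfeb96c5694a62_neshta.exe"
ONEDRIVE = r"C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013"
DROP_DIR = r"C:\Users\admin\AppData\Local\Temp\3582-490"
EVENTS = [
    {"pid": 7616, "image": win(r"C:\Users\admin\Desktop", SAMPLE),
     "parent": r"C:\Windows\explorer.exe", "company": None},
    {"pid": 7660, "image": win(DROP_DIR, SAMPLE),
     "parent": win(r"C:\Users\admin\Desktop", SAMPLE), "company": None},
    {"pid": 7908, "image": win(ONEDRIVE, "FileCoAuth.exe"),
     "parent": r"C:\Windows\System32\svchost.exe", "company": None},
    {"pid": 7984, "image": win(DROP_DIR, "FileCoAuth.exe"),
     "parent": win(ONEDRIVE, "FileCoAuth.exe"), "company": "Microsoft Corporation"},
    {"pid": 4880, "image": r"C:\Windows\System32\slui.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "company": "Microsoft Corporation"},
]

NESHTA_DROP_DIR = re.compile(r"\\AppData\\Local\\Temp\\3582-490\\", re.IGNORECASE)
ANY_TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return the names of the rules this event triggers (empty list if none)."""
    image, parent = event["image"], event["parent"]
    hits = []
    # Rule 1: the well-known Neshta drop folder, an exact indicator.
    if NESHTA_DROP_DIR.search(image):
        hits.append("neshta_drop_dir")
    # Rule 2: a process in any Temp folder whose image has the same file name as
    # its parent: the generic "infected host drops and relaunches the original"
    # shape, independent of the folder name a given infector uses.
    if ANY_TEMP_DIR.search(image) and basename(image) == basename(parent):
        hits.append("temp_relaunch_same_name")
    # Rule 3: a binary carrying vendor metadata but running from Temp
    # (the report's "Starts a Microsoft application from unusual location").
    if event.get("company") == "Microsoft Corporation" and ANY_TEMP_DIR.search(image):
        hits.append("vendor_binary_from_temp")
    return hits

def triage(events):
    """Map PID -> triggered rules for every event that triggered at least one."""
    results = {e["pid"]: evaluate(e) for e in events}
    return {pid: hits for pid, hits in results.items() if hits}

def infected_host_candidates(events):
    """Parents of relaunched processes: these are the files that carry the
    infector and need quarantine or disinfection, not the Temp copies."""
    return sorted({e["parent"] for e in events
                   if "temp_relaunch_same_name" in evaluate(e)})

if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        print(pid, hits)
    print("infected host candidates:", infected_host_candidates(EVENTS))
```

Two things the run makes visible. PID 7908, the rewritten OneDrive FileCoAuth.exe launched from its normal location by svchost.exe, triggers nothing on its own; an infected host only becomes identifiable through the child it spawns, so the rules key on the child and the pivot to the parent does the attribution. Rule 3 also depends on the telemetry source exposing version-resource fields; if it does not, Rule 2 still fires.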
Total events
4 300
Read events
4 300
Write events
0
Delete events
0

Modification events

No data
Executable files
9
Suspicious files
2
Text files
2
Unknown types
0

Dropped files

Columns: PID, Process, Filename, Type, then MD5 and SHA256. "sample" stands for 2025-04-29_c139ee657e177fc615dfeb96c5694a62_adposhel_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe.

7616 | sample | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncConfig.exe | executable
  MD5: 62B17C396323A05211FCB806947C9A73
  SHA256: ADD9754D24558AD5692521CFE97E9F1E71144F41E4E99D984BEE71F697D25F55
7616 | sample | C:\Users\admin\AppData\Local\Temp\3582-490\2025-04-29_c139ee657e177fc615dfeb96c5694a62_adposhel_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe | executable
  MD5: 0415CC04AAD0E21900E129D40868CE82
  SHA256: C2F6E934B293DE31C585A3D1916CE6ADEAB8701CA416D6A17E9861EAB0E0F5C6
7616 | sample | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncHelper.exe | executable
  MD5: 12A15C2EAF14CAE8B2B42AA74ADCE267
  SHA256: 091E59D43AF2C3784BC7F1F853DC5262888ECF340C15A81864E10A506281F65B
7616 | sample | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe | executable
  MD5: 21DA59CE25A2391BD3B0032B2CACDA60
  SHA256: 25A12C3598CFE9705928B3110FA40E36E885BEDEEB51F405B063E806D3A4FA4B
7660 | sample | C:\Users\admin\AppData\Local\config.ini | text
  MD5: 025ABA3FE3CA0BBAA70DF8CC21CB281C
  SHA256: A67235B81A98F90ECDF2607173062CE953DBDDE5038B05E6310AA9DB93EF2326
7984 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-04-29.1636.7984.1.aodl | binary
  MD5: 28DCA2FF4B34B5A52A2E59DF202A6ED3
  SHA256: 33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94
7616 | sample | C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe | executable
  MD5: 717773EA512935FF43DB2A240F73F065
  SHA256: FC72BC56F7EEEC39433F09B3756B7664F90575FDA38B037DFA70CBC666A4C80E
7616 | sample | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\OneDriveUpdaterService.exe | executable
  MD5: DA208322FA12146ECCAFB2CBED567F21
  SHA256: 09BB93A4C010AF9F607006EFA76D5D3A7435864A513BEF9AF0FFA665A3B18440
7616 | sample | C:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exe | executable
  MD5: 5AD18D4DCE1261D22EEE787EF3ACA521
  SHA256: 6675AC4E0DC6A36D3F684EE9B2FB17D597989E2CB7C28955A5530E7800D2C505
7908 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exe | executable
  MD5: 394DEEEF3E5FFE6C77A9CDA1832361BB
  SHA256: 37DCEC7509B0803F2BBA453845ED67FDBAA15771F8A60FC11F9082FD2A64BD23

Note the two FileCoAuth.exe entries: the copy PID 7616 wrote into the OneDrive folder (MD5 21DA59CE...) and the copy PID 7908 later wrote into 3582-490 (MD5 394DEEEF...) have different hashes. The first is the file after the infector rewrote it; the second is what that rewritten file emits when it runs, i.e. the program it was carrying.
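For a file-level check that does not need a sandbox, the following is an added example (not from the ANY.RUN report, the sample, or any vendor tool). It parses a PE's section table to find where the on-disk image ends, looks for a second PE image in the overlay, and carves it out; that is the generic triage step for a prepending infector, where the host file is the infector's own image with the original program appended. The assumption that Neshta lays its host files out this way follows from how the family is generally described and from this report's behaviour (the infected host emits a differently hashed executable into 3582-490), but it is an assumption, so the example builds and checks its own tiny constructed stand-in PEs rather than claiming byte offsets for the real stub. Applied to a real host file, the carved image's hash should match the file the infector dropped into 3582-490 (0415CC04AAD0E21900E129D40868CE82 for the sample, 394DEEEF3E5FFE6C77A9CDA1832361BB for FileCoAuth.exe); a mismatch means the layout assumption is wrong for that file.

```python
import hashlib
import struct

def _align(n, a=0x200):
    return (n + a - 1) & ~(a - 1)

def build_minimal_pe(section_data: bytes, timestamp: int) -> bytes:
    """Construct a tiny, non-runnable PE32 image with a single section.
    Used only to build test input for this example; it is not a real program."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)       # 0x40 bytes
    opt_size = 0xE0                                                   # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\x00")
    raw_ptr = _align(e_lfanew + 4 + len(coff) + opt_size + 40)
    raw_size = _align(len(section_data))
    section = b".text".ljust(8, b"\x00") + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\x00\x00" + coff + opt + section).ljust(raw_ptr, b"\x00")
    return headers + section_data.ljust(raw_size, b"\x00")

def pe_end_of_image(data: bytes) -> int:
    """Offset where the PE's on-disk sections end; bytes beyond it are overlay."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    (nsections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 4 + 20 + opt_size
    end = table + 40 * nsections
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def _looks_like_pe(data: bytes, off: int) -> bool:
    """True if a plausible MZ/PE header pair starts at off."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, off + 0x3C)
    sig = off + e_lfanew
    return 4 <= e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\x00\x00"

def find_embedded_pe(data: bytes):
    """Offset of a second PE image beginning in the first image's overlay, or None."""
    pos = data.find(b"MZ", pe_end_of_image(data))
    while pos != -1:
        if _looks_like_pe(data, pos):
            return pos
        pos = data.find(b"MZ", pos + 1)
    return None

def carve_original(data: bytes):
    """Return the embedded image (everything from its MZ to end of file), or None."""
    off = find_embedded_pe(data)
    return None if off is None else data[off:]

def sha256(b: bytes) -> str:
    return hashlib.sha256(b).hexdigest()

# Constructed stand-in for an infected file: a stub image followed by the
# original program. 0x2A425E19 is the constant TimeDateStamp Delphi-built
# binaries carry (1992-06-19 22:22:17 UTC), as in this sample's EXIF data.
STUB = build_minimal_pe(b"INFECTOR STUB " * 30, 0x2A425E19)
ORIGINAL = build_minimal_pe(b"ORIGINAL PROGRAM BODY", 0x66000000)
INFECTED = STUB + ORIGINAL

if __name__ == "__main__":
    off = find_embedded_pe(INFECTED)
    carved = carve_original(INFECTED)
    print(f"stub image ends at 0x{off:x}; carved sha256 {sha256(carved)}")
    print("carved image identical to original:", carved == ORIGINAL)
```

An embedded PE in the overlay is not by itself proof of infection: installers, self-extracting archives and some packers legitimately carry executables after the last section. The corroborating signals are the ones this report shows, a child process with the same file name starting from the 3582-490 folder, and the carved image hashing to the file that child ran from.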
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
32
TCP/UDP connections
52
DNS requests
18
Threats
0

HTTP requests

Columns: PID and process, Method, HTTP code, IP, URL, CN, Reputation (the report's Type and Size columns were empty for every row; rows marked "PID not shown" had no process attributed in the report).

2104 svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2104 svchost.exe | GET | 200 | 23.216.77.7:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
PID not shown | GET | 304 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown |
8040 SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
PID not shown | GET | 200 | 52.149.20.212:443 | https://slscr.update.microsoft.com/sls/ping | unknown |
PID not shown | GET | 200 | 52.165.164.15:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown |
8040 SIHClient.exe | GET | 200 | 23.216.77.31:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
8040 SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
8040 SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
8040 SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted

None of the five monitored processes (PIDs 7616, 7660, 7908, 7984, 4880) appears in the HTTP or connection tables; every recorded request comes from Windows services (CRL downloads, Windows Update, WNS, Live login). In this run the infector made no network contact, consistent with a file infector that has no command-and-control component.

Connections

Columns: PID and process, IP, Domain, ASN, CN (country), Reputation (rows marked "PID not shown" had no process attributed in the report).

4 System | 192.168.100.255:137 | | | | whitelisted
PID not shown | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
PID not shown | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 System | 192.168.100.255:138 | | | | whitelisted
2104 svchost.exe | 23.216.77.7:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3216 svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2104 svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
6544 svchost.exe | 40.126.31.128:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.181.238
whitelisted
crl.microsoft.com
  • 23.216.77.7
  • 23.216.77.26
  • 23.216.77.36
  • 23.216.77.13
  • 23.216.77.23
  • 23.216.77.11
  • 23.216.77.21
  • 23.216.77.10
  • 23.216.77.12
  • 23.216.77.31
  • 23.216.77.37
  • 23.216.77.39
  • 23.216.77.29
  • 23.216.77.8
  • 23.216.77.17
  • 23.216.77.30
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.249
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 184.30.21.171
whitelisted
login.live.com
  • 40.126.31.128
  • 20.190.159.71
  • 20.190.159.64
  • 20.190.159.75
  • 20.190.159.129
  • 40.126.31.131
  • 40.126.31.69
  • 20.190.159.128
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.14
whitelisted

Threats

No threats detected
No debug info