File name:

2025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta

Full analysis: https://app.any.run/tasks/8ee39c1d-8004-45fb-b2c8-6abfbacb3b98
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: April 07, 2025, 06:28:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
neshta
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

CD2664F9A35F1DE44E058620DE40A9CE

SHA1:

0C77BB047A919770071EEFA357145C2A7CBA5CD6

SHA256:

9ED9CDB84EDC7CEF756DF1D2950829815E8B847E2D9D1D9723AFE94EE19AE33A

SSDEEP:

49152:9TsLa8N6GMT+qTfS8jInTWLZpwsWHq+WMyzSCB8h9OX9wS0djllxkg:xsbY+qDSWInTWtpwPHq+WV/LXgfxkg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • NESHTA mutex has been found

      • 2025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exe (PID: 4988)
      • FileCoAuth.exe (PID: 5380)

    • Actions looks like stealing of personal data

      • 2025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exe (PID: 4988)

    • Executing a file with an untrusted certificate

      • FileCoAuth.exe (PID: 4692)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • 2025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exe (PID: 4988)
      • FileCoAuth.exe (PID: 5380)

    • Reads security settings of Internet Explorer

      • 2025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exe (PID: 4988)
      • FileCoAuth.exe (PID: 5380)

    • Starts a Microsoft application from unusual location

      • 2025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exe (PID: 5720)
      • FileCoAuth.exe (PID: 4692)

    • Mutex name with non-standard characters

      • 2025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exe (PID: 4988)
      • FileCoAuth.exe (PID: 5380)

    • Executable content was dropped or overwritten

      • 2025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exe (PID: 4988)
      • FileCoAuth.exe (PID: 5380)

    • There is functionality for taking screenshot (YARA)

      • 2025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exe (PID: 4988)

  • INFO

    • Checks supported languages

      • 2025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exe (PID: 4988)
      • FileCoAuth.exe (PID: 4692)

    • Reads the computer name

      • 2025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exe (PID: 4988)
      • FileCoAuth.exe (PID: 4692)

    • The sample compiled with english language support

      • 2025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exe (PID: 4988)
      • FileCoAuth.exe (PID: 5380)

    • Create files in a temporary directory

      • 2025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exe (PID: 4988)
      • FileCoAuth.exe (PID: 4692)

    • Process checks computer location settings

      • 2025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exe (PID: 4988)
      • FileCoAuth.exe (PID: 5380)

    • Reads the software policy settings

      • slui.exe (PID: 4428)

    • Creates files or folders in the user directory

      • FileCoAuth.exe (PID: 4692)

    • Reads the machine GUID from the registry

      • FileCoAuth.exe (PID: 4692)

    • Checks proxy server information

      • slui.exe (PID: 4428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 6 (89.3)
.exe | Win32 Executable Delphi generic (4.8)
.dll | Win32 Dynamic Link Library (generic) (2.2)
.exe | Win32 Executable (generic) (1.5)
.exe | Win16/32 Executable Delphi generic (0.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 29696
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x80e4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
127
Monitored processes
6
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start #NESHTA 2025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exe 2025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exe no specs conhost.exe no specs filecoauth.exe no specs filecoauth.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
4428C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4692"C:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exe" -EmbeddingC:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exeFileCoAuth.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDriveFile Co-Authoring Executable
Exit code:
0
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
4724\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe2025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4988"C:\Users\admin\Desktop\2025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exe" C:\Users\admin\Desktop\2025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
5380C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -EmbeddingC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exesvchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
5720"C:\Users\admin\AppData\Local\Temp\3582-490\2025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exe" C:\Users\admin\AppData\Local\Temp\3582-490\2025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exe2025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
3221225781
Version:
4.18.25030.2 (000028f0c1f345a538ea89b768605447f1c02bdf)
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\2025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
Total events
4 018
Read events
4 018
Write events
0
Delete events
0

Modification events

No data
Executable files
9
Suspicious files
2
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
49882025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exeexecutable
MD5:13C2D5BF03C4A2B28E930F990CCC32DB
SHA256:12D24D0BC0E7CDC902E3540A3C6F7B755094F011A8EAD49A47A00563710B8F80
49882025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncHelper.exeexecutable
MD5:1C0BE16E6ED8F5B6F0910650A25F4FA7
SHA256:3028F6A6A7A10DC5D63F256FEEB8275F3818BF3371EAF8B20A2D0BF2FCD5F4A9
49882025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exeexecutable
MD5:178B773B3FB050FCE26E40A9E8C2EE9A
SHA256:1E03573733F25B44004049A535E7E79366FD86FE953F6DFEDAAD05513B46A6C5
5380FileCoAuth.exeC:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exeexecutable
MD5:394DEEEF3E5FFE6C77A9CDA1832361BB
SHA256:37DCEC7509B0803F2BBA453845ED67FDBAA15771F8A60FC11F9082FD2A64BD23
49882025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\OneDriveUpdaterService.exeexecutable
MD5:E73AC057B2CFEF016B8199389F0DF590
SHA256:20ABA9D6001E5CDC287CD5BD452D0F2D05980D83F851D2B309BF49E9D9A8AC4C
49882025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exeC:\Users\admin\AppData\Local\Temp\3582-490\2025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exeexecutable
MD5:C1C6C250371E810FEB5B7A77D9D075EA
SHA256:BCC0DCEFBFB24BECAF1DF9B2C9492666066612E661301AD604A138A4044F1D86
4692FileCoAuth.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-04-07.0628.4692.1.odlbinary
MD5:93EFD77ABC2D098E3CACB6989471A9A9
SHA256:CB20B71B9E456C949C2839CB8869FC4CBC000206B3E39C4234379EC3E6D09CC0
49882025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exeC:\Users\admin\AppData\Local\Temp\tmp5023.tmptext
MD5:DA9081EF4D2E095DCC7F8DC4011AAC11
SHA256:F7AA470C785A7D4CCBEC5A5ED74D85829B39BDD493926AA60CAD5447EB628B88
4692FileCoAuth.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-04-07.0628.4692.1.aodlbinary
MD5:28DCA2FF4B34B5A52A2E59DF202A6ED3
SHA256:33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94
49882025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta.exeC:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exeexecutable
MD5:85A67D34298E33D2D5A9EC789B6AB594
SHA256:1DEE143B4F88F2375B85C6271A58E2E78FED081BEAE4090678CB2DD7A37FB2D4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
25
TCP/UDP connections
44
DNS requests
11
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
304
20.12.23.50:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
5640
SIHClient.exe
GET
200
2.20.245.139:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5640
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5640
SIHClient.exe
GET
200
2.20.245.139:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
5640
SIHClient.exe
GET
200
2.20.245.139:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
5640
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5640
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
GET
200
40.69.42.241:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
GET
200
20.12.23.50:443
https://slscr.update.microsoft.com/sls/ping
unknown
GET
304
20.12.23.50:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
4200
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
5640
SIHClient.exe
4.245.163.56:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5640
SIHClient.exe
2.20.245.139:80
crl.microsoft.com
Akamai International B.V.
SE
whitelisted
5640
SIHClient.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5640
SIHClient.exe
13.85.23.206:443
fe3cr.delivery.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6544
svchost.exe
20.190.159.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.142
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
crl.microsoft.com
  • 2.20.245.139
  • 2.20.245.137
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
login.live.com
  • 20.190.159.2
  • 20.190.159.75
  • 40.126.31.1
  • 40.126.31.130
  • 40.126.31.131
  • 40.126.31.0
  • 40.126.31.73
  • 20.190.159.129
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-04-07_cd2664f9a35f1de44e058620de40a9ce_black-basta_neshta