File name:

2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar

Full analysis: https://app.any.run/tasks/0031c308-1010-454c-87c6-5572a856ca6a
Verdict: Malicious activity
Analysis date: July 03, 2025, 21:50:59
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: 38FEEA6391D33B1BB74ABB43883E00C7
SHA1: 6850D6F154314F7F45CC7A63E1AA81133E822929
SHA256: A466676F4EABC4FED8CFB6158A8D173F20FB54F96ACE59D849F9E0C70C742101
SSDEEP: 98304:HbBoZk5devUSobx6xI+YaeZMKUGh/Cm/yGr3ZgO5cYQ6aNSCPFvkVHch1vNs8Epu:5PY+X9yHJFk2AVVAJYMGIv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 1080)
    • Process drops SQLite DLL files

      • 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 1080)
    • The process creates files with name similar to system file names

      • 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 1080)
    • Reads security settings of Internet Explorer

      • 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 1080)
    • Reads the date of Windows installation

      • 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 1080)
    • Executes application which crashes

      • Delta_Enterprise64.exe (PID: 6732)
    • Checks for external IP

      • svchost.exe (PID: 2200)
      • Delta_Enterprise64.exe (PID: 6732)
  • INFO

    • Reads the computer name

      • 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 1080)
      • Delta_Enterprise64.exe (PID: 6732)
    • Checks supported languages

      • 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 1080)
      • Delta_Enterprise64.exe (PID: 6732)
    • The sample compiled with english language support

      • 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 1080)
    • Create files in a temporary directory

      • 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 1080)
    • Process checks computer location settings

      • 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 1080)
    • Creates files or folders in the user directory

      • Delta_Enterprise64.exe (PID: 6732)
      • WerFault.exe (PID: 1052)
      • WerFault.exe (PID: 6268)
    • Reads CPU info

      • Delta_Enterprise64.exe (PID: 6732)
    • Checks proxy server information

      • WerFault.exe (PID: 6268)
      • slui.exe (PID: 3740)
    • Reads the software policy settings

      • WerFault.exe (PID: 6268)
      • slui.exe (PID: 3740)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:03:20 10:01:39+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 260096
InitializedDataSize: 269824
UninitializedDataSize: -
EntryPoint: 0x275c0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
Total processes: 135
Monitored processes: 6
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Processes shown: start, 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe, delta_enterprise64.exe, svchost.exe, werfault.exe (no specs), werfault.exe, slui.exe

Process information

PID: 1052
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6732 -s 1396
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Delta_Enterprise64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 1080
CMD: "C:\Users\admin\Desktop\2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe"
Path: C:\Users\admin\Desktop\2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 3740
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6268
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6732 -s 1468
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Delta_Enterprise64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 6732
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\Delta_Enterprise64.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\Delta_Enterprise64.exe
Parent process: 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
User:
admin
Company:
Smart Game Booster
Integrity Level:
MEDIUM
Description:
Smart Game Booster
Exit code:
3221225477
Version:
5.3.0.670
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\delta_enterprise64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\wintrust.dll
Total events: 11 984
Read events: 11 984
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 18
Suspicious files: 2
Text files: 6
Unknown types: 5

Dropped files

PID | Process | Filename | Type
1080 | 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\libssl-1_1.dll | executable
MD5: F39C7230313B29377B8C4D4E2B532B03
SHA256: 3F0B7303689ED947254B5318CD9EE09BA9E0F94959B65B8FFCE9AA567DB3A126
1080 | 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Delta_Enterprise64.exe | executable
MD5: BD61566AF089CACEBDD1B4C41BFA4E85
SHA256: 14D140999AB5D2AB903DDF1AEDDA4D868BE68DB054424C7FAD70B8927B32A145
1080 | 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\HardwareLib.dll | executable
MD5: 022568111D51B5DBB92C0AB0872B380C
SHA256: 4E5F1F42F90316819B9FE431722C5CC8C0A91D90E0FEA87E580F17629E088A9A
1080 | 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Scan.dll | executable
MD5: 1FBB754A64F4C48984F47FC0532799D4
SHA256: 313778D51081F38FEB3B9EA5279F941B4793291A1842306022D329242A57E0D7
1080 | 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Register.dll | executable
MD5: D4E9244AED9D8FFC18F7D928F2E520C4
SHA256: 0408EE9513A32D5C5C1495E2EE3DCF43F02533CEA770AB1F07E1AB0167F4067B
1080 | 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\sdassist.dll | executable
MD5: D76D18C5D897B043827FF03739B8298C
SHA256: 4A79AD74E70700B8DB6BF101023D70FCD5B1B28F0E28584EE93610A873263995
1080 | 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\libcrypto-1_1.dll | executable
MD5: 439E9FB8D5E39B48BFAA4F2700F65B83
SHA256: 2CF28F824D1C452B63087A7434996C05E897C486A04299DD2D72AB8E9FF39A0A
1052 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Delta_Enterprise_813fcbbf25e12e2e4c55f155ee6e829194b180a8_8147a4eb_746352d0-e912-4be8-8277-8659f8398c44\Report.wer | -
MD5:
SHA256:
1080 | 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\madExcept_.bpl | executable
MD5: 9E5F266F5B7C8771A2A25DCF5FC23873
SHA256: F700AB8251EE590CB5A22E242BDE3D8B7C62288278C0C051352CCC99B56ACE4E
1080 | 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\madDisAsm_.bpl | executable
MD5: 3F02EAC260AB175A46849C2B70CAF483
SHA256: 3C930BBC232DC6E3C06B77A372431197AD31F4E75F2F68B9547FC29B015D9E49
HTTP(S) requests: 11
TCP/UDP connections: 24
DNS requests: 11
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.153:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.48.23.153:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 23.48.23.153:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6732 | Delta_Enterprise64.exe | GET | 200 | 34.117.59.81:80 | http://ipinfo.io/ | unknown | - | - | whitelisted
6732 | Delta_Enterprise64.exe | GET | 200 | 34.117.59.81:80 | http://ipinfo.io/ | unknown | - | - | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
2940 | svchost.exe | GET | 200 | 2.23.197.184:80 | http://x1.c.lencr.org/ | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.48.23.153:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.48.23.153:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 23.48.23.153:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 23.48.23.153
  • 23.48.23.141
  • 23.48.23.192
  • 23.48.23.145
  • 23.48.23.139
  • 23.48.23.138
  • 23.48.23.143
  • 23.48.23.156
  • 23.48.23.150
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
ipinfo.io
  • 34.117.59.81
whitelisted
watson.events.data.microsoft.com
  • 104.40.67.19
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
  • 20.83.72.98
whitelisted
x1.c.lencr.org
  • 2.23.197.184
whitelisted
self.events.data.microsoft.com
  • 20.189.173.6
whitelisted

Threats

PID | Process | Class | Message
2200 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
6732 | Delta_Enterprise64.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
6732 | Delta_Enterprise64.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ipinfo.io
6732 | Delta_Enterprise64.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
6732 | Delta_Enterprise64.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ipinfo.io

Process | Message
Delta_Enterprise64.exe | Win32MinorVersion: 0