File name: 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar

Full analysis: https://app.any.run/tasks/0031c308-1010-454c-87c6-5572a856ca6a
Verdict: Malicious activity
Analysis date: July 03, 2025, 21:50:59
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: evasion
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: 38FEEA6391D33B1BB74ABB43883E00C7
SHA1: 6850D6F154314F7F45CC7A63E1AA81133E822929
SHA256: A466676F4EABC4FED8CFB6158A8D173F20FB54F96ACE59D849F9E0C70C742101
SSDEEP: 98304:HbBoZk5devUSobx6xI+YaeZMKUGh/Cm/yGr3ZgO5cYQ6aNSCPFvkVHch1vNs8Epu:5PY+X9yHJFk2AVVAJYMGIv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 1080)
    • Executable content was dropped or overwritten

      • 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 1080)
    • Reads the date of Windows installation

      • 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 1080)
    • The process creates files with name similar to system file names

      • 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 1080)
    • Process drops SQLite DLL files

      • 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 1080)
    • Executes application which crashes

      • Delta_Enterprise64.exe (PID: 6732)
    • Checks for external IP

      • Delta_Enterprise64.exe (PID: 6732)
      • svchost.exe (PID: 2200)
  • INFO

    • Reads the computer name

      • 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 1080)
      • Delta_Enterprise64.exe (PID: 6732)
    • Checks supported languages

      • 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 1080)
      • Delta_Enterprise64.exe (PID: 6732)
    • Create files in a temporary directory

      • 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 1080)
    • The sample compiled with english language support

      • 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 1080)
    • Process checks computer location settings

      • 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 1080)
    • Reads CPU info

      • Delta_Enterprise64.exe (PID: 6732)
    • Reads the software policy settings

      • WerFault.exe (PID: 6268)
      • slui.exe (PID: 3740)
    • Creates files or folders in the user directory

      • Delta_Enterprise64.exe (PID: 6732)
      • WerFault.exe (PID: 1052)
      • WerFault.exe (PID: 6268)
    • Checks proxy server information

      • WerFault.exe (PID: 6268)
      • slui.exe (PID: 3740)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:03:20 10:01:39+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 260096
InitializedDataSize: 269824
UninitializedDataSize: -
EntryPoint: 0x275c0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 135
Monitored processes: 6
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Process nodes: start, 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe, delta_enterprise64.exe, svchost.exe, werfault.exe (no specs), werfault.exe, slui.exe

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 1052
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6732 -s 1396
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Delta_Enterprise64.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 1080
CMD: "C:\Users\admin\Desktop\2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe"
Path: C:\Users\admin\Desktop\2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 3740
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6268
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6732 -s 1468
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Delta_Enterprise64.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 6732
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\Delta_Enterprise64.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\Delta_Enterprise64.exe
Parent process: 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
User: admin
Company: Smart Game Booster
Integrity Level: MEDIUM
Description: Smart Game Booster
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION; consistent with the two WerFault.exe instances launched with -p 6732)
Version: 5.3.0.670
Modules (images):
c:\users\admin\appdata\local\temp\rarsfx0\delta_enterprise64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\wintrust.dll
Total events: 11 984
Read events: 11 984
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 18
Suspicious files: 2
Text files: 6
Unknown types: 5

Dropped files

PID | Process | Filename | Type
1080 | 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\libssl-1_1.dll | executable
MD5:F39C7230313B29377B8C4D4E2B532B03
SHA256:3F0B7303689ED947254B5318CD9EE09BA9E0F94959B65B8FFCE9AA567DB3A126
1080 | 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Delta_Enterprise64.exe | executable
MD5:BD61566AF089CACEBDD1B4C41BFA4E85
SHA256:14D140999AB5D2AB903DDF1AEDDA4D868BE68DB054424C7FAD70B8927B32A145
1080 | 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\madDisAsm_.bpl | executable
MD5:3F02EAC260AB175A46849C2B70CAF483
SHA256:3C930BBC232DC6E3C06B77A372431197AD31F4E75F2F68B9547FC29B015D9E49
1080 | 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\PowerMgr.dll | executable
MD5:D0D3E744178EEA35DDB3E55568EEEDCA
SHA256:461A9122A5C3A63644D005CAA601CF9E4B7E5EF6F852E8767E398F39486E4E34
1080 | 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Sheesviegreer.wbo | binary
MD5:8A373B25AD0AC8BC193A6BAA13E05B90
SHA256:F995034D65E1111B70BF23D7C9BAD4E574E2A82D038EDF81833E0E12E97AF4BB
1080 | 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Nem.rils | binary
MD5:DD31661D3483310F2E50237927DD65C5
SHA256:BD345877E3683879E6E5A253EA7B487AE57773FAB6B4A8323D151FF2ECA8286E
1080 | 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\madExcept_.bpl | executable
MD5:9E5F266F5B7C8771A2A25DCF5FC23873
SHA256:F700AB8251EE590CB5A22E242BDE3D8B7C62288278C0C051352CCC99B56ACE4E
1052 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Delta_Enterprise_813fcbbf25e12e2e4c55f155ee6e829194b180a8_8147a4eb_746352d0-e912-4be8-8277-8659f8398c44\Report.wer | (type not given)
MD5: (empty in report)
SHA256: (empty in report)
1080 | 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\madBasic_.bpl | executable
MD5:C4BB0A8BFBD4A632180B7A2C62E82B10
SHA256:4B2E1C988A09E5B318C4DCDD51A25887D02BF48CBDEF239B9CC86742459A50E6
1080 | 2025-07-03_38feea6391d33b1bb74abb43883e00c7_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\rtl120.bpl | executable
MD5:886BCDD81BBCE31FA03C23E78F11158C
SHA256:9D299887FB4A886BE03F11A86AF0D1021A2331AB0283C90BA6D790FA366D3767
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 11
TCP/UDP connections: 24
DNS requests: 11
Threats: 5

HTTP requests (cells that are empty in the report are shown as -)

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.153:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6732 | Delta_Enterprise64.exe | GET | 200 | 34.117.59.81:80 | http://ipinfo.io/ | unknown | - | - | whitelisted
2940 | svchost.exe | GET | 200 | 2.23.197.184:80 | http://x1.c.lencr.org/ | unknown | - | - | whitelisted
- | - | GET | 200 | 23.48.23.153:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6732 | Delta_Enterprise64.exe | GET | 200 | 34.117.59.81:80 | http://ipinfo.io/ | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.48.23.153:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections (cells that are empty in the report are shown as -)

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.48.23.153:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.48.23.153:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 23.48.23.153:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.124.78.146 | whitelisted
google.com | 172.217.16.206 | whitelisted
crl.microsoft.com | 23.48.23.153, 23.48.23.141, 23.48.23.192, 23.48.23.145, 23.48.23.139, 23.48.23.138, 23.48.23.143, 23.48.23.156, 23.48.23.150 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
ipinfo.io | 34.117.59.81 | whitelisted
watson.events.data.microsoft.com | 104.40.67.19 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224, 20.83.72.98 | whitelisted
x1.c.lencr.org | 2.23.197.184 | whitelisted
self.events.data.microsoft.com | 20.189.173.6 | whitelisted

Threats

PID | Process | Class | Message
2200 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
6732 | Delta_Enterprise64.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
6732 | Delta_Enterprise64.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ipinfo.io
6732 | Delta_Enterprise64.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
6732 | Delta_Enterprise64.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ipinfo.io

Process | Message
Delta_Enterprise64.exe | Win32MinorVersion: 0