File name:

2025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta

Full analysis: https://app.any.run/tasks/62f55656-57c7-40c3-b556-71a404023e8b
Verdict: Malicious activity
Analysis date: April 29, 2025, 08:32:22
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
neshta
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

D5F4DE8C3589F882FE1A341972E947E6

SHA1:

8C6F357409AC5B0275320D6BDE3E5647027FE79D

SHA256:

B0FB940B31B723188303AFCED4316F5C0DAB5BAD2AAE54ECA98B52B9CBFAB6F7

SSDEEP:

6144:99fakd0a6c7IKz1QDlBzJY4a89AELojmqfR:95akgPKz1QDbz9a8K4MmqfR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • NESHTA mutex has been found

      • 2025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe (PID: 4724)
      • FileCoAuth.exe (PID: 1188)

    • Executing a file with an untrusted certificate

      • FileCoAuth.exe (PID: 3332)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe (PID: 4724)
      • FileCoAuth.exe (PID: 1188)

    • There is functionality for taking screenshot (YARA)

      • 2025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe (PID: 4724)

    • Mutex name with non-standard characters

      • 2025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe (PID: 4724)
      • FileCoAuth.exe (PID: 1188)

    • Executable content was dropped or overwritten

      • 2025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe (PID: 4724)
      • FileCoAuth.exe (PID: 1188)

    • Process drops legitimate windows executable

      • FileCoAuth.exe (PID: 1188)

    • Starts a Microsoft application from unusual location

      • FileCoAuth.exe (PID: 3332)

  • INFO

    • Checks supported languages

      • 2025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe (PID: 4724)
      • 2025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe (PID: 4740)
      • FileCoAuth.exe (PID: 3332)

    • Create files in a temporary directory

      • 2025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe (PID: 4724)
      • FileCoAuth.exe (PID: 3332)

    • Process checks computer location settings

      • 2025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe (PID: 4724)
      • FileCoAuth.exe (PID: 1188)

    • Reads the computer name

      • 2025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe (PID: 4724)
      • FileCoAuth.exe (PID: 3332)

    • The sample compiled with english language support

      • FileCoAuth.exe (PID: 1188)

    • Reads the machine GUID from the registry

      • FileCoAuth.exe (PID: 3332)

    • Creates files or folders in the user directory

      • FileCoAuth.exe (PID: 3332)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 6 (93.8)
.dll | Win32 Dynamic Link Library (generic) (2.3)
.exe | Win32 Executable (generic) (1.6)
.exe | Win16/32 Executable Delphi generic (0.7)
.exe | Generic Win/DOS Executable (0.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 29696
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x80e4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
126
Monitored processes
6
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start #NESHTA 2025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe 2025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe no specs conhost.exe no specs filecoauth.exe no specs filecoauth.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1188C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -EmbeddingC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exesvchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
3332"C:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exe" -EmbeddingC:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exeFileCoAuth.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDriveFile Co-Authoring Executable
Exit code:
0
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
4724"C:\Users\admin\Desktop\2025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe" C:\Users\admin\Desktop\2025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
4740"C:\Users\admin\AppData\Local\Temp\3582-490\2025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe" C:\Users\admin\AppData\Local\Temp\3582-490\2025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe2025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
4.1.0.1
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\2025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\version.dll
6708C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6876\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe2025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
4 019
Read events
4 019
Write events
0
Delete events
0

Modification events

No data
Executable files
9
Suspicious files
2
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
47242025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exeC:\Users\admin\AppData\Local\Temp\3582-490\2025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exeexecutable
MD5:BCF67FD187FA2A799C1A18DE13ECBB35
SHA256:6A6BDC187F08339946DA9F4E45189ACF53DBF8D47254B1878CC58A657CF7320C
47242025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exeexecutable
MD5:A747FA4161FE3C00C3FBB4BF391D4D4E
SHA256:B7BA59428AF7AE08C5BF927B57E326D5259E6ED31BD4237AA6A44378177364C1
47242025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exeC:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exeexecutable
MD5:85A67D34298E33D2D5A9EC789B6AB594
SHA256:1DEE143B4F88F2375B85C6271A58E2E78FED081BEAE4090678CB2DD7A37FB2D4
47242025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\OneDriveUpdaterService.exeexecutable
MD5:E73AC057B2CFEF016B8199389F0DF590
SHA256:20ABA9D6001E5CDC287CD5BD452D0F2D05980D83F851D2B309BF49E9D9A8AC4C
47242025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncConfig.exeexecutable
MD5:0C5EC1AE9A301408AF26032B445FBB08
SHA256:3A8010F1E4E028782093877D969EB127B80AE48B7215A8D3F91E8AB9C165AC7A
47242025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exeexecutable
MD5:178B773B3FB050FCE26E40A9E8C2EE9A
SHA256:1E03573733F25B44004049A535E7E79366FD86FE953F6DFEDAAD05513B46A6C5
47242025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exeexecutable
MD5:13C2D5BF03C4A2B28E930F990CCC32DB
SHA256:12D24D0BC0E7CDC902E3540A3C6F7B755094F011A8EAD49A47A00563710B8F80
3332FileCoAuth.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-04-29.0832.3332.1.aodlbinary
MD5:28DCA2FF4B34B5A52A2E59DF202A6ED3
SHA256:33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94
3332FileCoAuth.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-04-29.0832.3332.1.odlbinary
MD5:EDBB0233680351AE0F04288C3500C2F2
SHA256:1DEC2C5078ECA45B55C9AE71CE7356B37FF51CF3764BB43ACBCB9CC38B34CFEE
47242025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta.exeC:\Users\admin\AppData\Local\Temp\tmp5023.tmptext
MD5:F35A7EC23E9E3B5D90F7547B30E2D02C
SHA256:9EBD3E7151AAD4A18F387A5341C20DE2885CE64D72028B00E2D2A4A588D476E2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
23
TCP/UDP connections
40
DNS requests
12
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
304
20.12.23.50:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
304
20.12.23.50:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
200
20.12.23.50:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
200
52.165.164.15:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
1324
SIHClient.exe
GET
200
2.16.164.129:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1324
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
1324
SIHClient.exe
GET
200
2.16.164.129:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
1324
SIHClient.exe
GET
200
2.16.164.129:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
1324
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1324
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
1324
SIHClient.exe
20.12.23.50:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1324
SIHClient.exe
2.16.164.129:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
1324
SIHClient.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
1324
SIHClient.exe
52.165.164.15:443
fe3cr.delivery.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1812
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6544
svchost.exe
40.126.31.69:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.142
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
crl.microsoft.com
  • 2.16.164.129
  • 2.16.164.113
  • 2.16.164.131
  • 2.16.164.25
  • 2.16.164.32
  • 2.16.164.11
  • 2.16.164.106
  • 2.16.164.121
  • 2.16.164.130
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.14
whitelisted
login.live.com
  • 40.126.31.69
  • 20.190.159.4
  • 20.190.159.23
  • 20.190.159.131
  • 20.190.159.129
  • 40.126.31.0
  • 20.190.159.75
  • 20.190.159.2
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-04-29_d5f4de8c3589f882fe1a341972e947e6_black-basta_cobalt-strike_elex_luca-stealer_neshta