File name:

2025-05-25_398e8229f73ece262f88d2589efd7d50_cobalt-strike_lockbit

Full analysis: https://app.any.run/tasks/7c1beb3b-8310-491c-b9ed-962791e15185
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: May 25, 2025, 13:19:53
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
valleyrat
winos
rat
silverfox
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

398E8229F73ECE262F88D2589EFD7D50

SHA1:

244FE7FDC8B53685637ACCBA6501B2CA6BC598A8

SHA256:

B938868D0B5E9513DC97BA842AAAF8EFB177E7CC83B0FCE3EB41E64640C88EFD

SSDEEP:

12288:d3NWNtnrD6lW0cGGn5pOsi8A8Kw/5mqaKY7tn+WZ2WXezepk+SIB+YX:d3NY0Gn5pOsi8A8Kw/5pYZtzXezepAl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • VALLEYRAT has been detected (YARA)

      • 2025-05-25_398e8229f73ece262f88d2589efd7d50_cobalt-strike_lockbit.exe (PID: 7452)

  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • 2025-05-25_398e8229f73ece262f88d2589efd7d50_cobalt-strike_lockbit.exe (PID: 7452)

  • INFO

    • Checks supported languages

      • 2025-05-25_398e8229f73ece262f88d2589efd7d50_cobalt-strike_lockbit.exe (PID: 7452)

    • Reads the computer name

      • 2025-05-25_398e8229f73ece262f88d2589efd7d50_cobalt-strike_lockbit.exe (PID: 7452)

    • Checks proxy server information

      • slui.exe (PID: 7996)

    • Reads the software policy settings

      • slui.exe (PID: 7996)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:03:02 12:54:32+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 10
CodeSize: 161280
InitializedDataSize: 303104
UninitializedDataSize: -
EntryPoint: 0x1313c
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
126
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #VALLEYRAT 2025-05-25_398e8229f73ece262f88d2589efd7d50_cobalt-strike_lockbit.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
7452"C:\Users\admin\Desktop\2025-05-25_398e8229f73ece262f88d2589efd7d50_cobalt-strike_lockbit.exe" C:\Users\admin\Desktop\2025-05-25_398e8229f73ece262f88d2589efd7d50_cobalt-strike_lockbit.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\2025-05-25_398e8229f73ece262f88d2589efd7d50_cobalt-strike_lockbit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
7996C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 527
Read events
3 527
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
24
TCP/UDP connections
61
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1852
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1852
RUXIMICS.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
304
20.12.23.50:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
200
20.12.23.50:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
7760
SIHClient.exe
GET
200
23.59.18.102:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7760
SIHClient.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
7760
SIHClient.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
7760
SIHClient.exe
GET
200
23.59.18.102:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7760
SIHClient.exe
GET
200
23.59.18.102:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7760
SIHClient.exe
GET
200
23.59.18.102:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1852
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
1852
RUXIMICS.exe
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
1852
RUXIMICS.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
7452
2025-05-25_398e8229f73ece262f88d2589efd7d50_cobalt-strike_lockbit.exe
101.43.156.141:443
unknown
7760
SIHClient.exe
20.12.23.50:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7760
SIHClient.exe
23.59.18.102:80
www.microsoft.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.238
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.59.18.102
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.43
whitelisted
login.live.com
  • 40.126.32.72
  • 20.190.160.17
  • 40.126.32.134
  • 40.126.32.140
  • 20.190.160.128
  • 20.190.160.2
  • 20.190.160.20
  • 20.190.160.5
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-25_398e8229f73ece262f88d2589efd7d50_cobalt-strike_lockbit