File name:	2025-06-07_2451a6444df5f5a5b2556390a1f513e4_black-basta_cobalt-strike_hijackloader_luca-stealer_satacom
Full analysis:	https://app.any.run/tasks/e4ae3b35-b0bc-43a1-aa34-862771dda4d6
Verdict:	Malicious activity
Threats:	A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Phorpiex is a malicious software that has been a significant threat in the cybersecurity landscape since 2016. It is a modular malware known for its ability to maintain an extensive botnet. Unlike other botnets, Phorpiex does not concentrate on DDoS attacks. Instead, it has been involved in numerous large-scale spam email campaigns and the distribution of other malicious payloads, such as LockBit. Malware Trends Tracker >>>
Analysis date:	June 07, 2025, 01:32:50
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	loader auto-reg botnet phorpiex auto coinminer miner winring0x64-sys vuln-driver upx xor-url xmrig generic
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5:	2451A6444DF5F5A5B2556390A1F513E4
SHA1:	7FC1359E0EB0D7DA21A98441047D5EAA1DE68FAA
SHA256:	E35457601206D437B338D56FB29E51264100BE1664CC8D9738CEE7E64D333E4B
SSDEEP:	3072:MBCLlS3hfvOJtyb5W/aL3py8WhzS9RY5+//ZW6obMa/h7BhV7I:MQLlS3JvQtyIaY8WhzS9akJja/1zV7

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	1970:01:01 15:50:05+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.29
CodeSize:	90112
InitializedDataSize:	57856
UninitializedDataSize:	-
EntryPoint:	0x2a000
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	3.29.10.471
ProductVersionNumber:	3.29.10.471
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Chinese (Simplified)
CharacterSet:	Unicode
FileDescription:	腾讯会议
FileVersion:	3.29.10.471
LegalCopyright:	© Tencent Corporation. All rights reserved.
ProductName:	腾讯会议
ProductVersion:	3.29.10.471


(PID) Process:	(2980) 2025-06-07_2451a6444df5f5a5b2556390a1f513e4_black-basta_cobalt-strike_hijackloader_luca-stealer_satacom.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2980) 2025-06-07_2451a6444df5f5a5b2556390a1f513e4_black-basta_cobalt-strike_hijackloader_luca-stealer_satacom.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2980) 2025-06-07_2451a6444df5f5a5b2556390a1f513e4_black-basta_cobalt-strike_hijackloader_luca-stealer_satacom.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2980) 2025-06-07_2451a6444df5f5a5b2556390a1f513e4_black-basta_cobalt-strike_hijackloader_luca-stealer_satacom.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
Operation:	write	Name:	C:\Users\admin\Desktop\2025-06-07_2451a6444df5f5a5b2556390a1f513e4_black-basta_cobalt-strike_hijackloader_luca-stealer_satacom.exe
Value: 1
(PID) Process:	(3192) 94F.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(3192) 94F.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(3192) 94F.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(1472) 2847428198.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Windows Settings
Value: C:\WINDOWS\syscrondvr.exe
(PID) Process:	(208) syscrondvr.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(208) syscrondvr.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:

PID	Process	Filename		Type
2980	2025-06-07_2451a6444df5f5a5b2556390a1f513e4_black-basta_cobalt-strike_hijackloader_luca-stealer_satacom.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\64[1].exe		executable
		MD5:0EC46393976EB51F307CC11D80BAE845	SHA256:9175BA77AC91AFDC513CA64788A72BF12915247F64BB1F95C06B5A1938FA4A84
2980	2025-06-07_2451a6444df5f5a5b2556390a1f513e4_black-basta_cobalt-strike_hijackloader_luca-stealer_satacom.exe	C:\Users\admin\AppData\Local\Temp\94F.exe		executable
		MD5:0EC46393976EB51F307CC11D80BAE845	SHA256:9175BA77AC91AFDC513CA64788A72BF12915247F64BB1F95C06B5A1938FA4A84
2980	2025-06-07_2451a6444df5f5a5b2556390a1f513e4_black-basta_cobalt-strike_hijackloader_luca-stealer_satacom.exe	C:\Users\admin\Desktop\virtualdisplay		text
		MD5:67C4598DA641838029F5C0F8F90AA398	SHA256:92280C45AEAC5FDA5F43495C635D67209A842288CC386B0E03F2F33F275E4B50
208	syscrondvr.exe	C:\Users\admin\AppData\Local\Temp\1356822933.exe		binary
		MD5:9B64B08969AD80705FADB8FD9D654DCB	SHA256:44ECC25D894EE478494F1CABF52F41145BE12F42F43D9032CC7CB10B28068213
208	syscrondvr.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\1[1]		binary
		MD5:9B64B08969AD80705FADB8FD9D654DCB	SHA256:44ECC25D894EE478494F1CABF52F41145BE12F42F43D9032CC7CB10B28068213
3192	94F.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\newtpp[1].exe		executable
		MD5:F30FDBF3448F67CBC3566F31729CB7A6	SHA256:3A902ABB21D204ED6A0776789C9661F8B98E561FD0CA661EE37A7D8BD079E57B
208	syscrondvr.exe	C:\Users\admin\AppData\Local\Temp\368114503.exe		binary
		MD5:D0FBD536386427688100D0C7DFF5770D	SHA256:CE8B5A21126D8D551066DA8A229D7337234554F0EFB8018620EA6C770B48011C
208	syscrondvr.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\3[1]		binary
		MD5:B1CF906941494F4E6050B2C73EF27314	SHA256:4C4E195A909DD0F05847BFC1631654E97924EB4C9301ECC191B1D18F853BBF77
3192	94F.exe	C:\Users\admin\AppData\Local\Temp\2847428198.exe		executable
		MD5:F30FDBF3448F67CBC3566F31729CB7A6	SHA256:3A902ABB21D204ED6A0776789C9661F8B98E561FD0CA661EE37A7D8BD079E57B
7288	184906430.exe	C:\Users\admin\Desktop\2025-06-07_2451a6444df5f5a5b2556390a1f513e4_black-basta_cobalt-strike_hijackloader_luca-stealer_satacom.exe		executable
		MD5:2451A6444DF5F5A5B2556390A1F513E4	SHA256:E35457601206D437B338D56FB29E51264100BE1664CC8D9738CEE7E64D333E4B

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3760	RUXIMICS.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3760	RUXIMICS.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2980	2025-06-07_2451a6444df5f5a5b2556390a1f513e4_black-basta_cobalt-strike_hijackloader_luca-stealer_satacom.exe	GET	200	185.156.72.39:80	http://185.156.72.39/64.exe	unknown	—	—	malicious
3192	94F.exe	GET	200	185.156.72.39:80	http://185.156.72.39/newtpp.exe	unknown	—	—	malicious
208	syscrondvr.exe	GET	—	185.156.72.39:80	http://185.156.72.39/1	unknown	—	—	malicious
3192	94F.exe	GET	200	185.156.72.39:80	http://185.156.72.39/peinstall.php	unknown	—	—	malicious
208	syscrondvr.exe	GET	—	185.156.72.39:80	http://185.156.72.39/2	unknown	—	—	malicious
208	syscrondvr.exe	GET	200	185.156.72.39:80	http://185.156.72.39/1	unknown	—	—	malicious
208	syscrondvr.exe	GET	—	185.156.72.39:80	http://185.156.72.39/3	unknown	—	—	malicious
208	syscrondvr.exe	GET	200	185.156.72.39:80	http://185.156.72.39/2	unknown	—	—	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3760	RUXIMICS.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2980	2025-06-07_2451a6444df5f5a5b2556390a1f513e4_black-basta_cobalt-strike_hijackloader_luca-stealer_satacom.exe	185.156.72.39:80	—	Tov Vaiz Partner	RU	malicious
3760	RUXIMICS.exe	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3760	RUXIMICS.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3192	94F.exe	185.156.72.39:80	—	Tov Vaiz Partner	RU	malicious
208	syscrondvr.exe	185.156.72.39:80	—	Tov Vaiz Partner	RU	malicious
208	syscrondvr.exe	45.141.233.6:80	—	Euro Crypt EOOD	DE	malicious

Domain	IP	Reputation
google.com	172.217.16.206	whitelisted
crl.microsoft.com	23.216.77.28 23.216.77.6	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
www.update.microsoft.com	132.196.74.18	whitelisted
self.events.data.microsoft.com	104.208.16.95	whitelisted

PID	Process	Class	Message
2980	2025-06-07_2451a6444df5f5a5b2556390a1f513e4_black-basta_cobalt-strike_hijackloader_luca-stealer_satacom.exe	Misc activity	ET INFO Observed UA-CPU Header
2980	2025-06-07_2451a6444df5f5a5b2556390a1f513e4_black-basta_cobalt-strike_hijackloader_luca-stealer_satacom.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2980	2025-06-07_2451a6444df5f5a5b2556390a1f513e4_black-basta_cobalt-strike_hijackloader_luca-stealer_satacom.exe	A Network Trojan was detected	ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
2980	2025-06-07_2451a6444df5f5a5b2556390a1f513e4_black-basta_cobalt-strike_hijackloader_luca-stealer_satacom.exe	A Network Trojan was detected	ET MALWARE Possible Malicious Macro DL EXE Feb 2016
3192	94F.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
3192	94F.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
3192	94F.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
208	syscrondvr.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Phorpiex CnC Communication
208	syscrondvr.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Phorpiex CnC Communication
208	syscrondvr.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Phorpiex CnC Communication

General Info

2025-06-07_2451a6444df5f5a5b2556390a1f513e4_black-basta_cobalt-strike_hijackloader_luca-stealer_satacom

2451A6444DF5F5A5B2556390A1F513E4

7FC1359E0EB0D7DA21A98441047D5EAA1DE68FAA

E35457601206D437B338D56FB29E51264100BE1664CC8D9738CEE7E64D333E4B

3072:MBCLlS3hfvOJtyb5W/aL3py8WhzS9RY5+//ZW6obMa/h7BhV7I:MQLlS3JvQtyIaY8WhzS9akJja/1zV7

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

PHORPIEX has been detected (SURICATA)

Connects to the CnC server

PHORPIEX has been detected (YARA)

COINMINER has been found (auto)

Vulnerable driver has been detected

XMRIG has been detected (YARA)

XORed URL has been found (YARA)

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Potential Corporate Privacy Violation

Process requests binary or script from the Internet

Connects to the server without a host name

Starts itself from another location

Contacting a server suspected of hosting an CnC

Starts SC.EXE for service management

Process drops legitimate windows executable

Connects to unusual port

Windows service management via SC.EXE

Creates a new Windows service

Stops a currently running service

Executes as Windows Service

Drops a system driver (possible attempt to evade defenses)

INFO

The sample compiled with chinese language support

Checks supported languages

Reads the computer name

Checks proxy server information

Creates files or folders in the user directory

Create files in a temporary directory

Launching a file from a Registry key

Manual execution by a user

The sample compiled with english language support

The sample compiled with japanese language support

UPX packer has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events