File name:

2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar

Full analysis: https://app.any.run/tasks/1c4d6958-2cbd-4e76-8131-893990610efe
Verdict: Malicious activity
Analysis date: July 06, 2025, 01:20:37
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
telegram
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5:

81B9D58D6D5D085BA840F3ADA667C105

SHA1:

5C3D7B216496F25A60C44C3D6669D7895E74AE3C

SHA256:

E9652B40127AB420CA6E68C69D9C09A9E108B542964F715B8F6EBFEBFB2FD2C2

SSDEEP:

98304:Kcd2o1kcaCJr/VzkvddwCXkFqdz3aC3bww/Al+Biyz6oqV2kMmLYvI9yf+8Gm1MS:YwaTb2OaZ2CTyY/Gtx++oMaB7qE3DVt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 768)

    • Process drops python dynamic module

      • 2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 768)

    • The process drops C-runtime libraries

      • 2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 768)

    • Process drops legitimate windows executable

      • 2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 768)

    • Application launched itself

      • 2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 768)

    • Loads Python modules

      • 2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 7028)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • 2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 7028)

  • INFO

    • Checks supported languages

      • 2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 768)
      • 2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 7028)

    • Reads the computer name

      • 2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 768)

    • The sample compiled with english language support

      • 2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 768)

    • Create files in a temporary directory

      • 2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 768)

    • Checks proxy server information

      • 2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 7028)
      • slui.exe (PID: 7100)

    • Reads the software policy settings

      • slui.exe (PID: 7100)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:03:05 22:53:26+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.41
CodeSize: 176640
InitializedDataSize: 152576
UninitializedDataSize: -
EntryPoint: 0xc380
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe conhost.exe no specs 2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
768"C:\Users\admin\Desktop\2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe" C:\Users\admin\Desktop\2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
1100\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7028"C:\Users\admin\Desktop\2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe" C:\Users\admin\Desktop\2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
7100C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 934
Read events
3 934
Write events
0
Delete events
0

Modification events

No data
Executable files
113
Suspicious files
1
Text files
21
Unknown types
0

Dropped files

PID
Process
Filename
Type
7682025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI7682\Crypto\Cipher\_chacha20.pydexecutable
MD5:CB5238E2D4149636377F9A1E2AF6DC57
SHA256:A8D3BB9CD6A78EBDB4F18693E68B659080D08CB537F9630D279EC9F26772EFC7
7682025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI7682\Crypto\Cipher\_raw_arc2.pydexecutable
MD5:D2175300E065347D13211F5BF7581602
SHA256:94556934E3F9EE73C77552D2F3FC369C02D62A4C9E7143E472F8E3EE8C00AEE1
7682025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI7682\Crypto\Cipher\_raw_blowfish.pydexecutable
MD5:45616B10ABE82D5BB18B9C3AB446E113
SHA256:F348DB1843B8F38A23AEE09DD52FB50D3771361C0D529C9C9E142A251CC1D1EC
7682025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI7682\Crypto\Cipher\_raw_cfb.pydexecutable
MD5:43BBE5D04460BD5847000804234321A6
SHA256:FAA41385D0DB8D4EE2EE74EE540BC879CF2E884BEE87655FF3C89C8C517EED45
7682025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI7682\Crypto\Cipher\_pkcs1_decode.pydexecutable
MD5:D9E7218460AEE693BEA07DA7C2B40177
SHA256:38E423D3BCC32EE6730941B19B7D5D8872C0D30D3DD8F9AAE1442CB052C599AD
7682025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI7682\Crypto\Cipher\_raw_ofb.pydexecutable
MD5:4D9182783EF19411EBD9F1F864A2EF2F
SHA256:C9F4C5FFCDD4F8814F8C07CE532A164AB699AE8CDE737DF02D6ECD7B5DD52DBD
7682025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI7682\Crypto\Cipher\_raw_cast.pydexecutable
MD5:CF3C2F35C37AA066FA06113839C8A857
SHA256:1261783F8881642C3466B96FA5879A492EA9E0DAB41284ED9E4A82E8BCF00C80
7682025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI7682\Crypto\Cipher\_raw_ecb.pydexecutable
MD5:FEE13D4FB947835DBB62ACA7EAFF44EF
SHA256:3E0D07BBF93E0748B42B1C2550F48F0D81597486038C22548224584AE178A543
7682025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI7682\Crypto\Cipher\_raw_aesni.pydexecutable
MD5:BBEA5FFAE18BF0B5679D5C5BCD762D5A
SHA256:1F4288A098DA3AAC2ADD54E83C8C9F2041EC895263F20576417A92E1E5B421C1
7682025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exeC:\Users\admin\AppData\Local\Temp\_MEI7682\Crypto\Cipher\_raw_ocb.pydexecutable
MD5:D48BFFA1AF800F6969CFB356D3F75AA6
SHA256:4AA5E9CE7A76B301766D3ECBB06D2E42C2F09D0743605A91BF83069FEFE3A4DE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
31
TCP/UDP connections
49
DNS requests
17
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
400
20.190.159.130:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
200
20.190.159.73:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
POST
400
20.190.159.73:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
40.126.31.129:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1268
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5944
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.110
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
login.live.com
  • 40.126.32.138
  • 20.190.160.17
  • 20.190.160.14
  • 40.126.32.134
  • 40.126.32.74
  • 40.126.32.68
  • 20.190.160.5
  • 20.190.160.20
whitelisted
api.telegram.org
  • 149.154.167.220
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.31
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

PID
Process
Class
Message
2200
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
7028
2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar