File name:	2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar
Full analysis:	https://app.any.run/tasks/1c4d6958-2cbd-4e76-8131-893990610efe
Verdict:	Malicious activity
Analysis date:	July 06, 2025, 01:20:37
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	python telegram
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5:	81B9D58D6D5D085BA840F3ADA667C105
SHA1:	5C3D7B216496F25A60C44C3D6669D7895E74AE3C
SHA256:	E9652B40127AB420CA6E68C69D9C09A9E108B542964F715B8F6EBFEBFB2FD2C2
SSDEEP:	98304:Kcd2o1kcaCJr/VzkvddwCXkFqdz3aC3bww/Al+Biyz6oqV2kMmLYvI9yf+8Gm1MS:YwaTb2OaZ2CTyY/Gtx++oMaB7qE3DVt

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2025:03:05 22:53:26+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.41
CodeSize:	176640
InitializedDataSize:	152576
UninitializedDataSize:	-
EntryPoint:	0xc380
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line

PID	Process	Filename		Type
768	2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe	C:\Users\admin\AppData\Local\Temp\_MEI7682\Crypto\Cipher\_chacha20.pyd		executable
		MD5:CB5238E2D4149636377F9A1E2AF6DC57	SHA256:A8D3BB9CD6A78EBDB4F18693E68B659080D08CB537F9630D279EC9F26772EFC7
768	2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe	C:\Users\admin\AppData\Local\Temp\_MEI7682\Crypto\Cipher\_ARC4.pyd		executable
		MD5:6176101B7C377A32C01AE3EDB7FD4DE6	SHA256:EFEA361311923189ECBE3240111EFBA329752D30457E0DBE9628A82905CD4BDB
768	2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe	C:\Users\admin\AppData\Local\Temp\_MEI7682\Crypto\Cipher\_raw_cbc.pyd		executable
		MD5:20708935FDD89B3EDDEEA27D4D0EA52A	SHA256:11DD1B49F70DB23617E84E08E709D4A9C86759D911A24EBDDFB91C414CC7F375
768	2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe	C:\Users\admin\AppData\Local\Temp\_MEI7682\Crypto\Cipher\_Salsa20.pyd		executable
		MD5:371776A7E26BAEB3F75C93A8364C9AE0	SHA256:15257E96D1CA8480B8CB98F4C79B6E365FE38A1BA9638FC8C9AB7FFEA79C4762
768	2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe	C:\Users\admin\AppData\Local\Temp\_MEI7682\Crypto\Cipher\_raw_blowfish.pyd		executable
		MD5:45616B10ABE82D5BB18B9C3AB446E113	SHA256:F348DB1843B8F38A23AEE09DD52FB50D3771361C0D529C9C9E142A251CC1D1EC
768	2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe	C:\Users\admin\AppData\Local\Temp\_MEI7682\Crypto\Cipher\_pkcs1_decode.pyd		executable
		MD5:D9E7218460AEE693BEA07DA7C2B40177	SHA256:38E423D3BCC32EE6730941B19B7D5D8872C0D30D3DD8F9AAE1442CB052C599AD
768	2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe	C:\Users\admin\AppData\Local\Temp\_MEI7682\Crypto\Cipher\_raw_arc2.pyd		executable
		MD5:D2175300E065347D13211F5BF7581602	SHA256:94556934E3F9EE73C77552D2F3FC369C02D62A4C9E7143E472F8E3EE8C00AEE1
768	2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe	C:\Users\admin\AppData\Local\Temp\_MEI7682\Crypto\Cipher\_raw_ctr.pyd		executable
		MD5:C6B20332B4814799E643BADFFD8DF2CD	SHA256:61C7A532E108F67874EF2E17244358DF19158F6142680F5B21032BA4889AC5D8
768	2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe	C:\Users\admin\AppData\Local\Temp\_MEI7682\Crypto\Cipher\_raw_ofb.pyd		executable
		MD5:4D9182783EF19411EBD9F1F864A2EF2F	SHA256:C9F4C5FFCDD4F8814F8C07CE532A164AB699AE8CDE737DF02D6ECD7B5DD52DBD
768	2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe	C:\Users\admin\AppData\Local\Temp\_MEI7682\Crypto\Cipher\_raw_eksblowfish.pyd		executable
		MD5:76F88D89643B0E622263AF676A65A8B4	SHA256:605C86145B3018A5E751C6D61FD0F85CF4A9EBF2AD1F3009A4E68CF9F1A63E49

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5944	MoUsoCoreWorker.exe	GET	200	23.53.40.178:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5116	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
5116	SIHClient.exe	GET	200	23.53.40.178:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
—	—	GET	200	23.53.40.178:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.53.40.178:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	20.190.159.73:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	POST	400	20.190.159.73:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	23.53.40.178:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.53.40.178:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	23.53.40.178:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
1268	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5944	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

Domain	IP	Reputation
google.com	172.217.18.110	whitelisted
crl.microsoft.com	23.53.40.178 23.53.40.176	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
settings-win.data.microsoft.com	51.124.78.146	whitelisted
login.live.com	40.126.32.138 20.190.160.17 20.190.160.14 40.126.32.134 40.126.32.74 40.126.32.68 20.190.160.5 20.190.160.20	whitelisted
api.telegram.org	149.154.167.220	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
nexusrules.officeapps.live.com	52.111.243.31	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted

PID	Process	Class	Message
2200	svchost.exe	Misc activity	ET HUNTING Telegram API Domain in DNS Lookup
7028	2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)

General Info

2025-07-06_81b9d58d6d5d085ba840f3ada667c105_black-basta_cobalt-strike_luca-stealer_satacom_vidar

81B9D58D6D5D085BA840F3ADA667C105

5C3D7B216496F25A60C44C3D6669D7895E74AE3C

E9652B40127AB420CA6E68C69D9C09A9E108B542964F715B8F6EBFEBFB2FD2C2

98304:Kcd2o1kcaCJr/VzkvddwCXkFqdz3aC3bww/Al+Biyz6oqV2kMmLYvI9yf+8Gm1MS:YwaTb2OaZ2CTyY/Gtx++oMaB7qE3DVt

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Process drops python dynamic module

The process drops C-runtime libraries

Executable content was dropped or overwritten

Process drops legitimate windows executable

Application launched itself

Loads Python modules

Process communicates with Telegram (possibly using it as an attacker's C2 server)

INFO

Checks supported languages

Reads the computer name

The sample compiled with english language support

Create files in a temporary directory

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings