File name:

2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar

Full analysis: https://app.any.run/tasks/8e0afd77-1928-4687-91e9-72a8e6c5adb7
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market and comes with an abundance of educational material; interested attackers can even find tutorials on YouTube. This has made it one of the most popular RATs in the world.

Analysis date: June 18, 2025, 05:31:52
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
auto-sch
pyinstaller
rat
njrat
bladabindi
susp-powershell
auto-reg
auto-startup
delphi
inno
installer
netreactor
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

F1E3728E2CEB8F3C627848B240E3D563

SHA1:

94E82ED6238B46620799A1C0189799AAE930BD01

SHA256:

F5F1EBB6BC5FDC4D33A6D5975E8DFF37FB221156FE2571E9C136772F938D2A85

SSDEEP:

98304:cC3CpAOUEyShDPCH4mAtOD6H9yciGnBU8nA4sOVi0gPj6OylTFD47yRQ7AFpSCO7:ZOdL5NsTPvfkj881mwe/kix9UZlI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • LIME RAT.exe (PID: 5764)
      • LIME RAT.exe (PID: 684)
      • svchost.exe (PID: 5456)
      • svchost.exe (PID: 1948)
      • svchost.exe (PID: 4580)
      • svchost.exe (PID: 5708)
      • svchost.exe (PID: 6292)
      • svchost.exe (PID: 4580)
    • NJRAT mutex has been found

      • LIME RAT.exe (PID: 5764)
      • LIME RAT.exe (PID: 684)
      • svchost.exe (PID: 5456)
      • svchost.exe (PID: 1948)
      • svchost.exe (PID: 5708)
      • svchost.exe (PID: 4580)
      • svchost.exe (PID: 6292)
      • svchost.exe (PID: 4580)
    • Changes the autorun value in the registry

      • svchost.exe (PID: 5456)
    • Create files in the Startup directory

      • svchost.exe (PID: 5456)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4156)
      • xx-svchost.exe (PID: 3788)
      • SWAInstaller.exe (PID: 2076)
      • SWAInstaller.tmp (PID: 6936)
      • cmd.exe (PID: 3780)
      • LIME RAT.exe (PID: 5764)
      • svchost.exe (PID: 5456)
    • The process drops C-runtime libraries

      • 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4156)
    • Process drops python dynamic module

      • 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4156)
    • Loads Python modules

      • 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4644)
    • Application launched itself

      • 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4156)
      • powershell.exe (PID: 5564)
    • Process drops legitimate windows executable

      • 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4156)
    • BASE64 encoded PowerShell command has been detected

      • 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4644)
      • powershell.exe (PID: 5564)
    • Starts POWERSHELL.EXE for commands execution

      • 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4644)
      • powershell.exe (PID: 5564)
      • cmd.exe (PID: 3780)
    • Base64-obfuscated command line is found

      • 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4644)
      • powershell.exe (PID: 5564)
    • The process creates files with name similar to system file names

      • 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4644)
      • LIME RAT.exe (PID: 5764)
      • svchost.exe (PID: 5456)
    • There is functionality for taking screenshot (YARA)

      • 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4156)
      • 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4644)
    • Executing commands from a ".bat" file

      • 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4644)
    • Starts CMD.EXE for commands execution

      • 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4644)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 3780)
    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 5172)
    • Reads the date of Windows installation

      • xx-svchost.exe (PID: 3788)
    • Reads security settings of Internet Explorer

      • xx-svchost.exe (PID: 3788)
      • LIME RAT.exe (PID: 5764)
    • Reads the Windows owner or organization settings

      • SWAInstaller.tmp (PID: 6936)
    • The executable file from the user directory is run by the CMD process

      • xx-svchost.exe (PID: 3788)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 5900)
      • schtasks.exe (PID: 1512)
      • schtasks.exe (PID: 2972)
      • schtasks.exe (PID: 4084)
      • schtasks.exe (PID: 4460)
      • schtasks.exe (PID: 4960)
      • schtasks.exe (PID: 1508)
      • schtasks.exe (PID: 6428)
      • schtasks.exe (PID: 6776)
      • schtasks.exe (PID: 4708)
      • schtasks.exe (PID: 3048)
      • schtasks.exe (PID: 6828)
      • schtasks.exe (PID: 7156)
      • schtasks.exe (PID: 1948)
      • schtasks.exe (PID: 6676)
      • schtasks.exe (PID: 7096)
    • Starts itself from another location

      • LIME RAT.exe (PID: 5764)
    • Connects to unusual port

      • svchost.exe (PID: 5456)
    • The process executes via Task Scheduler

      • svchost.exe (PID: 4580)
      • svchost.exe (PID: 6292)
  • INFO

    • Checks supported languages

      • 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4156)
      • 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4644)
      • xx-svchost.exe (PID: 3788)
      • LIME RAT.exe (PID: 5764)
      • SWAInstaller.exe (PID: 2076)
      • SWAInstaller.tmp (PID: 6936)
      • LIME RAT.exe (PID: 684)
      • svchost.exe (PID: 5456)
      • svchost.exe (PID: 1948)
      • svchost.exe (PID: 5708)
      • svchost.exe (PID: 4580)
      • svchost.exe (PID: 6292)
      • svchost.exe (PID: 4580)
    • Reads the computer name

      • 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4156)
      • SWAInstaller.exe (PID: 2076)
      • SWAInstaller.tmp (PID: 6936)
      • xx-svchost.exe (PID: 3788)
      • LIME RAT.exe (PID: 5764)
      • LIME RAT.exe (PID: 684)
      • svchost.exe (PID: 5456)
      • svchost.exe (PID: 1948)
      • svchost.exe (PID: 4580)
      • svchost.exe (PID: 5708)
      • svchost.exe (PID: 6292)
      • svchost.exe (PID: 4580)
    • Create files in a temporary directory

      • 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4156)
      • SWAInstaller.exe (PID: 2076)
      • SWAInstaller.tmp (PID: 6936)
    • The sample compiled with english language support

      • 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4156)
    • Creates files or folders in the user directory

      • 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4644)
      • xx-svchost.exe (PID: 3788)
      • svchost.exe (PID: 5456)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 5172)
    • PyInstaller has been detected (YARA)

      • 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4156)
      • 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4644)
    • Found Base64 encoded access to Windows Defender via PowerShell (YARA)

      • 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (PID: 4644)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5456)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5456)
    • Process checks computer location settings

      • xx-svchost.exe (PID: 3788)
      • LIME RAT.exe (PID: 5764)
    • Reads the machine GUID from the registry

      • xx-svchost.exe (PID: 3788)
      • LIME RAT.exe (PID: 684)
      • LIME RAT.exe (PID: 5764)
      • svchost.exe (PID: 5456)
      • svchost.exe (PID: 5708)
    • Manual execution by a user

      • LIME RAT.exe (PID: 684)
      • svchost.exe (PID: 1948)
      • svchost.exe (PID: 5708)
      • svchost.exe (PID: 4580)
    • Launching a file from Task Scheduler

      • LIME RAT.exe (PID: 5764)
      • LIME RAT.exe (PID: 684)
      • svchost.exe (PID: 5456)
      • svchost.exe (PID: 1948)
      • svchost.exe (PID: 4580)
      • svchost.exe (PID: 5708)
      • svchost.exe (PID: 6292)
      • svchost.exe (PID: 4580)
    • Detects InnoSetup installer (YARA)

      • SWAInstaller.exe (PID: 2076)
      • SWAInstaller.tmp (PID: 6936)
    • Compiled with Borland Delphi (YARA)

      • SWAInstaller.exe (PID: 2076)
      • SWAInstaller.tmp (PID: 6936)
    • Launching a file from a Registry key

      • svchost.exe (PID: 5456)
    • Launching a file from the Startup directory

      • svchost.exe (PID: 5456)
    • .NET Reactor protector has been detected

      • svchost.exe (PID: 5456)
    • Checks proxy server information

      • slui.exe (PID: 6364)
    • Reads the software policy settings

      • slui.exe (PID: 6364)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:14 19:11:46+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 174592
InitializedDataSize: 99840
UninitializedDataSize: -
EntryPoint: 0xd0d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
217
Monitored processes
86
Malicious processes
10
Suspicious processes
4

Behavior graph

Processes shown in the graph (the interactive graph itself is not reproduced here): 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe, powershell.exe, conhost.exe, cmd.exe, xx-svchost.exe, LIME RAT.exe (#NJRAT), SWAInstaller.exe, SWAInstaller.tmp, schtasks.exe, svchost.exe (#NJRAT), slui.exe.

Process information

PID
CMD
Path
Indicators
Parent process
PID:
436
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
620
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
684
CMD:
"C:\Users\admin\AppData\Local\LIME RAT.exe"
Path:
C:\Users\admin\AppData\Local\LIME RAT.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\lime rat.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
PID:
728
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
760
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1036
CMD:
schtasks /create /tn NYANP /tr "C:\Users\admin\AppData\Local\LIME RAT.exe" /sc minute /mo 5
Path:
C:\Windows\SysWOW64\schtasks.exe
Parent process:
LIME RAT.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID:
1056
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1204
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1332
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1480
CMD:
schtasks /create /tn NYAN /tr "C:\WINDOWS\svchost.exe" /sc minute /mo 1
Path:
C:\Windows\SysWOW64\schtasks.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
Total events
21 247
Read events
21 003
Write events
244
Delete events
0

Modification events

(PID) Process: (5456) svchost.exe
Key: HKEY_CURRENT_USER\Environment
Operation: write
Name: SEE_MASK_NOZONECHECKS
Value: 1

(PID) Process: (5456) svchost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: svchost.exe
Value: "C:\WINDOWS\svchost.exe" ..

(PID) Process: (5456) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: svchost.exe
Value: "C:\WINDOWS\svchost.exe" ..

(PID) Process: (5456) svchost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\svchost.exe
Operation: write
Name: [kl]
Value:

Executable files
71
Suspicious files
5
Text files
14
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 4156
Process: 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI41562\Cryptodome\Cipher\_raw_eksblowfish.pyd
Type: executable
MD5: 1A6B2B8D0ED65C54C609815445D6C45B
SHA256: 3800ED2BEAB7F9C33337A8E9C7B14CCBDC17D538DE8EF35E2B179F9A77F927F4

PID: 4156
Process: 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI41562\Cryptodome\Cipher\_pkcs1_decode.pyd
Type: executable
MD5: 0900E8E081214B321E38C80670BE196E
SHA256: 5ACAE29721A43D32B2602D32BF8CC9F4224191F886894CBB0BC0A4407C4D16FE

PID: 4156
Process: 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI41562\Cryptodome\Cipher\_Salsa20.pyd
Type: executable
MD5: 73D2494C8BCD6738B2767FE7819DF72A
SHA256: 93ECBA417C3E6E0C44DFD0D86D2A04474E0DDDCA5C7835E4802E6139C0A732D4

PID: 4156
Process: 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI41562\Cryptodome\Cipher\_raw_ctr.pyd
Type: executable
MD5: C22F3989DD44FCB927F0E9B2DFE7805D
SHA256: 6BFE4C4637D81D815051B357C0593D9351D9409D28BFB3D87D2FAF89E46C9A30

PID: 4156
Process: 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI41562\Cryptodome\Cipher\_chacha20.pyd
Type: executable
MD5: AE0D9CBAF7463843E438DBCCEF1B27FE
SHA256: F044DF62C4F14E5E7608463D34EC3B5F4229F6F8F3E7EB29F8A1A235079F4296

PID: 4156
Process: 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI41562\Cryptodome\Cipher\_raw_cast.pyd
Type: executable
MD5: 85EF185BC09402AB82F26D77119A8C94
SHA256: DBB5559743D3474D557811366F2B24E4C8CE134D254FDA8F1BFEDE5187F12292

PID: 4156
Process: 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI41562\Cryptodome\Cipher\_raw_arc2.pyd
Type: executable
MD5: 85F63E63DF3607939B73A8DFD6E97378
SHA256: EA0D32C15FFF0FB6FC91F4878DB501C8B92B52A3B09BA73AA53EC0C86BD81AE9

PID: 4156
Process: 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI41562\Cryptodome\Cipher\_raw_aesni.pyd
Type: executable
MD5: 0B2596C23BD2792FA5CDB304417DD36D
SHA256: 2369F44274DC7F03B5F37D77F39BA77EC9146CF53170CB4E9EFC2001197C698F

PID: 4156
Process: 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI41562\Cryptodome\Cipher\_raw_cbc.pyd
Type: executable
MD5: A8CD12651F1F241E6664E92F135072E1
SHA256: B28B5FD2EA3856811AFABF8648628A000A1BE127B07D85B2D08A7A1E7F6045CD

PID: 4156
Process: 2025-06-18_f1e3728e2ceb8f3c627848b240e3d563_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI41562\Cryptodome\Cipher\_raw_blowfish.pyd
Type: executable
MD5: BCD7095AD7E4EDC042D58D4EC72CEA9F
SHA256: 771D467660DC6F6572AEA53A322DA4E0CADB96749AF7E9B995D3846B2A6450B3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
24
DNS requests
7
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3788
RUXIMICS.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3788
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3788
RUXIMICS.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3788
RUXIMICS.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3788
RUXIMICS.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.42
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
published-experience.gl.at.ply.gg
  • 147.185.221.17
unknown
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 52.182.143.209
whitelisted

Threats

PID
Process
Class
Message
2200
svchost.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg)
2200
svchost.exe
Misc activity
ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg)
2200
svchost.exe
Potentially Bad Traffic
ET INFO playit .gg Tunneling Domain in DNS Lookup
No debug info