General
-
Target
2025-05-07_328a7f42e4033ebf33c21d5c300a5066_black-basta_cobalt-strike_hijackloader_satacom
-
Size
392KB
-
Sample
250507-kfje9ahq3t
-
MD5
328a7f42e4033ebf33c21d5c300a5066
-
SHA1
83983a524d727c90ae55617689f67762cf8d4f7d
-
SHA256
8786d575ee157dfc892891374737cb6290aa4ed8a1a3e71b8edfd0d0d1e2e2de
-
SHA512
ff4aa4e6a667a2257fb6e8c7f2b78d40af7f55c50da82415ae253dda1c306a43f179323f33acd4032531d0a6a164c326f15ec7f7f01432eb763fdb5d54ca5a73
-
SSDEEP
6144:MU7NUr7+n700aYThVuCNOeZz/3l+ME/ap1dXohkGJ:1M7O0GuCNR9Xon
Static task
static1
Behavioral task
behavioral1
Sample
2025-05-07_328a7f42e4033ebf33c21d5c300a5066_black-basta_cobalt-strike_hijackloader_satacom.exe
Resource
win10v2004-20250502-en
Malware Config
Extracted
phorphiex
http://185.156.72.39
185.156.72.39
Extracted
phorphiex
http://185.156.72.39/
http://185.215.113.66/
TW3wpRJmZgC5WifuY468JBUCF3TEkzBT5H
qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9
AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z
LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT
MF6iVGLmErYP9y4B9SwtzarDoy3ETSzYrh
4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK
XryzFMFVpDUvU7famUGf214EXD3xNUSmQf
0x46e5cc402BC848ceC9f4d65c9B48aE7D7A24821B
15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC
1B8FF5WwJXNnjkVzxgPkAznVZ8uKb3Watx
ltc1qyfzdpxky7q2grz4zmqv5x0t0uwfuznl5u43c93
3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc
3GcQJkfHq7NWgBhhNKjz7uSfM6LzADpLvX
CSLKveRL2zqkbV2TqiFVuW6twtpqgFajoUZLAJQTTQk2
DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA
t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh
stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj
bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2
bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr
bc1q9tgkga69k094n5v0pn7ewmpp2kn66sh9hu65gq
GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3
bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
-
mutex
h7g5df54sdf
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Targets
-
-
Target
2025-05-07_328a7f42e4033ebf33c21d5c300a5066_black-basta_cobalt-strike_hijackloader_satacom
-
Size
392KB
-
MD5
328a7f42e4033ebf33c21d5c300a5066
-
SHA1
83983a524d727c90ae55617689f67762cf8d4f7d
-
SHA256
8786d575ee157dfc892891374737cb6290aa4ed8a1a3e71b8edfd0d0d1e2e2de
-
SHA512
ff4aa4e6a667a2257fb6e8c7f2b78d40af7f55c50da82415ae253dda1c306a43f179323f33acd4032531d0a6a164c326f15ec7f7f01432eb763fdb5d54ca5a73
-
SSDEEP
6144:MU7NUr7+n700aYThVuCNOeZz/3l+ME/ap1dXohkGJ:1M7O0GuCNR9Xon
-
Phorphiex family
-
Phorphiex payload
-
Xmrig family
-
XMRig Miner payload
-
Creates new service(s)
-
Downloads MZ/PE file
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1