Malware Analysis Report

2025-08-05 14:40

Sample ID 250703-f5e2xahq4w
Target 2025-07-03_03c8fee8e519f4ba8b345d1911159d21_black-basta_cobalt-strike_luca-stealer_satacom_vidar
SHA256 6dce3bb278d52d294092c3cfe6511a2505c659fbe0377f673548ff1478fc853c
Tags
pyinstaller ransomware
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 2025-07-03_03c8fee8e519f4ba8b345d1911159d21_black-basta_cobalt-strike_luca-stealer_satacom_vidar was found to show suspicious behavior.

Malicious Activity Summary

pyinstaller ransomware

Loads dropped DLL

Sets desktop wallpaper using registry

Detects Pyinstaller

Unsigned PE

Modifies Control Panel

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2025-07-03 05:27

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-03 05:27

Reported

2025-07-03 05:29

Platform

win10v2004-20250619-en

Max time kernel

105s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-07-03_03c8fee8e519f4ba8b345d1911159d21_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_03c8fee8e519f4ba8b345d1911159d21_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe N/A (10 identical rows)

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\_MEI49442\\trollface.png" C:\Users\Admin\AppData\Local\Temp\2025-07-03_03c8fee8e519f4ba8b345d1911159d21_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\2025-07-03_03c8fee8e519f4ba8b345d1911159d21_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Local\Temp\2025-07-03_03c8fee8e519f4ba8b345d1911159d21_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-03_03c8fee8e519f4ba8b345d1911159d21_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-03_03c8fee8e519f4ba8b345d1911159d21_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe"

C:\Users\Admin\AppData\Local\Temp\2025-07-03_03c8fee8e519f4ba8b345d1911159d21_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-03_03c8fee8e519f4ba8b345d1911159d21_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x320 0x3a0

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp (5 identical rows)
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI49442\python313.dll

C:\Users\Admin\AppData\Local\Temp\_MEI49442\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI49442\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI49442\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI49442\libffi-8.dll

C:\Users\Admin\AppData\Local\Temp\_MEI49442\_wmi.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI49442\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI49442\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI49442\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI49442\_decimal.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI49442\VCRUNTIME140_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI49442\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI49442\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI49442\trollface.png

C:\Users\Admin\AppData\Local\Temp\_MEI49442\mango.wav

C:\Users\Admin\AppData\Local\Temp\_MEI49442\libssl-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI49442\libcrypto-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI49442\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI49442\_bz2.pyd