File name:	2025-08-01_22b5feffb409d79b8dff56ff44d4c67e_amadey_elex_redline-stealer_rhadamanthys_smoke-loader_stop.exe
Full analysis:	https://app.any.run/tasks/f9133b5b-bce7-4932-90dd-a83bccc2764a
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions. Malware Trends Tracker >>>
Analysis date:	August 01, 2025, 03:03:27
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	sality sainbox rat upx
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	22B5FEFFB409D79B8DFF56FF44D4C67E
SHA1:	E40FA49461749E1035A64FA1F78C4D58395DF1DE
SHA256:	0B8F57BCB286AC33D4A81CA44E733F6C25F395732BA99756086215FF44894631
SSDEEP:	3072:c/phWipsYpgdWPoEAW5RwUVu+xIqN77ajnwoS9QAcnIU4lqFRXR/3:sbbsYpgdD+78+i2yDwo4QdIU4lu/3

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2013:11:23 01:58:19+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	32256
InitializedDataSize:	109056
UninitializedDataSize:	-
EntryPoint:	0x1725
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI


(PID) Process:	(7052) f9133b5b-bce7-4932-90dd-a83bccc2764a.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Operation:	write	Name:	Hidden
Value: 2
(PID) Process:	(7052) f9133b5b-bce7-4932-90dd-a83bccc2764a.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	GlobalUserOffline
Value: 0
(PID) Process:	(7052) f9133b5b-bce7-4932-90dd-a83bccc2764a.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tvidl
Operation:	write	Name:	a1_0
Value:
(PID) Process:	(7052) f9133b5b-bce7-4932-90dd-a83bccc2764a.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tvidl
Operation:	write	Name:	a2_0
Value: 6868
(PID) Process:	(7052) f9133b5b-bce7-4932-90dd-a83bccc2764a.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tvidl
Operation:	write	Name:	a3_0
Value: 17001001
(PID) Process:	(7052) f9133b5b-bce7-4932-90dd-a83bccc2764a.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tvidl
Operation:	write	Name:	a4_0
Value: 0
(PID) Process:	(7052) f9133b5b-bce7-4932-90dd-a83bccc2764a.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tvidl
Operation:	write	Name:	a1_1
Value:
(PID) Process:	(7052) f9133b5b-bce7-4932-90dd-a83bccc2764a.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tvidl
Operation:	write	Name:	a2_1
Value:
(PID) Process:	(7052) f9133b5b-bce7-4932-90dd-a83bccc2764a.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tvidl
Operation:	write	Name:	a3_1
Value:
(PID) Process:	(7052) f9133b5b-bce7-4932-90dd-a83bccc2764a.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tvidl
Operation:	write	Name:	a4_1
Value:

PID	Process	Filename		Type
7052	f9133b5b-bce7-4932-90dd-a83bccc2764a.exe	C:\Users\admin\AppData\Local\Temp\winftoc.exe		executable
		MD5:B360FA63134A63F9ACFE046D2DFE10D9	SHA256:03E0C6C4CA8A24F961477887763397045E67862E059F7494014AEFC21891D40E

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5944	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4168	RUXIMICS.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
4168	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	20.106.86.13:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5944	MoUsoCoreWorker.exe	20.106.86.13:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4168	RUXIMICS.exe	20.106.86.13:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5944	MoUsoCoreWorker.exe	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4168	RUXIMICS.exe	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5944	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
1268	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.106.86.13 40.127.240.158	whitelisted
google.com	142.250.185.78	whitelisted
crl.microsoft.com	2.16.164.49 2.16.164.120	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
self.events.data.microsoft.com	20.189.173.28	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

General Info

2025-08-01_22b5feffb409d79b8dff56ff44d4c67e_amadey_elex_redline-stealer_rhadamanthys_smoke-loader_stop.exe

22B5FEFFB409D79B8DFF56FF44D4C67E

E40FA49461749E1035A64FA1F78C4D58395DF1DE

0B8F57BCB286AC33D4A81CA44E733F6C25F395732BA99756086215FF44894631

3072:c/phWipsYpgdWPoEAW5RwUVu+xIqN77ajnwoS9QAcnIU4lqFRXR/3:sbbsYpgdD+78+i2yDwo4QdIU4lu/3

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SALITY has been detected

Changes appearance of the Explorer extensions

SALITY mutex has been found

SAINBOX has been detected

SUSPICIOUS

Executable content was dropped or overwritten

INFO

Reads the computer name

Checks supported languages

Create files in a temporary directory

UPX packer has been detected

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings