File name:	2025-07-06_8af8453dad2d2259516e73b8c3d0031c_amadey_elex_rhadamanthys_sakula_smoke-loader_stop
Full analysis:	https://app.any.run/tasks/09c6e400-6a75-447b-ad3f-c75aed014cb9
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	July 06, 2025, 02:40:47
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	rat mivast sakula auto-reg
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	8AF8453DAD2D2259516E73B8C3D0031C
SHA1:	96071D7C114446818E9774099B7156B8EABD158A
SHA256:	13283FF066C8694056E5A9D5A45DA5267DB3BB8573B7A4433AD1773A51F3D819
SSDEEP:	1536:IDFdm050yuiRUkzTs4sGXOnjENkZYYeCCIjTX2aJEVHuc5xAE5d:2FuiRUfMOnINkZYFIjTX2E6uc5/

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2013:02:05 04:03:07+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	56320
InitializedDataSize:	33792
UninitializedDataSize:	-
EntryPoint:	0x473a
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI


(PID) Process:	(5140) MediaCenter.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5140) MediaCenter.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5140) MediaCenter.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2044) 2025-07-06_8af8453dad2d2259516e73b8c3d0031c_amadey_elex_rhadamanthys_sakula_smoke-loader_stop.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	MicroMedia
Value: C:\Users\admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
(PID) Process:	(6668) MediaCenter.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6668) MediaCenter.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6668) MediaCenter.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
6668	MediaCenter.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\qrfxgbctwtyywyq649566714[1].htm		html
		MD5:7F0E8FF9765F34269D859E6198CC1108	SHA256:6C2D0A5410D42488163C459AB37C81ADCD869D5A654F91232DA18D32525CFA5B
2044	2025-07-06_8af8453dad2d2259516e73b8c3d0031c_amadey_elex_rhadamanthys_sakula_smoke-loader_stop.exe	C:\Users\admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe		executable
		MD5:9AEF3D7E33BC80CF9E5E299CD93EB729	SHA256:A348CF74F3FAC5889CA7790AB4B08FA33BD9AFDD15A7EC1A14404556E27873B2
6668	MediaCenter.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\viewphoto[1].htm		html
		MD5:F5124FFD5F6388311A70F93219B9A77C	SHA256:BFFD7B5FD8AB16CD6251ED37B1A19AD5DE4D2D59FF9D97B8E53981FDC7AEAC4E
5140	MediaCenter.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\viewphoto[1].htm		html
		MD5:13B67D12AC059EF0F76F4CFE3211E4C7	SHA256:9AB19DB276B1DCFA7C31D857991315C8A642F56E37215FBFC724BF70F6A06C8C
5140	MediaCenter.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\qrfxgbctwtyywyq649566714[1].htm		html
		MD5:EE31D90B13D310E503A9DC1FDBD7321D	SHA256:0A1BBD03BEDEF1777A8AE7562E644E6ECE26CD4FD360CB5017262D8EC3FF3881

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5504	RUXIMICS.exe	GET	200	2.20.245.139:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	2.20.245.139:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	2.20.245.139:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5504	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5140	MediaCenter.exe	POST	405	13.248.169.48:80	http://www.polarroute.com/newimage.asp?imageid=qrfxgbctwtyywyq649566714&type=0&resid=1532328	unknown	—	—	malicious
5944	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5140	MediaCenter.exe	GET	200	13.248.169.48:80	http://www.polarroute.com/photo/qrfxgbctwtyywyq649566714.jpg?resid=1532796	unknown	—	—	malicious
5140	MediaCenter.exe	GET	200	13.248.169.48:80	http://www.polarroute.com/viewphoto.asp?resid=1533000&photoid=qrfxgbctwtyywyq649566714	unknown	—	—	malicious
6668	MediaCenter.exe	POST	405	13.248.169.48:80	http://www.polarroute.com/newimage.asp?imageid=qrfxgbctwtyywyq649566714&type=0&resid=1540437	unknown	—	—	malicious
6668	MediaCenter.exe	GET	200	13.248.169.48:80	http://www.polarroute.com/photo/qrfxgbctwtyywyq649566714.jpg?resid=1541093	unknown	—	—	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5504	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5504	RUXIMICS.exe	2.20.245.139:80	crl.microsoft.com	Akamai International B.V.	SE	whitelisted
1268	svchost.exe	2.20.245.139:80	crl.microsoft.com	Akamai International B.V.	SE	whitelisted
5944	MoUsoCoreWorker.exe	2.20.245.139:80	crl.microsoft.com	Akamai International B.V.	SE	whitelisted
5504	RUXIMICS.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
1268	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
google.com	142.250.184.238	whitelisted
crl.microsoft.com	2.20.245.139 2.20.245.137	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
www.polarroute.com	13.248.169.48 76.223.54.146	malicious
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
self.events.data.microsoft.com	52.182.143.215	whitelisted

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET HUNTING SUSPICIOUS UA (iexplore)
—	—	Potentially Bad Traffic	ET HUNTING SUSPICIOUS UA (iexplore)
—	—	Malware Command and Control Activity Detected	ET MALWARE Sakula/Mivast RAT CnC Beacon 1
—	—	Malware Command and Control Activity Detected	ET MALWARE Sakula/Mivast RAT CnC Beacon 2
—	—	Potentially Bad Traffic	ET HUNTING SUSPICIOUS UA (iexplore)
—	—	Malware Command and Control Activity Detected	ET MALWARE Sakula/Mivast RAT CnC Beacon 3
—	—	Potentially Bad Traffic	ET HUNTING SUSPICIOUS UA (iexplore)
—	—	Malware Command and Control Activity Detected	ET MALWARE Sakula/Mivast RAT CnC Beacon 1
—	—	Potentially Bad Traffic	ET HUNTING SUSPICIOUS UA (iexplore)
—	—	Potentially Bad Traffic	ET HUNTING SUSPICIOUS UA (iexplore)

General Info

2025-07-06_8af8453dad2d2259516e73b8c3d0031c_amadey_elex_rhadamanthys_sakula_smoke-loader_stop

8AF8453DAD2D2259516E73B8C3D0031C

96071D7C114446818E9774099B7156B8EABD158A

13283FF066C8694056E5A9D5A45DA5267DB3BB8573B7A4433AD1773A51F3D819

1536:IDFdm050yuiRUkzTs4sGXOnjENkZYYeCCIjTX2aJEVHuc5xAE5d:2FuiRUfMOnINkZYFIjTX2E6uc5/

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SAKULA has been detected

Changes the autorun value in the registry

Connects to the CnC server

SAKULA has been detected (SURICATA)

SAKULA has been detected (YARA)

Starts CMD.EXE for self-deleting

SUSPICIOUS

Starts itself from another location

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Contacting a server suspected of hosting an CnC

Starts CMD.EXE for commands execution

INFO

Checks supported languages

Launching a file from a Registry key

Create files in a temporary directory

Reads the computer name

Checks proxy server information

Creates files or folders in the user directory

Manual execution by a user

Process checks computer location settings

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings