File name:

2025-05-18_45650fdab667d71f5c188846d3ea7eb5_amadey_elex_rhadamanthys_smoke-loader_urelas

Full analysis: https://app.any.run/tasks/325fbf1c-1f80-4595-8cde-f1af99a508f8
Verdict: Malicious activity
Analysis date: May 18, 2025, 04:50:17
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: urelas, bootkit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed, 3 sections
MD5: 45650FDAB667D71F5C188846D3EA7EB5
SHA1: 648620CE0873A28A4FBCDE928CF9539043D9D6A2
SHA256: 19116846BB899A94E2F7304E1D0AD9D82B7E9AC06D9AEE19C4E285D738A849C5
SSDEEP: 12288:G8T263i00zxoZthdXnG3xRqpNGkPEGlPekO:G8a6y00zx0HG3xRUIkPEGlPeX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • URELAS has been detected

      • 2025-05-18_45650fdab667d71f5c188846d3ea7eb5_amadey_elex_rhadamanthys_smoke-loader_urelas.exe (PID: 7368)
      • cmd.exe (PID: 7432)
      • ojitr.exe (PID: 7412)
    • Connects to the CnC server

      • ojitr.exe (PID: 7412)
    • URELAS mutex has been found

      • ojitr.exe (PID: 7412)
    • URELAS has been detected (YARA)

      • ojitr.exe (PID: 7412)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-18_45650fdab667d71f5c188846d3ea7eb5_amadey_elex_rhadamanthys_smoke-loader_urelas.exe (PID: 7368)
    • Starts itself from another location

      • 2025-05-18_45650fdab667d71f5c188846d3ea7eb5_amadey_elex_rhadamanthys_smoke-loader_urelas.exe (PID: 7368)
    • Reads security settings of Internet Explorer

      • 2025-05-18_45650fdab667d71f5c188846d3ea7eb5_amadey_elex_rhadamanthys_smoke-loader_urelas.exe (PID: 7368)
    • Starts CMD.EXE for command execution

      • 2025-05-18_45650fdab667d71f5c188846d3ea7eb5_amadey_elex_rhadamanthys_smoke-loader_urelas.exe (PID: 7368)
    • Executing commands from a ".bat" file

      • 2025-05-18_45650fdab667d71f5c188846d3ea7eb5_amadey_elex_rhadamanthys_smoke-loader_urelas.exe (PID: 7368)
    • Contacting a server suspected of hosting a CnC

      • ojitr.exe (PID: 7412)
    • Connects to unusual port

      • ojitr.exe (PID: 7412)
  • INFO

    • Creates files in a temporary directory

      • 2025-05-18_45650fdab667d71f5c188846d3ea7eb5_amadey_elex_rhadamanthys_smoke-loader_urelas.exe (PID: 7368)
    • Reads the computer name

      • 2025-05-18_45650fdab667d71f5c188846d3ea7eb5_amadey_elex_rhadamanthys_smoke-loader_urelas.exe (PID: 7368)
      • ojitr.exe (PID: 7412)
    • Checks supported languages

      • ojitr.exe (PID: 7412)
      • 2025-05-18_45650fdab667d71f5c188846d3ea7eb5_amadey_elex_rhadamanthys_smoke-loader_urelas.exe (PID: 7368)
    • Process checks computer location settings

      • 2025-05-18_45650fdab667d71f5c188846d3ea7eb5_amadey_elex_rhadamanthys_smoke-loader_urelas.exe (PID: 7368)
    • Reads the software policy settings

      • slui.exe (PID: 7756)
    • Checks proxy server information

      • slui.exe (PID: 7756)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:09:05 17:02:53+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 110592
InitializedDataSize: 253952
UninitializedDataSize: -
EntryPoint: 0xc9e9
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
Total processes: 124
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes in the graph (labels as given in the report):
  • 2025-05-18_45650fdab667d71f5c188846d3ea7eb5_amadey_elex_rhadamanthys_smoke-loader_urelas.exe (#URELAS)
  • ojitr.exe (#URELAS)
  • cmd.exe (#URELAS, no specs)
  • conhost.exe (no specs)
  • slui.exe

Process information

PID: 7368
CMD: "C:\Users\admin\Desktop\2025-05-18_45650fdab667d71f5c188846d3ea7eb5_amadey_elex_rhadamanthys_smoke-loader_urelas.exe"
Path: C:\Users\admin\Desktop\2025-05-18_45650fdab667d71f5c188846d3ea7eb5_amadey_elex_rhadamanthys_smoke-loader_urelas.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
c:\users\admin\desktop\2025-05-18_45650fdab667d71f5c188846d3ea7eb5_amadey_elex_rhadamanthys_smoke-loader_urelas.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 7412
CMD: "C:\Users\admin\AppData\Local\Temp\ojitr.exe"
Path: C:\Users\admin\AppData\Local\Temp\ojitr.exe
Parent process: 2025-05-18_45650fdab667d71f5c188846d3ea7eb5_amadey_elex_rhadamanthys_smoke-loader_urelas.exe
User: admin
Integrity Level: MEDIUM
Modules (Images):
c:\users\admin\appdata\local\temp\ojitr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 7432
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\_uinsey.bat" "
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: 2025-05-18_45650fdab667d71f5c188846d3ea7eb5_amadey_elex_rhadamanthys_smoke-loader_urelas.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 7444
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 7756
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 949
Read events: 3 949
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID: 7368
Process: 2025-05-18_45650fdab667d71f5c188846d3ea7eb5_amadey_elex_rhadamanthys_smoke-loader_urelas.exe
Filename: C:\Users\admin\AppData\Local\Temp\_uinsey.bat
Type: text
MD5: A9CCED34B50432F1C058C655BFA53645
SHA256: 72C920421618448BBB03EC577212D2FDB14217BD24A85C25286352F249004F34

PID: 7368
Process: 2025-05-18_45650fdab667d71f5c188846d3ea7eb5_amadey_elex_rhadamanthys_smoke-loader_urelas.exe
Filename: C:\Users\admin\AppData\Local\Temp\golfinfo.ini
Type: text
MD5: 1C11D0C48739A930E225C8BC339D2C5F
SHA256: CB31093460E9F9B885C40A36A8A78DF096413C961572AC094FC61598A271A993

PID: 7368
Process: 2025-05-18_45650fdab667d71f5c188846d3ea7eb5_amadey_elex_rhadamanthys_smoke-loader_urelas.exe
Filename: C:\Users\admin\AppData\Local\Temp\ojitr.exe
Type: executable
MD5: 9807A44B9BC63E48235BEAD665633B76
SHA256: D2C18154D4FEFD4B24B79611E4F2B8DF64E0F6F6A7E0032F5D4084A237E68473
HTTP(S) requests: 2
TCP/UDP connections: 24
DNS requests: 5
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
4008 | RUXIMICS.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4008 | RUXIMICS.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4008 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4008 | RUXIMICS.exe | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
7412 | ojitr.exe | 218.54.31.226:11110 | - | SK Broadband Co Ltd | KR | malicious
4008 | RUXIMICS.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
7240 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7756 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7412 | ojitr.exe | 1.234.83.146:11170 | - | SK Broadband Co Ltd | KR | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
google.com | 172.217.18.14 | whitelisted
crl.microsoft.com | 2.19.11.120, 2.19.11.105 | whitelisted
www.microsoft.com | 2.23.246.101 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats

PID | Process | Class | Message
7412 | ojitr.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Bootkor Rootkit CnC Communication
7412 | ojitr.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Bootkor Rootkit CnC Communication
No debug info