File name:

2025-04-29_04a157916954cd7b2633abd0b7b94805_elex_karagany_mafia_rhadamanthys_wapomi

Full analysis: https://app.any.run/tasks/9fff3471-bbb8-4e12-9a44-a3740ff01544
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Malware Trends Tracker     >>>
Analysis date: April 29, 2025, 19:50:38
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
backdoor
bdaejec
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (console) Intel 80386, for MS Windows, 6 sections
MD5:

04A157916954CD7B2633ABD0B7B94805

SHA1:

9302D901C12ADB66E174AE4C84069AC6FD9558C4

SHA256:

209132378502066BC62F13A83B1165E5B0C972C5A70031698179DEE6B41CAB5B

SSDEEP:

3072:kOdVyI7bHP/hbCSFRSiEe/j11/AYKHvMPHQKc7UaERPv0dqb+EhFLB1a1ApmeRpK:kOdVyI7b3XFRdEmOHvMPfcY0qbWy9g

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-04-29_04a157916954cd7b2633abd0b7b94805_elex_karagany_mafia_rhadamanthys_wapomi.exe (PID: 920)

    • Reads security settings of Internet Explorer

      • RmD.exe (PID: 6768)

    • Executing commands from a ".bat" file

      • RmD.exe (PID: 6768)

    • Starts CMD.EXE for commands execution

      • RmD.exe (PID: 6768)

    • Connects to unusual port

      • RmD.exe (PID: 6768)

  • INFO

    • Checks supported languages

      • 2025-04-29_04a157916954cd7b2633abd0b7b94805_elex_karagany_mafia_rhadamanthys_wapomi.exe (PID: 920)
      • RmD.exe (PID: 6768)

    • Create files in a temporary directory

      • 2025-04-29_04a157916954cd7b2633abd0b7b94805_elex_karagany_mafia_rhadamanthys_wapomi.exe (PID: 920)
      • RmD.exe (PID: 6768)

    • Reads the computer name

      • RmD.exe (PID: 6768)

    • Checks proxy server information

      • RmD.exe (PID: 6768)
      • slui.exe (PID: 1388)

    • Process checks computer location settings

      • RmD.exe (PID: 6768)

    • Reads the software policy settings

      • slui.exe (PID: 1388)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:06:21 21:07:43+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10.1
CodeSize: 112128
InitializedDataSize: 30720
UninitializedDataSize: -
EntryPoint: 0x26000
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
130
Monitored processes
6
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start 2025-04-29_04a157916954cd7b2633abd0b7b94805_elex_karagany_mafia_rhadamanthys_wapomi.exe conhost.exe no specs rmd.exe cmd.exe no specs conhost.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
920"C:\Users\admin\Desktop\2025-04-29_04a157916954cd7b2633abd0b7b94805_elex_karagany_mafia_rhadamanthys_wapomi.exe" C:\Users\admin\Desktop\2025-04-29_04a157916954cd7b2633abd0b7b94805_elex_karagany_mafia_rhadamanthys_wapomi.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\2025-04-29_04a157916954cd7b2633abd0b7b94805_elex_karagany_mafia_rhadamanthys_wapomi.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
1388C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1812\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3888\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe2025-04-29_04a157916954cd7b2633abd0b7b94805_elex_karagany_mafia_rhadamanthys_wapomi.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6768C:\Users\admin\AppData\Local\Temp\RmD.exeC:\Users\admin\AppData\Local\Temp\RmD.exe
2025-04-29_04a157916954cd7b2633abd0b7b94805_elex_karagany_mafia_rhadamanthys_wapomi.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6876C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\6a41076d.bat" "C:\Windows\SysWOW64\cmd.exeRmD.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
4 100
Read events
4 096
Write events
4
Delete events
0

Modification events

(PID) Process:(6768) RmD.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(6768) RmD.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(6768) RmD.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(6768) RmD.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\GTplus
Operation:writeName:Time
Value:
7E20930140B9DB01
Executable files
1
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
9202025-04-29_04a157916954cd7b2633abd0b7b94805_elex_karagany_mafia_rhadamanthys_wapomi.exeC:\Users\admin\AppData\Local\Temp\RmD.exeexecutable
MD5:56B2C3810DBA2E939A8BB9FA36D3CF96
SHA256:4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07
6768RmD.exeC:\Users\admin\AppData\Local\Temp\6a41076d.battext
MD5:07B9C4B9894AA2406B3BE80344E2802B
SHA256:D6785A6D6E475B1434C48A116D7F114EFBA2CBD452E3D0D9A32CA72F67FFADED
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
37
TCP/UDP connections
59
DNS requests
19
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6768
RmD.exe
GET
502
3.229.117.57:799
http://ddos.dnsnb8.net:799/cj//k1.rar
unknown
malicious
6768
RmD.exe
GET
502
3.229.117.57:799
http://ddos.dnsnb8.net:799/cj//k1.rar
unknown
malicious
6768
RmD.exe
GET
502
3.229.117.57:799
http://ddos.dnsnb8.net:799/cj//k1.rar
unknown
malicious
2104
svchost.exe
GET
200
23.216.77.11:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6768
RmD.exe
GET
502
3.229.117.57:799
http://ddos.dnsnb8.net:799/cj//k1.rar
unknown
malicious
2104
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6768
RmD.exe
GET
502
3.229.117.57:799
http://ddos.dnsnb8.net:799/cj//k1.rar
unknown
malicious
GET
200
20.109.210.53:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
5204
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5204
SIHClient.exe
GET
200
23.216.77.29:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6768
RmD.exe
3.229.117.57:799
ddos.dnsnb8.net
AMAZON-AES
US
malicious
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
23.216.77.11:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6544
svchost.exe
40.126.31.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.110
whitelisted
ddos.dnsnb8.net
  • 3.229.117.57
malicious
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.249
whitelisted
crl.microsoft.com
  • 23.216.77.11
  • 23.216.77.9
  • 23.216.77.42
  • 23.216.77.21
  • 23.216.77.18
  • 23.216.77.5
  • 23.216.77.10
  • 23.216.77.29
  • 23.216.77.25
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
login.live.com
  • 40.126.31.131
  • 20.190.159.131
  • 20.190.159.71
  • 20.190.159.2
  • 20.190.159.23
  • 40.126.31.0
  • 20.190.159.4
  • 40.126.31.69
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
SUSPICIOUS [ANY.RUN] Domain previously seen in multiple payload deliveries (ddos .dnsnb8 .net)
6768
RmD.exe
A Network Trojan was detected
BACKDOOR [ANY.RUN] Bdaejec Backdoor (download .rar)
6768
RmD.exe
A Network Trojan was detected
BACKDOOR [ANY.RUN] Bdaejec Backdoor (download .rar)
6768
RmD.exe
A Network Trojan was detected
BACKDOOR [ANY.RUN] Bdaejec Backdoor (download .rar)
6768
RmD.exe
A Network Trojan was detected
BACKDOOR [ANY.RUN] Bdaejec Backdoor (download .rar)
6768
RmD.exe
A Network Trojan was detected
BACKDOOR [ANY.RUN] Bdaejec Backdoor (download .rar)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-04-29_04a157916954cd7b2633abd0b7b94805_elex_karagany_mafia_rhadamanthys_wapomi