File name:	2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader
Full analysis:	https://app.any.run/tasks/779d765a-6ef6-43d3-8bfb-650f88cce980
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 18, 2025, 21:06:12
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	loader upx stealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	E1BFA3DD2C8C6C607C139EFF9E1AB653
SHA1:	E1A2CAB5C25F16FD4C4E971ABA5FAF6C8A1A20A3
SHA256:	2B333C6F27D9746ABE51572A9F37802482669823AD2782A4912E4608EE02D05F
SSDEEP:	49152:f6n5W/nI4/H5AMQ7i2g61WX7UIuvJU8tWmbf8+hQAHPAkR0CGss/eg4gYoqBsYgP:AW/I4P5AM+pgcIuvN8mYFAvAkR0CGsV8

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:07:13 09:03:11+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	423424
InitializedDataSize:	1051648
UninitializedDataSize:	-
EntryPoint:	0x4d203
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	6.6.0.1060
ProductVersionNumber:	6.6.0.1060
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Qihoo 360 Technology Co. Ltd.
FileDescription:	360 Total Security Online Installer
FileVersion:	6, 6, 0, 1060
InternalName:	360Installer
LegalCopyright:	(C) Qihoo 360 Technology Co. Ltd., All rights reserved.
OriginalFileName:	360Installer.exe
ProductName:	360 Total Security Online Installer
ProductVersion:	6, 6, 0, 1060


(PID) Process:	(7520) 2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\360Safe\Liveup
Operation:	write	Name:	mid
Value: 80342cb959da2233832ae840f019ccba8b56b331eb673be97c52113eab1cd1bc
(PID) Process:	(7520) 2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\LiveUpdate360
Operation:	write	Name:	proxytype
Value: 1
(PID) Process:	(7520) 2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(7520) 2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(7520) 2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(7520) 2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(7520) 2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(7520) 2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(7520) 2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(7520) 2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0

PID	Process	Filename		Type
7520	2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	C:\Users\admin\Desktop\360TS_Setup.exe.P2P		—
		MD5:—	SHA256:—
7520	2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	C:\Users\admin\Desktop\360TS_Setup.exe		—
		MD5:—	SHA256:—
6156	360TS_Setup.exe	C:\Program Files (x86)\1745010462_0\360TS_Setup.exe		—
		MD5:—	SHA256:—
4980	360TS_Setup.exe	C:\Users\admin\AppData\Local\Temp\360_install_20250418210745_1182375\temp.7z		—
		MD5:—	SHA256:—
7520	2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\{3B77B6C5-87E6-4303-AD82-9FA459F0839F}.tmp		image
		MD5:B1DDD3B1895D9A3013B843B3702AC2BD	SHA256:46CDA5AD256BF373F5ED0B2A20EFA5275C1FFD96864C33F3727E76A3973F4B3C
7520	2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\C__Users_admin_AppData_Local_Temp_!@tCAF3.tmp.mem		binary
		MD5:D6DE318D2AD70DC81A8B52B8586A03E0	SHA256:CFAE85FF290B42C99BEE61BB949356E354BD51D74E3D90F215D840C6A9D4EC02
7520	2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\!@tCAF3.tmp.P2P		compressed
		MD5:2FC638705CE85DC1F3D643A7D4D57442	SHA256:46D06E129954380204A1EEC5B1731E113CB32645AF5EA5C2872391D4AC9E50EC
7520	2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\{F50E1640-4662-496a-B399-4E0BA377581F}.tmp\360P2SP.dll		executable
		MD5:FC1796ADD9491EE757E74E65CEDD6AE7	SHA256:BF1B96F5B56BE51E24D6314BC7EC25F1BDBA2435F4DFC5BE87DE164FE5DE9E60
7520	2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	C:\Program Files\Common Files\System\symsrv.dll		executable
		MD5:7574CF2C64F35161AB1292E2F532AABF	SHA256:DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085
7520	2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\{8A18EB07-D4D6-4666-83DD-F0D2A0B92993}.tmp		compressed
		MD5:7D883E7A121DD2A690E3A04BB196DA6F	SHA256:9A54E77EDD072495D1A9C0BBA781F14C63F344EAAFA4F466D3DE770979691410

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	23.216.77.8:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4164	RUXIMICS.exe	GET	200	23.216.77.8:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7520	2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	GET	200	151.236.71.147:80	http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cab	unknown	—	—	whitelisted
7520	2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	GET	200	52.29.179.141:80	http://s.360safe.com/360ts/mini_inst.htm?ver=6.6.0.1060&pid=WW.MEmu.CPI202310&os=10.0&mid=80342cb959da2233832ae840f019ccba&state=153	unknown	—	—	whitelisted
7520	2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	GET	200	52.29.179.141:80	http://s.360safe.com/safei18n/dimana.htm?lr=1&mid=80342cb959da2233832ae840f019ccba&mod=360Installer.exe&ph=02a8342074eb25c8adb2d135e2bab7e5&p2p=1&t_id=360TS_Setup_For_Mini.cab&tads=656&tdl=656&tds=656&terr=0&tes=Status\|1,ErrorCode\|0,DnCount\|6,HttpNum\|1,DnFailCount\|6,FStatus\|1,P2SS\|656,P2PS\|0,PDMode\|2&tfl=656&tp=t&tst=1&ttdl=656&ttm=1000&ttup=120&vh=1.3.0.1361&vp=1.3.0.1320&softname=360TS	unknown	—	—	whitelisted
7520	2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	GET	403	45.56.79.23:80	http://www.aieov.com/logo.gif	unknown	—	—	malicious
7520	2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	GET	—	104.192.108.20:80	http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1185.exe	unknown	—	—	whitelisted
7520	2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	GET	200	108.138.24.16:80	http://sd.p.360safe.com/FA1A0875EF2B3DDC65617C494EA48F451559B187.trt	unknown	—	—	whitelisted
7520	2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	GET	—	104.192.108.21:80	http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1185.exe	unknown	—	—	whitelisted
7520	2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	GET	—	104.192.108.21:80	http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1185.exe	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4164	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2104	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
7520	2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	54.76.174.118:80	tr.p.360safe.com	—	—	whitelisted
2104	svchost.exe	23.216.77.8:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6544	svchost.exe	20.190.160.130:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4164	RUXIMICS.exe	23.216.77.8:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
7520	2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	54.77.42.29:3478	st.p.360safe.com	—	—	whitelisted

Domain	IP	Reputation
google.com	142.250.184.238	whitelisted
crl.microsoft.com	23.216.77.8 23.216.77.16 23.216.77.6 23.216.77.9 23.216.77.13 23.216.77.4 23.216.77.18 23.216.77.11 23.216.77.15 23.216.77.35 23.216.77.42 23.216.77.39 23.216.77.41 23.216.77.37 23.216.77.43	whitelisted
login.live.com	20.190.160.130 40.126.32.76 20.190.160.17 20.190.160.131 20.190.160.67 20.190.160.128 20.190.160.66 40.126.32.68	whitelisted
st.p.360safe.com	54.77.42.29	whitelisted
s.360safe.com	52.29.179.141 18.184.178.29	whitelisted
iup.360safe.com	151.236.71.147	whitelisted
tr.p.360safe.com	54.76.174.118	whitelisted
5isohu.com	—	whitelisted
www.aieov.com	45.56.79.23 45.33.20.235 45.33.23.183 96.126.123.244 45.79.19.196 45.33.2.79 173.255.194.134 72.14.185.43 45.33.18.44 45.33.30.197 72.14.178.174 198.58.118.167	malicious
int.down.360safe.com	104.192.108.17 104.192.108.20 104.192.108.21	whitelisted

PID	Process	Class	Message
7520	2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	Malware Command and Control Activity Detected	MALWARE [ANY.RUN] Possible Floxif CnC Communication
7520	2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
7520	2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	Misc activity	ET INFO Packed Executable Download
7520	2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	Malware Command and Control Activity Detected	MALWARE [ANY.RUN] Possible Floxif CnC Communication
7520	2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	Malware Command and Control Activity Detected	MALWARE [ANY.RUN] Possible Floxif CnC Communication
7520	2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	Malware Command and Control Activity Detected	MALWARE [ANY.RUN] Possible Floxif CnC Communication
7520	2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	Malware Command and Control Activity Detected	MALWARE [ANY.RUN] Possible Floxif CnC Communication
7520	2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader.exe	Malware Command and Control Activity Detected	MALWARE [ANY.RUN] Possible Floxif CnC Communication

General Info

2025-04-18_e1bfa3dd2c8c6c607c139eff9e1ab653_amadey_elex_floxif_remcos_smoke-loader

E1BFA3DD2C8C6C607C139EFF9E1AB653

E1A2CAB5C25F16FD4C4E971ABA5FAF6C8A1A20A3

2B333C6F27D9746ABE51572A9F37802482669823AD2782A4912E4608EE02D05F

49152:f6n5W/nI4/H5AMQ7i2g61WX7UIuvJU8tWmbf8+hQAHPAkR0CGss/eg4gYoqBsYgP:AW/I4P5AM+pgcIuvN8mYFAvAkR0CGsV8

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Connects to the CnC server

Actions looks like stealing of personal data

SUSPICIOUS

Executable content was dropped or overwritten

Process drops legitimate windows executable

Contacting a server suspected of hosting an CnC

Potential Corporate Privacy Violation

Reads security settings of Internet Explorer

Process requests binary or script from the Internet

Starts itself from another location

Creates file in the systems drive root

Drops 7-zip archiver for unpacking

There is functionality for taking screenshot (YARA)

Drops a system driver (possible attempt to evade defenses)

The process verifies whether the antivirus software is installed

INFO

The sample compiled with english language support

Disables trace logs

Checks supported languages

Checks proxy server information

Creates files or folders in the user directory

Create files in a temporary directory

Creates files in the program directory

Reads the computer name

UPX packer has been detected

Process checks computer location settings

The sample compiled with chinese language support

Reads the machine GUID from the registry

Reads the software policy settings

The sample compiled with turkish language support

The sample compiled with russian language support

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings