File name:

2025-05-19_f8e385878607fe97b785bf101f4758c0_amadey_elex_smoke-loader_stealc

Full analysis: https://app.any.run/tasks/53a40ac2-5014-4035-9c11-d3765c03ad33
Verdict: Malicious activity
Analysis date: May 19, 2025, 04:38:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
urelas
bootkit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, PECompact2 compressed, 3 sections
MD5:

F8E385878607FE97B785BF101F4758C0

SHA1:

F949F394F2A3396AA4280F0FDDEB55A7435FA4A0

SHA256:

330FA40C54CCC6D3A1312916FBA1FC1334B4E95C1B0405EA75DD060E5D513627

SSDEEP:

12288:h85Gqsk8Ys2khyDbFyvoHvHQLmswpOH5QxW:h85Ge5bFyvoPHQqswpOH5QxW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • URELAS has been detected

      • 2025-05-19_f8e385878607fe97b785bf101f4758c0_amadey_elex_smoke-loader_stealc.exe (PID: 6708)
      • cmd.exe (PID: 2236)
      • pamob.exe (PID: 6800)

    • URELAS mutex has been found

      • pamob.exe (PID: 6800)

    • URELAS has been detected (YARA)

      • pamob.exe (PID: 6800)

    • Connects to the CnC server

      • pamob.exe (PID: 6800)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-19_f8e385878607fe97b785bf101f4758c0_amadey_elex_smoke-loader_stealc.exe (PID: 6708)

    • Starts itself from another location

      • 2025-05-19_f8e385878607fe97b785bf101f4758c0_amadey_elex_smoke-loader_stealc.exe (PID: 6708)

    • Reads security settings of Internet Explorer

      • 2025-05-19_f8e385878607fe97b785bf101f4758c0_amadey_elex_smoke-loader_stealc.exe (PID: 6708)

    • Starts CMD.EXE for commands execution

      • 2025-05-19_f8e385878607fe97b785bf101f4758c0_amadey_elex_smoke-loader_stealc.exe (PID: 6708)

    • Executing commands from a ".bat" file

      • 2025-05-19_f8e385878607fe97b785bf101f4758c0_amadey_elex_smoke-loader_stealc.exe (PID: 6708)

    • There is functionality for taking screenshot (YARA)

      • pamob.exe (PID: 6800)

    • Connects to unusual port

      • pamob.exe (PID: 6800)

    • Contacting a server suspected of hosting an CnC

      • pamob.exe (PID: 6800)

  • INFO

    • Create files in a temporary directory

      • 2025-05-19_f8e385878607fe97b785bf101f4758c0_amadey_elex_smoke-loader_stealc.exe (PID: 6708)

    • Process checks computer location settings

      • 2025-05-19_f8e385878607fe97b785bf101f4758c0_amadey_elex_smoke-loader_stealc.exe (PID: 6708)

    • Checks supported languages

      • pamob.exe (PID: 6800)
      • 2025-05-19_f8e385878607fe97b785bf101f4758c0_amadey_elex_smoke-loader_stealc.exe (PID: 6708)

    • Reads the computer name

      • 2025-05-19_f8e385878607fe97b785bf101f4758c0_amadey_elex_smoke-loader_stealc.exe (PID: 6708)
      • pamob.exe (PID: 6800)

    • Reads the software policy settings

      • slui.exe (PID: 2692)

    • Checks proxy server information

      • slui.exe (PID: 2692)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (33)
.exe | Win32 Executable MS Visual C++ (generic) (23.9)
.exe | Win64 Executable (generic) (21.2)
.scr | Windows screen saver (10)
.dll | Win32 Dynamic Link Library (generic) (5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:10:09 07:43:47+00:00
ImageFileCharacteristics: Executable, 32-bit, No debug
PEType: PE32
LinkerVersion: 9
CodeSize: 156160
InitializedDataSize: 330240
UninitializedDataSize: -
EntryPoint: 0x14b40
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
130
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #URELAS 2025-05-19_f8e385878607fe97b785bf101f4758c0_amadey_elex_smoke-loader_stealc.exe #URELAS pamob.exe #URELAS cmd.exe no specs conhost.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2236C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\_uinsey.bat" "C:\Windows\SysWOW64\cmd.exe
2025-05-19_f8e385878607fe97b785bf101f4758c0_amadey_elex_smoke-loader_stealc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2692C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
3096\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6708"C:\Users\admin\Desktop\2025-05-19_f8e385878607fe97b785bf101f4758c0_amadey_elex_smoke-loader_stealc.exe" C:\Users\admin\Desktop\2025-05-19_f8e385878607fe97b785bf101f4758c0_amadey_elex_smoke-loader_stealc.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-05-19_f8e385878607fe97b785bf101f4758c0_amadey_elex_smoke-loader_stealc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6800"C:\Users\admin\AppData\Local\Temp\pamob.exe" C:\Users\admin\AppData\Local\Temp\pamob.exe
2025-05-19_f8e385878607fe97b785bf101f4758c0_amadey_elex_smoke-loader_stealc.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\pamob.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
3 943
Read events
3 943
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
67082025-05-19_f8e385878607fe97b785bf101f4758c0_amadey_elex_smoke-loader_stealc.exeC:\Users\admin\AppData\Local\Temp\golfinfo.initext
MD5:B9F1E95F176FF28A6A16AEDE93E90039
SHA256:8111AAE9FF3C3A121EF89E144EB9B57FE6FB407B681EF12984127E88F8CF6CB5
67082025-05-19_f8e385878607fe97b785bf101f4758c0_amadey_elex_smoke-loader_stealc.exeC:\Users\admin\AppData\Local\Temp\pamob.exeexecutable
MD5:60703426C73856C050134617C9B751D7
SHA256:F7EA83E50E1AC41E213720E64A4B0A01D56A5538FD854BF9FE7B0095739594D2
67082025-05-19_f8e385878607fe97b785bf101f4758c0_amadey_elex_smoke-loader_stealc.exeC:\Users\admin\AppData\Local\Temp\_uinsey.battext
MD5:6428FEEDF67676EF88877A7E9E4779E6
SHA256:96774AD84287B14A217661F16989812C6D45957FF3BE18F21AC86DB9295397BC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
52
DNS requests
18
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.216.77.42:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3100
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
3100
SIHClient.exe
GET
200
2.20.245.139:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
3100
SIHClient.exe
GET
200
2.20.245.139:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
3100
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
3100
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
3100
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
3100
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
23.216.77.42:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.128:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6800
pamob.exe
218.54.31.226:11110
SK Broadband Co Ltd
KR
malicious
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.216.77.42
  • 23.216.77.28
  • 23.216.77.6
  • 23.216.77.20
  • 2.20.245.139
  • 2.20.245.137
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 2.23.246.101
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.128
  • 20.190.160.64
  • 40.126.32.74
  • 40.126.32.72
  • 20.190.160.131
  • 20.190.160.2
  • 20.190.160.66
  • 20.190.160.20
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.30
whitelisted

Threats

PID
Process
Class
Message
6800
pamob.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Bootkor Rootkit CnC Communication
6800
pamob.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Bootkor Rootkit CnC Communication
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-19_f8e385878607fe97b785bf101f4758c0_amadey_elex_smoke-loader_stealc