File name:

2025-05-17_7379d0f0bd5bfe428402b1c7505bbcfb_amadey_elex_smoke-loader_stealc_tofsee

Full analysis: https://app.any.run/tasks/e3a96787-6c6c-415a-a089-2d6c64e9d872
Verdict: Malicious activity
Analysis date: May 17, 2025, 01:19:17
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
urelas
bootkit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, PECompact2 compressed, 3 sections
MD5:

7379D0F0BD5BFE428402B1C7505BBCFB

SHA1:

3A6BCE096379D3E79E9D2CF114FA22466ABBC6CB

SHA256:

3E2BC9965DC1A59D2AA4D77A1066893396CA387D463429FC482D29006BAFF856

SSDEEP:

12288:DMf3I+1Y+QxpRXn2T7UraRMeUd/dP82m/Y9:m33Qd2T7IaRMRd/dkn/Y9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • URELAS has been detected

      • 2025-05-17_7379d0f0bd5bfe428402b1c7505bbcfb_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7352)
      • izzos.exe (PID: 7396)

    • Connects to the CnC server

      • izzos.exe (PID: 7396)

    • URELAS mutex has been found

      • izzos.exe (PID: 7396)

    • URELAS has been detected (YARA)

      • izzos.exe (PID: 7396)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-17_7379d0f0bd5bfe428402b1c7505bbcfb_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7352)

    • Reads security settings of Internet Explorer

      • 2025-05-17_7379d0f0bd5bfe428402b1c7505bbcfb_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7352)

    • Starts itself from another location

      • 2025-05-17_7379d0f0bd5bfe428402b1c7505bbcfb_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7352)

    • Contacting a server suspected of hosting an CnC

      • izzos.exe (PID: 7396)

    • Connects to unusual port

      • izzos.exe (PID: 7396)

  • INFO

    • Create files in a temporary directory

      • 2025-05-17_7379d0f0bd5bfe428402b1c7505bbcfb_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7352)

    • Reads the computer name

      • 2025-05-17_7379d0f0bd5bfe428402b1c7505bbcfb_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7352)
      • izzos.exe (PID: 7396)

    • Checks supported languages

      • 2025-05-17_7379d0f0bd5bfe428402b1c7505bbcfb_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7352)

    • Process checks computer location settings

      • 2025-05-17_7379d0f0bd5bfe428402b1c7505bbcfb_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7352)

    • Checks proxy server information

      • slui.exe (PID: 7972)

    • Reads the software policy settings

      • slui.exe (PID: 7972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:10:27 00:45:34+00:00
ImageFileCharacteristics: Executable, 32-bit, No debug
PEType: PE32
LinkerVersion: 9
CodeSize: 132096
InitializedDataSize: 258560
UninitializedDataSize: -
EntryPoint: 0x11dcf
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
127
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #URELAS 2025-05-17_7379d0f0bd5bfe428402b1c7505bbcfb_amadey_elex_smoke-loader_stealc_tofsee.exe #URELAS izzos.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
7352"C:\Users\admin\Desktop\2025-05-17_7379d0f0bd5bfe428402b1c7505bbcfb_amadey_elex_smoke-loader_stealc_tofsee.exe" C:\Users\admin\Desktop\2025-05-17_7379d0f0bd5bfe428402b1c7505bbcfb_amadey_elex_smoke-loader_stealc_tofsee.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\2025-05-17_7379d0f0bd5bfe428402b1c7505bbcfb_amadey_elex_smoke-loader_stealc_tofsee.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7396"C:\Users\admin\AppData\Local\Temp\izzos.exe" C:\Users\admin\AppData\Local\Temp\izzos.exe
2025-05-17_7379d0f0bd5bfe428402b1c7505bbcfb_amadey_elex_smoke-loader_stealc_tofsee.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\combase.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\dhcpcsvc.dll
c:\windows\syswow64\napinsp.dll
c:\windows\syswow64\pnrpnsp.dll
c:\windows\syswow64\wshbth.dll
c:\windows\syswow64\nlaapi.dll
7972C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 901
Read events
3 901
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
73522025-05-17_7379d0f0bd5bfe428402b1c7505bbcfb_amadey_elex_smoke-loader_stealc_tofsee.exeC:\Users\admin\AppData\Local\Temp\golfinfo.initext
MD5:2CF3359AB30ABC5E53A87BAA6A21E994
SHA256:147C8F3B3526982CE054CCDDA919F3DA437807123387FE11E4D3897502B5336C
73522025-05-17_7379d0f0bd5bfe428402b1c7505bbcfb_amadey_elex_smoke-loader_stealc_tofsee.exeC:\Users\admin\AppData\Local\Temp\izzos.exeexecutable
MD5:276385400931B12AA19D8971D48A924E
SHA256:51E6A555DBCAA91E1C8AE62046DC6E96B74722A60D172BD6FAD77E493A8833B4
73522025-05-17_7379d0f0bd5bfe428402b1c7505bbcfb_amadey_elex_smoke-loader_stealc_tofsee.exeC:\Users\admin\AppData\Local\Temp\_uinsey.battext
MD5:A922E23C83AEA6F17F7E30830EB90028
SHA256:EB58B555ED30892E6C43F2318923F25A6500AB29CEBCBAD26288B1F7EBB5586C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
43
DNS requests
21
Threats
2

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
40.126.32.133:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
40.126.32.133:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7396
izzos.exe
218.54.31.226:11120
SK Broadband Co Ltd
KR
malicious
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.181.238
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.32.133
  • 20.190.160.3
  • 40.126.32.138
  • 20.190.160.64
  • 20.190.160.14
  • 20.190.160.130
  • 40.126.32.140
  • 40.126.32.134
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.29
whitelisted

Threats

PID
Process
Class
Message
7396
izzos.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Bootkor Rootkit CnC Communication
7396
izzos.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Bootkor Rootkit CnC Communication
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-17_7379d0f0bd5bfe428402b1c7505bbcfb_amadey_elex_smoke-loader_stealc_tofsee