File name:

2025-05-15_206e7c506d232ea902ea2d9bf06de241_amadey_elex_smoke-loader_stealc_tofsee

Full analysis: https://app.any.run/tasks/b464a170-1c40-4a1c-b388-0297b512e136
Verdict: Malicious activity
Analysis date: May 15, 2025, 19:54:42
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
urelas
bootkit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

206E7C506D232EA902EA2D9BF06DE241

SHA1:

4C08A3A1316928475B515F610938951DF962A9D7

SHA256:

3F876134745D62F5023999BC961814D8F19E97D5F098C2B24D50A97687B5E807

SSDEEP:

12288:tMf3I+1Y+QxpOsZE+0F5HxuhqmVBSc/op1F:o33QOs2+0F5HEhFVBUp1F

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • URELAS has been detected

      • 2025-05-15_206e7c506d232ea902ea2d9bf06de241_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7712)
      • cmd.exe (PID: 7788)
      • piewl.exe (PID: 7768)

    • URELAS mutex has been found

      • piewl.exe (PID: 7768)

    • Connects to the CnC server

      • piewl.exe (PID: 7768)

    • URELAS has been detected (YARA)

      • piewl.exe (PID: 7768)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-15_206e7c506d232ea902ea2d9bf06de241_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7712)

    • Reads security settings of Internet Explorer

      • 2025-05-15_206e7c506d232ea902ea2d9bf06de241_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7712)

    • Starts itself from another location

      • 2025-05-15_206e7c506d232ea902ea2d9bf06de241_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7712)

    • Executing commands from a ".bat" file

      • 2025-05-15_206e7c506d232ea902ea2d9bf06de241_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7712)

    • Starts CMD.EXE for commands execution

      • 2025-05-15_206e7c506d232ea902ea2d9bf06de241_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7712)

    • Contacting a server suspected of hosting an CnC

      • piewl.exe (PID: 7768)

    • Connects to unusual port

      • piewl.exe (PID: 7768)

  • INFO

    • Create files in a temporary directory

      • 2025-05-15_206e7c506d232ea902ea2d9bf06de241_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7712)

    • Checks supported languages

      • 2025-05-15_206e7c506d232ea902ea2d9bf06de241_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7712)
      • piewl.exe (PID: 7768)

    • Reads the computer name

      • 2025-05-15_206e7c506d232ea902ea2d9bf06de241_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7712)
      • piewl.exe (PID: 7768)

    • Process checks computer location settings

      • 2025-05-15_206e7c506d232ea902ea2d9bf06de241_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7712)

    • Checks proxy server information

      • slui.exe (PID: 7020)

    • Reads the software policy settings

      • slui.exe (PID: 7020)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:10:26 06:32:50+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 132096
InitializedDataSize: 261120
UninitializedDataSize: -
EntryPoint: 0x11dcf
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
128
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #URELAS 2025-05-15_206e7c506d232ea902ea2d9bf06de241_amadey_elex_smoke-loader_stealc_tofsee.exe #URELAS piewl.exe #URELAS cmd.exe no specs conhost.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
7020C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7712"C:\Users\admin\Desktop\2025-05-15_206e7c506d232ea902ea2d9bf06de241_amadey_elex_smoke-loader_stealc_tofsee.exe" C:\Users\admin\Desktop\2025-05-15_206e7c506d232ea902ea2d9bf06de241_amadey_elex_smoke-loader_stealc_tofsee.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-05-15_206e7c506d232ea902ea2d9bf06de241_amadey_elex_smoke-loader_stealc_tofsee.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7768"C:\Users\admin\AppData\Local\Temp\piewl.exe" C:\Users\admin\AppData\Local\Temp\piewl.exe
2025-05-15_206e7c506d232ea902ea2d9bf06de241_amadey_elex_smoke-loader_stealc_tofsee.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\piewl.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7788C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\_uinsey.bat" "C:\Windows\SysWOW64\cmd.exe
2025-05-15_206e7c506d232ea902ea2d9bf06de241_amadey_elex_smoke-loader_stealc_tofsee.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7800\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
3 943
Read events
3 943
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
77122025-05-15_206e7c506d232ea902ea2d9bf06de241_amadey_elex_smoke-loader_stealc_tofsee.exeC:\Users\admin\AppData\Local\Temp\golfinfo.initext
MD5:44346057FA1661E49EBB39CDCEC1D6CC
SHA256:7605450235FE74D2D767DADA3BDE7F914649065038886E32B35691A6DD2ECA2E
77122025-05-15_206e7c506d232ea902ea2d9bf06de241_amadey_elex_smoke-loader_stealc_tofsee.exeC:\Users\admin\AppData\Local\Temp\_uinsey.battext
MD5:822DEC4A625DAECD791724D8DFA9F1DA
SHA256:A0E4AB2E8300B0F53F13DF330F608BD67EB4A63F1BB40BED699339ACFFCFA266
77122025-05-15_206e7c506d232ea902ea2d9bf06de241_amadey_elex_smoke-loader_stealc_tofsee.exeC:\Users\admin\AppData\Local\Temp\piewl.exeexecutable
MD5:DA352B3BA81F5B8FA7E84D5C7C845654
SHA256:5ABD375C4052F52CEB57DE4C6BE0D5B08EEBB41B54CE73BC226E5AF8619EAE29
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
43
DNS requests
16
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.48.23.161:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7284
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7284
SIHClient.exe
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
7284
SIHClient.exe
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
7284
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
7284
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7284
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7284
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
23.48.23.161:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
7768
piewl.exe
218.54.31.226:11120
SK Broadband Co Ltd
KR
malicious
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7284
SIHClient.exe
172.202.163.200:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted
7284
SIHClient.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 23.48.23.161
  • 23.48.23.140
  • 23.48.23.169
  • 23.48.23.173
  • 23.48.23.177
  • 23.48.23.180
  • 23.48.23.159
  • 23.48.23.138
  • 23.48.23.194
  • 2.19.11.105
  • 2.19.11.120
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 2.23.246.101
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.43
whitelisted
login.live.com
  • 20.190.160.128
  • 40.126.32.74
  • 40.126.32.136
  • 20.190.160.2
  • 20.190.160.131
  • 40.126.32.138
  • 20.190.160.66
  • 40.126.32.134
whitelisted

Threats

PID
Process
Class
Message
7768
piewl.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Bootkor Rootkit CnC Communication
7768
piewl.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Bootkor Rootkit CnC Communication
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-15_206e7c506d232ea902ea2d9bf06de241_amadey_elex_smoke-loader_stealc_tofsee