File name:

2025-05-19_3029273482025c5e4047581eea9794c6_amadey_elex_smoke-loader_stealc

Full analysis: https://app.any.run/tasks/3f8608b9-cd17-43d7-9f53-7576b446018a
Verdict: Malicious activity
Analysis date: May 19, 2025, 06:38:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
urelas
bootkit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, PECompact2 compressed, 3 sections
MD5:

3029273482025C5E4047581EEA9794C6

SHA1:

DB0920D4DC199C68BFFBEECFB96D80760EE9252D

SHA256:

79BC8670DF80C9DE24C72FB66451EE9D80AB61A1525F7506E40B4ACE3F05F2D9

SSDEEP:

12288:h85Gqsk8Ys2khyDbFyvoHvHQLmswpOH5QxK:h85Ge5bFyvoPHQqswpOH5QxK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • URELAS has been detected

      • 2025-05-19_3029273482025c5e4047581eea9794c6_amadey_elex_smoke-loader_stealc.exe (PID: 3096)
      • hajub.exe (PID: 2692)
      • cmd.exe (PID: 6272)

    • URELAS mutex has been found

      • hajub.exe (PID: 2692)

    • URELAS has been detected (YARA)

      • hajub.exe (PID: 2692)

    • Connects to the CnC server

      • hajub.exe (PID: 2692)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-19_3029273482025c5e4047581eea9794c6_amadey_elex_smoke-loader_stealc.exe (PID: 3096)

    • Starts CMD.EXE for commands execution

      • 2025-05-19_3029273482025c5e4047581eea9794c6_amadey_elex_smoke-loader_stealc.exe (PID: 3096)

    • Starts itself from another location

      • 2025-05-19_3029273482025c5e4047581eea9794c6_amadey_elex_smoke-loader_stealc.exe (PID: 3096)

    • Reads security settings of Internet Explorer

      • 2025-05-19_3029273482025c5e4047581eea9794c6_amadey_elex_smoke-loader_stealc.exe (PID: 3096)

    • Executing commands from a ".bat" file

      • 2025-05-19_3029273482025c5e4047581eea9794c6_amadey_elex_smoke-loader_stealc.exe (PID: 3096)

    • There is functionality for taking screenshot (YARA)

      • hajub.exe (PID: 2692)

    • Connects to unusual port

      • hajub.exe (PID: 2692)

    • Contacting a server suspected of hosting an CnC

      • hajub.exe (PID: 2692)

  • INFO

    • Reads the computer name

      • 2025-05-19_3029273482025c5e4047581eea9794c6_amadey_elex_smoke-loader_stealc.exe (PID: 3096)
      • hajub.exe (PID: 2692)

    • Checks supported languages

      • hajub.exe (PID: 2692)
      • 2025-05-19_3029273482025c5e4047581eea9794c6_amadey_elex_smoke-loader_stealc.exe (PID: 3096)

    • Create files in a temporary directory

      • 2025-05-19_3029273482025c5e4047581eea9794c6_amadey_elex_smoke-loader_stealc.exe (PID: 3096)

    • Process checks computer location settings

      • 2025-05-19_3029273482025c5e4047581eea9794c6_amadey_elex_smoke-loader_stealc.exe (PID: 3096)

    • Checks proxy server information

      • slui.exe (PID: 6668)

    • Reads the software policy settings

      • slui.exe (PID: 6668)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (33)
.exe | Win32 Executable MS Visual C++ (generic) (23.9)
.exe | Win64 Executable (generic) (21.2)
.scr | Windows screen saver (10)
.dll | Win32 Dynamic Link Library (generic) (5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:10:09 07:43:47+00:00
ImageFileCharacteristics: Executable, 32-bit, No debug
PEType: PE32
LinkerVersion: 9
CodeSize: 156160
InitializedDataSize: 330240
UninitializedDataSize: -
EntryPoint: 0x14b40
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
124
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #URELAS 2025-05-19_3029273482025c5e4047581eea9794c6_amadey_elex_smoke-loader_stealc.exe #URELAS hajub.exe #URELAS cmd.exe no specs conhost.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2692"C:\Users\admin\AppData\Local\Temp\hajub.exe" C:\Users\admin\AppData\Local\Temp\hajub.exe
2025-05-19_3029273482025c5e4047581eea9794c6_amadey_elex_smoke-loader_stealc.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\hajub.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
3096"C:\Users\admin\Desktop\2025-05-19_3029273482025c5e4047581eea9794c6_amadey_elex_smoke-loader_stealc.exe" C:\Users\admin\Desktop\2025-05-19_3029273482025c5e4047581eea9794c6_amadey_elex_smoke-loader_stealc.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-05-19_3029273482025c5e4047581eea9794c6_amadey_elex_smoke-loader_stealc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
3888\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6272C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\_uinsey.bat" "C:\Windows\SysWOW64\cmd.exe
2025-05-19_3029273482025c5e4047581eea9794c6_amadey_elex_smoke-loader_stealc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6668C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 943
Read events
3 943
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
30962025-05-19_3029273482025c5e4047581eea9794c6_amadey_elex_smoke-loader_stealc.exeC:\Users\admin\AppData\Local\Temp\_uinsey.battext
MD5:CF98B6B169941F0C675CCA36A509C61D
SHA256:ECE2327B36F716D39DE06367DF11DFED3B19CD19679AF65EB2D66A61F25BD834
30962025-05-19_3029273482025c5e4047581eea9794c6_amadey_elex_smoke-loader_stealc.exeC:\Users\admin\AppData\Local\Temp\golfinfo.initext
MD5:92D3F37FAACE9E4BA44BC386C196EC4E
SHA256:F4BECC04BB743AAC475B302300684D5DF4A90453822B2A190013EAA08C075E09
30962025-05-19_3029273482025c5e4047581eea9794c6_amadey_elex_smoke-loader_stealc.exeC:\Users\admin\AppData\Local\Temp\hajub.exeexecutable
MD5:69A8C91F8527C07FA327F43930040A98
SHA256:D071BF6AF7A9FB85AB56F0FF4B6B84DBF31E66CE8579BCB7B4C41E3B7A5C1FAA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
22
DNS requests
3
Threats
2

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
2692
hajub.exe
218.54.31.226:11110
SK Broadband Co Ltd
KR
malicious
536
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6668
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2692
hajub.exe
1.234.83.146:11170
SK Broadband Co Ltd
KR
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 216.58.206.46
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
2692
hajub.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Bootkor Rootkit CnC Communication
2692
hajub.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Bootkor Rootkit CnC Communication
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-19_3029273482025c5e4047581eea9794c6_amadey_elex_smoke-loader_stealc