File name: 2025-05-18_021e8ebcc185aeeb5a8c9d8a13af21d7_amadey_elex_smoke-loader_stealc_tofsee

Full analysis: https://app.any.run/tasks/77170f59-2e4f-4e00-93ed-71fa72695168
Verdict: Malicious activity
Analysis date: May 18, 2025, 07:03:43
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: urelas, bootkit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed, 3 sections
MD5: 021E8EBCC185AEEB5A8C9D8A13AF21D7
SHA1: 2CAA57F6554DE77471E784DE70343E1B01489AC0
SHA256: 80BDDCE9E9A8A2E5FD235DF27A5CAAEB867B5B4335C5FADC9E9CF52567B3074A
SSDEEP: 6144:9M2iYnWmoLhTSqYtE5Aeqfu5erqe2e2zdqVrWIHWQkX2NwU4pqmZjL3/Npy:9M2iYnWHhfYtwAcr1ZqWI2TGNwYmZfe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • URELAS has been detected

      • 2025-05-18_021e8ebcc185aeeb5a8c9d8a13af21d7_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 5720)
      • hajub.exe (PID: 5124)
      • cmd.exe (PID: 5728)
    • Connects to the CnC server

      • hajub.exe (PID: 5124)
    • URELAS mutex has been found

      • hajub.exe (PID: 5124)
    • URELAS has been detected (YARA)

      • hajub.exe (PID: 5124)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-05-18_021e8ebcc185aeeb5a8c9d8a13af21d7_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 5720)
    • Executable content was dropped or overwritten

      • 2025-05-18_021e8ebcc185aeeb5a8c9d8a13af21d7_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 5720)
    • Starts itself from another location

      • 2025-05-18_021e8ebcc185aeeb5a8c9d8a13af21d7_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 5720)
    • Executing commands from a ".bat" file

      • 2025-05-18_021e8ebcc185aeeb5a8c9d8a13af21d7_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 5720)
    • Starts CMD.EXE for commands execution

      • 2025-05-18_021e8ebcc185aeeb5a8c9d8a13af21d7_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 5720)
    • Contacting a server suspected of hosting a CnC

      • hajub.exe (PID: 5124)
    • Connects to unusual port

      • hajub.exe (PID: 5124)
  • INFO

    • Create files in a temporary directory

      • 2025-05-18_021e8ebcc185aeeb5a8c9d8a13af21d7_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 5720)
    • Reads the computer name

      • 2025-05-18_021e8ebcc185aeeb5a8c9d8a13af21d7_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 5720)
      • hajub.exe (PID: 5124)
    • Checks supported languages

      • hajub.exe (PID: 5124)
      • 2025-05-18_021e8ebcc185aeeb5a8c9d8a13af21d7_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 5720)
    • Process checks computer location settings

      • 2025-05-18_021e8ebcc185aeeb5a8c9d8a13af21d7_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 5720)
    • Checks proxy server information

      • slui.exe (PID: 6744)
    • Reads the software policy settings

      • slui.exe (PID: 6744)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:09:30 07:41:43+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 133120
InitializedDataSize: 86016
UninitializedDataSize: -
EntryPoint: 0x12122
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 126
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start
  #URELAS 2025-05-18_021e8ebcc185aeeb5a8c9d8a13af21d7_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 5720)
    #URELAS hajub.exe (PID: 5124)
    #URELAS cmd.exe (PID: 5728, no specs)
      conhost.exe (PID: 6300, no specs)
  slui.exe (PID: 6744, parent: svchost.exe)

Process information

PID: 5124
CMD: "C:\Users\admin\AppData\Local\Temp\hajub.exe"
Path: C:\Users\admin\AppData\Local\Temp\hajub.exe
Parent process: 2025-05-18_021e8ebcc185aeeb5a8c9d8a13af21d7_amadey_elex_smoke-loader_stealc_tofsee.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\hajub.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 5720
CMD: "C:\Users\admin\Desktop\2025-05-18_021e8ebcc185aeeb5a8c9d8a13af21d7_amadey_elex_smoke-loader_stealc_tofsee.exe"
Path: C:\Users\admin\Desktop\2025-05-18_021e8ebcc185aeeb5a8c9d8a13af21d7_amadey_elex_smoke-loader_stealc_tofsee.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-05-18_021e8ebcc185aeeb5a8c9d8a13af21d7_amadey_elex_smoke-loader_stealc_tofsee.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 5728
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\_uinsey.bat" "
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: 2025-05-18_021e8ebcc185aeeb5a8c9d8a13af21d7_amadey_elex_smoke-loader_stealc_tofsee.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6300
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6744
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 943
Read events: 3 943
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5720 | 2025-05-18_021e8ebcc185aeeb5a8c9d8a13af21d7_amadey_elex_smoke-loader_stealc_tofsee.exe | C:\Users\admin\AppData\Local\Temp\golfinfo.ini | text
  MD5: EEC94F96370D7A306A2EAA7D72642E2C
  SHA256: 1CC1889802CD85644B1E2C5350A0AAEAA6C2C8AFDF6C5223FBAB3317CA00A7E5
5720 | 2025-05-18_021e8ebcc185aeeb5a8c9d8a13af21d7_amadey_elex_smoke-loader_stealc_tofsee.exe | C:\Users\admin\AppData\Local\Temp\_uinsey.bat | text
  MD5: C54EA8B3BF7C015FD5C794A68EE13C64
  SHA256: A480230F3CE847A6A04FCC920C50E4BE6B13C766EE42D2B607D3F2B39777F59B
5720 | 2025-05-18_021e8ebcc185aeeb5a8c9d8a13af21d7_amadey_elex_smoke-loader_stealc_tofsee.exe | C:\Users\admin\AppData\Local\Temp\hajub.exe | executable
  MD5: 1A909D72877EFA34AEEA261B7FCE532C
  SHA256: 583A6B07D14A229EC16074CFB663BD4E70D0221155DAC3802EBB8D5DAE638EE9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 42
DNS requests: 12
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(each row in this extract carries eight values; the CN, Type and Size columns are not all present)
536 | SIHClient.exe | GET | 200 | 23.216.77.15:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
536 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
536 | SIHClient.exe | GET | 200 | 23.216.77.15:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
536 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
536 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
536 | SIHClient.exe | GET | 200 | 23.216.77.15:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
536 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
536 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
5124 | hajub.exe | 218.54.31.226:11110 | - | SK Broadband Co Ltd | KR | malicious
536 | SIHClient.exe | 20.12.23.50:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
536 | SIHClient.exe | 23.216.77.15:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
536 | SIHClient.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
536 | SIHClient.exe | 13.95.31.18:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5244 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.142
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
crl.microsoft.com
  • 23.216.77.15
  • 23.216.77.41
  • 23.216.77.31
  • 23.216.77.21
  • 23.216.77.18
  • 23.216.77.22
  • 23.216.77.13
  • 23.216.77.25
  • 23.216.77.37
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.43
whitelisted
login.live.com
  • 40.126.32.133
  • 20.190.160.130
  • 20.190.160.67
  • 40.126.32.74
  • 40.126.32.76
  • 20.190.160.3
  • 40.126.32.138
  • 20.190.160.65
whitelisted

Threats

PID | Process | Class | Message
5124 | hajub.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Bootkor Rootkit CnC Communication
5124 | hajub.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Bootkor Rootkit CnC Communication
No debug info
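The behaviours this report flags for the sample's process tree (an executable dropped to %TEMP% and started from there, cmd.exe /c on a .bat in %TEMP%, a connection from the dropped hajub.exe to a non-standard port) are the same checks an analyst reapplies when reading a sandbox export by hand, and the rest of the network table (SIHClient.exe CRL fetches, slui.exe activation, svchost/System) is OS background that must be separated from sample traffic before IOCs are extracted. The script below is an added example, not ANY.RUN's signature logic or any code from the sample: its process and connection records are constructed from the PIDs, paths, command lines and connections printed in this report, and the field names, the list of "common" ports and the heuristics are assumptions.

```python
"""Triage of the process tree and connections shown in this report.

Added example, not ANY.RUN's own signature logic. The records below are
constructed from the PIDs, paths, command lines and connections printed in
the report; the field names and the heuristics are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = (r"c:\users\admin\desktop\2025-05-18_021e8ebcc185aeeb5a8c9d8a13af21d7"
          r"_amadey_elex_smoke-loader_stealc_tofsee.exe")
TEMP = r"c:\users\admin\appdata\local\temp"


@dataclass
class Process:
    pid: int
    image: str            # full image path as the sandbox prints it (lower case)
    cmdline: str
    parent_pid: Optional[int]   # None when the parent is outside the monitored set


@dataclass
class Connection:
    pid: int
    image: str
    dst_ip: str
    dst_port: int
    domain: str = ""


# Constructed from the "Process information" section of the report.
PROCESSES = [
    Process(5720, SAMPLE, f'"{SAMPLE}"', None),                       # parent: explorer.exe
    Process(5124, TEMP + r"\hajub.exe", rf'"{TEMP}\hajub.exe"', 5720),
    Process(5728, r"c:\windows\syswow64\cmd.exe",
            r'C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\_uinsey.bat" "', 5720),
    Process(6300, r"c:\windows\system32\conhost.exe",
            r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1", 5728),
    Process(6744, r"c:\windows\system32\slui.exe",
            r"C:\WINDOWS\System32\slui.exe -Embedding", None),       # parent: svchost.exe
]

# Constructed from the "Connections" section: one malicious, two background.
CONNECTIONS = [
    Connection(5124, "hajub.exe", "218.54.31.226", 11110),
    Connection(536, "SIHClient.exe", "23.216.77.15", 80, "crl.microsoft.com"),
    Connection(5244, "slui.exe", "20.83.72.98", 443, "activation-v2.sls.microsoft.com"),
]

# Ports treated as "usual" for this heuristic; an assumption, tune per environment.
COMMON_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8080}

# A drive-letter path ending in .bat, stopping at the next double quote.
BAT_RE = re.compile(r'([a-z]:\\[^"]*?\.bat)', re.IGNORECASE)


def sample_tree(procs, root_pid):
    """PIDs reachable from the sample through parent links: the sample's own tree."""
    children = {}
    for p in procs:
        children.setdefault(p.parent_pid, []).append(p.pid)
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        stack.extend(children.get(pid, []))
    return seen


def started_from_temp(procs, tree):
    """Processes in the sample's tree whose image lives under %TEMP%."""
    return [p.pid for p in procs if p.pid in tree and p.image.lower().startswith(TEMP)]


def bat_via_cmd(procs, tree):
    """cmd.exe /c <file>.bat launched inside the sample's tree; returns (pid, bat path)."""
    hits = []
    for p in procs:
        if p.pid not in tree or not p.image.lower().endswith(r"\cmd.exe"):
            continue
        if "/c" not in p.cmdline.lower():
            continue
        m = BAT_RE.search(p.cmdline)
        if m:
            hits.append((p.pid, m.group(1)))
    return hits


def unusual_ports(conns, tree):
    """Tree processes talking to ports outside COMMON_PORTS; returns (image, ip, port)."""
    return [(c.image, c.dst_ip, c.dst_port)
            for c in conns if c.pid in tree and c.dst_port not in COMMON_PORTS]


def background_noise(conns, tree):
    """Connections from PIDs outside the tree: OS housekeeping, not sample traffic."""
    return [c for c in conns if c.pid not in tree]


def triage(procs=PROCESSES, conns=CONNECTIONS, root_pid=5720):
    tree = sample_tree(procs, root_pid)
    return {
        "tree": sorted(tree),
        "temp_executables": started_from_temp(procs, tree),
        "bat_files": bat_via_cmd(procs, tree),
        "unusual_ports": unusual_ports(conns, tree),
        "noise": [(c.image, c.domain) for c in background_noise(conns, tree)],
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Run as-is, the script reproduces the report's findings: the tree is {5720, 5124, 5728, 6300}, hajub.exe is the only %TEMP% executable, _uinsey.bat is the only batch file run through cmd.exe /c, and 218.54.31.226:11110 is the only connection attributable to the sample; slui.exe (PID 6744) is excluded because its parent is svchost.exe, not the sample, which is why its activation traffic is noise rather than an IOC. Replace the constructed lists with records parsed from a real sandbox export to use it beyond this page.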