File name:

2025-04-29_0877808e2dd1c309442023b3ecaacef6_amadey_darkgate_elex_rhadamanthys_smoke-loader_stealc

The family names embedded in that file name (amadey, darkgate, elex, rhadamanthys, smoke-loader, stealc) are part of the submitted file's name, not findings of this run; the only family the sandbox identifies is Tofsee (YARA match on svchost.exe, PID 4164, see Tags and Indicators below).

Full analysis: https://app.any.run/tasks/c0856ec5-003c-4bbc-85af-5b8aee1d53f4
Verdict: Malicious activity
Analysis date: April 29, 2025, 16:29:59
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
tofsee
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5:

0877808E2DD1C309442023B3ECAACEF6

SHA1:

D9C139C306C6748A522936E6C86BDBCF009C12CC

SHA256:

8B47A7849672B667CDACAD4508D7B68804F67ECD3A19605AAB5AB6D93B295534

SSDEEP:

6144:fyOVrFe3XoYNdx/aQwS3EUKcyFj8cPDlKjJ1713nqXm+7Mkt9Zzqgv:f63X/DlabS3Ehcy2GKj134m+7B3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 2025-04-29_0877808e2dd1c309442023b3ecaacef6_amadey_darkgate_elex_rhadamanthys_smoke-loader_stealc.exe (PID: 1180)
    • TOFSEE has been detected (YARA)

      • svchost.exe (PID: 4164)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-04-29_0877808e2dd1c309442023b3ecaacef6_amadey_darkgate_elex_rhadamanthys_smoke-loader_stealc.exe (PID: 1180)
    • Executable content was dropped or overwritten

      • 2025-04-29_0877808e2dd1c309442023b3ecaacef6_amadey_darkgate_elex_rhadamanthys_smoke-loader_stealc.exe (PID: 1180)
    • Executes application which crashes

      • 2025-04-29_0877808e2dd1c309442023b3ecaacef6_amadey_darkgate_elex_rhadamanthys_smoke-loader_stealc.exe (PID: 1180)
      • ppqbwxvd.exe (PID: 6656)
      • ppqbwxvd.exe (PID: 6272)
    • Detected use of alternative data streams (AltDS)

      • svchost.exe (PID: 1272)
      • svchost.exe (PID: 4164)
    • Connects to SMTP port

      • svchost.exe (PID: 1272)
      • svchost.exe (PID: 4164)
  • INFO

    • Create files in a temporary directory

      • 2025-04-29_0877808e2dd1c309442023b3ecaacef6_amadey_darkgate_elex_rhadamanthys_smoke-loader_stealc.exe (PID: 1180)
    • Reads the computer name

      • 2025-04-29_0877808e2dd1c309442023b3ecaacef6_amadey_darkgate_elex_rhadamanthys_smoke-loader_stealc.exe (PID: 1180)
      • ppqbwxvd.exe (PID: 6656)
      • ppqbwxvd.exe (PID: 6272)
    • Checks supported languages

      • 2025-04-29_0877808e2dd1c309442023b3ecaacef6_amadey_darkgate_elex_rhadamanthys_smoke-loader_stealc.exe (PID: 1180)
      • ppqbwxvd.exe (PID: 6656)
      • ppqbwxvd.exe (PID: 6272)
    • Process checks computer location settings

      • 2025-04-29_0877808e2dd1c309442023b3ecaacef6_amadey_darkgate_elex_rhadamanthys_smoke-loader_stealc.exe (PID: 1180)
    • Auto-launch of the file from Registry key

      • 2025-04-29_0877808e2dd1c309442023b3ecaacef6_amadey_darkgate_elex_rhadamanthys_smoke-loader_stealc.exe (PID: 1180)
    • Reads the software policy settings

      • slui.exe (PID: 2268)
    • Manual execution by a user

      • ppqbwxvd.exe (PID: 6272)
    • Checks proxy server information

      • slui.exe (PID: 2268)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:09:17 05:57:25+00:00
ImageFileCharacteristics: Executable, 32-bit, No debug
PEType: PE32
LinkerVersion: 10
CodeSize: 149504
InitializedDataSize: 9257984
UninitializedDataSize: -
EntryPoint: 0x696c
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
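The TRiD and EXIF values above are read directly from the PE headers. The following is an added example (mine, not part of the ANY.RUN report and not the sample's code): it builds a constructed PE32 header carrying the values the report shows (machine, timestamp, characteristics, linker version, sizes, entry point, OS and subsystem versions) and parses it back with only the standard library, so the mapping from header field to report line is explicit. The buffer has no sections or data directories, and fields the report does not give (BaseOfCode, ImageBase, alignments, SizeOfImage, DllCharacteristics) are filled with assumed values.

```python
import datetime
import struct

# IMAGE_FILE_HEADER (20 bytes) and the PE32 IMAGE_OPTIONAL_HEADER up to DllCharacteristics.
COFF_FMT = "<HHIIIHH"
OPT32_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH"

# Characteristics bits behind the report's wording: libmagic prints "stripped to
# external PDB" and exiftool prints "No debug" for IMAGE_FILE_DEBUG_STRIPPED (0x0200).
CHARACTERISTICS = {0x0002: "Executable", 0x0100: "32-bit", 0x0200: "No debug", 0x2000: "DLL"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def parse_pe(data: bytes) -> dict:
    """Read the header fields behind the report's EXIF block from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    machine, nsections, stamp, _symtab, _nsyms, _optsize, chars = struct.unpack_from(
        COFF_FMT, data, e_lfanew + 4)
    opt = struct.unpack_from(OPT32_FMT, data, e_lfanew + 24)
    if opt[0] != 0x10B:
        # PE32+ (0x20B) drops BaseOfData and widens ImageBase; out of scope for this sample.
        raise ValueError(f"unsupported optional header magic 0x{opt[0]:X}")
    when = datetime.datetime.fromtimestamp(stamp, datetime.timezone.utc)
    return {
        "machine": machine,
        "sections": nsections,
        # TimeDateStamp is written by the linker and trivially forged; a 2018 stamp on a
        # sample submitted in 2025 is a hint, not evidence of build date.
        "timestamp": when.strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "characteristics": [name for bit, name in CHARACTERISTICS.items() if chars & bit],
        "linker_version": f"{opt[1]}.{opt[2]}",
        "code_size": opt[3],
        "init_data_size": opt[4],
        "uninit_data_size": opt[5],
        "entry_point": opt[6],
        "os_version": f"{opt[12]}.{opt[13]}",
        "subsystem_version": f"{opt[16]}.{opt[17]}",
        "subsystem": SUBSYSTEMS.get(opt[22], str(opt[22])),
    }


def build_sample_header() -> bytes:
    """Constructed PE32 header carrying this report's EXIF values (no sections, no data)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))            # e_lfanew: PE header follows the DOS header
    coff = struct.pack(COFF_FMT,
                       0x14C, 5, 1537163845,                # i386, 5 sections, 2018-09-17 05:57:25 UTC
                       0, 0,                                # no COFF symbol table
                       224,                                 # SizeOfOptionalHeader of a real PE32 (directories omitted here)
                       0x0002 | 0x0100 | 0x0200)            # Executable, 32-bit, debug stripped
    opt = struct.pack(OPT32_FMT,
                      0x10B, 10, 0,                         # PE32 magic, linker 10.0
                      149504, 9257984, 0, 0x696C,           # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint
                      0x1000, 0x26000, 0x400000, 0x1000, 0x200,   # BaseOfCode, BaseOfData, ImageBase, alignments (assumed)
                      5, 1, 0, 0, 5, 1,                     # OS 5.1, image version 0.0, subsystem 5.1
                      0, 0x8F8000, 0x400, 0,                # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum (assumed)
                      2, 0x8140)                            # Windows GUI, DllCharacteristics (assumed)
    return bytes(dos) + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    for key, value in parse_pe(build_sample_header()).items():
        print(f"{key:18} {value:#x}" if isinstance(value, int) else f"{key:18} {value}")
```

Point parse_pe at the first few hundred bytes of a real file to reproduce the EXIF block; the only value it cannot vouch for is the timestamp, which the sample's author controls.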
All screenshots are available in the full report
Total processes: 137
Monitored processes: 11
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Process nodes as listed in the graph: 2025-04-29_0877808e2dd1c309442023b3ecaacef6_amadey_darkgate_elex_rhadamanthys_smoke-loader_stealc.exe (start), wusa.exe (no specs), wusa.exe, ppqbwxvd.exe, werfault.exe (no specs), svchost.exe, werfault.exe (no specs), ppqbwxvd.exe, svchost.exe (#TOFSEE), werfault.exe (no specs), slui.exe. "no specs" marks a node with no behaviour indicators; #TOFSEE marks the node that matched the Tofsee YARA rule.

Process information

Columns in the report: PID, CMD, Path, Indicators, Parent process (the Indicators column is empty in the extracted text). Exit codes are given as the report prints them (unsigned decimal) together with the NTSTATUS value they encode.

PID 896
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6656 -s 580
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: ppqbwxvd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Images: c:\windows\syswow64\werfault.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\msvcrt.dll, c:\windows\syswow64\combase.dll
Note: -p 6656 is the crashing process, the first ppqbwxvd.exe instance.

PID 1052
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1180 -s 1032
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 2025-04-29_0877808e2dd1c309442023b3ecaacef6_amadey_darkgate_elex_rhadamanthys_smoke-loader_stealc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Images: c:\windows\syswow64\werfault.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\msvcrt.dll, c:\windows\syswow64\combase.dll
Note: -p 1180 is the crashing process, the submitted sample.

PID 1180
CMD: "C:\Users\admin\Desktop\2025-04-29_0877808e2dd1c309442023b3ecaacef6_amadey_darkgate_elex_rhadamanthys_smoke-loader_stealc.exe"
Path: C:\Users\admin\Desktop\2025-04-29_0877808e2dd1c309442023b3ecaacef6_amadey_darkgate_elex_rhadamanthys_smoke-loader_stealc.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Images: c:\users\admin\desktop\2025-04-29_0877808e2dd1c309442023b3ecaacef6_amadey_darkgate_elex_rhadamanthys_smoke-loader_stealc.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\advapi32.dll
Note: the sample writes the Run value, drops ppqbwxvd.exe and jvuitdlf.exe, starts wusa.exe and ppqbwxvd.exe (PID 6656), then crashes; the crash does not undo the persistence it has already set up.

PID 1272
CMD: svchost.exe
Path: C:\Windows\SysWOW64\svchost.exe
Parent process: ppqbwxvd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Images: c:\windows\syswow64\svchost.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\ws2_32.dll
Note: a bare svchost.exe started from SysWOW64 by a user-profile executable, with no -k service group, is not how services.exe starts service hosts. The registry writes under Control Panel\Buses, the alternate data stream on the profile directory and the tcp/25 connections are attributed to this process and to PID 4164, not to the dropped file itself.

PID 2268
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Images: c:\windows\system32\slui.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\user32.dll
Note: the -Embedding switch means COM activation; the report does not identify which svchost.exe instance was the parent. The "Reads the software policy settings" and "Checks proxy server information" indicators belong to this process.

PID 4164
CMD: svchost.exe
Path: C:\Windows\SysWOW64\svchost.exe
Parent process: ppqbwxvd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Exit code: not recorded (still running at the end of the analysis)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Images: c:\windows\syswow64\svchost.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\ws2_32.dll, c:\windows\syswow64\rpcrt4.dll
Note: this is the process the Tofsee YARA rule matched, and the one that reached 43.231.4.7:443 in addition to the tcp/25 connections.

PID 4740
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6272 -s 556
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: ppqbwxvd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Images: c:\windows\syswow64\werfault.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\msvcrt.dll, c:\windows\syswow64\combase.dll
Note: -p 6272 is the crashing process, the second ppqbwxvd.exe instance.

PID 6272
CMD: "C:\Users\admin\ppqbwxvd.exe"
Path: C:\Users\admin\ppqbwxvd.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Images: c:\users\admin\ppqbwxvd.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\advapi32.dll, c:\windows\syswow64\msvcrt.dll
Note: started from explorer.exe without the /d and /e arguments, which is the "Manual execution by a user" indicator; it is the persisted copy being run on its own.

PID 6564
CMD: "C:\Windows\System32\wusa.exe"
Path: C:\Windows\SysWOW64\wusa.exe
Parent process: 2025-04-29_0877808e2dd1c309442023b3ecaacef6_amadey_darkgate_elex_rhadamanthys_smoke-loader_stealc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Update Standalone Installer
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Images: c:\windows\syswow64\wusa.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll
Note: the command line names System32 but the image comes from SysWOW64 because WOW64 file system redirection applies to the 32-bit parent. The process exited with STATUS_ELEVATION_REQUIRED at medium integrity with only ntdll.dll mapped, so the launch never got past process initialisation.

PID 6656
CMD: "C:\Users\admin\ppqbwxvd.exe" /d"C:\Users\admin\Desktop\2025-04-29_0877808e2dd1c309442023b3ecaacef6_amadey_darkgate_elex_rhadamanthys_smoke-loader_stealc.exe" /e550302100000007F
Path: C:\Users\admin\ppqbwxvd.exe
Parent process: 2025-04-29_0877808e2dd1c309442023b3ecaacef6_amadey_darkgate_elex_rhadamanthys_smoke-loader_stealc.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Images: c:\users\admin\ppqbwxvd.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\advapi32.dll
Note: the /d argument carries the path of the original sample; the meaning of the /e value is not given in the report. This instance is the parent of both svchost.exe processes (PIDs 1272 and 4164).
Total events: 5 319
Read events: 5 316
Write events: 2
Delete events: 1

Modification events

PID 1180 (2025-04-29_0877808e2dd1c309442023b3ecaacef6_amadey_darkgate_elex_rhadamanthys_smoke-loader_stealc.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: tudcsewn
Value: "C:\Users\admin\ppqbwxvd.exe"

PID 1272 (svchost.exe)
Key: HKEY_CURRENT_USER\Control Panel\Buses
Operation: write
Name: Config0
Value: 008D9A3F13121E3D24EDB47D450DD49D084297DCE82E72BAA4C2638A8DD7641DB0A984E64CCD945D24EDB47D470DD49D024195DAF71261ADC06D04FDA6E22673BBC9154961CDA56B15D4834C7735E5A8644490BDB27924E4915803CFF58D3C74BBC4103D3CFBA66410DF837D2862B5F9015FABD4E04D27DD

PID 1272 (svchost.exe)
Key: HKEY_CURRENT_USER\Control Panel\Buses
Operation: delete value
Name: Config1
Value: (none)

These three events are the report's two write events and one delete event. The Run value name (tudcsewn), the autorun target (ppqbwxvd.exe) and the temporary drop (jvuitdlf.exe) are each eight random lowercase letters, so hunting should key on the location of the target (an executable directly in the profile root) rather than on the names. HKEY_CURRENT_USER\Control Panel\Buses is not a key Windows itself uses; it is written only by the svchost.exe instance spawned by the dropped file.
Executable files: 2
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID 1180 (2025-04-29_0877808e2dd1c309442023b3ecaacef6_amadey_darkgate_elex_rhadamanthys_smoke-loader_stealc.exe)
Filename: C:\Users\admin\ppqbwxvd.exe
Type: executable
MD5: FF41D26CA773BA54036C203201EEE384
SHA256: E50FCE92CD6150F8047CA6EE987C3080E81A4E10D2E668AF1757D6BF24173419

PID 1180 (2025-04-29_0877808e2dd1c309442023b3ecaacef6_amadey_darkgate_elex_rhadamanthys_smoke-loader_stealc.exe)
Filename: C:\Users\admin\AppData\Local\Temp\jvuitdlf.exe
Type: executable
MD5: 1702410250C678C3F56261A3CDFD8CC5
SHA256: DEC3D4BF452D201708A3BAB4B9A103D30086FAC60A48898095449A76D6C29A1B

PID 1272 (svchost.exe)
Filename: C:\Users\admin:.repos
Type: binary
MD5: E5C4941DC348371A16E42F7BDC473EBE
SHA256: 82A2CB40AB6A6EDF2EBDE702A84B6EA4F9294175160136755ABA185E68D31FD8

The third entry is an alternate data stream named ".repos" attached to the user's profile directory itself (C:\Users\admin), which is what the "Detected use of alternative data streams (AltDS)" indicator refers to. A plain directory listing does not show it; dir /r or PowerShell's Get-Item -Stream * does. Note that the dropped ppqbwxvd.exe has a different hash from the submitted sample, so the Run value does not simply point back at a copy of the original file.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 23
TCP/UDP connections: 46
DNS requests: 15
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 304 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
- | - | GET | 200 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
3884 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
3884 | SIHClient.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
3884 | SIHClient.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
3884 | SIHClient.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 13.85.23.206:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | - | - | -
3884 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
3884 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
3884 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted

Cells the extracted report leaves empty are shown as "-". Every HTTP request in the capture is Windows Update or certificate revocation list traffic from SIHClient.exe or from a process the report does not attribute; none is made by the sample or by the two svchost.exe instances it spawned. The sample's own network activity appears only in the Connections table below.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
1272 | svchost.exe | 13.107.246.59:80 | microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1272 | svchost.exe | 52.101.40.24:25 | microsoft-com.mail.protection.outlook.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4164 | svchost.exe | 13.107.246.59:80 | microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4164 | svchost.exe | 52.101.40.24:25 | microsoft-com.mail.protection.outlook.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4164 | svchost.exe | 43.231.4.7:443 | - | Gigabit Hosting Sdn Bhd | MY | unknown
3884 | SIHClient.exe | 20.12.23.50:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

The two svchost.exe processes spawned by ppqbwxvd.exe (PIDs 1272 and 4164) are the ones behind the "Connects to SMTP port" indicator: both reach tcp/25 on Microsoft's inbound mail host. PID 4164, the process that matched the Tofsee YARA rule, is also the only process with a non-Microsoft destination, 43.231.4.7:443 (Gigabit Hosting Sdn Bhd, MY), which is the one connection rated "unknown" rather than "whitelisted". The reputation column describes the destination, not the process making the connection, so a whitelisted destination contacted by an injected svchost.exe is still part of the malicious activity. Note that the NetBIOS broadcasts from PID 4 (System) and the client.wns.windows.com connection from PID 3216 are normal background traffic.
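The registry writes, the alternate data stream on the profile directory and the tcp/25 connections from the hosted svchost.exe above are each a detection opportunity on an endpoint with process, registry, file-stream and network telemetry. The following is an added example, not ANY.RUN's output and not the sample's code: a small triage routine run over constructed Sysmon-style records. The event IDs (1 process create, 3 network connect, 13 registry value set, 15 file stream created) are Sysmon's; the records are made up to mirror this report's values, and the field names, the regular expressions, and the set of mail ports are my assumptions. The rules flag the four behaviours from this run and leave the constructed benign noise (a real service host, a browser's Zone.Identifier stream, an installer's Run value under Program Files) alone.

```python
import re

# Constructed Sysmon-style records mirroring this report's artifacts; not a real capture.
# Sysmon event IDs: 1 process create, 3 network connect, 13 registry value set,
# 15 file stream (alternate data stream) created. Field names are an assumption.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 1180, "image": r"C:\Users\admin\Desktop\sample.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 13, "pid": 1180, "image": r"C:\Users\admin\Desktop\sample.exe",
     "target": r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tudcsewn",
     "details": r'"C:\Users\admin\ppqbwxvd.exe"'},
    {"id": 1, "pid": 6656, "image": r"C:\Users\admin\ppqbwxvd.exe",
     "parent_image": r"C:\Users\admin\Desktop\sample.exe"},
    {"id": 1, "pid": 1272, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "parent_image": r"C:\Users\admin\ppqbwxvd.exe"},
    {"id": 13, "pid": 1272, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "target": r"HKU\S-1-5-21-1\Control Panel\Buses\Config0",
     "details": "008D9A3F13121E3D24EDB47D450DD49D"},   # truncated blob from the report
    {"id": 15, "pid": 1272, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "target": r"C:\Users\admin:.repos"},
    {"id": 3, "pid": 1272, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "dest_ip": "52.101.40.24", "dest_port": 25},
    # Benign noise the rules must ignore: a real service host, a browser's
    # Zone.Identifier stream and an installer's Run value under Program Files.
    {"id": 1, "pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"id": 3, "pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "dest_ip": "4.231.128.59", "dest_port": 443},
    {"id": 15, "pid": 4000, "image": r"C:\Program Files\Browser\browser.exe",
     "target": r"C:\Users\admin\Downloads\setup.exe:Zone.Identifier"},
    {"id": 13, "pid": 4000, "image": r"C:\Program Files\Browser\browser.exe",
     "target": r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r'"C:\Program Files\Browser\updater.exe"'},
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Autorun target sitting directly in the profile root or in %TEMP%, the two
# places this sample dropped its executables.
PROFILE_EXE_RE = re.compile(
    r'^"?[A-Za-z]:\\Users\\[^\\]+\\(AppData\\Local\\Temp\\)?[^\\"]+\.exe"?$', re.I)
# A stream attached to the profile directory itself, as in C:\Users\admin:.repos.
PROFILE_ADS_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\:]+:[^\\]+$", re.I)
# The Control Panel\Buses\Config<n> values written by the hosted svchost.exe in this run.
BUSES_RE = re.compile(r"\\Control Panel\\Buses\\Config\d+$", re.I)
MAIL_PORTS = {25, 465, 587}   # assumption: the ports worth watching for a spam bot


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (rule, pid, evidence) tuples for the behaviours seen in this report."""
    findings = []
    created = {e["pid"]: e for e in events if e["id"] == 1}
    for e in events:
        if (e["id"] == 13 and RUN_KEY_RE.search(e["target"])
                and PROFILE_EXE_RE.match(e["details"])):
            findings.append(("autorun_from_profile_root", e["pid"], e["details"].strip('"')))
        if e["id"] == 13 and BUSES_RE.search(e["target"]):
            findings.append(("control_panel_buses_config", e["pid"], e["target"]))
        if e["id"] == 15 and PROFILE_ADS_RE.match(e["target"]):
            findings.append(("ads_on_profile_dir", e["pid"], e["target"]))
        if e["id"] == 3 and e["dest_port"] in MAIL_PORTS:
            proc = created.get(e["pid"], e)
            # services.exe is the only legitimate parent of svchost.exe; a mail
            # connection from a svchost.exe with any other parent is the hosted
            # bot code, not a Windows service.
            if (basename(proc["image"]) == "svchost.exe"
                    and basename(proc.get("parent_image", "")) != "services.exe"):
                findings.append(("svchost_mail_unexpected_parent", e["pid"],
                                 f'{e["dest_ip"]}:{e["dest_port"]}'))
    return findings


if __name__ == "__main__":
    for rule, pid, evidence in triage(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid:<5} {evidence}")
```

The mail-port rule deliberately keys on the parent of svchost.exe rather than on the destination: as the Connections table shows, the destination here is a whitelisted Microsoft mail host, so destination reputation alone would never fire. The Buses rule is specific to what this sample wrote and should be paired with the other three rather than relied on by itself.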

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.142
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
microsoft.com
  • 13.107.246.59
whitelisted
microsoft-com.mail.protection.outlook.com
  • 52.101.40.24
  • 52.101.194.4
  • 52.101.10.12
  • 52.101.9.26
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected