File name:

2025-05-15_05792afb23cfb67fe7097e26ba3c1248_amadey_elex_gcleaner_redline-stealer_smoke-loader

Full analysis: https://app.any.run/tasks/381eb031-9b65-41f4-a584-d09e91302044
Verdict: Malicious activity
Threats:

Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism.

Malware Trends Tracker     >>>
Analysis date: May 15, 2025, 12:28:55
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
qbot
trojan
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

05792AFB23CFB67FE7097E26BA3C1248

SHA1:

BA652430744DACA86C37E457C06D10DBD4FE3ED2

SHA256:

902E601A89C5042116A4AFB78209D56D1310E776F65F4CC8ECC5D9EA577C68A7

SSDEEP:

12288:Fei2os3hhhhhhhhh9hhhhhhhhhLhhhhhhhhhLhhhhhhhhhLhhhhhhhhhLhhhhhhW:FB2os3hhhhhhhhh9hhhhhhhhhLhhhhhp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • QBOT has been detected (YARA)

      • 2025-05-15_05792afb23cfb67fe7097e26ba3c1248_amadey_elex_gcleaner_redline-stealer_smoke-loader.exe (PID: 7656)
      • 2025-05-15_05792afb23cfb67fe7097e26ba3c1248_amadey_elex_gcleaner_redline-stealer_smoke-loader.exe (PID: 7844)

    • QBOT mutex has been found

      • 2025-05-15_05792afb23cfb67fe7097e26ba3c1248_amadey_elex_gcleaner_redline-stealer_smoke-loader.exe (PID: 7656)

    • Qbot is detected

      • 2025-05-15_05792afb23cfb67fe7097e26ba3c1248_amadey_elex_gcleaner_redline-stealer_smoke-loader.exe (PID: 7656)

  • SUSPICIOUS

    • Application launched itself

      • 2025-05-15_05792afb23cfb67fe7097e26ba3c1248_amadey_elex_gcleaner_redline-stealer_smoke-loader.exe (PID: 7656)

    • Starts CMD.EXE for commands execution

      • 2025-05-15_05792afb23cfb67fe7097e26ba3c1248_amadey_elex_gcleaner_redline-stealer_smoke-loader.exe (PID: 7656)

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 8040)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 8040)

    • Reads security settings of Internet Explorer

      • 2025-05-15_05792afb23cfb67fe7097e26ba3c1248_amadey_elex_gcleaner_redline-stealer_smoke-loader.exe (PID: 7656)

    • Process drops legitimate windows executable

      • cmd.exe (PID: 8040)

  • INFO

    • Checks supported languages

      • 2025-05-15_05792afb23cfb67fe7097e26ba3c1248_amadey_elex_gcleaner_redline-stealer_smoke-loader.exe (PID: 7656)
      • 2025-05-15_05792afb23cfb67fe7097e26ba3c1248_amadey_elex_gcleaner_redline-stealer_smoke-loader.exe (PID: 7844)

    • Reads the computer name

      • 2025-05-15_05792afb23cfb67fe7097e26ba3c1248_amadey_elex_gcleaner_redline-stealer_smoke-loader.exe (PID: 7656)
      • 2025-05-15_05792afb23cfb67fe7097e26ba3c1248_amadey_elex_gcleaner_redline-stealer_smoke-loader.exe (PID: 7844)

    • Process checks computer location settings

      • 2025-05-15_05792afb23cfb67fe7097e26ba3c1248_amadey_elex_gcleaner_redline-stealer_smoke-loader.exe (PID: 7656)

    • Checks proxy server information

      • slui.exe (PID: 8172)

    • The sample compiled with english language support

      • cmd.exe (PID: 8040)

    • Reads the software policy settings

      • slui.exe (PID: 8172)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2002:10:05 16:30:39+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 259072
InitializedDataSize: 14336
UninitializedDataSize: -
EntryPoint: 0x3a189
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
128
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #QBOT 2025-05-15_05792afb23cfb67fe7097e26ba3c1248_amadey_elex_gcleaner_redline-stealer_smoke-loader.exe no specs #QBOT 2025-05-15_05792afb23cfb67fe7097e26ba3c1248_amadey_elex_gcleaner_redline-stealer_smoke-loader.exe no specs cmd.exe conhost.exe no specs ping.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
7656"C:\Users\admin\Desktop\2025-05-15_05792afb23cfb67fe7097e26ba3c1248_amadey_elex_gcleaner_redline-stealer_smoke-loader.exe" C:\Users\admin\Desktop\2025-05-15_05792afb23cfb67fe7097e26ba3c1248_amadey_elex_gcleaner_redline-stealer_smoke-loader.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-05-15_05792afb23cfb67fe7097e26ba3c1248_amadey_elex_gcleaner_redline-stealer_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7844C:\Users\admin\Desktop\2025-05-15_05792afb23cfb67fe7097e26ba3c1248_amadey_elex_gcleaner_redline-stealer_smoke-loader.exe /CC:\Users\admin\Desktop\2025-05-15_05792afb23cfb67fe7097e26ba3c1248_amadey_elex_gcleaner_redline-stealer_smoke-loader.exe
2025-05-15_05792afb23cfb67fe7097e26ba3c1248_amadey_elex_gcleaner_redline-stealer_smoke-loader.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-05-15_05792afb23cfb67fe7097e26ba3c1248_amadey_elex_gcleaner_redline-stealer_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
8040"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\WINDOWS\System32\calc.exe" > "C:\Users\admin\Desktop\2025-05-15_05792afb23cfb67fe7097e26ba3c1248_amadey_elex_gcleaner_redline-stealer_smoke-loader.exe"C:\Windows\SysWOW64\cmd.exe
2025-05-15_05792afb23cfb67fe7097e26ba3c1248_amadey_elex_gcleaner_redline-stealer_smoke-loader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
8048\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
8100ping.exe -n 6 127.0.0.1 C:\Windows\SysWOW64\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
8172C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 927
Read events
3 927
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
8040cmd.exeC:\Users\admin\Desktop\2025-05-15_05792afb23cfb67fe7097e26ba3c1248_amadey_elex_gcleaner_redline-stealer_smoke-loader.exeexecutable
MD5:961E093BE1F666FD38602AD90A5F480F
SHA256:B183BD6414C5123465075D76D2413C999D569492FB543ACBC29690B4B745BDF2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
17
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
7412
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
8172
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.78
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-15_05792afb23cfb67fe7097e26ba3c1248_amadey_elex_gcleaner_redline-stealer_smoke-loader