File name:	2025-04-18_d05e88ac58639d886784686e7831a5b5_amadey_cobalt-strike_elex_smoke-loader
Full analysis:	https://app.any.run/tasks/a7eb02aa-ca16-402f-a176-d896f4693d50
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions. Malware Trends Tracker >>>
Analysis date:	April 18, 2025, 21:57:05
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	sality sainbox rat upx
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	D05E88AC58639D886784686E7831A5B5
SHA1:	98EC32C1FD8486B2C0EA590A91B9C4B69B1F86B2
SHA256:	9891C1CEA563368C85BB9E1F2F4E28DC9AFE18272B9AD7A22F1E48CB2CE523B9
SSDEEP:	6144:JIJCFqo6ZoF/docSNxctG91n0aeMtppBuOeLe69ChNUXFk54d2vYGp:ECLF/docCctGFZM3CDUAW2YGp

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:09:19 06:05:14+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.27
CodeSize:	98816
InitializedDataSize:	128512
UninitializedDataSize:	-
EntryPoint:	0x6340
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	2139.1.194.0
ProductVersionNumber:	2139.1.194.0
FileFlagsMask:	0x0017
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Intel Corporation
FileDescription:	PIcon startup utility
FileVersion:	2139.1.194.0
InternalName:	PIconStartup
LegalCopyright:	Copyright © 2007-2021, Intel Corporation. All rights reserved.
OriginalFileName:	PIconStartup.exe
ProductName:	Intel(R) PIconStartup
ProductVersion:	2139.1.194.0


(PID) Process:	(7396) 2025-04-18_d05e88ac58639d886784686e7831a5b5_amadey_cobalt-strike_elex_smoke-loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	GlobalUserOffline
Value: 0
(PID) Process:	(7396) 2025-04-18_d05e88ac58639d886784686e7831a5b5_amadey_cobalt-strike_elex_smoke-loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tvidl
Operation:	write	Name:	a1_0
Value: 98384074
(PID) Process:	(7396) 2025-04-18_d05e88ac58639d886784686e7831a5b5_amadey_cobalt-strike_elex_smoke-loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tvidl
Operation:	write	Name:	a2_0
Value: 4800
(PID) Process:	(7396) 2025-04-18_d05e88ac58639d886784686e7831a5b5_amadey_cobalt-strike_elex_smoke-loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tvidl
Operation:	write	Name:	a3_0
Value: 17001001
(PID) Process:	(7396) 2025-04-18_d05e88ac58639d886784686e7831a5b5_amadey_cobalt-strike_elex_smoke-loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tvidl
Operation:	write	Name:	a4_0
Value: 0
(PID) Process:	(7396) 2025-04-18_d05e88ac58639d886784686e7831a5b5_amadey_cobalt-strike_elex_smoke-loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tvidl
Operation:	write	Name:	a1_1
Value:
(PID) Process:	(7396) 2025-04-18_d05e88ac58639d886784686e7831a5b5_amadey_cobalt-strike_elex_smoke-loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tvidl
Operation:	write	Name:	a2_1
Value:
(PID) Process:	(7396) 2025-04-18_d05e88ac58639d886784686e7831a5b5_amadey_cobalt-strike_elex_smoke-loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tvidl
Operation:	write	Name:	a3_1
Value:
(PID) Process:	(7396) 2025-04-18_d05e88ac58639d886784686e7831a5b5_amadey_cobalt-strike_elex_smoke-loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tvidl
Operation:	write	Name:	a4_1
Value:
(PID) Process:	(7396) 2025-04-18_d05e88ac58639d886784686e7831a5b5_amadey_cobalt-strike_elex_smoke-loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tvidl
Operation:	write	Name:	a1_2
Value:

PID	Process	Filename		Type
7396	2025-04-18_d05e88ac58639d886784686e7831a5b5_amadey_cobalt-strike_elex_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\winrwutq.exe		executable
		MD5:B360FA63134A63F9ACFE046D2DFE10D9	SHA256:03E0C6C4CA8A24F961477887763397045E67862E059F7494014AEFC21891D40E
7396	2025-04-18_d05e88ac58639d886784686e7831a5b5_amadey_cobalt-strike_elex_smoke-loader.exe	C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe		executable
		MD5:6C2F4EFEA6313CF37DB1F30CEA0181AA	SHA256:6649834963BA515D558264CF9E3E8C4F165528EE56A4844299A3F644C78741F3
7396	2025-04-18_d05e88ac58639d886784686e7831a5b5_amadey_cobalt-strike_elex_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\winysvc.exe		executable
		MD5:B360FA63134A63F9ACFE046D2DFE10D9	SHA256:03E0C6C4CA8A24F961477887763397045E67862E059F7494014AEFC21891D40E

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	304	20.12.23.50:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
7760	SIHClient.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7760	SIHClient.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
7760	SIHClient.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
7760	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
7760	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7760	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
7760	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
—	—	GET	200	13.85.23.206:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—
7760	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
7760	SIHClient.exe	172.202.163.200:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	whitelisted
7760	SIHClient.exe	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
7760	SIHClient.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
7760	SIHClient.exe	13.85.23.206:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4164	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6544	svchost.exe	40.126.31.71:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
google.com	216.58.212.174	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
crl.microsoft.com	2.16.241.12 2.16.241.19	whitelisted
www.microsoft.com	2.23.246.101	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
nexusrules.officeapps.live.com	52.111.229.43	whitelisted
login.live.com	40.126.31.71 20.190.159.128 40.126.31.69 20.190.159.73 40.126.31.73 40.126.31.129 20.190.159.64 20.190.159.71	whitelisted

General Info

2025-04-18_d05e88ac58639d886784686e7831a5b5_amadey_cobalt-strike_elex_smoke-loader

D05E88AC58639D886784686E7831A5B5

98EC32C1FD8486B2C0EA590A91B9C4B69B1F86B2

9891C1CEA563368C85BB9E1F2F4E28DC9AFE18272B9AD7A22F1E48CB2CE523B9

6144:JIJCFqo6ZoF/docSNxctG91n0aeMtppBuOeLe69ChNUXFk54d2vYGp:ECLF/docCctGFZM3CDUAW2YGp

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SALITY has been detected

SALITY mutex has been found

SAINBOX has been detected

SUSPICIOUS

Executable content was dropped or overwritten

Process drops legitimate windows executable

Creates file in the systems drive root

INFO

The sample compiled with english language support

Reads the computer name

Checks supported languages

UPX packer has been detected

Create files in a temporary directory

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings