File name:	2025-04-29_a81c70f5d993a1443ee8713ff04ee1c4_amadey_elex_rhadamanthys_sakula_smoke-loader
Full analysis:	https://app.any.run/tasks/ceb5b289-5140-43a2-8c12-660a0b920829
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	April 29, 2025, 21:23:16
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	rat mivast sakula auto-reg
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	A81C70F5D993A1443EE8713FF04EE1C4
SHA1:	00F057A5A7B2802FF3C8616B7D9A4FB289EC916B
SHA256:	AB84916610EC47AD52A41E4FA7AA9611BB327AAFD2DE8601BAA154CB275B73C1
SSDEEP:	6144:QFPUkOn3ZYcJ67wdHMgkP89PHA2u/z08bIHHHxzSLT6vw6HEGVKlTsfLtZPW3pHY:SPdOpYeywlI0dLwXbHYABbi2N6

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2013:02:05 04:03:07+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	56320
InitializedDataSize:	33792
UninitializedDataSize:	-
EntryPoint:	0x473a
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI


(PID) Process:	(4736) MediaCenter.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(4736) MediaCenter.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(4736) MediaCenter.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(1228) 2025-04-29_a81c70f5d993a1443ee8713ff04ee1c4_amadey_elex_rhadamanthys_sakula_smoke-loader.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	MicroMedia
Value: C:\Users\admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
(PID) Process:	(896) MediaCenter.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(896) MediaCenter.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(896) MediaCenter.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
1228	2025-04-29_a81c70f5d993a1443ee8713ff04ee1c4_amadey_elex_rhadamanthys_sakula_smoke-loader.exe	C:\Users\admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe		executable
		MD5:8AD34E43E260164C3A7B0C6A5175DE49	SHA256:4321C0603E601838411D721DBA38E466D1A50E0F34B0635FB3088E769AAFB9DF
896	MediaCenter.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\viewphoto[1].htm		html
		MD5:ACABA7746C79A526BDA5A8E625242D22	SHA256:7BA7EF287E0A8E625C301B55D564E812FD16EA7A916A71ADD7220EAFA01BE081
4736	MediaCenter.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\qrfxgbctwtyywyq649566714[1].htm		html
		MD5:A34FDFCF6F542B999DE3809CC84C7E61	SHA256:53444E2B29641D173813741D0E1510FB4F3D84E886CF9A56B99E77ED134EBAFD
4736	MediaCenter.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\viewphoto[1].htm		html
		MD5:548EDDF3F8091BD0BFCCC7ADECE298B7	SHA256:EAD67825353BBCD9109C4C7E467F75FE0332D733470B8058EBCB688CA7046055
896	MediaCenter.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\qrfxgbctwtyywyq649566714[1].htm		html
		MD5:EC020FC28E7B2969D1FA0B5FFEE47B1D	SHA256:073485EBFAC4C483DACE815AC4DFFDF21EDDC3561E15C17812314134DA342039

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4736	MediaCenter.exe	GET	200	13.248.169.48:80	http://www.polarroute.com/photo/qrfxgbctwtyywyq649566714.jpg?resid=1097734	unknown	—	—	malicious
896	MediaCenter.exe	POST	405	13.248.169.48:80	http://www.polarroute.com/newimage.asp?imageid=qrfxgbctwtyywyq649566714&type=0&resid=1100250	unknown	—	—	malicious
4736	MediaCenter.exe	GET	200	13.248.169.48:80	http://www.polarroute.com/viewphoto.asp?resid=1097875&photoid=qrfxgbctwtyywyq649566714	unknown	—	—	malicious
4736	MediaCenter.exe	POST	405	13.248.169.48:80	http://www.polarroute.com/newimage.asp?imageid=qrfxgbctwtyywyq649566714&type=0&resid=1097312	unknown	—	—	malicious
—	—	GET	304	4.245.163.56:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
896	MediaCenter.exe	GET	200	13.248.169.48:80	http://www.polarroute.com/viewphoto.asp?resid=1102531&photoid=qrfxgbctwtyywyq649566714	unknown	—	—	malicious
7144	SIHClient.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7144	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
7144	SIHClient.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
896	MediaCenter.exe	GET	200	13.248.169.48:80	http://www.polarroute.com/photo/qrfxgbctwtyywyq649566714.jpg?resid=1102234	unknown	—	—	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4736	MediaCenter.exe	13.248.169.48:80	www.polarroute.com	AMAZON-02	US	malicious
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
896	MediaCenter.exe	13.248.169.48:80	www.polarroute.com	AMAZON-02	US	malicious
7144	SIHClient.exe	4.175.87.197:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7144	SIHClient.exe	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
7144	SIHClient.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158	whitelisted
google.com	142.250.186.142	whitelisted
www.polarroute.com	13.248.169.48 76.223.54.146	malicious
client.wns.windows.com	172.211.123.249	whitelisted
slscr.update.microsoft.com	4.175.87.197	whitelisted
crl.microsoft.com	2.16.164.49 2.16.164.120	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98 40.91.76.224	whitelisted
nexusrules.officeapps.live.com	52.111.229.48	whitelisted

PID	Process	Class	Message
4736	MediaCenter.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS UA (iexplore)
4736	MediaCenter.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS UA (iexplore)
4736	MediaCenter.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS UA (iexplore)
4736	MediaCenter.exe	Malware Command and Control Activity Detected	ET MALWARE Sakula/Mivast RAT CnC Beacon 2
4736	MediaCenter.exe	Malware Command and Control Activity Detected	ET MALWARE Sakula/Mivast RAT CnC Beacon 3
4736	MediaCenter.exe	Malware Command and Control Activity Detected	ET MALWARE Sakula/Mivast RAT CnC Beacon 1
896	MediaCenter.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS UA (iexplore)
896	MediaCenter.exe	Malware Command and Control Activity Detected	ET MALWARE Sakula/Mivast RAT CnC Beacon 1
896	MediaCenter.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS UA (iexplore)
896	MediaCenter.exe	Malware Command and Control Activity Detected	ET MALWARE Sakula/Mivast RAT CnC Beacon 2

General Info

2025-04-29_a81c70f5d993a1443ee8713ff04ee1c4_amadey_elex_rhadamanthys_sakula_smoke-loader

A81C70F5D993A1443EE8713FF04EE1C4

00F057A5A7B2802FF3C8616B7D9A4FB289EC916B

AB84916610EC47AD52A41E4FA7AA9611BB327AAFD2DE8601BAA154CB275B73C1

6144:QFPUkOn3ZYcJ67wdHMgkP89PHA2u/z08bIHHHxzSLT6vw6HEGVKlTsfLtZPW3pHY:SPdOpYeywlI0dLwXbHYABbi2N6

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SAKULA has been detected

Changes the autorun value in the registry

SAKULA has been detected (SURICATA)

Connects to the CnC server

SAKULA has been detected (YARA)

Starts CMD.EXE for self-deleting

SUSPICIOUS

Executable content was dropped or overwritten

Starts itself from another location

Reads security settings of Internet Explorer

Contacting a server suspected of hosting an CnC

Starts CMD.EXE for commands execution

INFO

Create files in a temporary directory

Checks supported languages

Auto-launch of the file from Registry key

Reads the computer name

Checks proxy server information

Creates files or folders in the user directory

Manual execution by a user

Process checks computer location settings

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings