File name:	2025-04-28_76a50ca4620a888b656030745f3f62de_amadey_elex_rhadamanthys_smoke-loader_stealc_tofsee
Full analysis:	https://app.any.run/tasks/68224227-913b-4d69-b276-ebb9a059851b
Verdict:	Malicious activity
Analysis date:	April 29, 2025, 00:21:23
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto-reg tofsee
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	76A50CA4620A888B656030745F3F62DE
SHA1:	19C1038E1A40364F9375E10549D2013FF0E7F383
SHA256:	B0260DFE6AE1CD45FA336E86D6565308BD3842B47CAC93859FEF1B38FEF59F7B
SSDEEP:	49152:dWQBp99999999999999999999999999999999999999999999999999999999999:80

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:09:17 00:57:44+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	10
CodeSize:	109568
InitializedDataSize:	43883520
UninitializedDataSize:	-
EntryPoint:	0x479e
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI


(PID) Process:	(7912) 2025-04-28_76a50ca4620a888b656030745f3f62de_amadey_elex_rhadamanthys_smoke-loader_stealc_tofsee.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	pqzyoasj
Value: "C:\Users\admin\wytzsfp.exe"
(PID) Process:	(6988) svchost.exe	Key:	HKEY_CURRENT_USER\Control Panel\Buses
Operation:	write	Name:	Config0
Value: 008D6B3D11311D3D24EDB47D450DD49D084297DCE82E72BAA4942EFDE422031D0AD4456A48CD945D24EDB47D470DD49D024195DAF71261ADC06D04FDA6E22673BBC9154961CDA56B15D48248713AE4AC644490BDB57D23E99C5E03CBF3BB54758DF21D5904FCA36F16DF8644743AEC9D084295D9E13F4BB4C06D07FD
(PID) Process:	(6988) svchost.exe	Key:	HKEY_CURRENT_USER\Control Panel\Buses
Operation:	delete value	Name:	Config1
Value:

PID	Process	Filename		Type
6988	svchost.exe	C:\Users\admin:.repos		binary
		MD5:C92CFB44281B4F62F533CFF97FE520AD	SHA256:9B7DC8CBE885C982B6FC60BB0D37900F00D20E437B41E79334893E3BF71A45D0
7912	2025-04-28_76a50ca4620a888b656030745f3f62de_amadey_elex_rhadamanthys_smoke-loader_stealc_tofsee.exe	C:\Users\admin\AppData\Local\Temp\pbaozjrl.exe		executable
		MD5:660AD29CADE9C22726D581C6679978EB	SHA256:50AB5B2D28272485ACBBB2A0D7C5BD9AB5087321973998927BD9ECC8711AF8AD
7912	2025-04-28_76a50ca4620a888b656030745f3f62de_amadey_elex_rhadamanthys_smoke-loader_stealc_tofsee.exe	C:\Users\admin\wytzsfp.exe		executable
		MD5:02A01692D5DB4195F919B545BB9F0F1A	SHA256:26915F3BA396A66547C9E0DC43E741757127A92B8E68FAA904FE7B5F90A6605C

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	304	52.149.20.212:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
—	—	GET	200	52.149.20.212:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
5968	SIHClient.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	52.165.164.15:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—
5968	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
5968	SIHClient.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
5968	SIHClient.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
5968	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
5968	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
5968	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6988	svchost.exe	13.107.246.59:80	microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6988	svchost.exe	52.101.194.19:25	microsoft-com.mail.protection.outlook.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
976	svchost.exe	13.107.246.59:80	microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
976	svchost.exe	52.101.194.19:25	microsoft-com.mail.protection.outlook.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
976	svchost.exe	43.231.4.7:443	—	Gigabit Hosting Sdn Bhd	MY	unknown
5968	SIHClient.exe	172.202.163.200:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
google.com	142.250.185.110	whitelisted
client.wns.windows.com	172.211.123.248 172.211.123.250	whitelisted
microsoft.com	13.107.246.59	whitelisted
microsoft-com.mail.protection.outlook.com	52.101.194.19 52.101.41.58 52.101.10.1 52.101.42.13	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
crl.microsoft.com	23.216.77.6 23.216.77.28 23.216.77.42	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

General Info

2025-04-28_76a50ca4620a888b656030745f3f62de_amadey_elex_rhadamanthys_smoke-loader_stealc_tofsee

76A50CA4620A888B656030745F3F62DE

19C1038E1A40364F9375E10549D2013FF0E7F383

B0260DFE6AE1CD45FA336E86D6565308BD3842B47CAC93859FEF1B38FEF59F7B

49152:dWQBp99999999999999999999999999999999999999999999999999999999999:80

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

TOFSEE has been detected (YARA)

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Executes application which crashes

Detected use of alternative data streams (AltDS)

Connects to SMTP port

INFO

Create files in a temporary directory

Reads the computer name

Checks supported languages

Process checks computer location settings

Auto-launch of the file from Registry key

Manual execution by a user

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings