File name:	2025-04-29_05ca13c64265bc4f4ccfee69bb73ec33_elex_rhadamanthys_smoke-loader_stealc
Full analysis:	https://app.any.run/tasks/c2a54da7-196f-4778-83ce-a6131877e0d9
Verdict:	Malicious activity
Analysis date:	April 29, 2025, 00:38:07
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto-reg tofsee
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	05CA13C64265BC4F4CCFEE69BB73EC33
SHA1:	143EDA0688CE8382F4884B394F91E3232BCBE566
SHA256:	BEF2A8C20AB3076F9EFC25B57A030ED7399B6CA4FCD39145C6B60DFD576DF191
SSDEEP:	12288:pvXiM8EBQo8ccvXa9SBwUbHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHn:ViMiDXa9SWU

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2020:06:06 01:58:44+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	10
CodeSize:	153088
InitializedDataSize:	32161280
UninitializedDataSize:	-
EntryPoint:	0x1668
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	67.0.0.0
ProductVersionNumber:	67.0.0.0
FileFlagsMask:	0x003f
FileFlags:	Debug, Pre-release, Patched, Private build, Special build
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
FileVersion:	67.0.0.55
ProductVersion:	67.0.0.55
LegalCopyright:	Wseg


(PID) Process:	(7748) 2025-04-29_05ca13c64265bc4f4ccfee69bb73ec33_elex_rhadamanthys_smoke-loader_stealc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	qrazpbtk
Value: "C:\Users\admin\kxjgzmrb.exe"
(PID) Process:	(8048) svchost.exe	Key:	HKEY_CURRENT_USER\Control Panel\Buses
Operation:	write	Name:	Config0
Value: 008DBF3FFB321D3D24EDB47D450DD49D084297DCE82E72BAA493FDFFE422031D2DF40F9A48CD945D24EDB47D470DD49D024195DAF71261ADC06D04FDA6E22673BBC9154961CDA56B15D48248723AE4AE644490BDB57C25EF9C5C02CBF3BC54758DF21D5904E0A06810D5804F7D3DE39D084295D9E13F4BB4C06D07FD
(PID) Process:	(8048) svchost.exe	Key:	HKEY_CURRENT_USER\Control Panel\Buses
Operation:	delete value	Name:	Config1
Value:

PID	Process	Filename		Type
8048	svchost.exe	C:\Users\admin:.repos		binary
		MD5:6A035D42B86EB2F323ED4105D800F322	SHA256:2EFD7D6970EB3EDE286AAA1CBD901AF4FE1854A8DBED0D25F07348A0ED069EB8
7748	2025-04-29_05ca13c64265bc4f4ccfee69bb73ec33_elex_rhadamanthys_smoke-loader_stealc.exe	C:\Users\admin\kxjgzmrb.exe		executable
		MD5:A047090E2B6516E7D2C1EDB6FDE36511	SHA256:B03FEA41E95625EC5B0B8890C4DFA79757A2120AED1F20BE25AC8C098BDBD7B5
7748	2025-04-29_05ca13c64265bc4f4ccfee69bb73ec33_elex_rhadamanthys_smoke-loader_stealc.exe	C:\Users\admin\AppData\Local\Temp\qztyqpkg.exe		executable
		MD5:248283CD4104425CB583141A55B6CE29	SHA256:965B3BA3A8D7362871823181A1461D1BC884E5AE3AEA61BB6C6E05FC3A5568A8

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6516	SIHClient.exe	GET	200	23.32.238.107:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	304	20.109.210.53:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
6516	SIHClient.exe	GET	200	23.38.73.129:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
6516	SIHClient.exe	GET	200	23.32.238.107:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
—	—	GET	200	20.109.210.53:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
6516	SIHClient.exe	GET	200	23.32.238.107:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
6516	SIHClient.exe	GET	200	23.38.73.129:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
6516	SIHClient.exe	GET	200	23.38.73.129:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
—	—	GET	200	13.95.31.18:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—
—	—	GET	200	20.109.210.53:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
8048	svchost.exe	13.107.246.59:80	microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
8048	svchost.exe	52.101.8.42:25	microsoft-com.mail.protection.outlook.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
8048	svchost.exe	43.231.4.7:443	—	Gigabit Hosting Sdn Bhd	MY	unknown
8180	svchost.exe	13.107.246.59:80	microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
8180	svchost.exe	52.101.40.6:25	microsoft-com.mail.protection.outlook.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
8180	svchost.exe	43.231.4.7:443	—	Gigabit Hosting Sdn Bhd	MY	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	142.250.186.46	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
microsoft.com	13.107.246.59	whitelisted
microsoft-com.mail.protection.outlook.com	52.101.8.42 52.101.194.19 52.101.10.2 52.101.10.8 52.101.40.6 52.101.41.4 52.101.194.4 52.101.41.22	whitelisted
slscr.update.microsoft.com	20.109.210.53	whitelisted
crl.microsoft.com	23.32.238.107	whitelisted
www.microsoft.com	23.38.73.129	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224 20.83.72.98	whitelisted

General Info

2025-04-29_05ca13c64265bc4f4ccfee69bb73ec33_elex_rhadamanthys_smoke-loader_stealc

05CA13C64265BC4F4CCFEE69BB73EC33

143EDA0688CE8382F4884B394F91E3232BCBE566

BEF2A8C20AB3076F9EFC25B57A030ED7399B6CA4FCD39145C6B60DFD576DF191

12288:pvXiM8EBQo8ccvXa9SBwUbHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHn:ViMiDXa9SWU

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

TOFSEE has been detected (YARA)

Changes the autorun value in the registry

SUSPICIOUS

Detected use of alternative data streams (AltDS)

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Executes application which crashes

Connects to SMTP port

INFO

The sample compiled with english language support

Create files in a temporary directory

Reads the computer name

Checks supported languages

Manual execution by a user

Process checks computer location settings

Auto-launch of the file from Registry key

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings