File name:

2025-05-18_1a7f432d61dc5eeed16796bb466518e1_amadey_black-basta_cobalt-strike_elex_luca-stealer_smoke-loader

Full analysis: https://app.any.run/tasks/465b05d4-86ba-4d56-a376-431b0d98fe64
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: May 18, 2025, 11:36:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
smoke
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:

1A7F432D61DC5EEED16796BB466518E1

SHA1:

077EBD91507EB7F22D223A4133692658B093CBDC

SHA256:

C5666B938FC6A75CF7B8A69187CF9F517ED0A1AB5CBD558BA3609EB1396CAA2C

SSDEEP:

12288:JO+GxUD/8IBK2BXrb6OJSZrmEtcLNuKJg+w2wT7W3:JKxUD/8IBK2Rrb6OJecLNuKC+VwvW3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2025-05-18_1a7f432d61dc5eeed16796bb466518e1_amadey_black-basta_cobalt-strike_elex_luca-stealer_smoke-loader.exe (PID: 7476)

    • Runs injected code in another process

      • AppLaunch.exe (PID: 7496)

    • Application was injected by another process

      • explorer.exe (PID: 5492)

    • SMOKE mutex has been found

      • explorer.exe (PID: 5492)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • 2025-05-18_1a7f432d61dc5eeed16796bb466518e1_amadey_black-basta_cobalt-strike_elex_luca-stealer_smoke-loader.exe (PID: 7476)
      • explorer.exe (PID: 5492)

    • Executes application which crashes

      • 2025-05-18_1a7f432d61dc5eeed16796bb466518e1_amadey_black-basta_cobalt-strike_elex_luca-stealer_smoke-loader.exe (PID: 7476)

    • Starts a Microsoft application from unusual location

      • 2025-05-18_1a7f432d61dc5eeed16796bb466518e1_amadey_black-basta_cobalt-strike_elex_luca-stealer_smoke-loader.exe (PID: 7476)

    • Executable content was dropped or overwritten

      • explorer.exe (PID: 5492)

    • Deletes system .NET executable

      • explorer.exe (PID: 5492)

  • INFO

    • Checks supported languages

      • 2025-05-18_1a7f432d61dc5eeed16796bb466518e1_amadey_black-basta_cobalt-strike_elex_luca-stealer_smoke-loader.exe (PID: 7476)
      • AppLaunch.exe (PID: 7496)

    • The sample compiled with english language support

      • 2025-05-18_1a7f432d61dc5eeed16796bb466518e1_amadey_black-basta_cobalt-strike_elex_luca-stealer_smoke-loader.exe (PID: 7476)
      • explorer.exe (PID: 5492)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 7628)
      • explorer.exe (PID: 5492)

    • Checks proxy server information

      • explorer.exe (PID: 5492)
      • slui.exe (PID: 8184)

    • Reads the software policy settings

      • slui.exe (PID: 8184)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:08:28 05:01:01+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.32
CodeSize: 723968
InitializedDataSize: 245760
UninitializedDataSize: -
EntryPoint: 0x11ae
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 4.8.4084.0
ProductVersionNumber: 4.0.30319.0
FileFlagsMask: 0x003f
FileFlags: Private build
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Microsoft .NET Framework IL assembler
FileVersion: 4.8.4084.0 built by: NET48REL1
InternalName: ilasm.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: ilasm.exe
ProductName: Microsoft® .NET Framework
ProductVersion: 4.8.4084.0
Comments: Flavor=Retail
PrivateBuild: DDBLD340A
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
131
Monitored processes
6
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start 2025-05-18_1a7f432d61dc5eeed16796bb466518e1_amadey_black-basta_cobalt-strike_elex_luca-stealer_smoke-loader.exe applaunch.exe no specs werfault.exe no specs svchost.exe slui.exe #SMOKE explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
5492C:\WINDOWS\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
7476"C:\Users\admin\Desktop\2025-05-18_1a7f432d61dc5eeed16796bb466518e1_amadey_black-basta_cobalt-strike_elex_luca-stealer_smoke-loader.exe" C:\Users\admin\Desktop\2025-05-18_1a7f432d61dc5eeed16796bb466518e1_amadey_black-basta_cobalt-strike_elex_luca-stealer_smoke-loader.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Framework IL assembler
Exit code:
3221225477
Version:
4.8.4084.0 built by: NET48REL1
Modules
Images
c:\users\admin\desktop\2025-05-18_1a7f432d61dc5eeed16796bb466518e1_amadey_black-basta_cobalt-strike_elex_luca-stealer_smoke-loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7496"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe2025-05-18_1a7f432d61dc5eeed16796bb466518e1_amadey_black-basta_cobalt-strike_elex_luca-stealer_smoke-loader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET ClickOnce Launch Utility
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
7628C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7476 -s 312C:\Windows\SysWOW64\WerFault.exe2025-05-18_1a7f432d61dc5eeed16796bb466518e1_amadey_black-basta_cobalt-strike_elex_luca-stealer_smoke-loader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
8184C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
5 679
Read events
5 674
Write events
5
Delete events
0

Modification events

(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:IconLayouts
Value:
0000000000000000000000000000000003000100010001000F000000000000002C000000000000003A003A007B00360034003500460046003000340030002D0035003000380031002D0031003000310042002D0039004600300038002D003000300041004100300030003200460039003500340045007D003E002000200000001000000000000000430043006C00650061006E00650072002E006C006E006B003E0020007C0000001500000000000000410064006F006200650020004100630072006F006200610074002E006C006E006B003E0020007C0000000F00000000000000460069007200650066006F0078002E006C006E006B003E0020007C000000150000000000000047006F006F0067006C00650020004300680072006F006D0065002E006C006E006B003E0020007C000000180000000000000056004C00430020006D006500640069006100200070006C0061007900650072002E006C006E006B003E0020007C00000016000000000000004D006900630072006F0073006F0066007400200045006400670065002E006C006E006B003E0020007C0000000D0000000000000053006B007900700065002E006C006E006B003E0020007C0000001200000000000000610073006D0075006C007400690070006C0065002E007200740066003E00200020000000160000000000000063006F006C006F007200720069006E00670074006F006E00650073002E0070006E0067003E002000200000001A00000000000000650076006500720079007400680069006E00670070006800790073006900630061006C002E0070006E0067003E002000200000001200000000000000700072006F00660069006C0065006600650077002E007200740066003E00200020000000180000000000000073006F00750074006800650072006E0069006C006C0069006E006F00690073002E007200740066003E00200020000000150000000000000074007500650073006400610079006F00660066006900630065002E006A00700067003E00200020000000730000000000000032003000320035002D00300035002D00310038005F00310061003700660034003300320064003600310064006300350065006500650064003100360037003900360062006200340036003600350031003800650031005F0061006D0061006400650079005F0062006C00610063006B002D00620061007300740061005F0063006F00620061006C0074002D0073007400720069006B0065005F0065006C00650078005F006C007500630061002D0073007400650061006C00650072005F0073006D006F006B0065002D006C006F0061006400650072002E006500780065003E00200020000000010000000000000002000100000000000000000001000000000000000200010000000000000000001100000006000000010000000F00000000000000000000000000000000000000803F0000004008000000803F0000404009000000803F000080400A000000803F0000A0400B0000000040000000000C00000000400000803F0D00000000000000803F0100000000000000004002000000000000004040030000000000000080400400000000000000A04005000000803F0000000006000000803F0000803F070000000040000000400E00
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:IconNameVersion
Value:
1
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation:writeName:LastUpdate
Value:
5AC6296800000000
Executable files
1
Suspicious files
3
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
7628WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2025-05-18_1a7f4_4e7de2bbea4cca810746e671fbbb95dae11428e_a67f3b01_0c19be69-dc07-47c1-beb7-2ea6e8e56840\Report.wer
MD5:
SHA256:
7628WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\2025-05-18_1a7f432d61dc5eeed16796bb466518e1_amadey_black-basta_cobalt-strike_elex_luca-stealer_smoke-loader.exe.7476.dmpbinary
MD5:850EF65209E894405B9719B114878CB8
SHA256:87B4CCCCC6E25916D66940B9AF464072705E83E539A833D68E613B015DA32EE0
7628WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERC834.tmp.dmpbinary
MD5:04C15E84D74B5564409FD1F7A69A6139
SHA256:4FF7F0BD5215D3DAB8CE5A8CD3AB62EA54E5B2FDB464CACC1FA431E55F1E6150
7628WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERC8A2.tmp.WERInternalMetadata.xmlbinary
MD5:DDF84854E4CF079166CE5219CA32B706
SHA256:E014D65318FB296FFFAF695AB5E7B4096CD7AD91EFDE581D80ACA82107C7EA8C
7628WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERC8D2.tmp.xmlxml
MD5:BF18609AF2511CDE84A71E73E38D4A19
SHA256:F69AA4298CD234D049BC0E7EB1C1A48D98CF3796FC17FD2AC0166DCB4B74D416
5492explorer.exeC:\Users\admin\AppData\Roaming\ricgshjexecutable
MD5:1CEE14BA4BA5B627536821A38E218F24
SHA256:D025C880EB10592541846301A8B8500CFCD00A12B72D15443724E2B26C905F3D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
51
DNS requests
28
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2104
svchost.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7988
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7988
SIHClient.exe
GET
200
23.216.77.18:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
7988
SIHClient.exe
GET
200
23.216.77.18:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
7988
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7988
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7988
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
7988
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
6544
svchost.exe
40.126.31.69:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7988
SIHClient.exe
20.12.23.50:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7988
SIHClient.exe
69.192.161.161:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
  • 23.216.77.18
  • 23.216.77.19
  • 23.216.77.11
  • 23.216.77.21
  • 23.216.77.28
  • 23.216.77.12
  • 23.216.77.23
  • 23.216.77.25
  • 23.216.77.10
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 69.192.161.161
whitelisted
login.live.com
  • 40.126.31.69
  • 20.190.159.68
  • 20.190.159.64
  • 20.190.159.4
  • 20.190.159.129
  • 20.190.159.0
  • 40.126.31.2
  • 20.190.159.128
whitelisted
ilab4xp457haf.com
unknown
ilab99r8sk4dn.me
unknown
ilab2478jdshd.xyz
malicious
ilabok2498fso.xyz
unknown

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-18_1a7f432d61dc5eeed16796bb466518e1_amadey_black-basta_cobalt-strike_elex_luca-stealer_smoke-loader