File name:	2025-04-28_d0817e7b55d70bfe43e8dca3835e97fd_amadey_elex_rhadamanthys_smoke-loader
Full analysis:	https://app.any.run/tasks/7adcf054-9ecf-41c6-ac5e-440d48335d7c
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	April 29, 2025, 00:01:11
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	ransomware birele neconyd sinkhole
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 4 sections
MD5:	D0817E7B55D70BFE43E8DCA3835E97FD
SHA1:	64340D4CCCBEE753A3D3912D1B14F067DDC72AAC
SHA256:	DE7BE8661FAD75626F929493C5B9B80C083B296A63B85F501E4CC7F488A892B2
SSDEEP:	3072:rR65qaR6CRp/5y03CwJ3/HxMqMdA33M5tC1isyPFCALzv4mlkVVXV9da:rmqaRRRZ/MnA3cQYFCOzv3AVXV

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2012:11:23 02:07:58+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit, No debug
PEType:	PE32
LinkerVersion:	8
CodeSize:	28672
InitializedDataSize:	98304
UninitializedDataSize:	-
EntryPoint:	0x18b6
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.1
ProductVersionNumber:	2.1.0.0
FileFlagsMask:	0x0017
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
FileDescription:	Comments
FileVersion:	0, 1, 2, 0
InternalName:	CompanyName
LegalCopyright:	LegalTrademarks
OriginalFileName:	Build private
ProductName:	Movie name
ProductVersion:	0, 0, 0, 0

PID	CMD	Path	Indicators	Parent process
1020	C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5056 -s 340	C:\Windows\SysWOW64\WerFault.exe	—	omsecor.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800)
1056	C:\Users\admin\AppData\Roaming\omsecor.exe	C:\Users\admin\AppData\Roaming\omsecor.exe		omsecor.exe
User: admin Integrity Level: MEDIUM Description: Comments Version: 0, 1, 2, 0
2196	C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache	C:\Windows\System32\svchost.exe		services.exe
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800)
4008	C:\WINDOWS\System32\slui.exe -Embedding	C:\Windows\System32\slui.exe		svchost.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
5056	C:\Users\admin\AppData\Roaming\omsecor.exe /nomove	C:\Users\admin\AppData\Roaming\omsecor.exe		omsecor.exe
User: admin Integrity Level: MEDIUM Description: Comments Exit code: 3221225622 Version: 0, 1, 2, 0
7648	"C:\Users\admin\Desktop\2025-04-28_d0817e7b55d70bfe43e8dca3835e97fd_amadey_elex_rhadamanthys_smoke-loader.exe"	C:\Users\admin\Desktop\2025-04-28_d0817e7b55d70bfe43e8dca3835e97fd_amadey_elex_rhadamanthys_smoke-loader.exe		explorer.exe
User: admin Integrity Level: MEDIUM Description: Comments Exit code: 3221225622 Version: 0, 1, 2, 0
7668	C:\Users\admin\Desktop\2025-04-28_d0817e7b55d70bfe43e8dca3835e97fd_amadey_elex_rhadamanthys_smoke-loader.exe	C:\Users\admin\Desktop\2025-04-28_d0817e7b55d70bfe43e8dca3835e97fd_amadey_elex_rhadamanthys_smoke-loader.exe		2025-04-28_d0817e7b55d70bfe43e8dca3835e97fd_amadey_elex_rhadamanthys_smoke-loader.exe
User: admin Integrity Level: MEDIUM Description: Comments Exit code: 0 Version: 0, 1, 2, 0
7696	C:\Users\admin\AppData\Roaming\omsecor.exe	C:\Users\admin\AppData\Roaming\omsecor.exe		2025-04-28_d0817e7b55d70bfe43e8dca3835e97fd_amadey_elex_rhadamanthys_smoke-loader.exe
User: admin Integrity Level: MEDIUM Description: Comments Exit code: 3221225622 Version: 0, 1, 2, 0
7788	C:\Users\admin\AppData\Roaming\omsecor.exe	C:\Users\admin\AppData\Roaming\omsecor.exe		omsecor.exe
User: admin Integrity Level: MEDIUM Description: Comments Exit code: 0 Version: 0, 1, 2, 0
7888	C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7648 -s 364	C:\Windows\SysWOW64\WerFault.exe	—	2025-04-28_d0817e7b55d70bfe43e8dca3835e97fd_amadey_elex_rhadamanthys_smoke-loader.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800)

PID	Process	Filename		Type
7896	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_omsecor.exe_11b31cf36164b98a3bd7973187a2bad1c5b7071_6c60fa87_56b5873a-98c9-4cda-a463-05741746706b\Report.wer		—
		MD5:—	SHA256:—
7888	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2025-04-28_d0817_f4b7ac24bb233f4bd4fd7198ad890c32e1796fd_f9a70c19_ab7b6f42-6c29-47d7-ae99-267b49c1ab71\Report.wer		—
		MD5:—	SHA256:—
1020	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_omsecor.exe_11b31cf36164b98a3bd7973187a2bad1c5b7071_6c60fa87_9bc96ed3-3f2a-4bfa-8582-a7d254cdb839\Report.wer		—
		MD5:—	SHA256:—
7896	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERC2A6.tmp.dmp		binary
		MD5:33CE03466791D750734ED8CC23037D15	SHA256:5F73A8AC585F9DBAE6D069C347D9CA70222AEB32E7FFDBAEFA32E4AC4C6FD3DE
7896	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERC383.tmp.xml		xml
		MD5:F795C7F472BC425B7478864E63581B3B	SHA256:242F84A058BF402F2011E334165020567E6E4D04B4270C01CB6EFEA276C1C83A
7896	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERC344.tmp.WERInternalMetadata.xml		binary
		MD5:A46F1C063046844D480627742260DA71	SHA256:2466106402BFDBE40A049E97E9F82E819408DE8AC2077DC03E10716F96416586
7896	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\omsecor.exe.7696.dmp		binary
		MD5:EB5D81D2E5A05289C05D614C205070AD	SHA256:D6FF05A14E81EF0308374704503BA79E36E22EDBF5EF663A71030C41C15E29BD
1020	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER1C2D.tmp.xml		xml
		MD5:948B1F362AEE0D87BD020375ABC620B5	SHA256:A562CE56268C93880ED24984F84B14CCA2195313A389FA069FE48713A627DBC7
7668	2025-04-28_d0817e7b55d70bfe43e8dca3835e97fd_amadey_elex_rhadamanthys_smoke-loader.exe	C:\Users\admin\AppData\Roaming\omsecor.exe		executable
		MD5:1E7CB3570C63161685F966A3E3B96B91	SHA256:76905E1D70D62DE73193A65B3BB115D5B53B6BD7ECA7873F0F5835996BA2F67F
1020	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER1BFD.tmp.WERInternalMetadata.xml		xml
		MD5:A37C6192F146A3BC5E59871626565E50	SHA256:0ADF29547E5ACB810DB7F184FF97259447D75D52382FC65FD7D105D93019699A

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7788	omsecor.exe	GET	—	193.166.255.171:80	http://lousta.net/981/438.html	unknown	—	—	malicious
—	—	GET	304	52.149.20.212:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
2136	SIHClient.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
1056	omsecor.exe	GET	—	193.166.255.171:80	http://lousta.net/226/19.html	unknown	—	—	malicious
1056	omsecor.exe	GET	—	193.166.255.171:80	http://lousta.net/84/55.html	unknown	—	—	malicious
—	—	GET	200	20.242.39.171:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—
2104	svchost.exe	GET	200	23.38.73.129:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2136	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
7788	omsecor.exe	GET	—	193.166.255.171:80	http://lousta.net/217/319.html	unknown	—	—	malicious
7788	omsecor.exe	GET	403	75.2.18.233:80	http://mkkuei4kdsz.com/55/462.html	unknown	—	—	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
2104	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
7788	omsecor.exe	193.166.255.171:80	lousta.net	Tieteen tietotekniikan keskus Oy	FI	malicious
2104	svchost.exe	23.32.238.107:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2104	svchost.exe	23.38.73.129:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	20.190.159.129:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.124.78.146 51.104.136.2 40.127.240.158	whitelisted
google.com	142.250.186.110	whitelisted
lousta.net	193.166.255.171	malicious
crl.microsoft.com	23.32.238.107 23.32.238.112 2.16.241.19 2.16.241.12	whitelisted
www.microsoft.com	23.38.73.129 95.101.149.131	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
login.live.com	20.190.159.129 40.126.31.128 20.190.159.23 40.126.31.2 40.126.31.130 40.126.31.129 40.126.31.73 40.126.31.67	whitelisted
mkkuei4kdsz.com	75.2.18.233	malicious
slscr.update.microsoft.com	172.202.163.200	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted

PID	Process	Class	Message
7788	omsecor.exe	Malware Command and Control Activity Detected	ET MALWARE Ransom.Win32.Birele.gsg Checkin
7788	omsecor.exe	Malware Command and Control Activity Detected	ET MALWARE Ransom.Win32.Birele.gsg Checkin
7788	omsecor.exe	Malware Command and Control Activity Detected	ET MALWARE Ransom.Win32.Birele.gsg Checkin
7788	omsecor.exe	Malware Command and Control Activity Detected	ET MALWARE Ransom.Win32.Birele.gsg Checkin
7788	omsecor.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
7788	omsecor.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
7788	omsecor.exe	Malware Command and Control Activity Detected	ET MALWARE Ransom.Win32.Birele.gsg Checkin
7788	omsecor.exe	Malware Command and Control Activity Detected	ET MALWARE Ransom.Win32.Birele.gsg Checkin
7788	omsecor.exe	Malware Command and Control Activity Detected	ET MALWARE Ransom.Win32.Birele.gsg Checkin
7788	omsecor.exe	Malware Command and Control Activity Detected	ET MALWARE Ransom.Win32.Birele.gsg Checkin

General Info

2025-04-28_d0817e7b55d70bfe43e8dca3835e97fd_amadey_elex_rhadamanthys_smoke-loader

D0817E7B55D70BFE43E8DCA3835E97FD

64340D4CCCBEE753A3D3912D1B14F067DDC72AAC

DE7BE8661FAD75626F929493C5B9B80C083B296A63B85F501E4CC7F488A892B2

3072:rR65qaR6CRp/5y03CwJ3/HxMqMdA33M5tC1isyPFCALzv4mlkVVXV9da:rmqaRRRZ/MnA3cQYFCOzv3AVXV

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Neconyd has been detected

BIRELE has been detected (SURICATA)

Connects to the CnC server

SUSPICIOUS

Application launched itself

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Executes application which crashes

Contacting a server suspected of hosting an CnC

INFO

Creates files or folders in the user directory

Checks proxy server information

Checks supported languages

Reads the software policy settings

Reads the computer name

Failed to create an executable file in Windows directory

The sample compiled with english language support

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings