| File name: | 2025-05-15_ea13429b27633d894908bc37c1c36dcf_amadey_elex_smoke-loader_stealc_tofsee |
| Full analysis: | https://app.any.run/tasks/5b520f96-8c06-4598-b43e-2ad9b2a1bd7d |
| Verdict: | Malicious activity |
| Analysis date: | May 15, 2025, 14:10:33 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections |
| MD5: | EA13429B27633D894908BC37C1C36DCF |
| SHA1: | 2ED27A897F1AF965CC91ADD361D21518BA6E13CA |
| SHA256: | F2391955A4E1F292B9F490FF6EDDBB5B2A94B2D8ABA1196B4E3C1CE781C39D55 |
| SSDEEP: | 12288:tMf3I+1Y+QxpOsZE+0F5HxuhqmVBSc/op1r:o33QOs2+0F5HEhFVBUp1r |
MALICIOUS
URELAS has been detected
- 2025-05-15_ea13429b27633d894908bc37c1c36dcf_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7700)
- cmd.exe (PID: 7772)
- tacok.exe (PID: 7752)
- goezx.exe (PID: 2320)
URELAS mutex has been found
- tacok.exe (PID: 7752)
URELAS has been detected (YARA)
- tacok.exe (PID: 7752)
- goezx.exe (PID: 2320)
SUSPICIOUS
Executable content was dropped or overwritten
- 2025-05-15_ea13429b27633d894908bc37c1c36dcf_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7700)
- tacok.exe (PID: 7752)
- goezx.exe (PID: 2320)
Starts itself from another location
- 2025-05-15_ea13429b27633d894908bc37c1c36dcf_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7700)
Reads security settings of Internet Explorer
- 2025-05-15_ea13429b27633d894908bc37c1c36dcf_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7700)
- tacok.exe (PID: 7752)
Starts CMD.EXE for commands execution
- 2025-05-15_ea13429b27633d894908bc37c1c36dcf_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7700)
Executing commands from a ".bat" file
- 2025-05-15_ea13429b27633d894908bc37c1c36dcf_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7700)
There is functionality for taking screenshot (YARA)
- goezx.exe (PID: 2320)
Connects to unusual port
- tacok.exe (PID: 7752)
INFO
Checks supported languages
- 2025-05-15_ea13429b27633d894908bc37c1c36dcf_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7700)
- tacok.exe (PID: 7752)
- goezx.exe (PID: 2320)
Process checks computer location settings
- 2025-05-15_ea13429b27633d894908bc37c1c36dcf_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7700)
- tacok.exe (PID: 7752)
Create files in a temporary directory
- 2025-05-15_ea13429b27633d894908bc37c1c36dcf_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7700)
- tacok.exe (PID: 7752)
- goezx.exe (PID: 2320)
Reads the computer name
- 2025-05-15_ea13429b27633d894908bc37c1c36dcf_amadey_elex_smoke-loader_stealc_tofsee.exe (PID: 7700)
- tacok.exe (PID: 7752)
Checks proxy server information
- slui.exe (PID: 864)
Reads the software policy settings
- slui.exe (PID: 864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | | | Win32 Executable (generic) (9.7) |
| .exe | | | Generic Win/DOS Executable (4.3) |
| .exe | | | DOS Executable Generic (4.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2013:10:26 06:32:50+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 9 |
| CodeSize: | 132096 |
| InitializedDataSize: | 261120 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x11dcf |
| OSVersion: | 5 |
| ImageVersion: | - |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
Total processes
127
Monitored processes
6
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 864 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2320 | "C:\Users\admin\AppData\Local\Temp\goezx.exe" | C:\Users\admin\AppData\Local\Temp\goezx.exe | tacok.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
| 7700 | "C:\Users\admin\Desktop\2025-05-15_ea13429b27633d894908bc37c1c36dcf_amadey_elex_smoke-loader_stealc_tofsee.exe" | C:\Users\admin\Desktop\2025-05-15_ea13429b27633d894908bc37c1c36dcf_amadey_elex_smoke-loader_stealc_tofsee.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 7752 | "C:\Users\admin\AppData\Local\Temp\tacok.exe" | C:\Users\admin\AppData\Local\Temp\tacok.exe | 2025-05-15_ea13429b27633d894908bc37c1c36dcf_amadey_elex_smoke-loader_stealc_tofsee.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 7772 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\_uinsey.bat" " | C:\Windows\SysWOW64\cmd.exe | 2025-05-15_ea13429b27633d894908bc37c1c36dcf_amadey_elex_smoke-loader_stealc_tofsee.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7784 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
4 219
Read events
4 219
Write events
0
Delete events
0
Modification events
Executable files
3
Suspicious files
0
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7700 | 2025-05-15_ea13429b27633d894908bc37c1c36dcf_amadey_elex_smoke-loader_stealc_tofsee.exe | C:\Users\admin\AppData\Local\Temp\tacok.exe | executable | |
MD5:C7885ADA2C8772A57DC6E0AAD1E51E33 | SHA256:613EF2E13CAFD78C786B6C999FE39C79EAFA191A7CFBC7ABADADF263E896B0C9 | |||
| 7700 | 2025-05-15_ea13429b27633d894908bc37c1c36dcf_amadey_elex_smoke-loader_stealc_tofsee.exe | C:\Users\admin\AppData\Local\Temp\_uinsey.bat | text | |
MD5:CE8F722D1376AF6FF26786E4F139EF0C | SHA256:F450DF291545749EC1658362817CC95CEFCFF22C64B713CC11E34F3BE91365D3 | |||
| 7700 | 2025-05-15_ea13429b27633d894908bc37c1c36dcf_amadey_elex_smoke-loader_stealc_tofsee.exe | C:\Users\admin\AppData\Local\Temp\golfinfo.ini | text | |
MD5:9F86FDCDDE5932D8FCCE2D398188E4AC | SHA256:94C097C8AF9E97180B47B8A33BDBF805005FEC0430BF8331C179B3E4A7411775 | |||
| 7752 | tacok.exe | C:\Users\admin\AppData\Local\Temp\goezx.exe | executable | |
MD5:A14842ABC18DE1425D18DE05AFC6F697 | SHA256:DF64B12C1C8BF16CA8CD90EB1261C364E19737D34E06BD1F70F4E6A0686D6A8A | |||
| 2320 | goezx.exe | C:\Users\admin\AppData\Local\Temp\tacok.exe | executable | |
MD5:57EDB8D1374AFCF8BF257DF9CADBA2E8 | SHA256:B1E87A88500D65AEB1F7289078512AFA7519B0E322ECCE5C70D9A65D9E7F7A69 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
40
DNS requests
12
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
8028 | SIHClient.exe | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
8028 | SIHClient.exe | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | — | — | whitelisted |
8028 | SIHClient.exe | GET | 200 | 23.209.214.100:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
8028 | SIHClient.exe | GET | 200 | 23.209.214.100:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
8028 | SIHClient.exe | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | — | — | whitelisted |
8028 | SIHClient.exe | GET | 200 | 23.209.214.100:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | — | — | whitelisted |
8028 | SIHClient.exe | GET | 200 | 23.209.214.100:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | — | — | whitelisted |
8028 | SIHClient.exe | GET | 200 | 23.209.214.100:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
7752 | tacok.exe | 218.54.31.226:11120 | — | SK Broadband Co Ltd | KR | malicious |
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
8028 | SIHClient.exe | 4.245.163.56:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
7752 | tacok.exe | 1.234.83.146:11170 | — | SK Broadband Co Ltd | KR | unknown |
8028 | SIHClient.exe | 2.19.11.105:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted |
8028 | SIHClient.exe | 23.209.214.100:80 | www.microsoft.com | PT. Telekomunikasi Selular | ID | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
login.live.com |
| whitelisted |