Analysis
max time kernel: 150s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20250610-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/07/2025, 05:54
Static task: static1
Behavioral task: behavioral1
  Sample: 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe
  Resource: win10v2004-20250610-en
Behavioral task: behavioral2
  Sample: 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe
  Resource: win11-20250610-en
General
Target: 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe
Size: 337KB
MD5: 94445727af72681bcea091c4977357d4
SHA1: 0e4e49631e495f0cba2e595268d6067c3eb65171
SHA256: 1ed9b81662617e8f6dda135faa80468d98a79916d6fc25a3d612a769697016b9
SHA512: dfbdb8cff802dedb7a5b7f4a9b037ea61699cb213d383716a3485aaf7a3d77985538219b4ce34b7e3ec7afa5119dc6be62f37a7f6375bf3694698ef08e459035
SSDEEP: 6144:XsLqdufVUNDaWa1SYOW6tah5EuLIxLfhWpIN7:cFUNDaWa1Srjtah5Eu0xFX7
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Executes dropped EXE (8 IoCs)
pid | Process
- 4040 | 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe
- 912 | icsys.icn.exe
- 1600 | explorer.exe
- 1668 | spoolsv.exe
- 5972 | svchost.exe
- 4240 | spoolsv.exe
- 4744 | explorer.exe
- 4512 | svchost.exe
Note that explorer.exe, spoolsv.exe and svchost.exe in this report are the copies dropped under C:\Windows\Resources (see the file-drop signatures and the process tree), not the Windows binaries of the same name.
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
- File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
- File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
Drops file in Windows directory (5 IoCs)
description | ioc | Process
- File opened for modification | \??\c:\windows\resources\themes\explorer.exe | icsys.icn.exe
- File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
- File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
- File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
- File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe
System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
- 3456 | 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe (repeated)
- 912 | icsys.icn.exe (repeated)
All 64 rows are attributed to PID 3456 (the submitted sample) or PID 912 (icsys.icn.exe); the sandbox logs one row per enumeration and the repeats are collapsed here.
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
- 1600 | explorer.exe
- 5972 | svchost.exe
Suspicious use of SetWindowsHookEx (16 IoCs)
pid | Process (each PID is listed twice in the report)
- 3456 | 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe
- 912 | icsys.icn.exe
- 1600 | explorer.exe
- 1668 | spoolsv.exe
- 5972 | svchost.exe
- 4240 | spoolsv.exe
- 4744 | explorer.exe
- 4512 | svchost.exe
Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target (each write is logged three times in the report; the repeats are collapsed)
- PID 3456 wrote to memory of 4040 | 3456 | 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe | 86 (x3)
- PID 3456 wrote to memory of 912 | 3456 | 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe | 87 (x3)
- PID 912 wrote to memory of 1600 | 912 | icsys.icn.exe | 89 (x3)
- PID 1600 wrote to memory of 1668 | 1600 | explorer.exe | 90 (x3)
- PID 1668 wrote to memory of 5972 | 1668 | spoolsv.exe | 91 (x3)
- PID 5972 wrote to memory of 4240 | 5972 | svchost.exe | 92 (x3)
- PID 4068 wrote to memory of 4744 | 4068 | cmd.exe | 97 (x3)
- PID 5680 wrote to memory of 4512 | 5680 | cmd.exe | 98 (x3)
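The signatures above reduce to a handful of host-level checks: a system-binary name (explorer.exe, svchost.exe, spoolsv.exe) executing from somewhere other than its real location, a RunOnce value pointing into C:\Windows\Resources, ShowSuperHidden cleared by something other than the genuine Explorer, and executables written into C:\Windows\Resources or over C:\Windows\SysWOW64\explorer.exe. The following Python is an added example, not part of the Triage report or of any tool the report mentions. It runs the checks over constructed Sysmon-style events (EventID 1 process create, 11 file create, 13 registry value set) whose paths and values mirror the report; the EXPECTED_DIRS table of where the genuine binaries live is an assumption about a default 64-bit Windows install.

```python
"""Detection logic for the behaviours listed under Signatures above (added
example, not from the report). Events are constructed Sysmon-style records."""
import ntpath

# Where the Windows binaries whose names the dropped files reuse normally live
# (lower-case, no trailing backslash). Assumption: default 64-bit install, where
# explorer.exe and svchost.exe also exist under SysWOW64.
EXPECTED_DIRS = {
    "explorer.exe": {"c:\\windows", "c:\\windows\\syswow64"},
    "svchost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "spoolsv.exe": {"c:\\windows\\system32"},
}
DROP_DIR = "c:\\windows\\resources\\"        # staging directory seen in the report
GENUINE_EXPLORER = "c:\\windows\\explorer.exe"


def _norm(path):
    """Lower-case a Windows path and strip the \\??\\ NT object-manager prefix."""
    return path.lower().replace("\\??\\", "")


def _split(path):
    """Return (directory, basename) of a normalised path."""
    head, tail = ntpath.split(_norm(path))
    return head.rstrip("\\"), tail


def check_masquerade(ev):
    """A system-binary name executing from outside its expected directory."""
    d, name = _split(ev["Image"])
    if name in EXPECTED_DIRS and d not in EXPECTED_DIRS[name]:
        return f"{name} running from {d}"
    return None


def check_runonce(ev):
    """RunOnce value whose data points into the staging directory (EventID 13)."""
    if ev["EventID"] != 13:
        return None
    target = ev["TargetObject"].lower()
    if "\\currentversion\\runonce\\" in target and DROP_DIR in ev["Details"].lower():
        value_name = target.rsplit("\\", 1)[1]
        return f"RunOnce\\{value_name} = {ev['Details']}"
    return None


def check_showsuperhidden(ev):
    """ShowSuperHidden set to 0 by anything other than the real Explorer."""
    if ev["EventID"] != 13 or "(" not in ev["Details"]:
        return None
    if not ev["TargetObject"].lower().endswith("\\explorer\\advanced\\showsuperhidden"):
        return None
    # Sysmon renders REG_DWORD data as "DWORD (0x00000000)".
    value = int(ev["Details"].split("(", 1)[1].rstrip(")"), 16)
    if value == 0 and _norm(ev["Image"]) != GENUINE_EXPLORER:
        return f"ShowSuperHidden cleared by {ev['Image']}"
    return None


def check_drop(ev):
    """Executable written into the staging directory, or a system binary
    overwritten (EventID 11). Caveat: Windows servicing also rewrites system
    binaries, so the second case should be correlated with the writing Image."""
    if ev["EventID"] != 11:
        return None
    t = _norm(ev["TargetFilename"])
    if t.startswith(DROP_DIR) and t.endswith(".exe"):
        return f"executable staged at {t}"
    d, name = _split(t)
    if name in EXPECTED_DIRS and d in EXPECTED_DIRS[name]:
        return f"system binary overwritten: {t}"
    return None


CHECKS = {
    "masquerade": check_masquerade,
    "runonce_from_resources": check_runonce,
    "showsuperhidden_cleared": check_showsuperhidden,
    "drop_in_resources": check_drop,
}


def scan(events):
    """Return (rule, image, detail) for every check that fires on any event."""
    hits = []
    for ev in events:
        for rule, check in CHECKS.items():
            detail = check(ev)
            if detail:
                hits.append((rule, ev["Image"], detail))
    return hits


# Constructed events. The first two are benign controls; the rest mirror the report.
HKU_SSH = ("HKU\\S-1-5-21-155457276-1657131288-1088518942-1000\\SOFTWARE\\Microsoft"
           "\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden")
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": HKU_SSH, "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 1, "Image": "\\??\\c:\\windows\\resources\\themes\\explorer.exe"},
    {"EventID": 13, "Image": "c:\\windows\\resources\\themes\\explorer.exe",
     "TargetObject": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Explorer",
     "Details": "c:\\windows\\resources\\themes\\explorer.exe RO"},
    {"EventID": 13, "Image": "c:\\windows\\resources\\svchost.exe", "TargetObject": HKU_SSH, "Details": "DWORD (0x00000000)"},
    {"EventID": 11, "Image": "C:\\Windows\\Resources\\Themes\\icsys.icn.exe",
     "TargetFilename": "\\??\\c:\\windows\\resources\\themes\\explorer.exe"},
    {"EventID": 11, "Image": "c:\\windows\\resources\\svchost.exe", "TargetFilename": "C:\\Windows\\SysWOW64\\explorer.exe"},
]

if __name__ == "__main__":
    for rule, image, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:24} {image:48} {detail}")
```

The ShowSuperHidden check keys on the writing image's full path rather than its name because the report attributes that write to "explorer.exe" and "svchost.exe", which here are the dropped copies: the genuine C:\Windows\explorer.exe changes this value whenever a user toggles "Show hidden files", and a name-only rule would either miss the copies or alert on every user who does so. The two control events produce no hits; the five mirrored events produce eight, since the masquerade check fires alongside each registry or file check performed by a copy.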
Processes
- C:\Users\Admin\AppData\Local\Temp\2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe (PID 3456)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\users\admin\appdata\local\temp\2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe (PID 4040)
    command line: c:\users\admin\appdata\local\temp\2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  - C:\Windows\Resources\Themes\icsys.icn.exe (PID 912)
    command line: C:\Windows\Resources\Themes\icsys.icn.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\resources\themes\explorer.exe (PID 1600)
      command line: c:\windows\resources\themes\explorer.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\resources\spoolsv.exe (PID 1668)
        command line: c:\windows\resources\spoolsv.exe SE
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\resources\svchost.exe (PID 5972)
          command line: c:\windows\resources\svchost.exe
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - \??\c:\windows\resources\spoolsv.exe (PID 4240)
            command line: c:\windows\resources\spoolsv.exe PR
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\cmd.exe (PID 4068)
  command line: C:\Windows\system32\cmd.exe /c c:\windows\resources\themes\explorer.exe RO (the command matches the RunOnce\Explorer value written above)
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\resources\themes\explorer.exe (PID 4744)
    command line: c:\windows\resources\themes\explorer.exe RO
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\cmd.exe (PID 5680)
  command line: C:\Windows\system32\cmd.exe /c c:\windows\resources\svchost.exe RO (the command matches the RunOnce\Svchost value written above)
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\resources\svchost.exe (PID 4512)
    command line: c:\windows\resources\svchost.exe RO
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
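The process tree above and the "Suspicious use of WriteProcessMemory" rows describe the same lineage from two directions: every child in the tree was written to by its creator, three times each. The following Python is an added example, not part of the Triage report, that parses rows in the report's own WriteProcessMemory format and rebuilds the tree, the root processes and the write count per edge. The rows are a constructed excerpt of the report's table (the long sample name is shortened to sample.exe, and the repeated rows for edges other than the first two are left out), and the DROPPED map of target PID to image name is transcribed from the "Executes dropped EXE" table.

```python
"""Rebuild process lineage from rows in the report's WriteProcessMemory format
(added example, not from the report). Row layout: source PID, target PID, the
source PID repeated, source image, Triage's procid_target index."""
import re
from collections import defaultdict

# Constructed excerpt of the report's table; sample name shortened to sample.exe.
WPM_RECORDS = """
PID 3456 wrote to memory of 4040 3456 sample.exe 86
PID 3456 wrote to memory of 4040 3456 sample.exe 86
PID 3456 wrote to memory of 4040 3456 sample.exe 86
PID 3456 wrote to memory of 912 3456 sample.exe 87
PID 3456 wrote to memory of 912 3456 sample.exe 87
PID 3456 wrote to memory of 912 3456 sample.exe 87
PID 912 wrote to memory of 1600 912 icsys.icn.exe 89
PID 1600 wrote to memory of 1668 1600 explorer.exe 90
PID 1668 wrote to memory of 5972 1668 spoolsv.exe 91
PID 5972 wrote to memory of 4240 5972 svchost.exe 92
PID 4068 wrote to memory of 4744 4068 cmd.exe 97
PID 5680 wrote to memory of 4512 5680 cmd.exe 98
"""

# Target PID -> image, transcribed from the "Executes dropped EXE" table.
DROPPED = {4040: "sample.exe", 912: "icsys.icn.exe", 1600: "explorer.exe",
           1668: "spoolsv.exe", 5972: "svchost.exe", 4240: "spoolsv.exe",
           4744: "explorer.exe", 4512: "svchost.exe"}

# The \1 back-reference rejects rows whose repeated source PID disagrees.
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_records(text):
    """Return (src_pid, dst_pid, src_image) per well-formed row; others are skipped."""
    matches = (ROW.match(line.strip()) for line in text.splitlines())
    return [(int(m.group(1)), int(m.group(2)), m.group(3)) for m in matches if m]


def build_tree(rows):
    """Return (children, parent, names, writes): adjacency in both directions,
    the image name per PID, and how many writes each (src, dst) edge saw."""
    children, parent, writes = defaultdict(list), {}, defaultdict(int)
    names = dict(DROPPED)
    for src, dst, src_image in rows:
        names.setdefault(src, src_image)
        writes[(src, dst)] += 1
        if dst not in parent:            # first writer is treated as the creator
            parent[dst] = src
            children[src].append(dst)
    return children, parent, names, writes


def lineage(parent, pid):
    """PIDs from the root of pid's chain down to pid itself."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def roots(children, parent):
    """Processes that write to others but were never written to themselves."""
    return sorted(p for p in children if p not in parent)


def render(children, names, pid, depth=0):
    """Indented text tree rooted at pid."""
    lines = [f"{'  ' * depth}{pid} {names.get(pid, '?')}"]
    for child in children.get(pid, []):
        lines.extend(render(children, names, child, depth + 1))
    return lines


if __name__ == "__main__":
    ch, pa, nm, wr = build_tree(parse_records(WPM_RECORDS))
    for root in roots(ch, pa):
        print("\n".join(render(ch, nm, root)))
        print()
```

Running it reproduces the three roots of the tree above (3456, 4068, 5680) and the six-deep chain ending at PID 4240. The two cmd.exe roots are not connected to the sample by any write, so the lineage alone does not attribute them; what ties them back is that their command lines equal the RunOnce values written by PIDs 1600 and 5972.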
Network
MITRE ATT&CK Enterprise v16
Downloads
- C:\Users\Admin\AppData\Local\Temp\2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe
  Filesize: 202KB
  MD5: 899501650e263fc1aea7e48ebc86a77d
  SHA1: 87c33e64c56732f93e8ba04e7c91dfde4f9d0f37
  SHA256: 85a84db46ff36105fec0bdb925f784919c31e44bb4ea2b3f9a7eb98d232cde81
  SHA512: efe051b5367c5c2789287cf283f7c2b3d79d9b7f4f028028b66967c4fbb4f82661d00de26ef3f443cdeb2e622cd356ac3490def97519ac6a09bccfbd5d09c32f
- Filesize: 135KB
  MD5: 41fb5d0cad982b4c7a7f2a1229f6bed0
  SHA1: 46888043cbc7f58d85557e42b7f4f975b32164b2
  SHA256: a4265af4fc191aa0970725ac4ec67b7922b85076758446a6e67e8fcc25297b5c
  SHA512: 7c4c8c53988a67f549caa2cee78663f5ebaaf1494940563635c58df324459145ab2fa3b556cb293f927bd3183f3b9571482858a070f3bce26a6045cba9a323f7
- Filesize: 135KB
  MD5: 95add61b3b5420300094422cd62fd8b8
  SHA1: 195558e8937be411463b1cfe67b02c5a9c4f82a1
  SHA256: 9a5e8a8629138843d2f1919d155448642b2b55e9d9ab97c9f7b3040349a0ca13
  SHA512: 446570b7e7beb2afa9fe2523c744cb769fed476b4888ce85cb9f6a206c83cd0da6e5009aef16ff44637ee7984ee7f854ad32b09fb05111606f4322c0a6e879e0
- Filesize: 135KB
  MD5: 0ce5f32d5145bb4f2732ecbc267225f4
  SHA1: f170dff03890ca259dc1f9ee0904b5a051d90d3e
  SHA256: 2a34a3cfa3dc16423bd217f631a1238932ebefbb1f50b3319365ace5e8d2d4f0
  SHA512: 17459d7a044f199bd5c994c8490c3a51752384f2e42cc54226fbf0b960f6c1e893a1813fa51cf21931275e1f5441a2e452c41b0fb45f39d08039fd2c4cb9b471
- Filesize: 135KB
  MD5: 055db2890649a3b3f44358c5372756cd
  SHA1: c30a742acc75b0b6d61a9267dda20a7712365057
  SHA256: 60e7c21dd35089303fb938f610372e663f310916194bb44b321db752b5eafaf8
  SHA512: ab1113825381eade49ddff8d0c0b3f8c9bc5d854885e4de98943a978e0ea2176715c2663902612c93aaf5e5517a44188d53dbca823cdd7cff6cfb3601024cdcb
The 202KB file at the sample's own path has different hashes from the 337KB submitted sample, and 337KB less 202KB is roughly 135KB, the size of each of the other four files; the report gives no paths for those four.