Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20250610-en -
resource tags
arch:x64arch:x86image:win11-20250610-enlocale:en-usos:windows11-21h2-x64system -
submitted
03/07/2025, 05:54
Static task
static1
Behavioral task
behavioral1
Sample
2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe
Resource
win10v2004-20250610-en
Behavioral task
behavioral2
Sample
2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe
Resource
win11-20250610-en
General
-
Target
2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe
-
Size
337KB
-
MD5
94445727af72681bcea091c4977357d4
-
SHA1
0e4e49631e495f0cba2e595268d6067c3eb65171
-
SHA256
1ed9b81662617e8f6dda135faa80468d98a79916d6fc25a3d612a769697016b9
-
SHA512
dfbdb8cff802dedb7a5b7f4a9b037ea61699cb213d383716a3485aaf7a3d77985538219b4ce34b7e3ec7afa5119dc6be62f37a7f6375bf3694698ef08e459035
-
SSDEEP
6144:XsLqdufVUNDaWa1SYOW6tah5EuLIxLfhWpIN7:cFUNDaWa1Srjtah5Eu0xFX7
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-903960561-1545645218-4290906778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-903960561-1545645218-4290906778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Executes dropped EXE 8 IoCs
pid Process 5188 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 4420 icsys.icn.exe 5244 explorer.exe 2384 spoolsv.exe 4816 svchost.exe 4196 spoolsv.exe 2916 svchost.exe 2292 explorer.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe File opened for modification \??\c:\windows\resources\themes\explorer.exe icsys.icn.exe File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\Resources\tjud.exe explorer.exe -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icsys.icn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 4420 icsys.icn.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 5244 explorer.exe 4816 svchost.exe -
Suspicious use of SetWindowsHookEx 16 IoCs
pid Process 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 4420 icsys.icn.exe 4420 icsys.icn.exe 5244 explorer.exe 5244 explorer.exe 2384 spoolsv.exe 2384 spoolsv.exe 4816 svchost.exe 4816 svchost.exe 4196 spoolsv.exe 4196 spoolsv.exe 2916 svchost.exe 2916 svchost.exe 2292 explorer.exe 2292 explorer.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 128 wrote to memory of 5188 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 81 PID 128 wrote to memory of 5188 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 81 PID 128 wrote to memory of 5188 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 81 PID 128 wrote to memory of 4420 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 82 PID 128 wrote to memory of 4420 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 82 PID 128 wrote to memory of 4420 128 2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe 82 PID 4420 wrote to memory of 5244 4420 icsys.icn.exe 83 PID 4420 wrote to memory of 5244 4420 icsys.icn.exe 83 PID 4420 wrote to memory of 5244 4420 icsys.icn.exe 83 PID 5244 wrote to memory of 2384 5244 explorer.exe 84 PID 5244 wrote to memory of 2384 5244 explorer.exe 84 PID 5244 wrote to memory of 2384 5244 explorer.exe 84 PID 2384 wrote to memory of 4816 2384 spoolsv.exe 85 PID 2384 wrote to memory of 4816 2384 spoolsv.exe 85 PID 2384 wrote to memory of 4816 2384 spoolsv.exe 85 PID 4816 wrote to memory of 4196 4816 svchost.exe 86 PID 4816 wrote to memory of 4196 4816 svchost.exe 86 PID 4816 wrote to memory of 4196 4816 svchost.exe 86 PID 4180 wrote to memory of 2916 4180 cmd.exe 91 PID 4180 wrote to memory of 2916 4180 cmd.exe 91 PID 4180 wrote to memory of 2916 4180 cmd.exe 91 PID 4548 wrote to memory of 2292 4548 cmd.exe 92 PID 4548 wrote to memory of 2292 4548 cmd.exe 92 PID 4548 wrote to memory of 2292 4548 cmd.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:128 -
\??\c:\users\admin\appdata\local\temp\2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exec:\users\admin\appdata\local\temp\2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5188
-
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5244 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4196
-
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\resources\themes\explorer.exe RO1⤵
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe RO2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2292
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\resources\svchost.exe RO1⤵
- Suspicious use of WriteProcessMemory
PID:4180 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe RO2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2916
-
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\2025-07-03_94445727af72681bcea091c4977357d4_amadey_elex_rhadamanthys_smoke-loader_stealc_stop_swisyn_tofsee.exe
Filesize202KB
MD5899501650e263fc1aea7e48ebc86a77d
SHA187c33e64c56732f93e8ba04e7c91dfde4f9d0f37
SHA25685a84db46ff36105fec0bdb925f784919c31e44bb4ea2b3f9a7eb98d232cde81
SHA512efe051b5367c5c2789287cf283f7c2b3d79d9b7f4f028028b66967c4fbb4f82661d00de26ef3f443cdeb2e622cd356ac3490def97519ac6a09bccfbd5d09c32f
-
Filesize
135KB
MD5a807604321f6fba1fb5c67285ac831a5
SHA1d8788513cff6cba17840dff5e0fd56a1ef5400c0
SHA256b9a538e11f665ef044bcc4510305341e3923a12ff1786ad94d0a065c2c145d0e
SHA512661abba32a5db55af6a1db38648971853c5d8674d41fe27ade16f935e1cec74633375520421ba2226a433d9aa1f2948e7caeb9007325cc9820e85bbda8312e97
-
Filesize
135KB
MD595add61b3b5420300094422cd62fd8b8
SHA1195558e8937be411463b1cfe67b02c5a9c4f82a1
SHA2569a5e8a8629138843d2f1919d155448642b2b55e9d9ab97c9f7b3040349a0ca13
SHA512446570b7e7beb2afa9fe2523c744cb769fed476b4888ce85cb9f6a206c83cd0da6e5009aef16ff44637ee7984ee7f854ad32b09fb05111606f4322c0a6e879e0
-
Filesize
135KB
MD5b3476c34be1b546634844be18532c6e8
SHA18a8acaecf362296dfb13d1bd693a30ffaa6b1cd8
SHA256763550179bb1aef157895a4e383cc50ebfc90d8de2d33eb5104b7480fed81d53
SHA512cd4d33e37fbe998ba0313cabdd5b63f7aaf76849d45417069855844a9a00d3d1591028edd22c29f24fa52d2ffe2c6856b80c985dfa79d77bbc284a8f03c99f9f
-
Filesize
135KB
MD5aa5e671fde138023d8b4d9ec0bd8daaf
SHA14bd69d1ad214a6bbcf0a0340842c61802cdf29b0
SHA25687eed29a8ab351f837f46b6eb69d75c24ee3bff5db9cbbc3a9b3411def3bc638
SHA512ba7358802b7cc0ad4799df3ec41a277f81bc3035f6e6888676868d94dbb7340d8061fdc12b349a1dd079d2ca7d38d5428cce473f618dde8a116ceda472e6ff8c