Malware Analysis Report

2025-08-10 20:05

Sample ID 250704-phfjlatjv5
Target 2025-07-04_ee0f20b4e41843f9790e2375ddfd5353_amadey_elex_smoke-loader
SHA256 1c029938dbe46a6f56e6bfdf7ac191e67d19ee3f9863b8e522fe64439dbba771
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V16
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
7/10

SHA256

1c029938dbe46a6f56e6bfdf7ac191e67d19ee3f9863b8e522fe64439dbba771

Threat level: shows suspicious behavior

The file 2025-07-04_ee0f20b4e41843f9790e2375ddfd5353_amadey_elex_smoke-loader was classified as showing suspicious behavior (score 7/10).

Malicious Activity Summary

discovery spyware stealer

Reads user/profile data of web browsers

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V16

Discovery: System Location Discovery: System Language Discovery (T1614.001), from the NLS\Language registry query recorded in both behavioral runs.

Analysis: static1

Detonation Overview

Reported

2025-07-04 12:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-04 12:19

Reported

2025-07-04 12:22

Platform

win10v2004-20250619-en

Max time kernel

106s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ee0f20b4e41843f9790e2375ddfd5353_amadey_elex_smoke-loader.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator:   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process:     C:\Users\Admin\AppData\Local\Temp\2025-07-04_ee0f20b4e41843f9790e2375ddfd5353_amadey_elex_smoke-loader.exe
Target:      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-04_ee0f20b4e41843f9790e2375ddfd5353_amadey_elex_smoke-loader.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ee0f20b4e41843f9790e2375ddfd5353_amadey_elex_smoke-loader.exe"

Network

Country  Destination         Domain                                                   Proto
US       8.8.8.8:53          stats-182385724-1591972470.us-east-1.elb.amazonaws.com   udp
US       8.8.8.8:53          g.bing.com                                               udp
US       150.171.28.10:443   g.bing.com                                               tcp
US       8.8.8.8:53          stats-182385724-1591972470.us-east-1.elb.amazonaws.com   udp
US       8.8.8.8:53          tse1.mm.bing.net                                         udp
US       150.171.27.10:443   tse1.mm.bing.net                                         tcp
US       150.171.27.10:443   tse1.mm.bing.net                                         tcp
US       150.171.27.10:443   tse1.mm.bing.net                                         tcp
US       150.171.27.10:443   tse1.mm.bing.net                                         tcp
US       8.8.8.8:53          c.pki.goog                                               udp
GB       142.250.180.3:80    c.pki.goog                                               tcp

The stats-182385724-1591972470.us-east-1.elb.amazonaws.com host was looked up twice over DNS, but no TCP connection to it appears within the 134 s capture. The bing.com, bing.net and c.pki.goog flows match routine Windows and browser background traffic; the report does not attribute flows to processes, so that reading is an inference from the hostnames rather than something the capture proves.

Files

memory/5304-0-0x0000000010000000-0x0000000010123000-memory.dmp

memory/5304-5-0x0000000010000000-0x0000000010123000-memory.dmp

memory/5304-6-0x0000000010000000-0x0000000010123000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-04 12:19

Reported

2025-07-04 12:22

Platform

win11-20250619-en

Max time kernel

100s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ee0f20b4e41843f9790e2375ddfd5353_amadey_elex_smoke-loader.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator:   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process:     C:\Users\Admin\AppData\Local\Temp\2025-07-04_ee0f20b4e41843f9790e2375ddfd5353_amadey_elex_smoke-loader.exe
Target:      N/A

Description: Key opened
Indicator:   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process:     C:\Windows\SysWOW64\cmd.exe
Target:      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-04_ee0f20b4e41843f9790e2375ddfd5353_amadey_elex_smoke-loader.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ee0f20b4e41843f9790e2375ddfd5353_amadey_elex_smoke-loader.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\953.bat

The image that actually ran is the 32-bit SysWOW64 copy of cmd.exe although the command line names system32: that is WoW64 file-system redirection, which means the parent sample is a 32-bit process.

Network

Country  Destination   Domain                                                   Proto
US       8.8.8.8:53    stats-182385724-1591972470.us-east-1.elb.amazonaws.com   udp

Only this single DNS lookup was recorded in the 104 s capture; no TCP connection to the resolved address followed within the window.

Files

memory/5256-0-0x0000000010000000-0x0000000010123000-memory.dmp

memory/5256-5-0x0000000010000000-0x0000000010123000-memory.dmp

memory/5256-6-0x0000000010000000-0x0000000010123000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\953.bat (the batch script run by the cmd.exe child listed under Processes)

MD5 69d6d5d66d75c9877e208f62a32ba07b
SHA1 2898a7a81b327338d7bbd09c694f35798160d4e6
SHA256 1ec5a0cc76ee138e28e663d1f9ca7fa83bb5297806e3928fb5ad1915c309de80
SHA512 e0c9da1421007a8b10bdba52cd2feaf9cc8e4073b381d1eca6591ff1dacebb9694dd497229040d532a3382f8c3e92879d2f8f406e266393663b16383d75ad940

C:\Users\Admin\AppData\Local\Temp\313312.exe (hashes identical to the submitted sample: a copy of itself written to %TEMP%)

MD5 ee0f20b4e41843f9790e2375ddfd5353
SHA1 452c1cfce69e9dbefd34e8c671f4ac6b1d5c3222
SHA256 1c029938dbe46a6f56e6bfdf7ac191e67d19ee3f9863b8e522fe64439dbba771
SHA512 a9a65672d8a8773333664c49d389244410207e518c5317eb75be8fcfbc16014c61640966bbf67ff1e072e006fa63362fdf584b7025cfaad25606a55046a558eb
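The three behaviours behavioral2 records (the NLS\Language registry query, a self-copy into %TEMP%, and cmd.exe launching a dropped batch file from %TEMP%) are individually weak signals but together form the pattern worth alerting on. The following Python is an added example, not part of this report or of any sandbox's code: it replays constructed event records modelled on the behavioral2 rows above through a small correlation routine and returns named findings. The Event schema, the finding names and the SysWOW64/system32 mismatch check are this example's own assumptions; the paths, hashes and command line are the ones printed in the report.

```python
"""Correlate the behaviours this report records for behavioral2 into named findings."""
import re
from dataclasses import dataclass

# Values taken from the report above.
SAMPLE_SHA256 = "1c029938dbe46a6f56e6bfdf7ac191e67d19ee3f9863b8e522fe64439dbba771"
USER_TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = USER_TEMP + r"\2025-07-04_ee0f20b4e41843f9790e2375ddfd5353_amadey_elex_smoke-loader.exe"
CMD_WOW64 = r"C:\Windows\SysWOW64\cmd.exe"
LANG_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"


@dataclass
class Event:
    """One monitoring record. Field names are this example's own, not a sandbox or Sysmon schema."""
    kind: str          # "process_create", "reg_open" or "file_write"
    process: str       # image path of the process performing the action
    target: str = ""   # child image, registry key path or written file path
    cmdline: str = ""  # child command line (process_create only)
    sha256: str = ""   # hash of the written file (file_write only)


def under(path: str, directory: str) -> bool:
    """True if path lies below directory (case-insensitive, as NTFS paths are)."""
    return path.lower().startswith(directory.lower() + "\\")


def lineage(image: str, parents: dict) -> list:
    """image, its parent, grandparent, ... as far as process_create events have shown."""
    chain = []
    while image and image not in chain:
        chain.append(image)
        image = parents.get(image, "")
    return chain


def score_run(events: list, sample_sha256: str = SAMPLE_SHA256) -> list:
    """Return the sorted names of the behaviours found in one run's event stream."""
    parents = {}      # child image -> parent image, built from process_create events
    findings = set()
    for e in events:
        # Is the acting process the sample or one of its descendants?
        from_temp = any(under(p, USER_TEMP) for p in lineage(e.process, parents))
        if e.kind == "process_create":
            parents[e.target] = e.process
            # A %TEMP%-resident process launching "cmd.exe /c <%TEMP%\...>.bat"
            m = re.search(r"/c\s+(\S+\.bat)\b", e.cmdline, re.IGNORECASE)
            if from_temp and e.target.lower().endswith("\\cmd.exe") and m and under(m.group(1), USER_TEMP):
                findings.add("batch_launch_from_temp")
            # Image on disk is the SysWOW64 copy although the command line names system32:
            # WoW64 file-system redirection, so the launching process is 32-bit.
            if under(e.target, r"C:\Windows\SysWOW64") and "\\system32\\" in e.cmdline.lower():
                findings.add("wow64_redirected_child")
        elif e.kind == "reg_open":
            # ATT&CK T1614.001, System Language Discovery, when done by the sample or a descendant
            if from_temp and e.target.lower() == LANG_KEY.lower():
                findings.add("system_language_discovery")
        elif e.kind == "file_write":
            # A written file whose hash equals the submitted sample is a copy of itself.
            if e.sha256.lower() == sample_sha256.lower() and e.target.lower() != e.process.lower():
                findings.add("self_copy_to_temp" if under(e.target, USER_TEMP) else "self_copy")
    return sorted(findings)


# Constructed records modelled on the behavioral2 run above; they are not sandbox output.
BEHAVIORAL2 = [
    Event("reg_open", SAMPLE, target=LANG_KEY),
    Event("file_write", SAMPLE, target=USER_TEMP + r"\313312.exe", sha256=SAMPLE_SHA256),
    Event("file_write", SAMPLE, target=USER_TEMP + r"\953.bat",
          sha256="1ec5a0cc76ee138e28e663d1f9ca7fa83bb5297806e3928fb5ad1915c309de80"),
    Event("process_create", SAMPLE, target=CMD_WOW64,
          cmdline=r"C:\Windows\system32\cmd.exe /c " + USER_TEMP + r"\953.bat"),
    Event("reg_open", CMD_WOW64, target=LANG_KEY),
]

if __name__ == "__main__":
    for name in score_run(BEHAVIORAL2):
        print(name)
```

The lineage walk is what keeps the language-key rule from firing on the many legitimate processes that read NLS\Language: here it fires for cmd.exe only because its parent runs out of the user's Temp directory. Real telemetry would key the parent map on process IDs rather than image paths; image paths are used here only because that is all the report prints.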