File name:	001ece20ef94c85e55ef0a6f365b452dca11fbec2cac6f2a4df55b4c890e3375
Full analysis:	https://app.any.run/tasks/53d6d198-56ce-4cfd-adb2-84b2e205ed08
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. The main function of Smoke Loader is dropping other, more destructive malware on infected machines. However, unlike many competing loaders, this one can be extended via plugins to feature destructive, malicious info-stealing functions. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	March 24, 2025, 16:02:09
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	amadey botnet stealer smoke loader smokeloader redline confuser
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	542C4EAD0D3004314149E8E75EDFCD46
SHA1:	2B7C674B2B2F6AC812A180B8E80AE7B94517685D
SHA256:	001ECE20EF94C85E55EF0A6F365B452DCA11FBEC2CAC6F2A4DF55B4C890E3375
SSDEEP:	24576:CLnTKqndI0z9pMDMKsAMLuHjswi/FX2pH9pRELkBN5JLdPooip86EPskB:CLnemI0z9pMDMKsAMLuHjswi/FX2pdpz

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:05:24 22:49:06+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.13
CodeSize:	25600
InitializedDataSize:	713216
UninitializedDataSize:	-
EntryPoint:	0x6a60
OSVersion:	10
ImageVersion:	10
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	11.0.17763.1
ProductVersionNumber:	11.0.17763.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Win32 Cabinet Self-Extractor
FileVersion:	11.00.17763.1 (WinBuild.160101.0800)
InternalName:	Wextract
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	WEXTRACT.EXE .MUI
ProductName:	Internet Explorer
ProductVersion:	11.00.17763.1

PID	Process	Filename		Type
4688	001ece20ef94c85e55ef0a6f365b452dca11fbec2cac6f2a4df55b4c890e3375.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\v3099591.exe		executable
		MD5:AA6844E362DDF97043D736910C1018C1	SHA256:8E7FB9E21DB7A8AC32F25BF8067532765762868A7192419F4C90EB1C97916A30
1628	v9232368.exe	C:\Users\admin\AppData\Local\Temp\IXP002.TMP\v5307313.exe		executable
		MD5:223F25EDE2EF46BC0B51E2C156CD498D	SHA256:F119D4960E3701F2BBE7ED87EAE7A8B1C466063D917BC757B25334F7E87880EC
1628	v9232368.exe	C:\Users\admin\AppData\Local\Temp\IXP002.TMP\c2452410.exe		executable
		MD5:1A048F1FF412C57789EECAC14C81C9DD	SHA256:74760F39B60DBF83C23FE034168D9F6D6AB3FEB6CB10EBCC9389147DD25E5A8A
1052	v5307313.exe	C:\Users\admin\AppData\Local\Temp\IXP003.TMP\b1350157.exe		executable
		MD5:2646194C5FA0F891AFE999AF5ECED480	SHA256:6975133057D5A72215D74415C73CC23AA54A34A1D91FC084B3F6F4EA254CD3A3
4688	001ece20ef94c85e55ef0a6f365b452dca11fbec2cac6f2a4df55b4c890e3375.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\e4787036.exe		executable
		MD5:05DFE6651E58860FD4C8E68573CB76E9	SHA256:1C2032726166516DDB6EA4B040C636ED119064E4D6C7E7CB8D5985A28B3D0EDC
5956	saves.exe	C:\Users\admin\AppData\Roaming\006700e5a2ab05\clip64.dll		text
		MD5:595E88012A6521AAE3E12CBEBE76EB9E	SHA256:B16E15764B8BC06C5C3F9F19BC8B99FA48E7894AA5A6CCDAD65DA49BBF564793
5024	v3099591.exe	C:\Users\admin\AppData\Local\Temp\IXP001.TMP\v9232368.exe		executable
		MD5:D867FEF685BDA8A20420EFD9164AC2A8	SHA256:33E6D5E25E1D64DD2136403D679B9FBC4C1B4B92F821ACDB3DBB0882F912C116
5956	saves.exe	C:\Users\admin\AppData\Roaming\006700e5a2ab05\cred64.dll		text
		MD5:595E88012A6521AAE3E12CBEBE76EB9E	SHA256:B16E15764B8BC06C5C3F9F19BC8B99FA48E7894AA5A6CCDAD65DA49BBF564793
1020	b1350157.exe	C:\Users\admin\AppData\Local\Temp\b40d11255d\saves.exe		executable
		MD5:2646194C5FA0F891AFE999AF5ECED480	SHA256:6975133057D5A72215D74415C73CC23AA54A34A1D91FC084B3F6F4EA254CD3A3
1052	v5307313.exe	C:\Users\admin\AppData\Local\Temp\IXP003.TMP\a6239898.exe		executable
		MD5:7E93BACBBC33E6652E147E7FE07572A0	SHA256:850CD190AAEEBCF1505674D97F51756F325E650320EAF76785D954223A9BEE38

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5956	saves.exe	POST	405	77.91.68.18:80	http://77.91.68.18/nice/index.php	unknown	—	—	malicious
5492	explorer.exe	POST	—	77.91.68.29:80	http://77.91.68.29/fks/	unknown	—	—	malicious
5956	saves.exe	GET	302	77.91.68.18:80	http://77.91.68.18/nice/Plugins/clip64.dll	unknown	—	—	malicious
5492	explorer.exe	POST	—	77.91.68.29:80	http://77.91.68.29/fks/	unknown	—	—	malicious
5956	saves.exe	GET	302	77.91.68.18:80	http://77.91.68.18/nice/Plugins/cred64.dll	unknown	—	—	malicious
—	—	GET	404	77.91.68.18:443	https://static.18.68.91.77.ip.webhost1.net/nice/Plugins/cred64.dll	unknown	text	19 b	—
—	—	GET	404	77.91.68.18:443	https://static.18.68.91.77.ip.webhost1.net/nice/Plugins/clip64.dll	unknown	text	19 b	—
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5956	saves.exe	77.91.68.18:80	static.18.68.91.77.ip.webhost1.net	Foton Telecom CJSC	RU	malicious
3900	d5731805.exe	77.91.124.54:19071	—	Foton Telecom CJSC	RU	malicious
5492	explorer.exe	77.91.68.29:80	—	Foton Telecom CJSC	RU	malicious
5956	saves.exe	77.91.68.18:443	static.18.68.91.77.ip.webhost1.net	Foton Telecom CJSC	RU	malicious
2284	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3268	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	142.250.185.142	whitelisted
static.18.68.91.77.ip.webhost1.net	77.91.68.18	unknown
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

PID	Process	Class	Message
5956	saves.exe	Misc activity	SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body
5956	saves.exe	A Network Trojan was detected	ET MALWARE Win32/Amadey Bot Activity (POST) M2
5956	saves.exe	Malware Command and Control Activity Detected	ET MALWARE Amadey CnC Check-In
3900	d5731805.exe	Potentially Bad Traffic	ET INFO Microsoft net.tcp Connection Initialization Activity
5492	explorer.exe	A Network Trojan was detected	LOADER [ANY.RUN] Smokeloader HTTP Header
5492	explorer.exe	A Network Trojan was detected	LOADER [ANY.RUN] Smokeloader HTTP Header
5956	saves.exe	Potentially Bad Traffic	ET INFO Dotted Quad Host DLL Request
5956	saves.exe	A Network Trojan was detected	BOTNET [ANY.RUN] Amadey Stealer plugin download request
5956	saves.exe	Potentially Bad Traffic	ET INFO Dotted Quad Host DLL Request
5956	saves.exe	A Network Trojan was detected	BOTNET [ANY.RUN] Amadey Clipper plugin download request

General Info

001ece20ef94c85e55ef0a6f365b452dca11fbec2cac6f2a4df55b4c890e3375

542C4EAD0D3004314149E8E75EDFCD46

2B7C674B2B2F6AC812A180B8E80AE7B94517685D

001ECE20EF94C85E55EF0A6F365B452DCA11FBEC2CAC6F2A4DF55B4C890E3375

24576:CLnTKqndI0z9pMDMKsAMLuHjswi/FX2pH9pRELkBN5JLdPooip86EPskB:CLnemI0z9pMDMKsAMLuHjswi/FX2pdpz

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

AMADEY has been detected (SURICATA)

Connects to the CnC server

AMADEY mutex has been found

AMADEY has been detected (YARA)

SMOKE has been detected (SURICATA)

SMOKE mutex has been found

REDLINE has been detected (YARA)

Runs injected code in another process

Application was injected by another process

SUSPICIOUS

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Connects to the server without a host name

Starts itself from another location

Contacting a server suspected of hosting an CnC

Connects to unusual port

The process executes via Task Scheduler

Process requests binary or script from the Internet

INFO

The sample compiled with english language support

Create files in a temporary directory

Checks supported languages

Reads the computer name

Process checks computer location settings

Reads the machine GUID from the registry

Confuser has been detected (YARA)

Checks proxy server information

Reads the software policy settings

Creates files or folders in the user directory

Malware configuration

Amadey

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections