File name:	CBTFE_random.exe
Full analysis:	https://app.any.run/tasks/327fc9c2-6f7c-4b78-8ef5-265df962bb82
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018. Malware Trends Tracker >>>
Analysis date:	April 27, 2025, 09:14:17
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	lumma stealer themida loader amadey botnet rdp telegram vidar stealc rhadamanthys miner metastealer redline auto-sch github shellcode
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:	18EAEA222E5D96C008BC5CA142B17741
SHA1:	C094E3153B2B0FEEABDE36DA28150AF3EA65FDC4
SHA256:	047FBEA603C1CF4AFFFCFE260ADACF28C9258B24D44CE908AEB7CF473ACD458D
SSDEEP:	98304:bEMRMMn2VmJzVaV7utQFakFW3+Fq2fovEi44qyrtrnZZfJ6BvRyQgz5w0LQT0isf:31VU

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:04:26 14:47:23+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	312320
InitializedDataSize:	38400
UninitializedDataSize:	-
EntryPoint:	0x4b8000
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI


(PID) Process:	(8152) saved.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(8152) saved.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(8152) saved.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(7320) MSBuild.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7320) MSBuild.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7320) MSBuild.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(1056) fdb0f31429.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\SibCode
Operation:	write	Name:	sn3
Value: C186A95CDAAC125547B4BDB38EB1C49FDB1842704BC4F6617ED128A4F378F6C983D9D9E239D33A1F2D790F5CFE2047F132F949B61ECE51F986052A271957203D
(PID) Process:	(7580) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(7580) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(7580) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 2

PID	Process	Filename		Type
8152	saved.exe	C:\Users\admin\AppData\Local\Temp\10037300101\178f26fa21.exe		executable
		MD5:662A3DF17B29B738CF4B89E54DEEB3C3	SHA256:A9CB72A5E2A1C4349508A4941FE1412289CC793B6D141AD8A957DE0DE236455E
7320	MSBuild.exe	C:\ProgramData\gdjmo\iwtjmy		binary
		MD5:FDDE63730E15DD2E18C540BA52B6A945	SHA256:40740EAABD14FC0E08D3B5EE340C1E1B372E158F61EF58AEED1EE4B3A3F4492E
8012	6TUQ7EWY6HXEFZYE9XD.exe	C:\Users\admin\AppData\Local\Temp\c13dbdc4fa\saved.exe		executable
		MD5:F6C20A18AFEAC04964A6CCAD6BE59731	SHA256:CE75F9DEDE6D4E93549D35B816898113B6BEFAB9EF0AADF8949D4887C2C34BEA
8012	6TUQ7EWY6HXEFZYE9XD.exe	C:\Windows\Tasks\saved.job		binary
		MD5:0D9F8845CF5C11039736639DD21D424F	SHA256:3882BC357AE548DE614A5B0C51966425087461A723C4D74D56984F395BC3753B
8152	saved.exe	C:\Users\admin\AppData\Local\Temp\10037280101\47Q6wZM.exe		executable
		MD5:E014AF7599889360B5D5D20EFD5405BA	SHA256:C2E6244EA8D8A99C5ED0B51C44342A8377B34077E3B11B854CDA801C8208FE66
8152	saved.exe	C:\Users\admin\AppData\Local\Temp\10037270101\zb7jDew.exe		executable
		MD5:2FBD4BDECEDF24B45B6AF9B9D1D9B504	SHA256:D5C541A2D1300B9B890659310FED17BC2139DF0A13F4AF7D39A61046C08BB6B7
7580	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old~RF11b63d.TMP		—
		MD5:—	SHA256:—
7580	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RF11b63d.TMP		—
		MD5:—	SHA256:—
7580	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RF11b63d.TMP		—
		MD5:—	SHA256:—
7580	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7732	CBTFE_random.exe	GET	200	185.39.17.162:80	http://185.39.17.162/mine/random.exe	unknown	—	—	malicious
8152	saved.exe	POST	200	185.39.17.163:80	http://185.39.17.163/Su8kud7i/index.php	unknown	—	—	malicious
8152	saved.exe	GET	200	185.39.17.162:80	http://185.39.17.162/files/6336929412/zb7jDew.exe	unknown	—	—	malicious
8152	saved.exe	POST	200	185.39.17.163:80	http://185.39.17.163/Su8kud7i/index.php	unknown	—	—	malicious
8152	saved.exe	GET	200	94.26.90.80:80	http://94.26.90.80/VisualCode.exe	unknown	—	—	unknown
8152	saved.exe	POST	200	185.39.17.163:80	http://185.39.17.163/Su8kud7i/index.php	unknown	—	—	malicious
8152	saved.exe	POST	200	185.39.17.163:80	http://185.39.17.163/Su8kud7i/index.php	unknown	—	—	malicious
8152	saved.exe	GET	200	185.39.17.162:80	http://185.39.17.162/files/7453936223/47Q6wZM.exe	unknown	—	—	malicious
8152	saved.exe	POST	200	185.39.17.163:80	http://185.39.17.163/Su8kud7i/index.php	unknown	—	—	malicious
8152	saved.exe	GET	200	185.39.17.162:80	http://185.39.17.162/files/qqdoup/random.exe	unknown	—	—	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
7732	CBTFE_random.exe	104.21.85.126:443	clarmodq.top	CLOUDFLARENET	—	malicious
7732	CBTFE_random.exe	185.39.17.162:80	—	Joint Stock Company Tagnet	RU	malicious
8152	saved.exe	185.39.17.163:80	—	Joint Stock Company Tagnet	RU	malicious
8152	saved.exe	185.39.17.162:80	—	Joint Stock Company Tagnet	RU	malicious
8152	saved.exe	94.26.90.80:80	—	Deutsche Telekom AG	GB	unknown
496	zb7jDew.exe	172.67.171.157:443	pomelohgj.top	CLOUDFLARENET	US	malicious
7224	MSBuild.exe	104.102.49.106:443	steamcommunity.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	142.250.186.142	whitelisted
clarmodq.top	104.21.85.126 172.67.205.184	malicious
pomelohgj.top	172.67.171.157 104.21.71.199	malicious
longitudde.digital	—	malicious
hemispherexz.top	—	malicious
equatorf.run	—	malicious
latitudert.live	—	malicious
climatologfy.top	—	unknown
steamcommunity.com	104.102.49.106	whitelisted

PID	Process	Class	Message
2196	svchost.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Suspected Domain Associated with Malware Distribution (clarmodq .top)
2196	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
2196	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clarmodq .top)
7732	CBTFE_random.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI)
—	—	Potentially Bad Traffic	ET INFO HTTP Request to a *.top domain
7732	CBTFE_random.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI)
7732	CBTFE_random.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI)
7732	CBTFE_random.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI)
7732	CBTFE_random.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI)
7732	CBTFE_random.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI)

General Info

CBTFE_random.exe

18EAEA222E5D96C008BC5CA142B17741

C094E3153B2B0FEEABDE36DA28150AF3EA65FDC4

047FBEA603C1CF4AFFFCFE260ADACF28C9258B24D44CE908AEB7CF473ACD458D

98304:bEMRMMn2VmJzVaV7utQFakFW3+Fq2fovEi44qyrtrnZZfJ6BvRyQgz5w0LQT0isf:31VU

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

LUMMA mutex has been found

Steals credentials from Web Browsers

Actions looks like stealing of personal data

LUMMA has been detected (SURICATA)

Connects to the CnC server

LUMMA has been detected (YARA)

AMADEY has been detected (SURICATA)

AMADEY has been detected (YARA)

VIDAR mutex has been found

Stealers network behavior

VIDAR has been detected (YARA)

RHADAMANTHYS mutex has been found

RHADAMANTHYS has been detected (YARA)

Uses Task Scheduler to autorun other applications

Run PowerShell with an invisible window

METASTEALER has been detected (SURICATA)

REDLINE has been detected (SURICATA)

Changes Windows Defender settings

Adds path to the Windows Defender exclusion list

MINER has been detected (SURICATA)

SUSPICIOUS

Reads the BIOS version

Contacting a server suspected of hosting an CnC

Searches for installed software

Potential Corporate Privacy Violation

Executable content was dropped or overwritten

Connects to the server without a host name

Starts itself from another location

Process requests binary or script from the Internet

Reads security settings of Internet Explorer

There is functionality for taking screenshot (YARA)

There is functionality for enable RDP (YARA)

The process executes via Task Scheduler

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Multiple wallet extension IDs have been found

Connects to unusual port

Executes application which crashes

The process checks if it is being run in the virtual environment

Starts NET.EXE to display or manage information about active sessions

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Starts POWERSHELL.EXE for commands execution

Starts process via Powershell

Application launched itself

Reads the date of Windows installation

Uses TIMEOUT.EXE to delay execution

The executable file from the user directory is run by the CMD process

Crypto Currency Mining Activity Detected

Script adds exclusion path to Windows Defender

Downloads file from URI via Powershell

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Reads the software policy settings

Themida protector has been detected

Create files in a temporary directory

Process checks computer location settings

Checks proxy server information

Creates files or folders in the user directory

The sample compiled with english language support

Creates files in the program directory

Attempting to use instant messaging service

Reads CPU info

Reads Environment values

Reads product name