File name:	04ccac472e7f9760a547e7bbb721c713f00021fcc74a59637c198f4bbee06c2d.exe
Full analysis:	https://app.any.run/tasks/beb56f90-e57d-4a44-9698-d0c520ec25ff
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	December 10, 2024, 07:43:27
OS:	Windows 11 Professional (build: 22000, 64 bit)
Tags:	lumma stealer amadey botnet loader stealc
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	FCC5C005C3CCBDDEE8BEE4DC5CA441E2
SHA1:	D597F7EC6F9309AF338B0BBB2234F9A0A5CA1A92
SHA256:	04CCAC472E7F9760A547E7BBB721C713F00021FCC74A59637C198F4BBEE06C2D
SSDEEP:	98304:gn2GNXZFit7VSPM591xQp288jeW7Wwyhu4CEW/kyA2i0NeVnnQafv25Wbnf+hKHW:xXIKlS65sHGf

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

ProductVersion:	11.00.17763.1
ProductName:	Internet Explorer
OriginalFileName:	WEXTRACT.EXE .MUI
LegalCopyright:	© Microsoft Corporation. All rights reserved.
InternalName:	Wextract
FileVersion:	11.00.17763.1 (WinBuild.160101.0800)
FileDescription:	Win32 Cabinet Self-Extractor
CompanyName:	Microsoft Corporation
CharacterSet:	Unicode
LanguageCode:	English (U.S.)
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Windows NT 32-bit
FileFlags:	(none)
FileFlagsMask:	0x003f
ProductVersionNumber:	11.0.17763.1
FileVersionNumber:	11.0.17763.1
Subsystem:	Windows GUI
SubsystemVersion:	6
ImageVersion:	10
OSVersion:	10
EntryPoint:	0x6a60
UninitializedDataSize:	-
InitializedDataSize:	7173120
CodeSize:	25600
LinkerVersion:	14.13
PEType:	PE32
ImageFileCharacteristics:	Executable, 32-bit
TimeStamp:	2022:05:24 22:49:06+00:00
MachineType:	Intel 386 or later, and compatibles


(PID) Process:	(2812) 1J17n3.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2812) 1J17n3.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2812) 1J17n3.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2812) 1J17n3.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2808) skotes.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2808) skotes.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2808) skotes.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2808) skotes.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2808) skotes.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2808) skotes.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1

PID	Process	Filename		Type
2812	1J17n3.exe	C:\Windows\Tasks\skotes.job		binary
		MD5:9B3D4A8C1F5172DDA2467C7BC6AB3927	SHA256:BF10BD0F1EBAB0B08D460F7B84591FABAEB61D5165E95FCC7CD5D283C79896B6
5764	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\cookies.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
808	04ccac472e7f9760a547e7bbb721c713f00021fcc74a59637c198f4bbee06c2d.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\f4R43.exe		executable
		MD5:777D6A67707876286FE17D655C830EBF	SHA256:4280ED645EF5B31060F54161C295196FC3EA72407FC1C466F43D21A96FFB133B
2808	skotes.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\5C651ZXJ\random[1].exe		executable
		MD5:327C2F24A87F170DBEDE36CC43A68875	SHA256:E2892813C672C9BC92A7AC23B203E9647C617142222D5C5220A6DF968B24B499
5496	c7ac602eba.exe	C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\c7ac602eba.exe.log		csv
		MD5:C7D8A2EACA5B0C2CF5D4C133074FB713	SHA256:58EC6C6005ED46789D439F45BB386259479AB2828ED1636527AB68CFE00BDA8B
2808	skotes.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\J0KBFYBW\random[1].exe		executable
		MD5:5F300EBC0539EA54FD18FD8E52CA259A	SHA256:A85BCADBD84CAD34D13795EAF7A4A452FF99A7C4DF3C4E838CF623BAB52C32B8
3688	f4R43.exe	C:\Users\admin\AppData\Local\Temp\IXP001.TMP\e0b81.exe		executable
		MD5:DEC11B3CC0EE1492FBF2C3F8F5E21497	SHA256:9223019E435AC3DEB348E7AE211ABE23C5F7BBCCC4D2B9765A5CD1B7BE82C06B
5452	e0b81.exe	C:\Users\admin\AppData\Local\Temp\IXP002.TMP\1J17n3.exe		executable
		MD5:11C23F104D7ECFCB5B535F22214C5DBE	SHA256:C5741977022E908FBE2C233DF25C5D5C6B0B88AF01A026ACC6085F30793708EF
5764	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\sessionCheckpoints.json.tmp		binary
		MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A	SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
2808	skotes.exe	C:\Users\admin\AppData\Local\Temp\1013650001\82cd910bdd.exe		executable
		MD5:5F300EBC0539EA54FD18FD8E52CA259A	SHA256:A85BCADBD84CAD34D13795EAF7A4A452FF99A7C4DF3C4E838CF623BAB52C32B8

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2808	skotes.exe	GET	200	185.215.113.16:80	http://185.215.113.16/luma/random.exe	unknown	—	—	malicious
2808	skotes.exe	POST	200	185.215.113.43:80	http://185.215.113.43/Zu7JuNko/index.php	unknown	—	—	malicious
2808	skotes.exe	POST	200	185.215.113.43:80	http://185.215.113.43/Zu7JuNko/index.php	unknown	—	—	malicious
—	—	POST	200	34.120.208.123:443	https://incoming.telemetry.mozilla.org/submit/firefox-desktop-background-defaultagent/metrics/1/ada6a0b1-7a60-4657-a650-5e32b09dde82	unknown	—	—	whitelisted
—	—	POST	200	34.120.208.123:443	https://incoming.telemetry.mozilla.org/submit/firefox-desktop-background-defaultagent/baseline/1/221d0741-7cda-474f-951c-65e57b8de363	unknown	—	—	whitelisted
2808	skotes.exe	POST	200	185.215.113.43:80	http://185.215.113.43/Zu7JuNko/index.php	unknown	—	—	malicious
—	—	POST	200	104.21.32.1:443	https://atten-supporse.biz/api	unknown	—	—	malicious
—	—	POST	200	34.120.208.123:443	https://incoming.telemetry.mozilla.org/submit/firefox-desktop-background-defaultagent/events/1/4997ddbf-7674-4321-8925-ea1ae748f288	unknown	—	—	whitelisted
—	—	POST	200	34.120.208.123:443	https://incoming.telemetry.mozilla.org/submit/firefox-desktop-background-defaultagent/baseline/1/b06e4ce9-fb91-418e-a90a-98488f8662c7	unknown	—	—	whitelisted
—	—	POST	200	104.21.48.1:443	https://atten-supporse.biz/api	unknown	text	18.2 Kb	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	whitelisted
6700	firefox.exe	34.149.100.209:443	firefox.settings.services.mozilla.com	GOOGLE	US	whitelisted
6700	firefox.exe	34.120.208.123:443	incoming.telemetry.mozilla.org	GOOGLE-CLOUD-PLATFORM	US	whitelisted
1296	svchost.exe	2.18.64.212:80	—	Administracion Nacional de Telecomunicaciones	UY	unknown
3820	rundll32.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3484	OfficeC2RClient.exe	52.109.32.97:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	GB	unknown
5552	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
1408	2U9131.exe	104.21.64.1:443	atten-supporse.biz	CLOUDFLARENET	—	malicious
2808	skotes.exe	185.215.113.43:80	—	1337team Limited	SC	malicious
2808	skotes.exe	185.215.113.16:80	—	1337team Limited	SC	malicious

Domain	IP	Reputation
incoming.telemetry.mozilla.org	34.120.208.123	whitelisted
firefox.settings.services.mozilla.com	34.149.100.209	whitelisted
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	whitelisted
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	whitelisted
google.com	172.217.23.110	whitelisted
atten-supporse.biz	104.21.64.1 104.21.112.1 104.21.16.1 104.21.96.1 104.21.80.1 104.21.32.1 104.21.48.1	malicious
settings-win.data.microsoft.com	4.231.128.59	whitelisted
ctldl.windowsupdate.com	199.232.214.172 199.232.210.172	whitelisted
ecs.office.com	52.113.194.132	whitelisted
mrodevicemgr.officeapps.live.com	52.109.89.117	whitelisted

PID	Process	Class	Message
—	—	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (atten-supporse .biz)
—	—	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI)
—	—	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 33
—	—	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
—	—	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI)
—	—	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI)
—	—	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
—	—	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 33
—	—	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download

Process	Message
1J17n3.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
skotes.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
2U9131.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
82cd910bdd.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
4f5df52420.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
c7ac602eba.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
skotes.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
2U9131.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------

General Info

04ccac472e7f9760a547e7bbb721c713f00021fcc74a59637c198f4bbee06c2d.exe

FCC5C005C3CCBDDEE8BEE4DC5CA441E2

D597F7EC6F9309AF338B0BBB2234F9A0A5CA1A92

04CCAC472E7F9760A547E7BBB721C713F00021FCC74A59637C198F4BBEE06C2D

98304:gn2GNXZFit7VSPM591xQp288jeW7Wwyhu4CEW/kyA2i0NeVnnQafv25Wbnf+hKHW:xXIKlS65sHGf

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

LUMMA has been detected (SURICATA)

Connects to the CnC server

Actions looks like stealing of personal data

AMADEY has been detected (SURICATA)

Steals credentials from Web Browsers

STEALC has been detected (SURICATA)

Changes the autorun value in the registry

Possible tool for stealing has been detected

SUSPICIOUS

Starts a Microsoft application from unusual location

Executable content was dropped or overwritten

Process drops legitimate windows executable

Reads security settings of Internet Explorer

Reads the BIOS version

Starts itself from another location

Reads the Internet Settings

Contacting a server suspected of hosting an CnC

Reads settings of System Certificates

Searches for installed software

Potential Corporate Privacy Violation

Process requests binary or script from the Internet

Connects to the server without a host name

Windows Defender mutex has been found

Uses TASKKILL.EXE to kill Browsers

Uses TASKKILL.EXE to kill process

The process executes via Task Scheduler

INFO

Create files in a temporary directory

Checks supported languages

Sends debugging messages

Reads the computer name

Reads the machine GUID from the registry

Reads the software policy settings

Checks proxy server information

The process uses the downloaded file

Creates files or folders in the user directory

Application launched itself

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity