File name:	04ccac472e7f9760a547e7bbb721c713f00021fcc74a59637c198f4bbee06c2d.exe
Full analysis:	https://app.any.run/tasks/beb56f90-e57d-4a44-9698-d0c520ec25ff
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	December 10, 2024, 07:43:27
OS:	Windows 11 Professional (build: 22000, 64 bit)
Tags:	lumma stealer amadey botnet loader stealc
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	FCC5C005C3CCBDDEE8BEE4DC5CA441E2
SHA1:	D597F7EC6F9309AF338B0BBB2234F9A0A5CA1A92
SHA256:	04CCAC472E7F9760A547E7BBB721C713F00021FCC74A59637C198F4BBEE06C2D
SSDEEP:	98304:gn2GNXZFit7VSPM591xQp288jeW7Wwyhu4CEW/kyA2i0NeVnnQafv25Wbnf+hKHW:xXIKlS65sHGf

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:05:24 22:49:06+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.13
CodeSize:	25600
InitializedDataSize:	7173120
UninitializedDataSize:	-
EntryPoint:	0x6a60
OSVersion:	10
ImageVersion:	10
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	11.0.17763.1
ProductVersionNumber:	11.0.17763.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Win32 Cabinet Self-Extractor
FileVersion:	11.00.17763.1 (WinBuild.160101.0800)
InternalName:	Wextract
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	WEXTRACT.EXE .MUI
ProductName:	Internet Explorer
ProductVersion:	11.00.17763.1

PID	CMD	Path	Indicators	Parent process
256	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4820 -childID 4 -isForBrowser -prefsHandle 4896 -prefMapHandle 4892 -prefsLen 28383 -prefMapSize 243239 -jsInitHandle 1360 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c3f72bf-dad8-4a5b-845c-53000ce5c70c} 5764 "\\.\pipe\gecko-crash-server-pipe.5764" 139534cf4d0 tab	C:\Program Files\Mozilla Firefox\firefox.exe	—	firefox.exe
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 123.0
808	"C:\Users\admin\Desktop\04ccac472e7f9760a547e7bbb721c713f00021fcc74a59637c198f4bbee06c2d.exe"	C:\Users\admin\Desktop\04ccac472e7f9760a547e7bbb721c713f00021fcc74a59637c198f4bbee06c2d.exe		explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Win32 Cabinet Self-Extractor Version: 11.00.17763.1 (WinBuild.160101.0800)
1408	C:\Users\admin\AppData\Local\Temp\IXP002.TMP\2U9131.exe	C:\Users\admin\AppData\Local\Temp\IXP002.TMP\2U9131.exe		e0b81.exe
User: admin Integrity Level: MEDIUM
1512	"C:\Users\admin\AppData\Local\Temp\1013650001\82cd910bdd.exe"	C:\Users\admin\AppData\Local\Temp\1013650001\82cd910bdd.exe		skotes.exe
User: admin Integrity Level: MEDIUM
1656	C:\Windows\system32\svchost.exe -k NetworkService -p	C:\Windows\System32\svchost.exe		services.exe
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.22000.1 (WinBuild.160101.0800)
1856	\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	C:\Windows\System32\conhost.exe	—	taskkill.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.22000.1 (WinBuild.160101.0800)
2272	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2052 -parentBuildID 20240213221259 -prefsHandle 2040 -prefMapHandle 2036 -prefsLen 25692 -prefMapSize 243239 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3db90a87-7cf5-48fa-8650-c5f986bf4092} 5764 "\\.\pipe\gecko-crash-server-pipe.5764" 1393cc83910 socket	C:\Program Files\Mozilla Firefox\firefox.exe	—	firefox.exe
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 123.0
2416	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1792 -parentBuildID 20240213221259 -prefsHandle 1732 -prefMapHandle 1724 -prefsLen 25692 -prefMapSize 243239 -appDir "C:\Program Files\Mozilla Firefox\browser" - {88328e5d-e0ff-4991-9303-d1d634d075f7} 5764 "\\.\pipe\gecko-crash-server-pipe.5764" 13948bd5e10 gpu	C:\Program Files\Mozilla Firefox\firefox.exe	—	firefox.exe
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 123.0
2492	"C:\Users\admin\AppData\Local\Temp\1013651001\4f5df52420.exe"	C:\Users\admin\AppData\Local\Temp\1013651001\4f5df52420.exe		skotes.exe
User: admin Integrity Level: MEDIUM Exit code: 0
2528	taskkill /F /IM brave.exe /T	C:\Windows\SysWOW64\taskkill.exe	—	cc0a5239f0.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 10.0.22000.1 (WinBuild.160101.0800)

PID	Process	Filename		Type
3688	f4R43.exe	C:\Users\admin\AppData\Local\Temp\IXP001.TMP\3w55K.exe		executable
		MD5:82B70CB96DC208843A0380D75FF08F9B	SHA256:697D7F31A1D5ADAB597902CEB9228A77B6E84D776BE1F49A610B04DE25D87801
5764	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\cookies.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
2812	1J17n3.exe	C:\Users\admin\AppData\Local\Temp\abc3bc1985\skotes.exe		executable
		MD5:11C23F104D7ECFCB5B535F22214C5DBE	SHA256:C5741977022E908FBE2C233DF25C5D5C6B0B88AF01A026ACC6085F30793708EF
2808	skotes.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\1SZQV1OV\random[1].exe		executable
		MD5:4095397F24BCD2FCDA6BCFEBBC12AA3B	SHA256:B530FA08FFAFCB20017217C66EBDE979245F9A08B3A1F61704EB0351C37954ED
2808	skotes.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\5C651ZXJ\random[1].exe		executable
		MD5:327C2F24A87F170DBEDE36CC43A68875	SHA256:E2892813C672C9BC92A7AC23B203E9647C617142222D5C5220A6DF968B24B499
2808	skotes.exe	C:\Users\admin\AppData\Local\Temp\1013652001\cc0a5239f0.exe		executable
		MD5:4095397F24BCD2FCDA6BCFEBBC12AA3B	SHA256:B530FA08FFAFCB20017217C66EBDE979245F9A08B3A1F61704EB0351C37954ED
2808	skotes.exe	C:\Users\admin\AppData\Local\Temp\1013650001\82cd910bdd.exe		executable
		MD5:5F300EBC0539EA54FD18FD8E52CA259A	SHA256:A85BCADBD84CAD34D13795EAF7A4A452FF99A7C4DF3C4E838CF623BAB52C32B8
5764	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\sessionCheckpoints.json.tmp		binary
		MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A	SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
5496	c7ac602eba.exe	C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\c7ac602eba.exe.log		csv
		MD5:C7D8A2EACA5B0C2CF5D4C133074FB713	SHA256:58EC6C6005ED46789D439F45BB386259479AB2828ED1636527AB68CFE00BDA8B
5764	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2808	skotes.exe	GET	200	185.215.113.16:80	http://185.215.113.16/luma/random.exe	unknown	—	—	malicious
2808	skotes.exe	POST	200	185.215.113.43:80	http://185.215.113.43/Zu7JuNko/index.php	unknown	—	—	malicious
2808	skotes.exe	POST	200	185.215.113.43:80	http://185.215.113.43/Zu7JuNko/index.php	unknown	—	—	malicious
—	—	POST	200	34.120.208.123:443	https://incoming.telemetry.mozilla.org/submit/firefox-desktop-background-defaultagent/metrics/1/ada6a0b1-7a60-4657-a650-5e32b09dde82	unknown	—	—	whitelisted
—	—	POST	200	104.21.32.1:443	https://atten-supporse.biz/api	unknown	text	2 b	malicious
—	—	POST	200	104.21.80.1:443	https://atten-supporse.biz/api	unknown	text	16 b	malicious
—	—	POST	200	34.120.208.123:443	https://incoming.telemetry.mozilla.org/submit/firefox-desktop-background-defaultagent/baseline/1/346ef485-1393-4d1c-a862-a41e654379ce	unknown	—	—	whitelisted
—	—	POST	200	34.120.208.123:443	https://incoming.telemetry.mozilla.org/submit/firefox-desktop-background-defaultagent/metrics/1/67e10232-b4f4-4942-a53c-2b92472ce6df	unknown	—	—	whitelisted
—	—	POST	200	34.120.208.123:443	https://incoming.telemetry.mozilla.org/submit/firefox-desktop-background-defaultagent/events/1/4997ddbf-7674-4321-8925-ea1ae748f288	unknown	—	—	whitelisted
—	—	POST	200	34.120.208.123:443	https://incoming.telemetry.mozilla.org/submit/firefox-desktop-background-defaultagent/events/1/f3b4cb82-aec4-49d9-b7f7-83912f0fa8c8	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	whitelisted
6700	firefox.exe	34.149.100.209:443	firefox.settings.services.mozilla.com	GOOGLE	US	whitelisted
6700	firefox.exe	34.120.208.123:443	incoming.telemetry.mozilla.org	GOOGLE-CLOUD-PLATFORM	US	whitelisted
1296	svchost.exe	2.18.64.212:80	—	Administracion Nacional de Telecomunicaciones	UY	unknown
3820	rundll32.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3484	OfficeC2RClient.exe	52.109.32.97:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	GB	unknown
5552	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
1408	2U9131.exe	104.21.64.1:443	atten-supporse.biz	CLOUDFLARENET	—	malicious
2808	skotes.exe	185.215.113.43:80	—	1337team Limited	SC	malicious
2808	skotes.exe	185.215.113.16:80	—	1337team Limited	SC	malicious

Domain	IP	Reputation
incoming.telemetry.mozilla.org	34.120.208.123	whitelisted
firefox.settings.services.mozilla.com	34.149.100.209	whitelisted
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	whitelisted
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	whitelisted
google.com	172.217.23.110	whitelisted
atten-supporse.biz	104.21.64.1 104.21.112.1 104.21.16.1 104.21.96.1 104.21.80.1 104.21.32.1 104.21.48.1	malicious
settings-win.data.microsoft.com	4.231.128.59	whitelisted
ctldl.windowsupdate.com	199.232.214.172 199.232.210.172	whitelisted
ecs.office.com	52.113.194.132	whitelisted
mrodevicemgr.officeapps.live.com	52.109.89.117	whitelisted

PID	Process	Class	Message
1656	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (atten-supporse .biz)
1408	2U9131.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI)
2808	skotes.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 33
2808	skotes.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
1408	2U9131.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI)
1408	2U9131.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI)
2808	skotes.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2808	skotes.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2808	skotes.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 33
2808	skotes.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download

Process	Message
1J17n3.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
skotes.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
2U9131.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
82cd910bdd.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
4f5df52420.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
c7ac602eba.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
skotes.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
2U9131.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------

General Info

04ccac472e7f9760a547e7bbb721c713f00021fcc74a59637c198f4bbee06c2d.exe

FCC5C005C3CCBDDEE8BEE4DC5CA441E2

D597F7EC6F9309AF338B0BBB2234F9A0A5CA1A92

04CCAC472E7F9760A547E7BBB721C713F00021FCC74A59637C198F4BBEE06C2D

98304:gn2GNXZFit7VSPM591xQp288jeW7Wwyhu4CEW/kyA2i0NeVnnQafv25Wbnf+hKHW:xXIKlS65sHGf

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

LUMMA has been detected (SURICATA)

Connects to the CnC server

Actions looks like stealing of personal data

AMADEY has been detected (SURICATA)

Steals credentials from Web Browsers

Changes the autorun value in the registry

STEALC has been detected (SURICATA)

Possible tool for stealing has been detected

SUSPICIOUS

Starts a Microsoft application from unusual location

Process drops legitimate windows executable

Executable content was dropped or overwritten

Reads the BIOS version

Reads security settings of Internet Explorer

Reads the Internet Settings

Reads settings of System Certificates

Contacting a server suspected of hosting an CnC

Searches for installed software

Potential Corporate Privacy Violation

Process requests binary or script from the Internet

Connects to the server without a host name

Starts itself from another location

Windows Defender mutex has been found

Uses TASKKILL.EXE to kill Browsers

Uses TASKKILL.EXE to kill process

The process executes via Task Scheduler

INFO

Checks supported languages

Create files in a temporary directory

Sends debugging messages

Reads the computer name

Reads the machine GUID from the registry

Reads the software policy settings

Checks proxy server information

The process uses the downloaded file

Creates files or folders in the user directory

Application launched itself

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings