File name:	04ccac472e7f9760a547e7bbb721c713f00021fcc74a59637c198f4bbee06c2d.exe
Full analysis:	https://app.any.run/tasks/beb56f90-e57d-4a44-9698-d0c520ec25ff
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	December 10, 2024, 07:43:27
OS:	Windows 11 Professional (build: 22000, 64 bit)
Tags:	lumma stealer amadey botnet loader stealc
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	FCC5C005C3CCBDDEE8BEE4DC5CA441E2
SHA1:	D597F7EC6F9309AF338B0BBB2234F9A0A5CA1A92
SHA256:	04CCAC472E7F9760A547E7BBB721C713F00021FCC74A59637C198F4BBEE06C2D
SSDEEP:	98304:gn2GNXZFit7VSPM591xQp288jeW7Wwyhu4CEW/kyA2i0NeVnnQafv25Wbnf+hKHW:xXIKlS65sHGf

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:05:24 22:49:06+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.13
CodeSize:	25600
InitializedDataSize:	7173120
UninitializedDataSize:	-
EntryPoint:	0x6a60
OSVersion:	10
ImageVersion:	10
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	11.0.17763.1
ProductVersionNumber:	11.0.17763.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Win32 Cabinet Self-Extractor
FileVersion:	11.00.17763.1 (WinBuild.160101.0800)
InternalName:	Wextract
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	WEXTRACT.EXE .MUI
ProductName:	Internet Explorer
ProductVersion:	11.00.17763.1


(PID) Process:	(2812) 1J17n3.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2812) 1J17n3.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2812) 1J17n3.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2812) 1J17n3.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2808) skotes.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2808) skotes.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2808) skotes.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2808) skotes.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2808) skotes.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2808) skotes.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1

PID	Process	Filename		Type
5452	e0b81.exe	C:\Users\admin\AppData\Local\Temp\IXP002.TMP\2U9131.exe		executable
		MD5:FFBF4DAC7F1ED0ADE66186644F98132C	SHA256:EA3D6A813BFA00A6FE5888FDB841E24063E24BF7723AC233DF33D1E07129E23C
5452	e0b81.exe	C:\Users\admin\AppData\Local\Temp\IXP002.TMP\1J17n3.exe		executable
		MD5:11C23F104D7ECFCB5B535F22214C5DBE	SHA256:C5741977022E908FBE2C233DF25C5D5C6B0B88AF01A026ACC6085F30793708EF
3688	f4R43.exe	C:\Users\admin\AppData\Local\Temp\IXP001.TMP\e0b81.exe		executable
		MD5:DEC11B3CC0EE1492FBF2C3F8F5E21497	SHA256:9223019E435AC3DEB348E7AE211ABE23C5F7BBCCC4D2B9765A5CD1B7BE82C06B
808	04ccac472e7f9760a547e7bbb721c713f00021fcc74a59637c198f4bbee06c2d.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\f4R43.exe		executable
		MD5:777D6A67707876286FE17D655C830EBF	SHA256:4280ED645EF5B31060F54161C295196FC3EA72407FC1C466F43D21A96FFB133B
808	04ccac472e7f9760a547e7bbb721c713f00021fcc74a59637c198f4bbee06c2d.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\4U637G.exe		executable
		MD5:99CFF6034A2010E18F19281AFA021AEC	SHA256:BDA24B571A92286E33963D7790A6CADA3B23B2D5B8C4099EB7F4922D41DF113E
2808	skotes.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\FCA342ES\random[1].exe		executable
		MD5:FD134059EA499F3625917D465E84428B	SHA256:ED12D7259BF015A29020861C1102D4780CFBBD8E49847F02BD94BEB797C1B3F3
2808	skotes.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\J0KBFYBW\random[1].exe		executable
		MD5:5F300EBC0539EA54FD18FD8E52CA259A	SHA256:A85BCADBD84CAD34D13795EAF7A4A452FF99A7C4DF3C4E838CF623BAB52C32B8
5496	c7ac602eba.exe	C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\c7ac602eba.exe.log		csv
		MD5:C7D8A2EACA5B0C2CF5D4C133074FB713	SHA256:58EC6C6005ED46789D439F45BB386259479AB2828ED1636527AB68CFE00BDA8B
5764	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\compatibility.ini		text
		MD5:1A1E16B0EA4ADE805E22DAE4B6A83476	SHA256:5D8CCAE985792AB2D40F72335CD2B149F04C451F61C0FA37CBE4DC97C9918645
5764	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2808	skotes.exe	POST	200	185.215.113.43:80	http://185.215.113.43/Zu7JuNko/index.php	unknown	—	—	malicious
2808	skotes.exe	POST	200	185.215.113.43:80	http://185.215.113.43/Zu7JuNko/index.php	unknown	—	—	malicious
2808	skotes.exe	GET	200	185.215.113.16:80	http://185.215.113.16/luma/random.exe	unknown	—	—	malicious
2808	skotes.exe	POST	200	185.215.113.43:80	http://185.215.113.43/Zu7JuNko/index.php	unknown	—	—	malicious
2808	skotes.exe	GET	200	185.215.113.16:80	http://185.215.113.16/steam/random.exe	unknown	—	—	malicious
—	—	POST	200	104.21.32.1:443	https://atten-supporse.biz/api	unknown	—	—	malicious
—	—	POST	200	104.21.80.1:443	https://atten-supporse.biz/api	unknown	text	16 b	malicious
—	—	POST	200	104.21.96.1:443	https://atten-supporse.biz/api	unknown	text	18.2 Kb	malicious
—	—	POST	200	34.120.208.123:443	https://incoming.telemetry.mozilla.org/submit/firefox-desktop-background-defaultagent/metrics/1/ada6a0b1-7a60-4657-a650-5e32b09dde82	unknown	—	—	whitelisted
—	—	POST	200	104.21.48.1:443	https://atten-supporse.biz/api	unknown	text	16 b	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	whitelisted
6700	firefox.exe	34.149.100.209:443	firefox.settings.services.mozilla.com	GOOGLE	US	whitelisted
6700	firefox.exe	34.120.208.123:443	incoming.telemetry.mozilla.org	GOOGLE-CLOUD-PLATFORM	US	whitelisted
1296	svchost.exe	2.18.64.212:80	—	Administracion Nacional de Telecomunicaciones	UY	unknown
3820	rundll32.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3484	OfficeC2RClient.exe	52.109.32.97:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	GB	unknown
5552	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
1408	2U9131.exe	104.21.64.1:443	atten-supporse.biz	CLOUDFLARENET	—	malicious
2808	skotes.exe	185.215.113.43:80	—	1337team Limited	SC	malicious
2808	skotes.exe	185.215.113.16:80	—	1337team Limited	SC	malicious

Domain	IP	Reputation
incoming.telemetry.mozilla.org	34.120.208.123	whitelisted
firefox.settings.services.mozilla.com	34.149.100.209	whitelisted
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	whitelisted
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	whitelisted
google.com	172.217.23.110	whitelisted
atten-supporse.biz	104.21.64.1 104.21.112.1 104.21.16.1 104.21.96.1 104.21.80.1 104.21.32.1 104.21.48.1	malicious
settings-win.data.microsoft.com	4.231.128.59	whitelisted
ctldl.windowsupdate.com	199.232.214.172 199.232.210.172	whitelisted
ecs.office.com	52.113.194.132	whitelisted
mrodevicemgr.officeapps.live.com	52.109.89.117	whitelisted

PID	Process	Class	Message
—	—	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (atten-supporse .biz)
—	—	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI)
—	—	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 33
—	—	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
—	—	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI)
—	—	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI)
—	—	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
—	—	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 33
—	—	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download

Process	Message
1J17n3.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
skotes.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
2U9131.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
82cd910bdd.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
4f5df52420.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
c7ac602eba.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
skotes.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
2U9131.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------

General Info

04ccac472e7f9760a547e7bbb721c713f00021fcc74a59637c198f4bbee06c2d.exe

FCC5C005C3CCBDDEE8BEE4DC5CA441E2

D597F7EC6F9309AF338B0BBB2234F9A0A5CA1A92

04CCAC472E7F9760A547E7BBB721C713F00021FCC74A59637C198F4BBEE06C2D

98304:gn2GNXZFit7VSPM591xQp288jeW7Wwyhu4CEW/kyA2i0NeVnnQafv25Wbnf+hKHW:xXIKlS65sHGf

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Connects to the CnC server

LUMMA has been detected (SURICATA)

AMADEY has been detected (SURICATA)

Actions looks like stealing of personal data

Steals credentials from Web Browsers

Changes the autorun value in the registry

STEALC has been detected (SURICATA)

Possible tool for stealing has been detected

SUSPICIOUS

Starts a Microsoft application from unusual location

Process drops legitimate windows executable

Executable content was dropped or overwritten

Reads the BIOS version

Reads security settings of Internet Explorer

Starts itself from another location

Contacting a server suspected of hosting an CnC

Reads the Internet Settings

Reads settings of System Certificates

Process requests binary or script from the Internet

Searches for installed software

Potential Corporate Privacy Violation

Windows Defender mutex has been found

Connects to the server without a host name

Uses TASKKILL.EXE to kill Browsers

Uses TASKKILL.EXE to kill process

The process executes via Task Scheduler

INFO

Checks supported languages

Create files in a temporary directory

Sends debugging messages

Reads the computer name

Reads the software policy settings

Reads the machine GUID from the registry

Checks proxy server information

The process uses the downloaded file

Creates files or folders in the user directory

Application launched itself

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity