URL:	https://www.mediafire.com/file/8ltj5v2n0uhxl84/Passwrod_2024_With_Setup.rar/file
Full analysis:	https://app.any.run/tasks/808e44ff-0081-41d2-9634-d46bc49efa13
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 02, 2024, 10:32:32
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	hijackloader loader lumma miner amadey botnet stealer
Indicators:
MD5:	DA50724B9D8B95A68799F5F62B9CE8E3
SHA1:	95333E32F2BA24F0DF495EB3B3C8743E6FD3D82D
SHA256:	0648C135C15A2C5EC1EA5457BD5A7B834454D98155BAA293F7A05233CFFB88C5
SSDEEP:	3:N8DSLw3eGUodGWPI1wWW5oR5KcA:2OLw3eG5G51wWxycA


(PID) Process:	(6128) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(6128) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(6128) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\ThirdParty
Operation:	write	Name:	StatusCodes
Value: 01000000
(PID) Process:	(6128) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(6128) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation:	write	Name:	dr
Value: 1
(PID) Process:	(6128) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(6128) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge
Operation:	write	Name:	UsageStatsInSample
Value: 1
(PID) Process:	(6128) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation:	write	Name:	usagestats
Value: 0
(PID) Process:	(6128) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation:	write	Name:	urlstats
Value: 0
(PID) Process:	(6128) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:	write	Name:	S-1-5-21-1693682860-607145093-2874071422-1001
Value: 74A98451B7602F00

PID	Process	Filename		Type
6128	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RFf24a5.TMP		—
		MD5:—	SHA256:—
6128	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
6128	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RFf24b5.TMP		—
		MD5:—	SHA256:—
6128	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old		—
		MD5:—	SHA256:—
6128	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RFf24e4.TMP		—
		MD5:—	SHA256:—
6128	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old		—
		MD5:—	SHA256:—
6128	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old		text
		MD5:63D47248EB1C3F5B97CAAE6599A6FCD0	SHA256:4124BD344E193D3DDBE94EF996C5AFBEA6C00C939F405B3CCBEE9058BA5AE257
6128	msedge.exe	C:\USERS\ADMIN\APPDATA\LOCAL\MICROSOFT\EDGE\USER DATA\VARIATIONS		binary
		MD5:6E1AF7D7074A6124EFDB62180565A385	SHA256:70811DE44C337675FCFFDA381E8AB2FB66544B07FFCAE651804B75EF71C11748
6128	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old~RFf24b5.TMP		text
		MD5:5DB127C66F688E2B285A0816EC4BDE1C	SHA256:1A490965A2E4688809FF31A5DB1971688F92700DEFA536BEF28D91512B9AA966
6128	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old		text
		MD5:7785E4691872E5681591BE30B20145DB	SHA256:0695BD71C8EFF522998347212BA7CEEE52F6D8F8BC4C87A21E6991C89CF97634

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3340	msedge.exe	GET	—	104.16.56.101:443	https://static.cloudflareinsights.com/beacon.min.js/v84a3a4012de94ce1a686ba8c167c359c1696973893317	unknown	—	—	—
—	—	GET	200	104.16.113.74:443	https://www.mediafire.com/file/8ltj5v2n0uhxl84/Passwrod_2024_With_Setup.rar/file	unknown	html	91.9 Kb	—
3340	msedge.exe	GET	200	13.107.42.16:443	https://config.edge.skype.com/config/v1/Edge/111.0.1661.62?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfull=0&scpguard=0&scpfre=0&scpver=0&osarch=x86_64&osver=10.0.19044&wu=1&devicefamily=desktop&uma=0&sessionid=12&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245	unknown	binary	968 b	—
3340	msedge.exe	POST	200	20.103.180.120:443	https://sploit-edge.smartscreen.microsoft.com/api/browser/edge/ssrs/3?MSURS-Client-Key=gWk17R3rsHpq2NOfGTB9CQ==&MSURS-MAC=rmDFlGJXkNY=	unknown	text	395 b	—
—	—	POST	200	20.103.180.120:443	https://nav-edge.smartscreen.microsoft.com/api/browser/edge/navigate/3/sync	unknown	binary	1.20 Kb	—
—	—	GET	200	172.217.18.104:443	https://www.googletagmanager.com/gtag/js?id=UA-829541-1	unknown	text	173 Kb	—
—	—	GET	200	172.217.18.104:443	https://www.googletagmanager.com/gtm.js?id=GTM-53LP4T	unknown	text	259 Kb	—
3340	msedge.exe	GET	200	104.16.113.74:443	https://static.mediafire.com/images/icons/svg_light/twitter.svg	unknown	image	949 b	—
3340	msedge.exe	POST	204	216.239.34.36:443	https://region1.analytics.google.com/g/collect?v=2&tid=G-K68XP6D85D&gtm=45je3bt0v887485693z86304663&_p=1704191562325&_gaz=1&gcd=11l1l1l1l1&dma_cps=sypham&dma=1&cid=855511322.1704191602&ul=en-us&sr=1280x720&uaa=x86&uab=64&uafvl=Microsoft%2520Edge%3B111.0.1661.62%7CNot(A%253ABrand%3B8.0.0.0%7CChromium%3B111.0.5563.149&uamb=0&uam=&uap=Windows&uapv=10.0.0&uaw=0&_s=1&sid=1704191602&sct=1&seg=0&dl=https%3A%2F%2Fwww.mediafire.com%2Ffile%2F8ltj5v2n0uhxl84%2FPasswrod_2024_With_Setup.rar%2Ffile&dt=Passwrod_2024_With_Setup&en=page_view&_fv=1&_nsi=1&_ss=1&up.page_url=https%3A%2F%2Fwww.mediafire.com%2Ffile%2F8ltj5v2n0uhxl84%2FPasswrod_2024_With_Setup.rar%2Ffile&tfd=42647	unknown	—	—	—
3340	msedge.exe	GET	200	104.16.114.74:443	https://static.mediafire.com/images/backgrounds/header/mf_logo_full_color.svg	unknown	image	3.28 Kb	—

PID	Process	IP	Domain	ASN	CN	Reputation
5612	MoUsoCoreWorker.exe	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1676	svchost.exe	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6128	msedge.exe	239.255.255.250:1900	—	—	—	whitelisted
3340	msedge.exe	104.16.114.74:443	www.mediafire.com	CLOUDFLARENET	—	unknown
3340	msedge.exe	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3340	msedge.exe	20.103.180.120:443	sploit-edge.smartscreen.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
3340	msedge.exe	20.31.251.109:443	nav-edge.smartscreen.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
3720	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
3340	msedge.exe	216.58.212.168:443	www.googletagmanager.com	GOOGLE	US	whitelisted
3340	msedge.exe	2.19.96.90:443	www.bing.com	Akamai International B.V.	DE	unknown

Domain	IP	Reputation
www.mediafire.com	104.16.114.74 104.16.113.74	shared
config.edge.skype.com	13.107.42.16	whitelisted
sploit-edge.smartscreen.microsoft.com	20.103.180.120	whitelisted
nav-edge.smartscreen.microsoft.com	20.31.251.109	whitelisted
data-edge.smartscreen.microsoft.com	20.31.251.109	whitelisted
www.googletagmanager.com	216.58.212.168	whitelisted
static.mediafire.com	104.16.114.74 104.16.113.74	shared
www.bing.com	2.19.96.90 2.19.96.129 2.19.96.82 2.19.96.80 2.19.96.120 2.19.96.50 2.19.96.35 2.19.96.91 92.122.215.95 92.122.215.99 92.122.215.98 92.122.215.60 2.20.142.185 2.20.142.251 92.122.215.53 2.20.142.187 92.122.215.74 92.122.215.56 92.122.215.65	whitelisted
settings-win.data.microsoft.com	20.73.194.208 51.104.136.2 40.127.240.158	whitelisted
translate.google.com	216.58.212.174	whitelisted

PID	Process	Class	Message
3340	msedge.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
3340	msedge.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
3340	msedge.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
3340	msedge.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
3340	msedge.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
3340	msedge.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
2136	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.pw domain - Likely Hostile
5128	RarExt32.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
5128	RarExt32.exe	Potentially Bad Traffic	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
5128	RarExt32.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

General Info

https://www.mediafire.com/file/8ltj5v2n0uhxl84/Passwrod_2024_With_Setup.rar/file

DA50724B9D8B95A68799F5F62B9CE8E3

95333E32F2BA24F0DF495EB3B3C8743E6FD3D82D

0648C135C15A2C5EC1EA5457BD5A7B834454D98155BAA293F7A05233CFFB88C5

3:N8DSLw3eGUodGWPI1wWW5oR5KcA:2OLw3eG5G51wWxycA

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

HIJACKLOADER has been detected (YARA)

LUMMA has been detected (YARA)

Uses Task Scheduler to run other applications

Changes the autorun value in the registry

Actions looks like stealing of personal data

Steals credentials from Web Browsers

SUSPICIOUS

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

Uses TIMEOUT.EXE to delay execution

Reads the date of Windows installation

Searches for installed software

Loads DLL from Mozilla Firefox

Uses RUNDLL32.EXE to load library

Uses NETSH.EXE to obtain data on the network

Starts POWERSHELL.EXE for commands execution

INFO

Application launched itself

Checks supported languages

Drops the executable file immediately after the start

Reads the computer name

The process uses the downloaded file

Creates files or folders in the user directory

Creates files in the program directory

The executable file from the user directory is run by the CMD process

Create files in a temporary directory

Reads the machine GUID from the registry

Reads the software policy settings

Connects to the server without a host name

Process requests binary or script from the Internet

Reads Environment values

Process checks computer location settings

Starts itself from another location

Checks proxy server information

Unusual connection from system programs

Connects to the CnC server

MINER has been detected (SURICATA)

Connects to unusual port

AMADEY has been detected (SURICATA)

The process executes via Task Scheduler

Malware configuration

Lumma

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity