File name:	2025-05-16_621e96ab28e9a9144067a6cd9448fa4a_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_luca-stealer
Full analysis:	https://app.any.run/tasks/321a744c-ea55-42c4-924f-bc8a044563f2
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 16, 2025, 15:15:15
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto-sch loader amadey botnet stealer rdp
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	621E96AB28E9A9144067A6CD9448FA4A
SHA1:	2920C526B211A6BDB7D1D65F6732E7FB67B6BCAE
SHA256:	09CA1BD1F19DE66D3CED8127A04EC63F27B41CF9EE70594D744E5AB78A1A6410
SSDEEP:	49152:KPPkzemqoSut3Jh4+QQ/btosJwIA4hHmZlKH2Tw/Pq83zw0bCjvk9G661QGtBqXo:AP/mp7t3T4+B/btosJwIA4hHmZlKH2TO

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:05:15 14:21:11+00:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	14.16
CodeSize:	633856
InitializedDataSize:	326144
UninitializedDataSize:	-
EntryPoint:	0x20577
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	0.0.0.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (British)
CharacterSet:	Unicode


(PID) Process:	(7684) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7684) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7684) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(7972) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7972) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7972) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(7832) powershell.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(7832) powershell.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(7832) powershell.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(7832) powershell.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:

PID	Process	Filename		Type
8048	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gvas2yr2.p4q.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7832	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_aknulvbp.dcz.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8048	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4ax01nxo.zh0.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7648	2025-05-16_621e96ab28e9a9144067a6cd9448fa4a_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_luca-stealer.exe	C:\Users\admin\AppData\Local\Temp\iP1NB2gx1.hta		html
		MD5:C90DF58B520C809F01CFB76AE38826B5	SHA256:3156B5DBA9346B66DE4FD12B99364C5ED74966C6AD359A82D52A866F33F6E3E1
7832	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5iwghzaw.u5r.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7188	TempYS3COY1GHVWZJREQT8MQ0EDQ9APRDTAI.EXE	C:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exe		executable
		MD5:26CC5A6CFD8E8ECC433337413C14CDDB	SHA256:2D904D576B46236BAF504DBA21775F6EBBBD0F65272A9C2FCA1C6798184FA4E8
8048	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:02041E652BB913B21B125754A164BD97	SHA256:B6249AD5C2F5A0C4985CF829E6492D8C10963C67D82ED3A98EC4D204BAFEB261
8048	powershell.exe	C:\Users\admin\AppData\Local\TempYS3COY1GHVWZJREQT8MQ0EDQ9APRDTAI.EXE		executable
		MD5:EE7EF20FB86C2D0460968469DDD8F074	SHA256:A69061FD66D532948DA06E199CAB53E84A763A56BCF77E0F66CEE8DC888ACDD1
7188	TempYS3COY1GHVWZJREQT8MQ0EDQ9APRDTAI.EXE	C:\Windows\Tasks\ramez.job		binary
		MD5:4AAF4374A1B6E85E85181B6676E0CD59	SHA256:F40FB1BEA97B2F4B8D00E0CF605D30838D33951243297AED2C9F9D493EC168BC

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7832	powershell.exe	GET	200	185.156.72.2:80	http://185.156.72.2/testmine/random.exe	unknown	—	—	unknown
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
7212	ramez.exe	POST	200	185.156.72.96:80	http://185.156.72.96/te4h2nus/index.php	unknown	—	—	malicious
7212	ramez.exe	POST	200	185.156.72.96:80	http://185.156.72.96/te4h2nus/index.php	unknown	—	—	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7832	powershell.exe	185.156.72.2:80	—	Tov Vaiz Partner	RU	unknown
7212	ramez.exe	185.156.72.96:80	—	Tov Vaiz Partner	RU	malicious
3868	svchost.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
864	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 4.231.128.59	whitelisted
google.com	142.250.186.78	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

PID	Process	Class	Message
7832	powershell.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
7832	powershell.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
7832	powershell.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
7832	powershell.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
7832	powershell.exe	Misc activity	ET INFO Packed Executable Download
7212	ramez.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
7212	ramez.exe	Malware Command and Control Activity Detected	ET MALWARE Amadey CnC Response
7212	ramez.exe	Malware Command and Control Activity Detected	ET MALWARE Amadey CnC Response

General Info

2025-05-16_621e96ab28e9a9144067a6cd9448fa4a_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_luca-stealer

621E96AB28E9A9144067A6CD9448FA4A

2920C526B211A6BDB7D1D65F6732E7FB67B6BCAE

09CA1BD1F19DE66D3CED8127A04EC63F27B41CF9EE70594D744E5AB78A1A6410

49152:KPPkzemqoSut3Jh4+QQ/btosJwIA4hHmZlKH2Tw/Pq83zw0bCjvk9G661QGtBqXo:AP/mp7t3T4+B/btosJwIA4hHmZlKH2TO

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Uses Task Scheduler to run other applications

Run PowerShell with an invisible window

Request from PowerShell that ran from MSHTA.EXE

AMADEY mutex has been found

Script downloads file (POWERSHELL)

AMADEY has been detected (YARA)

AMADEY has been detected (SURICATA)

Connects to the CnC server

SUSPICIOUS

Starts CMD.EXE for commands execution

Starts POWERSHELL.EXE for commands execution

Found IP address in command line

Probably download files using WebClient

Starts process via Powershell

Process requests binary or script from the Internet

Manipulates environment variables

Starts itself from another location

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Connects to the server without a host name

Potential Corporate Privacy Violation

The process executes via Task Scheduler

Contacting a server suspected of hosting an CnC

There is functionality for enable RDP (YARA)

There is functionality for taking screenshot (YARA)

INFO

Checks supported languages

The sample compiled with english language support

Reads mouse settings

Reads the computer name

Create files in a temporary directory

Reads Internet Explorer settings

Auto-launch of the file from Task Scheduler

Checks proxy server information

Disables trace logs

Manual execution by a user

Script raised an exception (POWERSHELL)

The executable file from the user directory is run by the Powershell process

Process checks computer location settings

Reads the software policy settings

Malware configuration

Amadey

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

Amadey

Information

Modules

Information

Modules

Information