File name:	2c4c647bf88dd4a7aa10c5bdec41eaae21c82771bc7139c44d217893cb4d5f66
Full analysis:	https://app.any.run/tasks/2feb9bcc-3539-44e4-9a2f-14784fee3fc3
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 25, 2024, 10:51:41
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	amadey botnet stealer themida
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	AB7FC466CF411948717BF96DF5BD1360
SHA1:	A66C04B61AEA8530E48EF8FADCEEE0E686203314
SHA256:	2C4C647BF88DD4A7AA10C5BDEC41EAAE21C82771BC7139C44D217893CB4D5F66
SSDEEP:	98304:Yn2HHtp5vTrLqiodenCPV0CKN1F2XhfhkPJi4m/2nVWVeFwN/v/dATyOU44D0l2+:7608GQEg

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:05:24 22:49:06+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.13
CodeSize:	25600
InitializedDataSize:	7405568
UninitializedDataSize:	-
EntryPoint:	0x6a60
OSVersion:	10
ImageVersion:	10
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	11.0.17763.1
ProductVersionNumber:	11.0.17763.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Win32 Cabinet Self-Extractor
FileVersion:	11.00.17763.1 (WinBuild.160101.0800)
InternalName:	Wextract
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	WEXTRACT.EXE .MUI
ProductName:	Internet Explorer
ProductVersion:	11.00.17763.1


(PID) Process:	(4052) skotes.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(4052) skotes.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(4052) skotes.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
5696	2c4c647bf88dd4a7aa10c5bdec41eaae21c82771bc7139c44d217893cb4d5f66.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\4f926j.exe		executable
		MD5:608D3DA8209E0D1C47B711E477034BC8	SHA256:27325DE4206E0DC0953AD9256E77E3A16A1575A6FC71435C2C389E9FDF6F29B5
6004	x7K05.exe	C:\Users\admin\AppData\Local\Temp\IXP001.TMP\y7h57.exe		executable
		MD5:9E4A6E65C9CC2BFBBAC88A6DF079FC95	SHA256:D443C9AAEC90AE11EF4F234AE23CC90F71069AD4F3FB2511093B945A3DDB51CD
5696	2c4c647bf88dd4a7aa10c5bdec41eaae21c82771bc7139c44d217893cb4d5f66.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\x7K05.exe		executable
		MD5:34A123CBD776B38A22D659F3FA1E0F00	SHA256:9F787805D8A387F7FE694D1161358EBB715E3453CC64DA34EED84244AF2EC456
4592	y7h57.exe	C:\Users\admin\AppData\Local\Temp\IXP002.TMP\1g67n2.exe		executable
		MD5:D1DB9F49809A809C02D7BD1DB1ECE2F6	SHA256:063ED70B1AAABFB3D0B8D4408180BA1C5C507F259D5BC0BDCEF4FE7528ED7B57
1876	1g67n2.exe	C:\Users\admin\AppData\Local\Temp\abc3bc1985\skotes.exe		executable
		MD5:D1DB9F49809A809C02D7BD1DB1ECE2F6	SHA256:063ED70B1AAABFB3D0B8D4408180BA1C5C507F259D5BC0BDCEF4FE7528ED7B57
1876	1g67n2.exe	C:\Windows\Tasks\skotes.job		binary
		MD5:5566A0E37477F1CCB1174F6C6F2CF47E	SHA256:08A851377858270B9C31697E0316B17A2738DEE329197CAD7ED0F2D137CF1E45
4592	y7h57.exe	C:\Users\admin\AppData\Local\Temp\IXP002.TMP\2M2766.exe		executable
		MD5:F43DA1849C2034E8B875D5B10B9E1964	SHA256:BEF63829D8B8DC6800078F7DEA23052BA5E21CD55F5AB3E9AAE521B84A758000
6004	x7K05.exe	C:\Users\admin\AppData\Local\Temp\IXP001.TMP\3O96k.exe		executable
		MD5:EC2B785F84C4C57983920F431A8F78CE	SHA256:8C03B7C9BC22DE662F3340049DD7FC98A640B99C0E4B58C1BF3A0D334BE53BA8

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	1.01 Kb	whitelisted
3700	svchost.exe	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	1.01 Kb	whitelisted
432	RUXIMICS.exe	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	1.01 Kb	whitelisted
3700	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	NL	—	973 b	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	NL	—	973 b	whitelisted
432	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	NL	—	973 b	whitelisted
4052	skotes.exe	POST	200	185.215.113.43:80	http://185.215.113.43/Zu7JuNko/index.php	SC	binary	1 b	malicious
4052	skotes.exe	POST	200	185.215.113.43:80	http://185.215.113.43/Zu7JuNko/index.php	SC	text	7 b	malicious
—	—	POST	—	104.21.1.25:443	https://story-tense-faz.sbs/api	US	—	—	unknown
—	—	POST	—	104.21.80.208:443	https://blade-govern.sbs/api	US	—	—	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
3700	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
432	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.23.209.187:443	www.bing.com	Akamai International B.V.	GB	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3700	svchost.exe	2.16.164.9:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.9:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
432	RUXIMICS.exe	2.16.164.9:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
3700	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158	whitelisted
www.bing.com	2.23.209.187 2.23.209.137 2.23.209.141 2.23.209.140 2.23.209.135 2.23.209.132 2.23.209.189 2.23.209.191 2.23.209.142	whitelisted
google.com	142.250.181.238	whitelisted
crl.microsoft.com	2.16.164.9 2.16.164.106 2.16.164.49	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
property-imper.sbs	—	unknown
frogs-severz.sbs	188.114.97.3 188.114.96.3	malicious
occupy-blushi.sbs	172.67.187.240 104.21.7.169	unknown
blade-govern.sbs	104.21.80.208 172.67.153.209	unknown
story-tense-faz.sbs	172.67.151.225 104.21.1.25	unknown

PID	Process	Class	Message
4052	skotes.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 33
4052	skotes.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)

Process	Message
1g67n2.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
skotes.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
2M2766.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
skotes.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
skotes.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
skotes.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------

General Info

2c4c647bf88dd4a7aa10c5bdec41eaae21c82771bc7139c44d217893cb4d5f66

AB7FC466CF411948717BF96DF5BD1360

A66C04B61AEA8530E48EF8FADCEEE0E686203314

2C4C647BF88DD4A7AA10C5BDEC41EAAE21C82771BC7139C44D217893CB4D5F66

98304:Yn2HHtp5vTrLqiodenCPV0CKN1F2XhfhkPJi4m/2nVWVeFwN/v/dATyOU44D0l2+:7608GQEg

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

AMADEY has been detected (SURICATA)

AMADEY has been detected (YARA)

Connects to the CnC server

SUSPICIOUS

Executable content was dropped or overwritten

Starts a Microsoft application from unusual location

Process drops legitimate windows executable

Reads the BIOS version

Reads security settings of Internet Explorer

Starts itself from another location

The process executes via Task Scheduler

Connects to the server without a host name

Contacting a server suspected of hosting an CnC

INFO

Checks supported languages

Create files in a temporary directory

Sends debugging messages

Reads the computer name

The process uses the downloaded file

Process checks computer location settings

Themida protector has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings