File name:	_3907a88fa142d0fc99be51a4421fb0558a6ba960c1a614d839f6f4f173a336f9.exe
Full analysis:	https://app.any.run/tasks/831de96c-0cfb-4ecd-9cf4-04446dfa0c03
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 27, 2026, 23:19:04
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	amadey botnet stealer golang
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 6 sections
MD5:	950231C031E667B92B11FE26D5FAA0ED
SHA1:	70C489B43AB0AD103815F55A470F04369D96192D
SHA256:	3907A88FA142D0FC99BE51A4421FB0558A6BA960C1A614D839F6F4F173A336F9
SSDEEP:	49152:IfKs6r4NOVd64XjYAo1SYT/ltMNrYWv38kmz91uhJkz1tfXOT2KXqZdmkhrZ8xTD:pY4XjYAo1SYT/lW1dm51uhJkz1lX1yqc

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.5)
.exe	\|	Generic Win/DOS Executable (5.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	Executable, 32-bit, No debug
PEType:	PE32
LinkerVersion:	3
CodeSize:	560640
InitializedDataSize:	86528
UninitializedDataSize:	-
EntryPoint:	0x5cf00
OSVersion:	6.1
ImageVersion:	1
SubsystemVersion:	6.1
Subsystem:	Windows GUI


(PID) Process:	(7816) slui.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:	write	Name:	@%SystemRoot%\System32\sppcomapi.dll,-3200
Value: Software Licensing
(PID) Process:	(8984) Bwale.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(8984) Bwale.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(8984) Bwale.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
4608	_3907a88fa142d0fc99be51a4421fb0558a6ba960c1a614d839f6f4f173a336f9.exe	C:\Windows\Tasks\Bwale.job		binary
		MD5:1485C06518B218A3285CEA7D31B9CCAF	SHA256:0B745779A753B8B9B1CF9E7E2B3B9CFB96A21FE5785DA5FD523B720886C425DA
4608	_3907a88fa142d0fc99be51a4421fb0558a6ba960c1a614d839f6f4f173a336f9.exe	C:\Users\admin\AppData\Local\Temp\adb7f46c0c\Bwale.exe		executable
		MD5:950231C031E667B92B11FE26D5FAA0ED	SHA256:3907A88FA142D0FC99BE51A4421FB0558A6BA960C1A614D839F6F4F173A336F9

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3340	svchost.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
3340	svchost.exe	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
5276	MoUsoCoreWorker.exe	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
7816	slui.exe	POST	503	48.192.1.64:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	—	—	whitelisted
7816	slui.exe	POST	503	48.192.1.64:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	html	190 b	whitelisted
8984	Bwale.exe	POST	200	91.92.242.236:80	http://91.92.242.236/oPvjr94jfe/index.php	SC	text	9 b	malicious
8984	Bwale.exe	POST	200	91.92.242.236:80	http://91.92.242.236/oPvjr94jfe/index.php	SC	text	7 b	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
5276	MoUsoCoreWorker.exe	57.153.246.3:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
9208	slui.exe	48.192.1.64:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3340	svchost.exe	57.153.246.3:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	92.123.104.63:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
3340	svchost.exe	23.216.77.6:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
3340	svchost.exe	23.52.181.212:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
5276	MoUsoCoreWorker.exe	23.52.181.212:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
3340	svchost.exe	48.209.6.48:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
activation-v2.sls.microsoft.com	48.192.1.64	whitelisted
www.bing.com	92.123.104.63 92.123.104.34 92.123.104.31 92.123.104.32 92.123.104.28	whitelisted
crl.microsoft.com	23.216.77.6 23.216.77.28	whitelisted
www.microsoft.com	23.52.181.212	whitelisted
google.com	142.251.127.102 142.251.127.138 142.251.127.139 142.251.127.113 142.251.127.100 142.251.127.101	whitelisted
settings-win.data.microsoft.com	48.209.6.48	whitelisted
self.events.data.microsoft.com	13.89.179.8	whitelisted

PID	Process	Class	Message
8984	Bwale.exe	Misc activity	INFO [ANY.RUN] Connection to IP from commonly abused ASN (AS214943 RAILNET)
8984	Bwale.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
8984	Bwale.exe	Malware Command and Control Activity Detected	ET MALWARE Amadey CnC Response

General Info

_3907a88fa142d0fc99be51a4421fb0558a6ba960c1a614d839f6f4f173a336f9.exe

950231C031E667B92B11FE26D5FAA0ED

70C489B43AB0AD103815F55A470F04369D96192D

3907A88FA142D0FC99BE51A4421FB0558A6BA960C1A614D839F6F4F173A336F9

49152:IfKs6r4NOVd64XjYAo1SYT/ltMNrYWv38kmz91uhJkz1tfXOT2KXqZdmkhrZ8xTD:pY4XjYAo1SYT/lW1dm51uhJkz1lX1yqc

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

AMADEY has been detected (SURICATA)

SUSPICIOUS

Executable content was dropped or overwritten

Starts itself from another location

Contacting a server suspected of hosting an CnC

The process executes via Task Scheduler

INFO

Checks supported languages

Reads security settings of Internet Explorer

Reads the computer name

Create files in a temporary directory

Process checks computer location settings

Application based on Golang

There is functionality for taking screenshot (YARA)

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings