File name:	2025-05-18_60c0867e88de1261640d9f30bab5b9d2_amadey_black-basta_cobalt-strike_elex_luca-stealer
Full analysis:	https://app.any.run/tasks/15d78e45-1711-4549-81d5-71e3b0195a4f
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 18, 2025, 21:44:33
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto-reg amadey botnet stealer loader
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	60C0867E88DE1261640D9F30BAB5B9D2
SHA1:	13CA201F8CD63BF3C952392812D84D32314F8A48
SHA256:	3ED3615C1C73B0F9BF84AC5AEBA9C557EFEE4DA63609B2779379DBDAF4FB4285
SSDEEP:	3072:kHGIxvLxlvLhsw9IAt/NyKrGAQ+JMtDhKlS/L5hEberewx8MnnrpV2HwtZY:Q1dlds4I4/y+JMVhK6rrZwQn

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:07:24 12:21:28+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.24
CodeSize:	177664
InitializedDataSize:	53760
UninitializedDataSize:	-
EntryPoint:	0x1563f
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI


(PID) Process:	(7792) pdates.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Operation:	write	Name:	Startup
Value: C:\Users\admin\AppData\Local\Temp\925e7e99c5\
(PID) Process:	(7792) pdates.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7792) pdates.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7792) pdates.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
7736	2025-05-18_60c0867e88de1261640d9f30bab5b9d2_amadey_black-basta_cobalt-strike_elex_luca-stealer.exe	C:\Users\admin\AppData\Local\Temp\925e7e99c5\pdates.exe		executable
		MD5:60C0867E88DE1261640D9F30BAB5B9D2	SHA256:3ED3615C1C73B0F9BF84AC5AEBA9C557EFEE4DA63609B2779379DBDAF4FB4285

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7192	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
7792	pdates.exe	POST	—	77.91.68.61:80	http://77.91.68.61/rock/index.php	unknown	—	—	malicious
7192	SIHClient.exe	GET	200	2.16.168.124:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7192	SIHClient.exe	GET	200	2.16.168.124:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
7192	SIHClient.exe	GET	200	2.16.168.124:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
7192	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7192	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
7792	pdates.exe	GET	—	77.91.68.61:80	http://77.91.68.61/rock/Plugins/clip64.dll	unknown	—	—	malicious
7192	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
7192	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
7792	pdates.exe	77.91.68.61:80	—	Foton Telecom CJSC	RU	malicious
7192	SIHClient.exe	52.149.20.212:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7192	SIHClient.exe	2.16.168.124:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
7192	SIHClient.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
7192	SIHClient.exe	20.242.39.171:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7396	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	216.58.206.78	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted
crl.microsoft.com	2.16.168.124 2.16.168.114	whitelisted
www.microsoft.com	2.23.246.101	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
nexusrules.officeapps.live.com	52.111.227.13	whitelisted
login.live.com	20.190.160.65 20.190.160.20 40.126.32.140 40.126.32.72 20.190.160.131 40.126.32.134 20.190.160.4 20.190.160.22	whitelisted

PID	Process	Class	Message
7792	pdates.exe	Misc activity	SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body
7792	pdates.exe	Malware Command and Control Activity Detected	ET MALWARE Amadey CnC Check-In
7792	pdates.exe	A Network Trojan was detected	ET MALWARE Win32/Amadey Bot Activity (POST) M2
7792	pdates.exe	Potentially Bad Traffic	ET INFO Dotted Quad Host DLL Request
7792	pdates.exe	A Network Trojan was detected	BOTNET [ANY.RUN] Amadey Clipper plugin download request
7792	pdates.exe	Potentially Bad Traffic	ET INFO Dotted Quad Host DLL Request
7792	pdates.exe	A Network Trojan was detected	BOTNET [ANY.RUN] Amadey Stealer plugin download request

General Info

2025-05-18_60c0867e88de1261640d9f30bab5b9d2_amadey_black-basta_cobalt-strike_elex_luca-stealer

60C0867E88DE1261640D9F30BAB5B9D2

13CA201F8CD63BF3C952392812D84D32314F8A48

3ED3615C1C73B0F9BF84AC5AEBA9C557EFEE4DA63609B2779379DBDAF4FB4285

3072:kHGIxvLxlvLhsw9IAt/NyKrGAQ+JMtDhKlS/L5hEberewx8MnnrpV2HwtZY:Q1dlds4I4/y+JMVhK6rrZwQn

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Uses Task Scheduler to run other applications

AMADEY mutex has been found

Changes the autorun value in the registry

AMADEY has been detected (YARA)

Connects to the CnC server

AMADEY has been detected (SURICATA)

SUSPICIOUS

Executable content was dropped or overwritten

Starts itself from another location

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

Application launched itself

Process requests binary or script from the Internet

The process executes via Task Scheduler

Contacting a server suspected of hosting an CnC

Connects to the server without a host name

Uses ICACLS.EXE to modify access control lists

INFO

Reads the computer name

Create files in a temporary directory

Checks supported languages

Process checks computer location settings

Auto-launch of the file from Registry key

Checks proxy server information

Creates files or folders in the user directory

Reads the software policy settings

Malware configuration

Amadey

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

Amadey

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats