File name:	file.exe
Full analysis:	https://app.any.run/tasks/c37ffdae-3817-41a7-be0f-85314371c810
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	December 14, 2024, 03:56:41
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	amadey botnet stealer themida
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	C34A786DE9705B019FFA55C575B12412
SHA1:	105A41ABBA38C4420D3B6ED6F7F464374257559B
SHA256:	423D31C445F4F1B659E88A21E588D5C96910E86C6F40EA271201FBB55D40F39D
SSDEEP:	98304:KiOIMGTJOyM6NNJZnjApX64g0mh3rtRqLIxRyroGbAydBw1GnEu9qJFWQv3Bl2By:x+Cw

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

Subsystem:	Windows GUI
SubsystemVersion:	6
ImageVersion:	-
OSVersion:	6
EntryPoint:	0x31b000
UninitializedDataSize:	-
InitializedDataSize:	104448
CodeSize:	322048
LinkerVersion:	14.24
PEType:	PE32
ImageFileCharacteristics:	Executable, 32-bit
TimeStamp:	2024:09:22 17:40:44+00:00
MachineType:	Intel 386 or later, and compatibles


(PID) Process:	(1616) skotes.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(1616) skotes.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(1616) skotes.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
712	file.exe	C:\Users\admin\AppData\Local\Temp\abc3bc1985\skotes.exe		executable
		MD5:C34A786DE9705B019FFA55C575B12412	SHA256:423D31C445F4F1B659E88A21E588D5C96910E86C6F40EA271201FBB55D40F39D
712	file.exe	C:\Windows\Tasks\skotes.job		binary
		MD5:4CB4F13B366CF63454B7A30C9918A22E	SHA256:22E1361F098BF48FF6525F88C16D0E5216C5A649BD5B1156654BAE5760CC7F78

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	2.20.245.138:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4328	svchost.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1616	skotes.exe	POST	200	185.215.113.43:80	http://185.215.113.43/Zu7JuNko/index.php	unknown	—	—	malicious
4328	svchost.exe	GET	200	2.20.245.138:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1616	skotes.exe	POST	200	185.215.113.43:80	http://185.215.113.43/Zu7JuNko/index.php	unknown	—	—	malicious
5208	RUXIMICS.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5208	RUXIMICS.exe	GET	200	2.20.245.138:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
5208	RUXIMICS.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4328	svchost.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	2.20.245.138:80	crl.microsoft.com	Akamai International B.V.	SE	whitelisted
5208	RUXIMICS.exe	2.20.245.138:80	crl.microsoft.com	Akamai International B.V.	SE	whitelisted
4328	svchost.exe	2.20.245.138:80	crl.microsoft.com	Akamai International B.V.	SE	whitelisted
4712	MoUsoCoreWorker.exe	2.23.181.156:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5208	RUXIMICS.exe	2.23.181.156:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
google.com	142.250.184.206	whitelisted
crl.microsoft.com	2.20.245.138 2.20.245.133 2.20.245.135 2.20.245.139	whitelisted
www.microsoft.com	2.23.181.156	whitelisted
settings-win.data.microsoft.com	20.73.194.208	whitelisted
self.events.data.microsoft.com	20.50.73.9	whitelisted

PID	Process	Class	Message
—	—	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 33
—	—	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)

Process	Message
file.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
skotes.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
skotes.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
skotes.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
skotes.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------

General Info

file.exe

C34A786DE9705B019FFA55C575B12412

105A41ABBA38C4420D3B6ED6F7F464374257559B

423D31C445F4F1B659E88A21E588D5C96910E86C6F40EA271201FBB55D40F39D

98304:KiOIMGTJOyM6NNJZnjApX64g0mh3rtRqLIxRyroGbAydBw1GnEu9qJFWQv3Bl2By:x+Cw

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Connects to the CnC server

AMADEY has been detected (SURICATA)

AMADEY has been detected (YARA)

SUSPICIOUS

Reads the BIOS version

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Starts itself from another location

Contacting a server suspected of hosting an CnC

The process executes via Task Scheduler

Connects to the server without a host name

INFO

Sends debugging messages

Checks supported languages

Create files in a temporary directory

Reads the computer name

The process uses the downloaded file

Process checks computer location settings

Checks proxy server information

Themida protector has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings