File name:	4d8fbc7578dca954407746a1d73e3232cd8db79dccd57acbeef80da369069a91
Full analysis:	https://app.any.run/tasks/b7160e69-5bf3-49db-9421-cb31cd5c100e
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 04, 2024, 16:27:29
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	amadey botnet stealer rdp
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	98E538D63EC5A23A3ACC374236AE20B6
SHA1:	F3FEC38F80199E346CAC912BF8B65249988A2A7E
SHA256:	4D8FBC7578DCA954407746A1D73E3232CD8DB79DCCD57ACBEEF80DA369069A91
SSDEEP:	24576:TwzmSMrgSB+MRSynBUp0htJ77XhJW4kHIBWUpFdY7CGO:TwrMrgSB+MRBnBUpstJ77XhJW4kHIBWy

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe	\|	Win64 Executable (generic) (23.8)
.dll	\|	Win32 Dynamic Link Library (generic) (5.6)
.exe	\|	Win32 Executable (generic) (3.8)
.exe	\|	Generic Win/DOS Executable (1.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2060:10:07 07:51:44+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32
LinkerVersion:	48
CodeSize:	647680
InitializedDataSize:	103936
UninitializedDataSize:	-
EntryPoint:	0x224e2
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	228.569.201.458
ProductVersionNumber:	228.569.201.458
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	Identifiersethierarchy
CompanyName:	Win32CompilePool
FileDescription:	SolutionSHARErepeatExAUnsafe
FileVersion:	228.569.201.458
InternalName:	random
LegalCopyright:	BuildargumentAnyAppDomainSend © 2006
LegalTrademarks:	-
OriginalFileName:	random
ProductName:	listreadExAContext
ProductVersion:	228.569.201.458
AssemblyVersion:	404.561.589.196


(PID) Process:	(7108) AppLaunch.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7108) AppLaunch.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7108) AppLaunch.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
1732	4d8fbc7578dca954407746a1d73e3232cd8db79dccd57acbeef80da369069a91.exe	C:\ProgramData\ogriIqEF\Application.exe		executable
		MD5:98E538D63EC5A23A3ACC374236AE20B6	SHA256:4D8FBC7578DCA954407746A1D73E3232CD8DB79DCCD57ACBEEF80DA369069A91
1732	4d8fbc7578dca954407746a1d73e3232cd8db79dccd57acbeef80da369069a91.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ogriIqEF.url		binary
		MD5:579A3BBC08A3A7026E254FD8B5EB4F3E	SHA256:C65160D5A4D3B07965616BD1A0D717683DC40D71E570AF429D814A1E775A1249
7108	AppLaunch.exe	C:\Users\admin\AppData\Local\Temp\693682860607		image
		MD5:A5FED718F274901B8FE883AEF7C49B74	SHA256:5146590081E2B0069EB665C9F22FF100636E5A53D911DA214FE67E9F71F12E44

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5640	RUXIMICS.exe	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	23.32.185.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	23.32.185.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7108	AppLaunch.exe	POST	200	185.215.113.217:80	http://185.215.113.217/CoreOPT/index.php?scr=1	unknown	—	—	malicious
—	—	POST	200	185.215.113.217:80	http://185.215.113.217/CoreOPT/index.php	unknown	—	—	malicious
7108	AppLaunch.exe	POST	200	185.215.113.217:80	http://185.215.113.217/CoreOPT/index.php	unknown	—	—	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	2.23.209.141:443	—	Akamai International B.V.	GB	unknown
5640	RUXIMICS.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5488	MoUsoCoreWorker.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6944	svchost.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5640	RUXIMICS.exe	2.16.164.9:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5488	MoUsoCoreWorker.exe	2.16.164.9:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
6944	svchost.exe	2.16.164.9:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5488	MoUsoCoreWorker.exe	23.32.185.131:80	www.microsoft.com	AKAMAI-AS	BR	whitelisted
6944	svchost.exe	23.32.185.131:80	www.microsoft.com	AKAMAI-AS	BR	whitelisted

Domain	IP	Reputation
google.com	142.250.186.174	whitelisted
crl.microsoft.com	2.16.164.9 2.16.164.49	whitelisted
www.microsoft.com	23.32.185.131	whitelisted
settings-win.data.microsoft.com	4.231.128.59	whitelisted
self.events.data.microsoft.com	51.104.15.252	whitelisted

PID	Process	Class	Message
7108	AppLaunch.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 33
7108	AppLaunch.exe	A Network Trojan was detected	ET MALWARE Amadey Bot Activity (POST) M1
7108	AppLaunch.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)

General Info

4d8fbc7578dca954407746a1d73e3232cd8db79dccd57acbeef80da369069a91

98E538D63EC5A23A3ACC374236AE20B6

F3FEC38F80199E346CAC912BF8B65249988A2A7E

4D8FBC7578DCA954407746A1D73E3232CD8DB79DCCD57ACBEEF80DA369069A91

24576:TwzmSMrgSB+MRSynBUp0htJ77XhJW4kHIBWUpFdY7CGO:TwrMrgSB+MRBnBUpstJ77XhJW4kHIBWy

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

AMADEY has been detected (SURICATA)

Connects to the CnC server

AMADEY has been detected (YARA)

SUSPICIOUS

Contacting a server suspected of hosting an CnC

Connects to the server without a host name

Executable content was dropped or overwritten

There is functionality for enable RDP (YARA)

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Malware configuration

Amadey

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Malware configuration

Amadey

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings