| File name: | 539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe |
| Full analysis: | https://app.any.run/tasks/1cded0c0-1488-4831-b90e-048a77f90fd8 |
| Verdict: | Malicious activity |
| Threats: | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. |
| Analysis date: | March 01, 2025, 03:12:04 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections |
| MD5: | 36E536A514745CAB05F83CBE5F4A412E |
| SHA1: | BEFB59B14249E5F240BB80281F1A14663438B126 |
| SHA256: | 539B89630BF205ECE9A5E8E8A1326534C5A39DC511839C68ECB99EF9F5A97715 |
| SSDEEP: | 98304:Jcbe1/0JVyOlzP21GVDc+bVcaBE06/OTnoL48zq54WwzQ5m02Fh+pgIxIeKHn662:4iLpb |
MALICIOUS
Executing a file with an untrusted certificate
- 539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe (PID: 7800)
- Gxtuum.exe (PID: 7956)
- mlffoto.exe (PID: 4244)
- winnet.exe (PID: 6640)
- Gxtuum.exe (PID: 7156)
- Gxtuum.exe (PID: 7468)
AMADEY mutex has been found
- 539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe (PID: 7800)
- Gxtuum.exe (PID: 7956)
- Gxtuum.exe (PID: 7156)
- Gxtuum.exe (PID: 7468)
AMADEY has been detected (SURICATA)
- Gxtuum.exe (PID: 7956)
AMADEY has been detected (YARA)
- Gxtuum.exe (PID: 7956)
TAS17 has been detected
- winnet.exe (PID: 6640)
SYSTEMBC mutex has been found
- mlffoto.exe (PID: 4244)
SUSPICIOUS
Reads the BIOS version
- 539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe (PID: 7800)
- Gxtuum.exe (PID: 7956)
- winnet.exe (PID: 6640)
- mlffoto.exe (PID: 4244)
- Gxtuum.exe (PID: 7156)
- Gxtuum.exe (PID: 7468)
Executable content was dropped or overwritten
- 539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe (PID: 7800)
- Gxtuum.exe (PID: 7956)
- winnet.exe (PID: 6640)
Starts itself from another location
- 539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe (PID: 7800)
Reads security settings of Internet Explorer
- 539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe (PID: 7800)
- Gxtuum.exe (PID: 7956)
Contacting a server suspected of hosting an CnC
- Gxtuum.exe (PID: 7956)
Process requests binary or script from the Internet
- Gxtuum.exe (PID: 7956)
Connects to the server without a host name
- Gxtuum.exe (PID: 7956)
Potential Corporate Privacy Violation
- Gxtuum.exe (PID: 7956)
There is functionality for enable RDP (YARA)
- Gxtuum.exe (PID: 7956)
The process executes via Task Scheduler
- mlffoto.exe (PID: 4244)
- Gxtuum.exe (PID: 7468)
- Gxtuum.exe (PID: 7156)
Connects to unusual port
- mlffoto.exe (PID: 4244)
INFO
Checks supported languages
- 539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe (PID: 7800)
- Gxtuum.exe (PID: 7956)
- winnet.exe (PID: 6640)
- mlffoto.exe (PID: 4244)
- Gxtuum.exe (PID: 7156)
- Gxtuum.exe (PID: 7468)
Process checks computer location settings
- 539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe (PID: 7800)
- Gxtuum.exe (PID: 7956)
Reads the computer name
- 539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe (PID: 7800)
- Gxtuum.exe (PID: 7956)
- winnet.exe (PID: 6640)
- mlffoto.exe (PID: 4244)
Create files in a temporary directory
- 539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe (PID: 7800)
Checks proxy server information
- Gxtuum.exe (PID: 7956)
- slui.exe (PID: 7320)
Creates files or folders in the user directory
- Gxtuum.exe (PID: 7956)
Creates files in the program directory
- winnet.exe (PID: 6640)
Themida protector has been detected
- Gxtuum.exe (PID: 7956)
- winnet.exe (PID: 6640)
- mlffoto.exe (PID: 4244)
Reads the software policy settings
- slui.exe (PID: 7320)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Amadey
(PID) Process(7956) Gxtuum.exe
C2cobolrationumelawrtewarms.com
Strings (125)d1
/Plugins/
cred.dll
.jpg
|
%-lu
<d>
lv:
shell32.dll
GetNativeSystemInfo
Content-Disposition: form-data; name="data"; filename="
Powershell.exe
\
Kaspersky Lab
\0000
cred.dll|clip.dll|
kernel32.dll
" && ren
------
rundll32
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
sd:
&&
rb
VideoID
Content-Type: application/x-www-form-urlencoded
2016
0123456789
SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
r=
CurrentBuild
a58456755d
Doctor Web
ComputerName
\App
0000043f
cmd
DefaultSettings.XResolution
Bitdefender
WinDefender
av:
Content-Type: multipart/form-data; boundary=----
ar:
--
2022
Startup
/k
abcdefghijklmnopqrstuvwxyz0123456789-_
=
SYSTEM\ControlSet001\Services\BasicDisplay\Video
00000419
2019
&unit=
" && timeout 1 && del
Main
S-%lu-
shutdown -s -t 0
DefaultSettings.YResolution
GET
"taskkill /f /im "
Norton
Gxtuum.exe
exe
dm:
5.21
SOFTWARE\Microsoft\Windows NT\CurrentVersion
-%lu
cobolrationumelawrtewarms.com
360TotalSecurity
bi:
random
os:
http://
id:
pc:
dll
wb
zip
<c>
AVG
+++
msi
Sophos
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
:::
-unicode-
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
#
ProductName
00000422
ESET
"
Content-Type: application/octet-stream
/quiet
Keyboard Layout\Preload
un:
2025
"
00000423
https://
clip.dll
/3ofn3jf3e2ljk/index.php
e3
AVAST Software
Programs
vs:
ps1
Avira
Comodo
og:
&& Exit"
st=s
e1
?scr=1
POST
cmd /C RMDIR /s/q
%USERPROFILE%
------
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
e2
Rem
rundll32.exe
Panda Security
ProgramData\
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
-executionpolicy remotesigned -File "
TRiD
| .dll | | | Win32 Dynamic Link Library (generic) (43.5) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (29.8) |
| .exe | | | Generic Win/DOS Executable (13.2) |
| .exe | | | DOS Executable Generic (13.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2025:02:21 12:56:58+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.29 |
| CodeSize: | 324096 |
| InitializedDataSize: | 114688 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x4b2000 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
Total processes
129
Monitored processes
8
Malicious processes
6
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4244 | "C:\ProgramData\elmjegc\mlffoto.exe" | C:\ProgramData\elmjegc\mlffoto.exe | svchost.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
| 6640 | "C:\Users\admin\AppData\Roaming\10000440100\winnet.exe" | C:\Users\admin\AppData\Roaming\10000440100\winnet.exe | Gxtuum.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 7156 | "C:\Users\admin\AppData\Local\Temp\a58456755d\Gxtuum.exe" | C:\Users\admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | — | svchost.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 7320 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7468 | "C:\Users\admin\AppData\Local\Temp\a58456755d\Gxtuum.exe" | C:\Users\admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | — | svchost.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 7800 | "C:\Users\admin\Desktop\539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe" | C:\Users\admin\Desktop\539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 7956 | "C:\Users\admin\AppData\Local\Temp\a58456755d\Gxtuum.exe" | C:\Users\admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | 539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
Amadey(PID) Process(7956) Gxtuum.exe C2cobolrationumelawrtewarms.com Strings (125)d1 /Plugins/ cred.dll .jpg | %-lu <d> lv: shell32.dll GetNativeSystemInfo Content-Disposition: form-data; name="data"; filename=" Powershell.exe \ Kaspersky Lab \0000 cred.dll|clip.dll| kernel32.dll " && ren ------ rundll32 SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders sd: && rb VideoID Content-Type: application/x-www-form-urlencoded 2016 0123456789 SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\ r= CurrentBuild a58456755d Doctor Web ComputerName \App 0000043f cmd DefaultSettings.XResolution Bitdefender WinDefender av: Content-Type: multipart/form-data; boundary=---- ar: -- 2022 Startup /k abcdefghijklmnopqrstuvwxyz0123456789-_ = SYSTEM\ControlSet001\Services\BasicDisplay\Video 00000419 2019 &unit= " && timeout 1 && del Main S-%lu- shutdown -s -t 0 DefaultSettings.YResolution GET "taskkill /f /im " Norton Gxtuum.exe exe dm: 5.21 SOFTWARE\Microsoft\Windows NT\CurrentVersion -%lu cobolrationumelawrtewarms.com 360TotalSecurity bi: random os: http:// id: pc: dll wb zip <c> AVG +++ msi Sophos SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName ::: -unicode- SOFTWARE\Microsoft\Windows\CurrentVersion\Run # ProductName 00000422 ESET "
Content-Type: application/octet-stream /quiet Keyboard Layout\Preload un: 2025 " 00000423 https:// clip.dll /3ofn3jf3e2ljk/index.php e3 AVAST Software Programs vs: ps1 Avira Comodo og: && Exit" st=s e1 ?scr=1 POST cmd /C RMDIR /s/q %USERPROFILE% ------ SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders e2 Rem rundll32.exe Panda Security ProgramData\ SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce -executionpolicy remotesigned -File " | |||||||||||||||
Total events
4 803
Read events
4 800
Write events
3
Delete events
0
Modification events
| (PID) Process: | (7956) Gxtuum.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (7956) Gxtuum.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (7956) Gxtuum.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
Executable files
4
Suspicious files
2
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7956 | Gxtuum.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\winnet[1].exe | executable | |
MD5:598CBB4775BEC2B1AAC2CB43EF00321E | SHA256:A89977186920E1F4104C034B686663B530FE1DF480632685301EA0AC643290DE | |||
| 6640 | winnet.exe | C:\Windows\Tasks\Test Task17.job | binary | |
MD5:25747CBC250D87CC013557E86C33F146 | SHA256:22A150AE792120E786D63DFC481EDCDC7F4449160050AB10CB03654970E867FF | |||
| 7800 | 539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe | C:\Windows\Tasks\Gxtuum.job | binary | |
MD5:3F9E6A4B284ACF423887F246B921CDBC | SHA256:D3BE4CDAF9043E5F1C15F7627697E0464D64C4331732C2CD1B9B36C6B90477DE | |||
| 7800 | 539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715.exe | C:\Users\admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | executable | |
MD5:36E536A514745CAB05F83CBE5F4A412E | SHA256:539B89630BF205ECE9A5E8E8A1326534C5A39DC511839C68ECB99EF9F5A97715 | |||
| 7956 | Gxtuum.exe | C:\Users\admin\AppData\Roaming\10000440100\winnet.exe | executable | |
MD5:598CBB4775BEC2B1AAC2CB43EF00321E | SHA256:A89977186920E1F4104C034B686663B530FE1DF480632685301EA0AC643290DE | |||
| 6640 | winnet.exe | C:\ProgramData\elmjegc\mlffoto.exe | executable | |
MD5:598CBB4775BEC2B1AAC2CB43EF00321E | SHA256:A89977186920E1F4104C034B686663B530FE1DF480632685301EA0AC643290DE | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
23
DNS requests
7
Threats
5
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
7956 | Gxtuum.exe | GET | 200 | 45.59.120.8:80 | http://45.59.120.8/files/release/winnet.exe | unknown | — | — | unknown |
7956 | Gxtuum.exe | POST | 200 | 107.189.27.66:80 | http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.php | unknown | — | — | malicious |
7956 | Gxtuum.exe | POST | 200 | 107.189.27.66:80 | http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.php | unknown | — | — | malicious |
7956 | Gxtuum.exe | POST | 200 | 107.189.27.66:80 | http://cobolrationumelawrtewarms.com/3ofn3jf3e2ljk/index.php | unknown | — | — | malicious |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 192.168.100.255:138 | — | — | — | whitelisted |
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
7956 | Gxtuum.exe | 107.189.27.66:80 | cobolrationumelawrtewarms.com | PONYNET | US | malicious |
7956 | Gxtuum.exe | 45.59.120.8:80 | — | — | CA | unknown |
7544 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4244 | mlffoto.exe | 62.60.226.86:4000 | towerbingobongoboom.com | Iranian Research Organization for Science & Technology | HK | malicious |
4244 | mlffoto.exe | 62.60.226.86:4280 | towerbingobongoboom.com | Iranian Research Organization for Science & Technology | HK | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
cobolrationumelawrtewarms.com |
| malicious |
activation-v2.sls.microsoft.com |
| whitelisted |
towerbingobongoboom.com |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
7956 | Gxtuum.exe | Malware Command and Control Activity Detected | BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s) |
7956 | Gxtuum.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
7956 | Gxtuum.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |
7956 | Gxtuum.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
7956 | Gxtuum.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |