File name:	_6bc3a6a1c3f7f9663f507c45252fe476cfdbc07d20cc5f2180a366675042e375.exe
Full analysis:	https://app.any.run/tasks/014a6503-da83-4b03-8a5e-69ebc77878a1
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 17, 2026, 23:25:19
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	amadey botnet stealer loader golang auto-reg
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	170AE8BB220382C5160F6A026D113B40
SHA1:	FC1BAAA398D369822CB6DF06D3B5E512B54D93E5
SHA256:	6BC3A6A1C3F7F9663F507C45252FE476CFDBC07D20CC5F2180A366675042E375
SSDEEP:	49152:94HGhxdtj/w2iGgx/uqiwTNzf6xU2iLBWXwbUyE8/QbClN2q6i5OTDRqZKmMf+Hs:yY9jw086S2mk6RErOlY

.exe	\|	Win32 Executable MS Visual C++ (generic) (41)
.exe	\|	Win64 Executable (generic) (36.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.6)
.exe	\|	Win32 Executable (generic) (5.9)
.exe	\|	Win16/32 Executable Delphi generic (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	3
CodeSize:	653312
InitializedDataSize:	29696
UninitializedDataSize:	-
EntryPoint:	0x79040
OSVersion:	6.1
ImageVersion:	1
SubsystemVersion:	6.1
Subsystem:	Windows GUI


(PID) Process:	(7408) slui.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:	write	Name:	@%SystemRoot%\System32\sppcomapi.dll,-3200
Value: Software Licensing
(PID) Process:	(5448) Bwale.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5448) Bwale.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5448) Bwale.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(5448) Bwale.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	file_d65cadee3f4b64a5.dll
Value: rundll32 C:\Users\admin\AppData\Local\Temp\10000270111\file_d65cadee3f4b64a5.dll, DllMain

PID	Process	Filename		Type
5448	Bwale.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\file_d65cadee3f4b64a5[1].dll		executable
		MD5:EE8EE0017DEF162A9056E8D7069DC4F4	SHA256:85EAFDDDDC17A03F7BE9261B28AB49B2566CEDF9D0B96D22D27F758B22CAE828
5448	Bwale.exe	C:\Users\admin\AppData\Local\Temp\10000270111\file_d65cadee3f4b64a5.dll		executable
		MD5:EE8EE0017DEF162A9056E8D7069DC4F4	SHA256:85EAFDDDDC17A03F7BE9261B28AB49B2566CEDF9D0B96D22D27F758B22CAE828
5264	_6bc3a6a1c3f7f9663f507c45252fe476cfdbc07d20cc5f2180a366675042e375.exe	C:\Users\admin\AppData\Local\Temp\adb7f46c0c\Bwale.exe		executable
		MD5:170AE8BB220382C5160F6A026D113B40	SHA256:6BC3A6A1C3F7F9663F507C45252FE476CFDBC07D20CC5F2180A366675042E375
5264	_6bc3a6a1c3f7f9663f507c45252fe476cfdbc07d20cc5f2180a366675042e375.exe	C:\Windows\Tasks\Bwale.job		binary
		MD5:CD03CF07356180049DCD840E9216F85D	SHA256:BA5B9A1BD928E6E960D4B95DDB18EA9D75FCDB747CE4702300C0DA4FF14B4733

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5276	MoUsoCoreWorker.exe	GET	304	51.124.78.146:443	https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30	US	—	—	whitelisted
6076	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
1312	SIHClient.exe	GET	304	20.165.94.63:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	US	—	—	whitelisted
6076	svchost.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
5276	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
7408	slui.exe	POST	500	48.192.1.64:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	text	512 b	whitelisted
7408	slui.exe	POST	500	48.192.1.64:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	text	512 b	whitelisted
5316	svchost.exe	POST	200	20.190.160.64:443	https://login.live.com/RST2.srf	US	text	1.24 Kb	whitelisted
5316	svchost.exe	POST	200	20.190.159.128:443	https://login.live.com/RST2.srf	US	text	1.24 Kb	whitelisted
—	—	POST	400	20.190.160.64:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	203 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
6076	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5276	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5412	slui.exe	48.192.1.64:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
6076	svchost.exe	23.216.77.28:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
6076	svchost.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
5276	MoUsoCoreWorker.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
5208	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7408	slui.exe	48.192.1.64:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
activation-v2.sls.microsoft.com	48.192.1.64	whitelisted
google.com	142.251.13.113 142.251.13.101 142.251.13.102 142.251.13.138 142.251.13.139 142.251.13.100	whitelisted
crl.microsoft.com	23.216.77.28 23.216.77.6	whitelisted
www.microsoft.com	88.221.169.152 23.52.181.212	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
login.live.com	20.190.159.128 40.126.31.71 20.190.159.0 20.190.159.64 40.126.31.129 20.190.159.75 20.190.159.71 20.190.159.130	whitelisted
slscr.update.microsoft.com	20.165.94.63	whitelisted
fe3cr.delivery.mp.microsoft.com	74.178.240.51	whitelisted
self.events.data.microsoft.com	104.208.16.95	whitelisted

PID	Process	Class	Message
5276	MoUsoCoreWorker.exe	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
5448	Bwale.exe	Misc activity	INFO [ANY.RUN] Connection to IP from commonly abused ASN (AS214943 RAILNET)
5448	Bwale.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 14
5448	Bwale.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
5448	Bwale.exe	Malware Command and Control Activity Detected	ET MALWARE Amadey CnC Response
5448	Bwale.exe	Misc activity	INFO [ANY.RUN] Connection to IP from commonly abused ASN (AS214943 RAILNET)
5448	Bwale.exe	Potentially Bad Traffic	ET INFO Dotted Quad Host DLL Request
5448	Bwale.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 14
5448	Bwale.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download

General Info

_6bc3a6a1c3f7f9663f507c45252fe476cfdbc07d20cc5f2180a366675042e375.exe

170AE8BB220382C5160F6A026D113B40

FC1BAAA398D369822CB6DF06D3B5E512B54D93E5

6BC3A6A1C3F7F9663F507C45252FE476CFDBC07D20CC5F2180A366675042E375

49152:94HGhxdtj/w2iGgx/uqiwTNzf6xU2iLBWXwbUyE8/QbClN2q6i5OTDRqZKmMf+Hs:yY9jw086S2mk6RErOlY

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

AMADEY has been detected (SURICATA)

Changes the autorun value in the registry

SUSPICIOUS

Executable content was dropped or overwritten

Starts itself from another location

Contacting a server suspected of hosting an CnC

The process executes via Task Scheduler

INFO

Reads the computer name

Checks supported languages

Create files in a temporary directory

Reads security settings of Internet Explorer

Process checks computer location settings

Creates files or folders in the user directory

The sample compiled with english language support

There is functionality for taking screenshot (YARA)

Application based on Golang

Manual execution by a user

Launching a file from a Registry key

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings