File name:

exe

Full analysis: https://app.any.run/tasks/5ab507ec-f254-4f9e-9077-3c99e69655e7
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Malware Trends Tracker     >>>
Analysis date: April 17, 2026, 23:08:33
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
amadey
botnet
stealer
golang
loader
delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

170AE8BB220382C5160F6A026D113B40

SHA1:

FC1BAAA398D369822CB6DF06D3B5E512B54D93E5

SHA256:

6BC3A6A1C3F7F9663F507C45252FE476CFDBC07D20CC5F2180A366675042E375

SSDEEP:

49152:94HGhxdtj/w2iGgx/uqiwTNzf6xU2iLBWXwbUyE8/QbClN2q6i5OTDRqZKmMf+Hs:yY9jw086S2mk6RErOlY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • exe.exe (PID: 7800)
      • Bwale.exe (PID: 7408)
      • Bwale.exe (PID: 5304)
      • Bwale.exe (PID: 1108)

    • AMADEY has been detected (SURICATA)

      • Bwale.exe (PID: 7408)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • exe.exe (PID: 7800)
      • Bwale.exe (PID: 7408)

    • Starts itself from another location

      • exe.exe (PID: 7800)

    • Contacting a server suspected of hosting an CnC

      • Bwale.exe (PID: 7408)

    • The process executes via Task Scheduler

      • Bwale.exe (PID: 5304)
      • Bwale.exe (PID: 1108)

  • INFO

    • Process checks computer location settings

      • exe.exe (PID: 7800)
      • Bwale.exe (PID: 7408)

    • Reads the computer name

      • exe.exe (PID: 7800)
      • Bwale.exe (PID: 7408)

    • Create files in a temporary directory

      • exe.exe (PID: 7800)
      • Bwale.exe (PID: 7408)

    • Checks supported languages

      • Bwale.exe (PID: 7408)
      • exe.exe (PID: 7800)
      • Bwale.exe (PID: 5304)
      • Bwale.exe (PID: 1108)

    • Reads security settings of Internet Explorer

      • exe.exe (PID: 7800)
      • Bwale.exe (PID: 7408)

    • The sample compiled with english language support

      • Bwale.exe (PID: 7408)

    • Creates files or folders in the user directory

      • Bwale.exe (PID: 7408)

    • Reads the machine GUID from the registry

      • Bwale.exe (PID: 7408)

    • There is functionality for taking screenshot (YARA)

      • Bwale.exe (PID: 7408)

    • Application based on Golang

      • Bwale.exe (PID: 7408)

    • Compiled with Borland Delphi (YARA)

      • rundll32.exe (PID: 7356)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (41)
.exe | Win64 Executable (generic) (36.3)
.dll | Win32 Dynamic Link Library (generic) (8.6)
.exe | Win32 Executable (generic) (5.9)
.exe | Win16/32 Executable Delphi generic (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 3
CodeSize: 653312
InitializedDataSize: 29696
UninitializedDataSize: -
EntryPoint: 0x79040
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
133
Monitored processes
5
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start exe.exe #AMADEY bwale.exe rundll32.exe no specs bwale.exe no specs bwale.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1108"C:\Users\admin\AppData\Local\Temp\adb7f46c0c\Bwale.exe"C:\Users\admin\AppData\Local\Temp\adb7f46c0c\Bwale.exesvchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\adb7f46c0c\bwale.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\powrprof.dll
5304"C:\Users\admin\AppData\Local\Temp\adb7f46c0c\Bwale.exe"C:\Users\admin\AppData\Local\Temp\adb7f46c0c\Bwale.exesvchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\adb7f46c0c\bwale.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\powrprof.dll
7356"C:\Windows\System32\rundll32.exe" C:\Users\admin\AppData\Local\Temp\10000250111\file_9d060a15df6994b0.dll, DllMainC:\Windows\SysWOW64\rundll32.exeBwale.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
7408"C:\Users\admin\AppData\Local\Temp\adb7f46c0c\Bwale.exe" C:\Users\admin\AppData\Local\Temp\adb7f46c0c\Bwale.exe
exe.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\adb7f46c0c\bwale.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
7800"C:\Users\admin\AppData\Local\Temp\exe.exe" C:\Users\admin\AppData\Local\Temp\exe.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\exe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
Total events
1 463
Read events
1 460
Write events
3
Delete events
0

Modification events

(PID) Process:(7408) Bwale.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(7408) Bwale.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7408) Bwale.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
Executable files
3
Suspicious files
5
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
7408Bwale.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4CE3F21C0C824DAED90EBF3947CEF4AA_935562BCD5687510E92AB7CB749FF569binary
MD5:C3C396E8AF13F1A3C23415EAF761684E
SHA256:5A4212E1DACEC2E7AA9FD81F4B51311B09AE418FD5FC0023F1270E00B6142550
7408Bwale.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EAF8AA29A62AB29E614331747385D816_09AD44C44544E9A5157C0605D4B879EDbinary
MD5:1D805DFDD024BBD521E5085087A652C3
SHA256:CAFE8017C80058A1A8E4964B1B15D3F6BC496133C19BAF0461BEE74D3613A94A
7800exe.exeC:\Windows\Tasks\Bwale.jobbinary
MD5:FF04134F3AAC91119B818ED7D25F5AE1
SHA256:CD6C92AA6D05F520EB94DB55305A56AA3EB6D43EB534ECB0E46F18DA8D5D1645
7408Bwale.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EAF8AA29A62AB29E614331747385D816_09AD44C44544E9A5157C0605D4B879EDbinary
MD5:9AF0F1E5951AE79F20FAF0530E11F194
SHA256:ED95EE9B6390C813F2B4171D5A106BC3204578E2E5B62632C5C474A950499A01
7408Bwale.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4CE3F21C0C824DAED90EBF3947CEF4AA_935562BCD5687510E92AB7CB749FF569binary
MD5:9A07A13ED314B9E415A41F29699BFA76
SHA256:22AF31D1AC44E83C9ABAC6C7B45592CDDF60BB8F05F7F767083F898EC0243AC0
7408Bwale.exeC:\Users\admin\AppData\Local\Temp\10000030101\exe.exetext
MD5:5195B6954F5211D1CE35F721EF480FC7
SHA256:B5E6FAC35C0635D967746F1A6C16032141E69C9D0A327E469DC6564BA71A78E8
7800exe.exeC:\Users\admin\AppData\Local\Temp\adb7f46c0c\Bwale.exeexecutable
MD5:170AE8BB220382C5160F6A026D113B40
SHA256:6BC3A6A1C3F7F9663F507C45252FE476CFDBC07D20CC5F2180A366675042E375
7408Bwale.exeC:\Users\admin\AppData\Local\Temp\10000250111\file_9d060a15df6994b0.dllexecutable
MD5:EE8EE0017DEF162A9056E8D7069DC4F4
SHA256:85EAFDDDDC17A03F7BE9261B28AB49B2566CEDF9D0B96D22D27F758B22CAE828
7408Bwale.exeC:\Users\admin\AppData\Roaming\10000170100\exe.exetext
MD5:5195B6954F5211D1CE35F721EF480FC7
SHA256:B5E6FAC35C0635D967746F1A6C16032141E69C9D0A327E469DC6564BA71A78E8
7408Bwale.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\file_9d060a15df6994b0[1].dllexecutable
MD5:EE8EE0017DEF162A9056E8D7069DC4F4
SHA256:85EAFDDDDC17A03F7BE9261B28AB49B2566CEDF9D0B96D22D27F758B22CAE828
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
41
TCP/UDP connections
31
DNS requests
20
Threats
9

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7408
Bwale.exe
GET
302
35.176.92.19:443
https://site.com/folder/exe.e
US
unknown
7408
Bwale.exe
GET
302
35.176.92.19:443
https://site.com/folder/exe.e
US
unknown
680
svchost.exe
GET
304
51.104.136.2:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2
US
whitelisted
5276
MoUsoCoreWorker.exe
GET
200
23.55.110.193:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
GET
200
23.11.41.157:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D
NL
binary
312 b
whitelisted
5276
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
GET
200
204.79.197.203:80
http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D
US
binary
959 b
whitelisted
7408
Bwale.exe
GET
301
35.176.92.19:80
http://site.com/folder/exe.e
US
unknown
2648
SIHClient.exe
GET
304
74.178.76.128:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
US
whitelisted
2648
SIHClient.exe
GET
200
135.233.95.135:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
US
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
680
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5276
MoUsoCoreWorker.exe
23.55.110.193:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
5276
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
48.192.1.65:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5532
SearchApp.exe
2.16.241.218:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
23.11.41.157:80
ocsp.digicert.com
AKAMAI-AMS
NL
whitelisted
204.79.197.203:80
oneocsp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.55.110.193
  • 23.55.110.211
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.65
whitelisted
www.bing.com
  • 2.16.241.218
  • 2.16.241.201
whitelisted
ocsp.digicert.com
  • 23.11.41.157
whitelisted
oneocsp.microsoft.com
  • 204.79.197.203
whitelisted
google.com
  • 142.251.20.113
  • 142.251.20.138
  • 142.251.20.102
  • 142.251.20.139
  • 142.251.20.100
  • 142.251.20.101
whitelisted
site.com
  • 35.176.92.19
  • 34.226.36.51
  • 34.211.108.46
  • 13.113.196.52
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted

Threats

PID
Process
Class
Message
7408
Bwale.exe
Misc activity
INFO [ANY.RUN] Connection to IP from commonly abused ASN (AS214943 RAILNET)
7408
Bwale.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 14
7408
Bwale.exe
Malware Command and Control Activity Detected
BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
7408
Bwale.exe
Malware Command and Control Activity Detected
ET MALWARE Amadey CnC Response
680
svchost.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
7408
Bwale.exe
Misc activity
INFO [ANY.RUN] Connection to IP from commonly abused ASN (AS214943 RAILNET)
7408
Bwale.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host DLL Request
7408
Bwale.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 14
7408
Bwale.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
No debug info