File name:	GM2SC_random.exe
Full analysis:	https://app.any.run/tasks/c7fec258-5432-4d13-b493-6ae5861f665e
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 18, 2025, 17:19:17
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	amadey botnet stealer loader stealc themida lumma credentialflusher gcleaner
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:	FA93EE30BA0FF259954673B85347CF2E
SHA1:	A1EA1E175E4585FCB0345EF5A00D4B047384DD73
SHA256:	8E04D767B94A24732BE0868059F2D2FD09B86E73FAEF0C753E8AA6B604630CED
SSDEEP:	98304:Il4fERgKGmsltDOVCcYDeDIT48QWJ8dpt1HDfrHtj9azvT1K83HyB63s3xsJT6Ho:pOp

.dll	\|	Win32 Dynamic Link Library (generic) (43.5)
.exe	\|	Win32 Executable (generic) (29.8)
.exe	\|	Generic Win/DOS Executable (13.2)
.exe	\|	DOS Executable Generic (13.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:07:25 12:10:38+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.24
CodeSize:	321024
InitializedDataSize:	104960
UninitializedDataSize:	-
EntryPoint:	0x4be000
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI


(PID) Process:	(4244) axplong.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(4244) axplong.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(4244) axplong.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(4244) axplong.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	aeb8a77c3e.exe
Value: C:\Users\admin\AppData\Local\Temp\1014393001\aeb8a77c3e.exe
(PID) Process:	(5464) aeb8a77c3e.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5464) aeb8a77c3e.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5464) aeb8a77c3e.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(4244) axplong.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	571439c8b1.exe
Value: C:\Users\admin\AppData\Local\Temp\1014394001\571439c8b1.exe
(PID) Process:	(2076) skotes.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2076) skotes.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:

PID	Process	Filename		Type
3140	GM2SC_random.exe	C:\Windows\Tasks\axplong.job		binary
		MD5:2179147812CF4E7B902459C1F2395FD6	SHA256:117E300946149F45AC1B61ED582259A640E0969681DCA168282E90BAC6ED1732
4244	axplong.exe	C:\Users\admin\AppData\Local\Temp\1014393001\aeb8a77c3e.exe		executable
		MD5:CFED3795B5DF45BBD48F493175331240	SHA256:F2A959CAED0D99D3FF313F6C7F70A8752D8BC2DBFDA56EA577596FFADD980E67
3208	571439c8b1.exe	C:\Users\admin\AppData\Local\Temp\abc3bc1985\skotes.exe		executable
		MD5:2C780BD0B93D85AFBAD23124CF8994C2	SHA256:96A1EEA0F525785429D36CFF82916E54227BE6A3750796E05D594E952A213EC2
7140	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin		—
		MD5:—	SHA256:—
4244	axplong.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\random[1].exe		executable
		MD5:2C780BD0B93D85AFBAD23124CF8994C2	SHA256:96A1EEA0F525785429D36CFF82916E54227BE6A3750796E05D594E952A213EC2
4244	axplong.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\random[1].exe		executable
		MD5:CFED3795B5DF45BBD48F493175331240	SHA256:F2A959CAED0D99D3FF313F6C7F70A8752D8BC2DBFDA56EA577596FFADD980E67
3140	GM2SC_random.exe	C:\Users\admin\AppData\Local\Temp\44111dbc49\axplong.exe		executable
		MD5:FA93EE30BA0FF259954673B85347CF2E	SHA256:8E04D767B94A24732BE0868059F2D2FD09B86E73FAEF0C753E8AA6B604630CED
3208	571439c8b1.exe	C:\Windows\Tasks\skotes.job		binary
		MD5:A818706E6AA133F7883744D684D72300	SHA256:0721B1E5FB4605E1561D625FF4A7C7EA92C98642DFAA4F54E10C2BFDBF37F426
4244	axplong.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\random[2].exe		executable
		MD5:8C98F00647FCF80B28C982C2D02D2C80	SHA256:5064A5D432B8AA2C46752D5D680BB56AC1A0C100330226FC7C66BB3B87AC91B1
2076	skotes.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\random[2].exe		executable
		MD5:C7973E44BF12EFC64100C761EF3978EB	SHA256:423E9F7892E7929955DCB8F97FF0F29F2255AF24BC5E6F753A3DCE8DBF7F582B

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4244	axplong.exe	POST	200	185.215.113.16:80	http://185.215.113.16/Jo89Ku7d/index.php	unknown	—	—	malicious
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4244	axplong.exe	POST	200	185.215.113.16:80	http://185.215.113.16/Jo89Ku7d/index.php	unknown	—	—	malicious
4712	MoUsoCoreWorker.exe	GET	200	23.32.238.107:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4244	axplong.exe	POST	200	185.215.113.16:80	http://185.215.113.16/Jo89Ku7d/index.php	unknown	—	—	malicious
4244	axplong.exe	GET	200	185.215.113.16:80	http://185.215.113.16/mine/random.exe	unknown	—	—	malicious
4244	axplong.exe	GET	200	185.215.113.16:80	http://185.215.113.16/steam/random.exe	unknown	—	—	malicious
5464	aeb8a77c3e.exe	GET	200	185.215.113.206:80	http://185.215.113.206/	unknown	—	—	malicious
4244	axplong.exe	GET	200	185.215.113.39:80	http://185.215.113.39/files/unique2/random.exe	unknown	—	—	malicious
5464	aeb8a77c3e.exe	POST	200	185.215.113.206:80	http://185.215.113.206/c4becf79229cb002.php	unknown	—	—	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	184.86.251.16:443	—	Akamai International B.V.	DE	unknown
4712	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4244	axplong.exe	185.215.113.16:80	—	1337team Limited	SC	malicious
4712	MoUsoCoreWorker.exe	23.32.238.107:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4712	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3976	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 40.127.240.158	whitelisted
google.com	142.250.186.110	whitelisted
crl.microsoft.com	23.32.238.107 23.32.238.112	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
tawdrydadysz.icu	—	unknown
nearycrepso.shop	—	malicious
abruptyopsn.shop	—	malicious
wholersorie.shop	—	malicious
framekgirus.shop	—	malicious
tirepublicerj.shop	—	malicious

PID	Process	Class	Message
4244	axplong.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 33
4244	axplong.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
4244	axplong.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
4244	axplong.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
4244	axplong.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
4244	axplong.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4244	axplong.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
4244	axplong.exe	A Network Trojan was detected	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
5464	aeb8a77c3e.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 33
5464	aeb8a77c3e.exe	Malware Command and Control Activity Detected	STEALER [ANY.RUN] Stealc HTTP POST Request

Process	Message
GM2SC_random.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
aeb8a77c3e.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
571439c8b1.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
skotes.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
969778179c.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
c2a795d497.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
54d9e0f2b2.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
021949f0ac.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
skotes.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------

General Info

GM2SC_random.exe

FA93EE30BA0FF259954673B85347CF2E

A1EA1E175E4585FCB0345EF5A00D4B047384DD73

8E04D767B94A24732BE0868059F2D2FD09B86E73FAEF0C753E8AA6B604630CED

98304:Il4fERgKGmsltDOVCcYDeDIT48QWJ8dpt1HDfrHtj9azvT1K83HyB63s3xsJT6Ho:pOp

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

AMADEY mutex has been found

Connects to the CnC server

AMADEY has been detected (SURICATA)

Changes the autorun value in the registry

StealC has been detected

STEALC has been detected (SURICATA)

AMADEY has been detected (YARA)

LUMMA has been detected (SURICATA)

LUMMA mutex has been found

Steals credentials from Web Browsers

Actions looks like stealing of personal data

Possible tool for stealing has been detected

LUMMA has been detected (YARA)

GCLEANER has been detected (SURICATA)

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

Uses Task Scheduler to run other applications

Run PowerShell with an invisible window

Request from PowerShell that ran from MSHTA.EXE

Executing a file with an untrusted certificate

Script downloads file (POWERSHELL)

Disables Windows Defender

Changes the Windows auto-update feature

SUSPICIOUS

Reads the BIOS version

Reads security settings of Internet Explorer

Potential Corporate Privacy Violation

Contacting a server suspected of hosting an CnC

Executable content was dropped or overwritten

Connects to the server without a host name

Process requests binary or script from the Internet

Windows Defender mutex has been found

Starts itself from another location

Searches for installed software

Uses TASKKILL.EXE to kill Browsers

Uses TASKKILL.EXE to kill process

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Uses TIMEOUT.EXE to delay execution

Application launched itself

Starts POWERSHELL.EXE for commands execution

Executes application which crashes

Probably obfuscated PowerShell command line is found

Reads the Windows owner or organization settings

Process drops legitimate windows executable

The process drops C-runtime libraries

The process executes via Task Scheduler

The process executes Powershell scripts

Manipulates environment variables

Starts process via Powershell

Probably download files using WebClient

Found IP address in command line

The process creates files with name similar to system file names

Connects to unusual port

The executable file from the user directory is run by the CMD process

Detected use of alternative data streams (AltDS)

Connects to SMTP port

INFO

Reads the computer name

Checks supported languages

Sends debugging messages

Create files in a temporary directory

Checks proxy server information

Creates files or folders in the user directory

The process uses the downloaded file

Process checks computer location settings

The sample compiled with czech language support

Themida protector has been detected