File name:	4ef8c35a2b15849e46afa1a0ae8c0f86.exe
Full analysis:	https://app.any.run/tasks/e146fe44-c240-4624-a54f-0d79151f5311
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 21, 2025, 21:08:28
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	amadey botnet stealer auto-reg loader confuser redline
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	4EF8C35A2B15849E46AFA1A0AE8C0F86
SHA1:	82E1E3A3066487546D8C5EB8EA1D9033D599DFE3
SHA256:	8EC4090935DE015F46E08416F184677B909B2A7CF1D20DC5E5093448E52EBB63
SSDEEP:	24576:sya9ZGM6E12s6XLPp6o6Pi8EEAxNRvtc/kqC8TAUtvD1j:baacgs6bhp6+EINRv6/kpmtvDB

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:05:24 22:49:06+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.13
CodeSize:	25600
InitializedDataSize:	1328128
UninitializedDataSize:	-
EntryPoint:	0x6a60
OSVersion:	10
ImageVersion:	10
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	11.0.17763.1
ProductVersionNumber:	11.0.17763.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Win32 Cabinet Self-Extractor
FileVersion:	11.00.17763.1 (WinBuild.160101.0800)
InternalName:	Wextract
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	WEXTRACT.EXE .MUI
ProductName:	Internet Explorer
ProductVersion:	11.00.17763.1


(PID) Process:	(6108) explonde.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6108) explonde.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6108) explonde.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6108) explonde.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Operation:	write	Name:	Startup
Value: C:\Users\admin\AppData\Local\Temp\fefffe8cea\

PID	Process	Filename		Type
3240	y6218145.exe	C:\Users\admin\AppData\Local\Temp\IXP001.TMP\o9944988.exe		executable
		MD5:AEEA100B781F51B08F3606C656BB1BCD	SHA256:262BB4320591D11F5A332E9613AF7B16070E928A1F8FDE460A98F9B8F0368B4B
1324	y0372651.exe	C:\Users\admin\AppData\Local\Temp\IXP002.TMP\y3144302.exe		executable
		MD5:4F7998524EA53D1206883289448DFF4A	SHA256:49800C26AA45DEDFC2A25E1A4D86289E5077C901D6C268AE09C241098A3807A6
1324	y0372651.exe	C:\Users\admin\AppData\Local\Temp\IXP002.TMP\n5201710.exe		executable
		MD5:8EAC42D01E3BF1649F16F973867C757B	SHA256:582C10B86C88E3FA1D9592A3B5A98EBAAA12617FCC4B71C5547EB1E298373146
5392	y3144302.exe	C:\Users\admin\AppData\Local\Temp\IXP003.TMP\l4906456.exe		executable
		MD5:DC24E7B910C18590F133099C38415488	SHA256:7194821FFFB8FBA0008B0312BBCE6AE69612924B06826622A9AB6774D2BE0BA6
5392	y3144302.exe	C:\Users\admin\AppData\Local\Temp\IXP003.TMP\m9886759.exe		executable
		MD5:A4C12584CDB25AA2FE9383C5B8B17075	SHA256:142DC624A0D096B23A56C885983FFB8E2B65C3D8BEF290FD6E18DDD0312B0C44
3240	y6218145.exe	C:\Users\admin\AppData\Local\Temp\IXP001.TMP\y0372651.exe		executable
		MD5:4AC11FB5BE023F4183599C50F86B95B9	SHA256:C89B662C9F649B92009AEB3C0D5AA9E7FEE1BBA9D892A1725EF4254BFB8168CE
5416	4ef8c35a2b15849e46afa1a0ae8c0f86.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\p9391921.exe		executable
		MD5:D89B0BF012ADC625D3E7F20A7A3EEAAD	SHA256:2307AA651DB455BDE39421EABBA6FC27395EE82A4927EDEB908BD91C6E1B7258
5416	4ef8c35a2b15849e46afa1a0ae8c0f86.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\y6218145.exe		executable
		MD5:5BBCC4D3BB23C6EF6773069E33A211BB	SHA256:6D0098818987F19CF8F8AC1182B0DE5CBB2EB20A01587968F1C0D49DDA2C6783
6112	l4906456.exe	C:\Users\admin\AppData\Local\Temp\fefffe8cea\explonde.exe		executable
		MD5:DC24E7B910C18590F133099C38415488	SHA256:7194821FFFB8FBA0008B0312BBCE6AE69612924B06826622A9AB6774D2BE0BA6
6108	explonde.exe	C:\Users\admin\AppData\Roaming\006700e5a2ab05\cred64.dll		text
		MD5:595E88012A6521AAE3E12CBEBE76EB9E	SHA256:B16E15764B8BC06C5C3F9F19BC8B99FA48E7894AA5A6CCDAD65DA49BBF564793

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6108	explonde.exe	POST	405	77.91.68.52:80	http://77.91.68.52/mac/index.php	unknown	—	—	malicious
—	—	GET	304	172.202.163.200:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
5380	SIHClient.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5380	SIHClient.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
5380	SIHClient.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
5380	SIHClient.exe	GET	200	104.119.109.218:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
—	—	GET	200	13.95.31.18:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—
5380	SIHClient.exe	GET	200	104.119.109.218:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
5380	SIHClient.exe	GET	200	104.119.109.218:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
—	—	GET	200	172.202.163.200:443	https://slscr.update.microsoft.com/sls/ping	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6108	explonde.exe	77.91.68.52:80	static.52.68.91.77.ip.webhost1.net	Foton Telecom CJSC	RU	malicious
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
4400	n5201710.exe	77.91.124.82:19071	—	Foton Telecom CJSC	RU	malicious
5380	SIHClient.exe	172.202.163.200:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	whitelisted
5380	SIHClient.exe	2.16.241.19:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5380	SIHClient.exe	104.119.109.218:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5380	SIHClient.exe	20.3.187.198:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	142.250.185.174	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
crl.microsoft.com	2.16.241.19 2.16.241.12	whitelisted
www.microsoft.com	104.119.109.218	whitelisted
fe3cr.delivery.mp.microsoft.com	20.3.187.198	whitelisted
static.52.68.91.77.ip.webhost1.net	77.91.68.52	unknown
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted
nexusrules.officeapps.live.com	52.111.227.13	whitelisted

PID	Process	Class	Message
6108	explonde.exe	Misc activity	SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body
6108	explonde.exe	Malware Command and Control Activity Detected	ET MALWARE Amadey CnC Check-In
6108	explonde.exe	A Network Trojan was detected	ET MALWARE Win32/Amadey Bot Activity (POST) M2
4400	n5201710.exe	Potentially Bad Traffic	ET INFO Microsoft net.tcp Connection Initialization Activity
6108	explonde.exe	Potentially Bad Traffic	ET INFO Dotted Quad Host DLL Request
6108	explonde.exe	A Network Trojan was detected	BOTNET [ANY.RUN] Amadey Stealer plugin download request
6108	explonde.exe	Potentially Bad Traffic	ET INFO Dotted Quad Host DLL Request
6108	explonde.exe	A Network Trojan was detected	BOTNET [ANY.RUN] Amadey Clipper plugin download request
4400	n5201710.exe	Potentially Bad Traffic	ET INFO Microsoft net.tcp Connection Initialization Activity

General Info

4ef8c35a2b15849e46afa1a0ae8c0f86.exe

4EF8C35A2B15849E46AFA1A0AE8C0F86

82E1E3A3066487546D8C5EB8EA1D9033D599DFE3

8EC4090935DE015F46E08416F184677B909B2A7CF1D20DC5E5093448E52EBB63

24576:sya9ZGM6E12s6XLPp6o6Pi8EEAxNRvtc/kqC8TAUtvD1j:baacgs6bhp6+EINRv6/kpmtvDB

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

AMADEY mutex has been found

Changes the autorun value in the registry

Uses Task Scheduler to run other applications

AMADEY has been detected (SURICATA)

AMADEY has been detected (YARA)

Connects to the CnC server

REDLINE has been detected (YARA)

SUSPICIOUS

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Starts itself from another location

Starts CMD.EXE for commands execution

Uses ICACLS.EXE to modify access control lists

Application launched itself

Contacting a server suspected of hosting an CnC

Connects to unusual port

The process executes via Task Scheduler

Process requests binary or script from the Internet

Connects to the server without a host name

INFO

Checks supported languages

The sample compiled with english language support

Create files in a temporary directory

Reads the computer name

Process checks computer location settings

Auto-launch of the file from Registry key

Reads the machine GUID from the registry

Checks proxy server information

Confuser has been detected (YARA)

Reads the software policy settings

Creates files or folders in the user directory

Malware configuration

Amadey

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files