| File name: | rl_93b52c63c8ea6e739cb32f1ccedcd96c0ed769e06a5fba5a1bdd5bbe9eb44999 |
| Full analysis: | https://app.any.run/tasks/1de36b59-8aa9-4b80-a1ea-7ae4127143c2 |
| Verdict: | Malicious activity |
| Threats: | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. |
| Analysis date: | July 04, 2025, 13:41:31 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections |
| MD5: | A5E6484EEF2B273591AD13582EB657DE |
| SHA1: | D9C52DFB831C575DCA98EEF953DA8816DA73DB8E |
| SHA256: | 93B52C63C8EA6E739CB32F1CCEDCD96C0ED769E06A5FBA5A1BDD5BBE9EB44999 |
| SSDEEP: | 6144:ao7lZnTZRGRdq0lbE1xoEIr2pVzl+hbeSiV/SM0WCex:7ZIRnYPoEIyvzlobRa/SAx |
MALICIOUS
AMADEY mutex has been found
- rl_93b52c63c8ea6e739cb32f1ccedcd96c0ed769e06a5fba5a1bdd5bbe9eb44999.exe (PID: 1044)
- suker.exe (PID: 2468)
- suker.exe (PID: 3876)
- suker.exe (PID: 2044)
AMADEY has been detected (SURICATA)
- suker.exe (PID: 1216)
Connects to the CnC server
- suker.exe (PID: 1216)
AMADEY has been detected (YARA)
- suker.exe (PID: 1216)
SUSPICIOUS
Executable content was dropped or overwritten
- rl_93b52c63c8ea6e739cb32f1ccedcd96c0ed769e06a5fba5a1bdd5bbe9eb44999.exe (PID: 1044)
Reads security settings of Internet Explorer
- rl_93b52c63c8ea6e739cb32f1ccedcd96c0ed769e06a5fba5a1bdd5bbe9eb44999.exe (PID: 1044)
- suker.exe (PID: 1216)
Starts itself from another location
- rl_93b52c63c8ea6e739cb32f1ccedcd96c0ed769e06a5fba5a1bdd5bbe9eb44999.exe (PID: 1044)
Connects to the server without a host name
- suker.exe (PID: 1216)
Contacting a server suspected of hosting an CnC
- suker.exe (PID: 1216)
There is functionality for taking screenshot (YARA)
- suker.exe (PID: 1216)
There is functionality for enable RDP (YARA)
- suker.exe (PID: 1216)
The process executes via Task Scheduler
- suker.exe (PID: 3876)
- suker.exe (PID: 2468)
- suker.exe (PID: 2044)
INFO
Checks supported languages
- rl_93b52c63c8ea6e739cb32f1ccedcd96c0ed769e06a5fba5a1bdd5bbe9eb44999.exe (PID: 1044)
- suker.exe (PID: 1216)
- suker.exe (PID: 2468)
- suker.exe (PID: 3876)
- suker.exe (PID: 2044)
Create files in a temporary directory
- rl_93b52c63c8ea6e739cb32f1ccedcd96c0ed769e06a5fba5a1bdd5bbe9eb44999.exe (PID: 1044)
Process checks computer location settings
- rl_93b52c63c8ea6e739cb32f1ccedcd96c0ed769e06a5fba5a1bdd5bbe9eb44999.exe (PID: 1044)
Reads the computer name
- rl_93b52c63c8ea6e739cb32f1ccedcd96c0ed769e06a5fba5a1bdd5bbe9eb44999.exe (PID: 1044)
Checks proxy server information
- suker.exe (PID: 1216)
- slui.exe (PID: 4120)
Reads the software policy settings
- slui.exe (PID: 4120)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Amadey
(PID) Process(1216) suker.exe
C2176.46.157.50
URLhttp://176.46.157.50/tu3d2rom/index.php
Version5.50
Options
Drop directorybd4cae89c3
Drop namesuker.exe
Strings (125)GET
SOFTWARE\Microsoft\Windows NT\CurrentVersion
00000419
av:
?scr=1
+++
Panda Security
wb
SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
:::
------
2025
SYSTEM\ControlSet001\Services\BasicDisplay\Video
WinDefender
shutdown -s -t 0
ComputerName
00000423
ProductName
%USERPROFILE%
d1
lv:
Main
Doctor Web
<d>
abcdefghijklmnopqrstuvwxyz0123456789-_
bd4cae89c3
random
0123456789
exe
S-%lu-
#
" && timeout 1 && del
\0000
2019
kernel32.dll
5.50
/quiet
=
ESET
Powershell.exe
AVAST Software
rundll32.exe
shell32.dll
vs:
&&
<c>
\
os:
e1
VideoID
Content-Disposition: form-data; name="data"; filename="
id:
------
rundll32
pc:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
suker.exe
Keyboard Layout\Preload
Content-Type: application/x-www-form-urlencoded
ProgramData\
dll
http://
%-lu
176.46.157.50
-%lu
og:
Comodo
GetNativeSystemInfo
0000043f
/k
bi:
|
Sophos
sd:
Content-Type: multipart/form-data; boundary=----
Kaspersky Lab
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
.jpg
"
Content-Type: application/octet-stream
-unicode-
dm:
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
ar:
"taskkill /f /im "
\App
Programs
ps1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
-executionpolicy remotesigned -File "
Bitdefender
r=
/Plugins/
2016
Norton
00000422
msi
Avira
360TotalSecurity
2022
/tu3d2rom/index.php
https://
AVG
&unit=
st=s
zip
rb
e3
" && ren
e2
Rem
"
cmd
&& Exit"
DefaultSettings.XResolution
CurrentBuild
Startup
--
cmd /C RMDIR /s/q
cred.dll
clip.dll
un:
POST
DefaultSettings.YResolution
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
cred.dll|clip.dll|
TRiD
| .exe | | | Win64 Executable (generic) (64.6) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | | | Win32 Executable (generic) (10.5) |
| .exe | | | Generic Win/DOS Executable (4.6) |
| .exe | | | DOS Executable Generic (4.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2025:07:03 18:56:12+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.29 |
| CodeSize: | 318464 |
| InitializedDataSize: | 123392 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x28ce9 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
Total processes
136
Monitored processes
6
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1044 | "C:\Users\admin\Desktop\rl_93b52c63c8ea6e739cb32f1ccedcd96c0ed769e06a5fba5a1bdd5bbe9eb44999.exe" | C:\Users\admin\Desktop\rl_93b52c63c8ea6e739cb32f1ccedcd96c0ed769e06a5fba5a1bdd5bbe9eb44999.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
| 1216 | "C:\Users\admin\AppData\Local\Temp\bd4cae89c3\suker.exe" | C:\Users\admin\AppData\Local\Temp\bd4cae89c3\suker.exe | rl_93b52c63c8ea6e739cb32f1ccedcd96c0ed769e06a5fba5a1bdd5bbe9eb44999.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
Amadey(PID) Process(1216) suker.exe C2176.46.157.50 URLhttp://176.46.157.50/tu3d2rom/index.php Version5.50 Options Drop directorybd4cae89c3 Drop namesuker.exe Strings (125)GET SOFTWARE\Microsoft\Windows NT\CurrentVersion 00000419 av: ?scr=1 +++ Panda Security wb SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\ ::: ------ 2025 SYSTEM\ControlSet001\Services\BasicDisplay\Video WinDefender shutdown -s -t 0 ComputerName 00000423 ProductName %USERPROFILE% d1 lv: Main Doctor Web <d> abcdefghijklmnopqrstuvwxyz0123456789-_ bd4cae89c3 random 0123456789 exe S-%lu- # " && timeout 1 && del \0000 2019 kernel32.dll 5.50 /quiet = ESET Powershell.exe AVAST Software rundll32.exe shell32.dll vs: && <c> \ os: e1 VideoID Content-Disposition: form-data; name="data"; filename=" id: ------ rundll32 pc: SOFTWARE\Microsoft\Windows\CurrentVersion\Run suker.exe Keyboard Layout\Preload Content-Type: application/x-www-form-urlencoded ProgramData\ dll http:// %-lu 176.46.157.50 -%lu og: Comodo GetNativeSystemInfo 0000043f /k bi: | Sophos sd: Content-Type: multipart/form-data; boundary=---- Kaspersky Lab SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName .jpg "
Content-Type: application/octet-stream -unicode- dm: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ar: "taskkill /f /im " \App Programs ps1 SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders -executionpolicy remotesigned -File " Bitdefender r= /Plugins/ 2016 Norton 00000422 msi Avira 360TotalSecurity 2022 /tu3d2rom/index.php https:// AVG &unit= st=s zip rb e3 " && ren e2 Rem " cmd && Exit" DefaultSettings.XResolution CurrentBuild Startup -- cmd /C RMDIR /s/q cred.dll clip.dll un: POST DefaultSettings.YResolution SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce cred.dll|clip.dll| | |||||||||||||||
| 2044 | "C:\Users\admin\AppData\Local\Temp\bd4cae89c3\suker.exe" | C:\Users\admin\AppData\Local\Temp\bd4cae89c3\suker.exe | — | svchost.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2468 | "C:\Users\admin\AppData\Local\Temp\bd4cae89c3\suker.exe" | C:\Users\admin\AppData\Local\Temp\bd4cae89c3\suker.exe | — | svchost.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 3876 | "C:\Users\admin\AppData\Local\Temp\bd4cae89c3\suker.exe" | C:\Users\admin\AppData\Local\Temp\bd4cae89c3\suker.exe | — | svchost.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 4120 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
4 178
Read events
4 175
Write events
3
Delete events
0
Modification events
| (PID) Process: | (1216) suker.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (1216) suker.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (1216) suker.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
Executable files
1
Suspicious files
1
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1044 | rl_93b52c63c8ea6e739cb32f1ccedcd96c0ed769e06a5fba5a1bdd5bbe9eb44999.exe | C:\Users\admin\AppData\Local\Temp\bd4cae89c3\suker.exe | executable | |
MD5:A5E6484EEF2B273591AD13582EB657DE | SHA256:93B52C63C8EA6E739CB32F1CCEDCD96C0ED769E06A5FBA5A1BDD5BBE9EB44999 | |||
| 1044 | rl_93b52c63c8ea6e739cb32f1ccedcd96c0ed769e06a5fba5a1bdd5bbe9eb44999.exe | C:\Windows\Tasks\suker.job | binary | |
MD5:1A72F64E13C135FF7243A58605B2CB86 | SHA256:461738605F327D80C0ED9B298EC9DD96D42869A42E2255D400097C9183C93927 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
22
DNS requests
6
Threats
3
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1268 | svchost.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
2276 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
1216 | suker.exe | POST | 200 | 176.46.157.50:80 | http://176.46.157.50/tu3d2rom/index.php | unknown | — | — | malicious |
1216 | suker.exe | POST | 200 | 176.46.157.50:80 | http://176.46.157.50/tu3d2rom/index.php | unknown | — | — | malicious |
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
1268 | svchost.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
2276 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
1216 | suker.exe | 176.46.157.50:80 | — | — | IR | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1216 | suker.exe | Malware Command and Control Activity Detected | BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s) |
1216 | suker.exe | Malware Command and Control Activity Detected | ET MALWARE Amadey CnC Response |
1216 | suker.exe | Malware Command and Control Activity Detected | ET MALWARE Amadey CnC Response |