File name:	ab28151431a6c9e8a59a722ad639c1e3c1ed11b33ea1ddc648cbb0b9b6938960.exe
Full analysis:	https://app.any.run/tasks/67c985a5-5f37-4e86-bd52-221d7faefc28
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018. Malware Trends Tracker >>>
Analysis date:	May 24, 2026, 06:03:16
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	loader powershell stealer stealc vidar lumma amadey botnet attachments attc-unc
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 19 sections
MD5:	814D8CA6614937AFB3ECE9E3AB05D76A
SHA1:	824C0089DE1D85E4259DE989F09D9568B3D869CC
SHA256:	AB28151431A6C9E8A59A722AD639C1E3C1ED11B33EA1DDC648CBB0B9B6938960
SSDEEP:	1536:iB6mruejWfpHK8d1RZnerVurqWX9sLizoWpCemj7IjUlrPtttEHKq9uFmFpfD7i3:iImrue6fpNdDomKSHPoj3

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2026:05:24 02:44:50+00:00
ImageFileCharacteristics:	Executable, No line numbers, Large address aware
PEType:	PE32+
LinkerVersion:	2.45
CodeSize:	10240
InitializedDataSize:	10240
UninitializedDataSize:	512
EntryPoint:	0x13e0
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI


(PID) Process:	(6412) slui.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:	write	Name:	@%SystemRoot%\System32\sppcomapi.dll,-3200
Value: Software Licensing
(PID) Process:	(4692) ab28151431a6c9e8a59a722ad639c1e3c1ed11b33ea1ddc648cbb0b9b6938960.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	TS_26b799fa
Value: BAE9799

PID	Process	Filename		Type
1504	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_in405xvd.yq5.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1504	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kuqpszo3.y2d.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5288	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YJB74IV6T9QEK7EWFLXT.temp		binary
		MD5:B0F11B76AE968BC5D622DA903C53FEC7	SHA256:AF02EBC1232E2044A944CFB128752BCF137B1315BFEC79F5E2E24984CEE6D437
6236	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RFe3813.TMP		—
		MD5:—	SHA256:—
5288	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe31ca.TMP		binary
		MD5:FB6E503EAFA1E8553CA6761B666DEBAA	SHA256:2ECEABF9CFCC03C4875A7FD29210B60A533B7F03D2AF6231C3FD6D8E46668920
6236	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RFe3823.TMP		—
		MD5:—	SHA256:—
6236	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old~RFe3823.TMP		—
		MD5:—	SHA256:—
6236	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
6236	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old		—
		MD5:—	SHA256:—
6236	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RFe3832.TMP		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5276	MoUsoCoreWorker.exe	GET	304	57.153.246.3:443	https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30	US	—	—	whitelisted
3352	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
4692	ab28151431a6c9e8a59a722ad639c1e3c1ed11b33ea1ddc648cbb0b9b6938960.exe	GET	200	89.125.188.171:80	http://89.125.188.171/nah11/file.exe	NL	executable	743 Kb	unknown
5276	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
6412	slui.exe	POST	500	128.24.231.65:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	xml	512 b	whitelisted
5616	powershell.exe	GET	200	89.125.188.171:80	http://89.125.188.171/div/55.ps1	NL	text	3.80 Kb	unknown
6412	slui.exe	POST	500	48.192.1.65:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	xml	512 b	whitelisted
3352	svchost.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
4692	ab28151431a6c9e8a59a722ad639c1e3c1ed11b33ea1ddc648cbb0b9b6938960.exe	POST	200	172.67.209.149:443	https://dip.matriculador.digital/	US	text	2.81 Kb	unknown
4692	ab28151431a6c9e8a59a722ad639c1e3c1ed11b33ea1ddc648cbb0b9b6938960.exe	POST	200	104.21.77.157:443	https://dip.matriculador.digital/	US	text	43 b	malicious

Domain	IP	Reputation
settings-win.data.microsoft.com	57.153.246.3 48.209.138.168	whitelisted
activation-v2.sls.microsoft.com	48.192.1.65	whitelisted
www.bing.com	184.86.251.27 184.86.251.22 184.86.251.19 64.7.118.171 64.7.118.170 64.7.118.179 92.123.104.58 92.123.104.65 92.123.104.54 92.123.104.53 92.123.104.12 92.123.104.52 92.123.104.61 92.123.104.51 92.123.104.66	whitelisted
crl.microsoft.com	23.216.77.28 23.216.77.6	whitelisted
google.com	142.250.154.139 142.250.154.113 142.250.154.138 142.250.154.100 142.250.154.101 142.250.154.102	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
telegram.me	149.154.167.99	whitelisted
dip.matriculador.digital	104.21.77.157 172.67.209.149	unknown
clients2.google.com	142.251.20.138 142.251.20.139 142.251.20.113 142.251.20.102 142.251.20.101 142.251.20.100	whitelisted
safebrowsingohttpgateway.googleapis.com	142.251.110.95 142.251.20.95 142.251.13.95 142.251.127.95 142.250.154.95 142.251.14.95 192.178.183.95	whitelisted

PID	Process	Class	Message
5276	MoUsoCoreWorker.exe	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
5616	powershell.exe	Potentially Bad Traffic	ET INFO PS1 Powershell File Request
5616	powershell.exe	Potentially Bad Traffic	ET HUNTING Generic Powershell Launching Hidden Window
5616	powershell.exe	Potentially Bad Traffic	ET ATTACK_RESPONSE PowerShell NoProfile Command Received In Powershell Stagers
—	—	A Network Trojan was detected	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1
4692	ab28151431a6c9e8a59a722ad639c1e3c1ed11b33ea1ddc648cbb0b9b6938960.exe	A Network Trojan was detected	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1
—	—	Malware Command and Control Activity Detected	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
4692	ab28151431a6c9e8a59a722ad639c1e3c1ed11b33ea1ddc648cbb0b9b6938960.exe	Malware Command and Control Activity Detected	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
—	—	Malware Command and Control Activity Detected	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
4692	ab28151431a6c9e8a59a722ad639c1e3c1ed11b33ea1ddc648cbb0b9b6938960.exe	Malware Command and Control Activity Detected	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Process	Message
chrome.exe	RecursiveDirectoryCreate( C:\Users\admin\AppData\Local directory exists )
msedge.exe	RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\noeUpate directory exists )

General Info

ab28151431a6c9e8a59a722ad639c1e3c1ed11b33ea1ddc648cbb0b9b6938960.exe

814D8CA6614937AFB3ECE9E3AB05D76A

824C0089DE1D85E4259DE989F09D9568B3D869CC

AB28151431A6C9E8A59A722AD639C1E3C1ED11B33EA1DDC648CBB0B9B6938960

1536:iB6mruejWfpHK8d1RZnerVurqWX9sLizoWpCemj7IjUlrPtttEHKq9uFmFpfD7i3:iImrue6fpNdDomKSHPoj3

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes powershell execution policy (Bypass)

Run PowerShell with an invisible window

Downloads the requested resource (POWERSHELL)

Changes settings for real-time protection

Changes settings for sending potential threat samples to Microsoft servers

Changes settings for reporting to Microsoft Active Protection Service (MAPS)

Changes settings for protection against network attacks (IPS)

Changes Controlled Folder Access settings

Adds IP address to the Windows Defender exclusion list

Changes Windows Defender settings

STEALC has been detected (SURICATA)

Actions looks like stealing of personal data

Steals credentials from Web Browsers

VIDAR has been detected (SURICATA)

Creates scheduled task from XML file

LUMMA has been detected (SURICATA)

Uses Task Scheduler to run other applications

AMADEY mutex has been found

LUMMA mutex has been found

AMADEY has been detected (SURICATA)

LUMMA has been detected (YARA)

SUSPICIOUS

Found IP address in command line

The process bypasses the loading of PowerShell profile settings

Probably download files using WebClient

Starts POWERSHELL.EXE for commands execution

The process executes Powershell scripts

Bypass execution policy to execute commands

Starts a new process with hidden mode (POWERSHELL)

Uses sleep to delay execution (POWERSHELL)

Application launched itself

Gets path to any of the special folders (POWERSHELL)

Usage of PowerShell observed

Searches for installed software

Possible stealing from crypto wallets

Possible stealing from password managers

Contacting a server suspected of hosting an CnC

Possible stealing of email data

Browser launch with unusual user-data-dir

Possible stealing from browsers

The process verifies whether the antivirus software is installed

Browser headless start

Possible stealing of FTP data

Possible stealing of cloud data

Starts CMD.EXE for commands execution

The executable file from the user directory is run by the CMD process

Executable content was dropped or overwritten

The process deletes folder without confirmation

Starts CMD.EXE with special quote handling

Starts CMD.EXE with output disabled

Possible stealing from 2fa

Possible stealing from notes

PowerShell delay command usage (probably sleep evasion)

Starts process via Powershell

Downloads file from URI via Powershell

INFO

Reads the computer name

Checks whether the specified file exists (POWERSHELL)

Checks supported languages

Gets a random number, or selects objects randomly from a collection (POWERSHELL)

Create files in a temporary directory

Checks if a key exists in the options dictionary (POWERSHELL)

Reads security settings of Internet Explorer

Reads the machine GUID from the registry

Reads product name

Reads Environment values

Reads CPU info

Application launched itself