File name: 423d31c445f4f1b659e88a21e588d5c96910e86c6f40ea271201fbb55d40f39d.zip

Full analysis: https://app.any.run/tasks/8bdc7163-2b9f-4204-a608-886a55c5c0f7
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Analysis date: January 10, 2025, 21:52:48
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: auto, amadey, arch-exec, botnet, stealer, loader, lumma, telegram, stealc, cryptbot, credentialflusher, gcleaner, generic, autoit, themida, arch-doc, redline, metastealer, python
Indicators:
MIME: application/zip
File info: Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5: A512F9E9CC528ECB91EFB5D4FE0A7D61
SHA1: F74BA40BB098ACD18A3AD20350C815660D1C6E4C
SHA256: BAA29B024B81CB4F53301765CC0B390E087AF829AD6F404726AA26E9D79AA7AA
SSDEEP: 98304:LzEbp3HXF9V63UtzofkZ5T8JpGD4AM1uk/zH8yjrGP5eiJ+k3CdmamMAWPKMdksT:chW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 5628)
    • AMADEY has been found (auto)

      • WinRAR.exe (PID: 5628)
      • 423d31c445f4f1b659e88a21e588d5c96910e86c6f40ea271201fbb55d40f39d.exe (PID: 6832)
    • AMADEY mutex has been found

      • 423d31c445f4f1b659e88a21e588d5c96910e86c6f40ea271201fbb55d40f39d.exe (PID: 6832)
      • skotes.exe (PID: 6988)
      • 4add842157.exe (PID: 3680)
      • axplong.exe (PID: 5240)
      • 9951e44dc3.exe (PID: 3032)
      • S0BN1R0H0XKO5U3AX723.exe (PID: 8384)
      • skotes.exe (PID: 9628)
      • axplong.exe (PID: 9620)
    • Connects to the CnC server

      • skotes.exe (PID: 6988)
      • axplong.exe (PID: 5240)
      • 1e47c9e0f5.exe (PID: 6500)
      • svchost.exe (PID: 2192)
      • 4c07665b1a.exe (PID: 7760)
      • JU580DTKK55D70ECK8L2SIRU.exe (PID: 8200)
      • msedge.exe (PID: 7356)
      • e43b75b85c.exe (PID: 6316)
    • AMADEY has been detected (SURICATA)

      • skotes.exe (PID: 6988)
      • axplong.exe (PID: 5240)
    • LUMMA mutex has been found

      • p6QawnP.exe (PID: 1684)
      • 0878f3a676.exe (PID: 5308)
      • 559836d6ec.exe (PID: 628)
      • 6ff1c48559.exe (PID: 7408)
    • StealC has been detected

      • 1e47c9e0f5.exe (PID: 6500)
      • 4c07665b1a.exe (PID: 7760)
      • JU580DTKK55D70ECK8L2SIRU.exe (PID: 8200)
    • Steals credentials from Web Browsers

      • p6QawnP.exe (PID: 1684)
      • 0878f3a676.exe (PID: 5308)
      • 559836d6ec.exe (PID: 628)
      • 6ff1c48559.exe (PID: 7408)
      • d173aaff2c.exe (PID: 9200)
      • BitLockerToGo.exe (PID: 9996)
    • Actions looks like stealing of personal data

      • p6QawnP.exe (PID: 1684)
      • 1e47c9e0f5.exe (PID: 6500)
      • wTahOob.exe (PID: 6576)
      • 559836d6ec.exe (PID: 628)
      • 0878f3a676.exe (PID: 5308)
      • 6ff1c48559.exe (PID: 7408)
      • d173aaff2c.exe (PID: 9200)
      • BitLockerToGo.exe (PID: 9996)
      • 98611be704.exe (PID: 9880)
      • 123b830ae4.exe (PID: 8332)
      • 823ed1cb69.exe (PID: 9664)
      • e43b75b85c.exe (PID: 6316)
    • STEALC has been detected (SURICATA)

      • 1e47c9e0f5.exe (PID: 6500)
      • 4c07665b1a.exe (PID: 7760)
      • JU580DTKK55D70ECK8L2SIRU.exe (PID: 8200)
    • Changes the autorun value in the registry

      • axplong.exe (PID: 5240)
      • skotes.exe (PID: 6988)
      • reg.exe (PID: 9932)
    • CRYPTBOT mutex has been found

      • 05716c07bb.exe (PID: 3696)
    • AMADEY has been detected (YARA)

      • skotes.exe (PID: 6988)
      • axplong.exe (PID: 5240)
    • Possible tool for stealing has been detected

      • ce386e843e.exe (PID: 7896)
      • firefox.exe (PID: 2148)
    • GCLEANER has been detected (SURICATA)

      • 559836d6ec.exe (PID: 1140)
      • cd2d7612de.exe (PID: 7176)
    • Executing a file with an untrusted certificate

      • 96b65865d1.exe (PID: 8236)
      • 96b65865d1.exe (PID: 8664)
      • 50158ed5f6.exe (PID: 7852)
    • GENERIC has been found (auto)

      • 1e47c9e0f5.exe (PID: 6500)
    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2192)
      • msedge.exe (PID: 7356)
    • STEALC has been detected (YARA)

      • 1e47c9e0f5.exe (PID: 6500)
    • Dynamically loads an assembly (POWERSHELL)

      • AutoIt3_x64.exe (PID: 8752)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 9532)
      • 98611be704.exe (PID: 9880)
      • 123b830ae4.exe (PID: 8332)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 9516)
      • powershell.exe (PID: 8720)
      • powershell.exe (PID: 6240)
    • UAC/LUA settings modification

      • reg.exe (PID: 8652)
    • Adds path to the Windows Defender exclusion list

      • d173aaff2c.exe (PID: 9200)
      • cmd.exe (PID: 9260)
      • cmd.exe (PID: 9168)
    • METASTEALER has been detected (SURICATA)

      • e43b75b85c.exe (PID: 6316)
    • REDLINE has been detected (SURICATA)

      • e43b75b85c.exe (PID: 6316)
    • Stealers network behavior

      • e43b75b85c.exe (PID: 6316)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 5628)
      • 423d31c445f4f1b659e88a21e588d5c96910e86c6f40ea271201fbb55d40f39d.exe (PID: 6832)
      • skotes.exe (PID: 6988)
      • 4add842157.exe (PID: 3680)
      • 1e47c9e0f5.exe (PID: 6500)
      • axplong.exe (PID: 5240)
      • wTahOob.exe (PID: 6576)
      • 96b65865d1.exe (PID: 8236)
      • AutoIt3_x64.exe (PID: 8752)
      • 4c07665b1a.exe (PID: 7760)
      • JU580DTKK55D70ECK8L2SIRU.exe (PID: 8200)
      • 50158ed5f6.exe (PID: 7852)
      • f8dd12f54d.exe (PID: 9960)
      • BitLockerToGo.exe (PID: 6356)
    • Reads the BIOS version

      • 423d31c445f4f1b659e88a21e588d5c96910e86c6f40ea271201fbb55d40f39d.exe (PID: 6832)
      • skotes.exe (PID: 6988)
      • 4add842157.exe (PID: 3680)
      • axplong.exe (PID: 5240)
      • wTahOob.exe (PID: 6576)
      • 1e47c9e0f5.exe (PID: 6500)
      • 9951e44dc3.exe (PID: 3032)
      • 559836d6ec.exe (PID: 1140)
      • 559836d6ec.exe (PID: 628)
      • 0878f3a676.exe (PID: 5308)
      • 528ee1a4ce.exe (PID: 7240)
      • cd2d7612de.exe (PID: 7176)
      • 6ff1c48559.exe (PID: 7408)
      • skotes.exe (PID: 9628)
      • axplong.exe (PID: 9620)
      • f8dd12f54d.exe (PID: 9960)
      • e43b75b85c.exe (PID: 6316)
      • axplong.exe (PID: 6984)
      • axplong.exe (PID: 6796)
    • Starts itself from another location

      • 423d31c445f4f1b659e88a21e588d5c96910e86c6f40ea271201fbb55d40f39d.exe (PID: 6832)
      • 4add842157.exe (PID: 3680)
      • O7JDGpK.exe (PID: 7488)
    • Executable content was dropped or overwritten

      • 423d31c445f4f1b659e88a21e588d5c96910e86c6f40ea271201fbb55d40f39d.exe (PID: 6832)
      • skotes.exe (PID: 6988)
      • 4add842157.exe (PID: 3680)
      • axplong.exe (PID: 5240)
      • 0878f3a676.exe (PID: 5308)
      • O7JDGpK.exe (PID: 7488)
      • 1e47c9e0f5.exe (PID: 6500)
      • 96b65865d1.exe (PID: 8664)
      • 559836d6ec.exe (PID: 1140)
      • cd2d7612de.exe (PID: 7176)
      • d173aaff2c.exe (PID: 2216)
      • csc.exe (PID: 9828)
      • d173aaff2c.exe (PID: 9200)
      • python-installer.exe (PID: 8316)
      • python-installer.exe (PID: 2728)
      • python.exe (PID: 9584)
    • Contacting a server suspected of hosting an CnC

      • skotes.exe (PID: 6988)
      • axplong.exe (PID: 5240)
      • 1e47c9e0f5.exe (PID: 6500)
      • svchost.exe (PID: 2192)
      • 4c07665b1a.exe (PID: 7760)
      • JU580DTKK55D70ECK8L2SIRU.exe (PID: 8200)
      • msedge.exe (PID: 7356)
    • Process requests binary or script from the Internet

      • skotes.exe (PID: 6988)
      • axplong.exe (PID: 5240)
      • 1e47c9e0f5.exe (PID: 6500)
      • 0878f3a676.exe (PID: 5308)
    • Potential Corporate Privacy Violation

      • skotes.exe (PID: 6988)
      • axplong.exe (PID: 5240)
      • 1e47c9e0f5.exe (PID: 6500)
      • 0878f3a676.exe (PID: 5308)
      • 559836d6ec.exe (PID: 1140)
      • cd2d7612de.exe (PID: 7176)
    • Connects to the server without a host name

      • skotes.exe (PID: 6988)
      • axplong.exe (PID: 5240)
      • 1e47c9e0f5.exe (PID: 6500)
      • 0878f3a676.exe (PID: 5308)
      • 559836d6ec.exe (PID: 1140)
      • cd2d7612de.exe (PID: 7176)
      • 4c07665b1a.exe (PID: 7760)
      • JU580DTKK55D70ECK8L2SIRU.exe (PID: 8200)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • wTahOob.exe (PID: 6576)
      • f8dd12f54d.exe (PID: 9960)
      • BitLockerToGo.exe (PID: 6356)
    • Windows Defender mutex has been found

      • 1e47c9e0f5.exe (PID: 6500)
      • 4c07665b1a.exe (PID: 7760)
      • JU580DTKK55D70ECK8L2SIRU.exe (PID: 8200)
    • Checks Windows Trust Settings

      • wTahOob.exe (PID: 6576)
      • AutoIt3_x64.exe (PID: 8752)
      • msiexec.exe (PID: 9284)
      • skotes.exe (PID: 6988)
      • f8dd12f54d.exe (PID: 9960)
      • BitLockerToGo.exe (PID: 6356)
    • Searches for installed software

      • 1e47c9e0f5.exe (PID: 6500)
      • p6QawnP.exe (PID: 1684)
      • wTahOob.exe (PID: 6576)
      • 05716c07bb.exe (PID: 3696)
      • 0878f3a676.exe (PID: 5308)
      • python-installer.exe (PID: 2728)
    • Uses TASKKILL.EXE to kill Browsers

      • ce386e843e.exe (PID: 7896)
    • Uses TASKKILL.EXE to kill process

      • ce386e843e.exe (PID: 7896)
    • The process drops Mozilla's DLL files

      • 1e47c9e0f5.exe (PID: 6500)
    • Process drops legitimate windows executable

      • 1e47c9e0f5.exe (PID: 6500)
      • 96b65865d1.exe (PID: 8664)
      • python-installer.exe (PID: 2728)
      • skotes.exe (PID: 6988)
      • msiexec.exe (PID: 9284)
    • The process drops C-runtime libraries

      • 1e47c9e0f5.exe (PID: 6500)
      • python-installer.exe (PID: 2728)
      • msiexec.exe (PID: 9284)
    • Reads the date of Windows installation

      • 96b65865d1.exe (PID: 8236)
    • Application launched itself

      • 96b65865d1.exe (PID: 8236)
      • 823ed1cb69.exe (PID: 6284)
      • cmd.exe (PID: 5728)
      • python.exe (PID: 9920)
    • Starts the AutoIt3 executable file

      • 96b65865d1.exe (PID: 8664)
      • cmd.exe (PID: 5728)
    • Executes application which crashes

      • 1e47c9e0f5.exe (PID: 6500)
      • 559836d6ec.exe (PID: 1140)
      • cd2d7612de.exe (PID: 7176)
      • 823ed1cb69.exe (PID: 6284)
    • The process executes via Task Scheduler

      • axplong.exe (PID: 9620)
      • skotes.exe (PID: 9628)
      • skotes.exe (PID: 6976)
      • axplong.exe (PID: 6984)
      • skotes.exe (PID: 6476)
      • axplong.exe (PID: 6796)
      • skotes.exe (PID: 8116)
      • axplong.exe (PID: 8100)
    • Executing commands from ".cmd" file

      • 96b65865d1.exe (PID: 8664)
      • 50158ed5f6.exe (PID: 7852)
    • Starts CMD.EXE for commands execution

      • 96b65865d1.exe (PID: 8664)
      • d173aaff2c.exe (PID: 2216)
      • d173aaff2c.exe (PID: 9200)
      • 50158ed5f6.exe (PID: 7852)
      • cmd.exe (PID: 5728)
      • wTahOob.exe (PID: 6576)
      • BitLockerToGo.exe (PID: 6356)
    • Uses base64 encoding (POWERSHELL)

      • AutoIt3_x64.exe (PID: 8752)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 9332)
      • cmd.exe (PID: 9532)
      • cmd.exe (PID: 4076)
      • cmd.exe (PID: 7896)
      • cmd.exe (PID: 9260)
      • cmd.exe (PID: 9168)
      • 98611be704.exe (PID: 9880)
      • 123b830ae4.exe (PID: 8332)
    • Starts process via Powershell

      • powershell.exe (PID: 9460)
    • The process executes Powershell scripts

      • cmd.exe (PID: 9532)
      • 98611be704.exe (PID: 9880)
      • 123b830ae4.exe (PID: 8332)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 9828)
    • Get information on the list of running processes

      • d173aaff2c.exe (PID: 9200)
      • cmd.exe (PID: 9700)
      • cmd.exe (PID: 8616)
      • cmd.exe (PID: 5728)
    • Uses WMIC.EXE to obtain physical disk drive information

      • cmd.exe (PID: 9884)
      • cmd.exe (PID: 9288)
    • Cryptography encrypted command line is found

      • cmd.exe (PID: 4076)
      • powershell.exe (PID: 7716)
      • cmd.exe (PID: 7896)
      • powershell.exe (PID: 9104)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 7636)
      • cmd.exe (PID: 9472)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 9260)
      • cmd.exe (PID: 9168)
    • Uses WMIC.EXE to obtain data on the base board management (motherboard or system board)

      • cmd.exe (PID: 10052)
      • cmd.exe (PID: 4468)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 7872)
      • cmd.exe (PID: 7000)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 10120)
      • WMIC.exe (PID: 4672)
    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 10084)
    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 10140)
    • Accesses computer name via WMI (SCRIPT)

      • WMIC.exe (PID: 10084)
    • Uses WMIC.EXE to obtain memory chip information

      • cmd.exe (PID: 4976)
    • Uses WMIC.EXE to obtain CPU information

      • cmd.exe (PID: 7760)
    • Connects to unusual port

      • e43b75b85c.exe (PID: 6316)
    • Loads Python modules

      • python-installer.exe (PID: 2728)
    • Starts a Microsoft application from unusual location

      • 823ed1cb69.exe (PID: 6284)
      • 823ed1cb69.exe (PID: 9380)
      • 823ed1cb69.exe (PID: 9664)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 9284)
    • Process drops python dynamic module

      • msiexec.exe (PID: 9284)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 5728)
    • Starts application with an unusual extension

      • cmd.exe (PID: 5728)
    • The executable file from the user directory is run by the CMD process

      • Thu.com (PID: 1612)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 3864)
      • cmd.exe (PID: 6316)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 5628)
      • firefox.exe (PID: 1020)
      • msiexec.exe (PID: 9284)
    • Sends debugging messages

      • 423d31c445f4f1b659e88a21e588d5c96910e86c6f40ea271201fbb55d40f39d.exe (PID: 6832)
      • skotes.exe (PID: 6988)
      • 4add842157.exe (PID: 3680)
      • axplong.exe (PID: 5240)
      • 1e47c9e0f5.exe (PID: 6500)
      • wTahOob.exe (PID: 6576)
      • 9951e44dc3.exe (PID: 3032)
      • 559836d6ec.exe (PID: 628)
      • 559836d6ec.exe (PID: 1140)
      • 0878f3a676.exe (PID: 5308)
      • 4c07665b1a.exe (PID: 7760)
      • 05716c07bb.exe (PID: 3696)
      • 528ee1a4ce.exe (PID: 7240)
      • cd2d7612de.exe (PID: 7176)
      • JU580DTKK55D70ECK8L2SIRU.exe (PID: 8200)
      • S0BN1R0H0XKO5U3AX723.exe (PID: 8384)
      • 6ff1c48559.exe (PID: 7408)
      • skotes.exe (PID: 9628)
      • axplong.exe (PID: 9620)
      • f8dd12f54d.exe (PID: 9960)
      • e43b75b85c.exe (PID: 6316)
      • 123b830ae4.exe (PID: 8332)
    • Checks supported languages

      • 423d31c445f4f1b659e88a21e588d5c96910e86c6f40ea271201fbb55d40f39d.exe (PID: 6832)
      • skotes.exe (PID: 6988)
      • p6QawnP.exe (PID: 1684)
      • 4add842157.exe (PID: 3680)
      • wTahOob.exe (PID: 6576)
      • 1e47c9e0f5.exe (PID: 6500)
      • 9951e44dc3.exe (PID: 3032)
      • axplong.exe (PID: 5240)
      • 559836d6ec.exe (PID: 628)
      • 559836d6ec.exe (PID: 1140)
      • 05716c07bb.exe (PID: 3696)
      • 0878f3a676.exe (PID: 5308)
      • ce386e843e.exe (PID: 7896)
      • S0BN1R0H0XKO5U3AX723.exe (PID: 8384)
      • JU580DTKK55D70ECK8L2SIRU.exe (PID: 8200)
      • il73gIbwAcMT.exe (PID: 7464)
      • 6ff1c48559.exe (PID: 7408)
      • 96b65865d1.exe (PID: 8236)
      • 43533fef59.exe (PID: 9092)
      • 1a4ced42a1.exe (PID: 8464)
      • axplong.exe (PID: 9620)
      • skotes.exe (PID: 9628)
      • AutoIt3_x64.exe (PID: 8752)
      • d173aaff2c.exe (PID: 2216)
      • f804901c2d.exe (PID: 5980)
      • d173aaff2c.exe (PID: 9200)
      • csc.exe (PID: 9828)
      • cvtres.exe (PID: 9848)
      • b56a7c4993.exe (PID: 8208)
      • ae273868cb.exe (PID: 6896)
      • f8dd12f54d.exe (PID: 9960)
      • 98611be704.exe (PID: 9880)
      • 50158ed5f6.exe (PID: 7852)
      • BitLockerToGo.exe (PID: 9996)
      • 638d919cfc.exe (PID: 8284)
      • e43b75b85c.exe (PID: 6316)
      • 123b830ae4.exe (PID: 8332)
      • msiexec.exe (PID: 9284)
      • 823ed1cb69.exe (PID: 6284)
      • BitLockerToGo.exe (PID: 6356)
      • skotes.exe (PID: 6976)
      • extrac32.exe (PID: 1064)
      • axplong.exe (PID: 6796)
      • skotes.exe (PID: 8116)
      • msiexec.exe (PID: 1856)
      • python.exe (PID: 9920)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 5628)
      • 423d31c445f4f1b659e88a21e588d5c96910e86c6f40ea271201fbb55d40f39d.exe (PID: 6832)
      • 4add842157.exe (PID: 3680)
      • axplong.exe (PID: 5240)
      • skotes.exe (PID: 6988)
      • 96b65865d1.exe (PID: 8664)
    • Reads the computer name

      • 423d31c445f4f1b659e88a21e588d5c96910e86c6f40ea271201fbb55d40f39d.exe (PID: 6832)
      • skotes.exe (PID: 6988)
      • 4add842157.exe (PID: 3680)
      • p6QawnP.exe (PID: 1684)
      • axplong.exe (PID: 5240)
      • wTahOob.exe (PID: 6576)
      • 1e47c9e0f5.exe (PID: 6500)
      • 559836d6ec.exe (PID: 628)
      • 05716c07bb.exe (PID: 3696)
      • 0878f3a676.exe (PID: 5308)
      • 4c07665b1a.exe (PID: 7760)
      • ce386e843e.exe (PID: 7896)
      • 559836d6ec.exe (PID: 1140)
      • il73gIbwAcMT.exe (PID: 7464)
      • 96b65865d1.exe (PID: 8236)
      • 1a4ced42a1.exe (PID: 8464)
      • d173aaff2c.exe (PID: 2216)
      • d173aaff2c.exe (PID: 9200)
      • 50158ed5f6.exe (PID: 7852)
      • 98611be704.exe (PID: 9880)
      • BitLockerToGo.exe (PID: 9996)
      • e43b75b85c.exe (PID: 6316)
      • 123b830ae4.exe (PID: 8332)
      • BitLockerToGo.exe (PID: 6356)
      • Thu.com (PID: 1612)
      • msiexec.exe (PID: 1856)
      • python.exe (PID: 9584)
      • python.exe (PID: 9920)
    • Process checks computer location settings

      • 423d31c445f4f1b659e88a21e588d5c96910e86c6f40ea271201fbb55d40f39d.exe (PID: 6832)
      • skotes.exe (PID: 6988)
      • 4add842157.exe (PID: 3680)
      • axplong.exe (PID: 5240)
      • 96b65865d1.exe (PID: 8236)
      • d173aaff2c.exe (PID: 2216)
      • d173aaff2c.exe (PID: 9200)
      • 50158ed5f6.exe (PID: 7852)
      • BitLockerToGo.exe (PID: 6356)
    • Create files in a temporary directory

      • 423d31c445f4f1b659e88a21e588d5c96910e86c6f40ea271201fbb55d40f39d.exe (PID: 6832)
      • skotes.exe (PID: 6988)
      • 4add842157.exe (PID: 3680)
      • axplong.exe (PID: 5240)
      • 0878f3a676.exe (PID: 5308)
      • 96b65865d1.exe (PID: 8664)
      • AutoIt3_x64.exe (PID: 8752)
      • 559836d6ec.exe (PID: 1140)
      • d173aaff2c.exe (PID: 2216)
      • d173aaff2c.exe (PID: 9200)
      • csc.exe (PID: 9828)
      • python-installer.exe (PID: 2728)
    • Checks proxy server information

      • skotes.exe (PID: 6988)
      • axplong.exe (PID: 5240)
      • 1e47c9e0f5.exe (PID: 6500)
      • wTahOob.exe (PID: 6576)
      • 559836d6ec.exe (PID: 1140)
      • cd2d7612de.exe (PID: 7176)
      • WerFault.exe (PID: 9168)
      • 4c07665b1a.exe (PID: 7760)
      • WerFault.exe (PID: 9600)
      • f8dd12f54d.exe (PID: 9960)
      • BitLockerToGo.exe (PID: 6356)
    • Creates files or folders in the user directory

      • skotes.exe (PID: 6988)
      • 1e47c9e0f5.exe (PID: 6500)
      • wTahOob.exe (PID: 6576)
      • axplong.exe (PID: 5240)
      • 559836d6ec.exe (PID: 1140)
      • cd2d7612de.exe (PID: 7176)
      • WerFault.exe (PID: 9168)
      • JU580DTKK55D70ECK8L2SIRU.exe (PID: 8200)
      • d173aaff2c.exe (PID: 9200)
      • 50158ed5f6.exe (PID: 7852)
      • msiexec.exe (PID: 9284)
    • Reads the software policy settings

      • p6QawnP.exe (PID: 1684)
      • wTahOob.exe (PID: 6576)
      • 559836d6ec.exe (PID: 628)
      • 0878f3a676.exe (PID: 5308)
      • 6ff1c48559.exe (PID: 7408)
      • WerFault.exe (PID: 9168)
      • WerFault.exe (PID: 10080)
      • WerFault.exe (PID: 6268)
      • msiexec.exe (PID: 9284)
      • 823ed1cb69.exe (PID: 9664)
      • skotes.exe (PID: 6988)
      • 123b830ae4.exe (PID: 8332)
      • BitLockerToGo.exe (PID: 8988)
      • BitLockerToGo.exe (PID: 6356)
      • ae273868cb.exe (PID: 6896)
    • Reads the machine GUID from the registry

      • wTahOob.exe (PID: 6576)
      • 05716c07bb.exe (PID: 3696)
      • 559836d6ec.exe (PID: 1140)
      • cd2d7612de.exe (PID: 7176)
      • AutoIt3_x64.exe (PID: 8752)
      • csc.exe (PID: 9828)
      • e43b75b85c.exe (PID: 6316)
      • python-installer.exe (PID: 2728)
      • msiexec.exe (PID: 9284)
      • skotes.exe (PID: 6988)
      • f8dd12f54d.exe (PID: 9960)
      • BitLockerToGo.exe (PID: 6356)
    • Reads product name

      • 1e47c9e0f5.exe (PID: 6500)
      • wTahOob.exe (PID: 6576)
      • d173aaff2c.exe (PID: 9200)
      • f8dd12f54d.exe (PID: 9960)
    • Reads CPU info

      • 1e47c9e0f5.exe (PID: 6500)
      • wTahOob.exe (PID: 6576)
    • Reads Environment values

      • 1e47c9e0f5.exe (PID: 6500)
      • wTahOob.exe (PID: 6576)
      • AutoIt3_x64.exe (PID: 8752)
      • d173aaff2c.exe (PID: 9200)
      • f8dd12f54d.exe (PID: 9960)
    • The sample compiled with english language support

      • 1e47c9e0f5.exe (PID: 6500)
      • skotes.exe (PID: 6988)
      • 96b65865d1.exe (PID: 8664)
      • python-installer.exe (PID: 8316)
      • d173aaff2c.exe (PID: 9200)
      • python-installer.exe (PID: 2728)
      • msiexec.exe (PID: 9284)
      • python.exe (PID: 9584)
    • The sample compiled with czech language support

      • axplong.exe (PID: 5240)
      • skotes.exe (PID: 6988)
    • Application launched itself

      • chrome.exe (PID: 3540)
      • chrome.exe (PID: 7628)
      • msedge.exe (PID: 8016)
      • firefox.exe (PID: 2148)
      • firefox.exe (PID: 1020)
      • chrome.exe (PID: 7672)
      • msedge.exe (PID: 8932)
      • chrome.exe (PID: 9852)
      • msedge.exe (PID: 9724)
    • Themida protector has been detected

      • skotes.exe (PID: 6988)
      • axplong.exe (PID: 5240)
      • wTahOob.exe (PID: 6576)
      • 1e47c9e0f5.exe (PID: 6500)
      • 559836d6ec.exe (PID: 1140)
      • cd2d7612de.exe (PID: 7176)
    • Creates files in the program directory

      • wTahOob.exe (PID: 6576)
      • 1e47c9e0f5.exe (PID: 6500)
      • d173aaff2c.exe (PID: 9200)
    • Reads mouse settings

      • AutoIt3_x64.exe (PID: 8752)
    • Checks whether the specified file exists (POWERSHELL)

      • AutoIt3_x64.exe (PID: 8752)
    • The executable file from the user directory is run by the Powershell process

      • d173aaff2c.exe (PID: 9200)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 9736)
      • WMIC.exe (PID: 10120)
      • WMIC.exe (PID: 10048)
      • WMIC.exe (PID: 6476)
      • WMIC.exe (PID: 2976)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 9644)
      • powershell.exe (PID: 8996)
      • powershell.exe (PID: 8720)
      • powershell.exe (PID: 6240)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 9644)
      • powershell.exe (PID: 8996)
    • Displays MAC addresses of computer network adapters

      • getmac.exe (PID: 2496)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 9284)
    • Creates a new folder

      • cmd.exe (PID: 2220)
    • Python executable

      • python.exe (PID: 9920)
      • python.exe (PID: 9584)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: 423d31c445f4f1b659e88a21e588d5c96910e86c6f40ea271201fbb55d40f39d.exe
ZipUncompressedSize: 3013632
ZipCompressedSize: 1812567
ZipCRC: 0x5104bca8
ZipModifyDate: 2024:12:14 05:15:18
ZipCompression: Unknown (99)
ZipBitFlag: 0x0003
ZipRequiredVersion: 51
No data.
All screenshots are available in the full report
Total processes: 354
Monitored processes: 213
Malicious processes: 45
Suspicious processes: 12

Behavior graph

start #AMADEY winrar.exe #AMADEY 423d31c445f4f1b659e88a21e588d5c96910e86c6f40ea271201fbb55d40f39d.exe #AMADEY skotes.exe #LUMMA p6qawnp.exe 4add842157.exe #AMADEY axplong.exe wtahoob.exe #STEALC 1e47c9e0f5.exe 9951e44dc3.exe #GCLEANER 559836d6ec.exe #LUMMA 559836d6ec.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs #CRYPTBOT 05716c07bb.exe #LUMMA 0878f3a676.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs #STEALC 4c07665b1a.exe #CREDENTIALFLUSHER ce386e843e.exe no specs taskkill.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs taskkill.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs 528ee1a4ce.exe taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs #CREDENTIALFLUSHER firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs #GCLEANER cd2d7612de.exe firefox.exe no specs chrome.exe chrome.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs #STEALC ju580dtkk55d70eck8l2siru.exe s0bn1r0h0xko5u3ax723.exe 1a4ced42a1.exe o7jdgpk.exe no specs chrome.exe no specs o7jdgpk.exe il73gibwacmt.exe #LUMMA 6ff1c48559.exe 96b65865d1.exe no specs 96b65865d1.exe autoit3_x64.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs #LUMMA msedge.exe msedge.exe no specs 43533fef59.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs werfault.exe #LUMMA svchost.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs axplong.exe skotes.exe cmd.exe no specs conhost.exe no specs werfault.exe d173aaff2c.exe conhost.exe no specs werfault.exe cmd.exe no specs powershell.exe 
no specs d173aaff2c.exe f804901c2d.exe no specs conhost.exe no specs cmd.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs 98611be704.exe cmd.exe no specs cmd.exe no specs tasklist.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs tasklist.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs b56a7c4993.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs powershell.exe no specs reg.exe ae273868cb.exe cmd.exe no specs powershell.exe no specs f8dd12f54d.exe bitlockertogo.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs wmic.exe no specs 50158ed5f6.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs #METASTEALER e43b75b85c.exe cmd.exe no specs getmac.exe no specs 638d919cfc.exe no specs python-installer.exe 123b830ae4.exe python-installer.exe powershell.exe no specs conhost.exe no specs msiexec.exe bitlockertogo.exe 823ed1cb69.exe conhost.exe no specs 823ed1cb69.exe no specs 823ed1cb69.exe werfault.exe powershell.exe no specs conhost.exe no specs axplong.exe skotes.exe bitlockertogo.exe tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs extrac32.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs thu.com choice.exe no specs skotes.exe no specs axplong.exe no specs cmd.exe no specs conhost.exe no specs timeout.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs