File name:	2b862bda2c1965adf06eaf8467fb07c0.exe
Full analysis:	https://app.any.run/tasks/f2fa06ff-907b-4399-9ea0-c55745f81875
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	March 24, 2025, 16:59:26
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer lumma themida opendir loader amadey botnet rdp
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	2B862BDA2C1965ADF06EAF8467FB07C0
SHA1:	732EB40CD8998908E6A052BD4F1B6B12FC159636
SHA256:	C27C8F644F8CA6CECACFC6B590BEF2977B41BE11ED3B8A1B81A7C91BBAA42415
SSDEEP:	98304:00V9MlqczLwah6u+8GJP6oE8hae3ZJjFXtJ+GR+qhwd7XjxlTS4Ue/zwEvpap79q:zpz9

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:03:20 19:41:41+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	311808
InitializedDataSize:	46592
UninitializedDataSize:	-
EntryPoint:	0x301000
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI


(PID) Process:	(4868) rapes.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(4868) rapes.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(4868) rapes.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
5024	3V6XXHV8045LMH5KB.exe	C:\Windows\Tasks\rapes.job		binary
		MD5:AB5DB06F0ED906635793EBCB3B1AC738	SHA256:A0599A413DF9282DBC485BF83DA9622E19C53DB4B6B7B238F9CD8E2DB9EF5E47
5024	3V6XXHV8045LMH5KB.exe	C:\Users\admin\AppData\Local\Temp\bb556cff4a\rapes.exe		executable
		MD5:ABAF63F73723934CB35B5332D5776100	SHA256:A512BAF13D7076E8CE286C510D8B4195B0857339C6E1C1A487A0A74903230532
7804	2b862bda2c1965adf06eaf8467fb07c0.exe	C:\Users\admin\AppData\Local\Temp\3V6XXHV8045LMH5KB.exe		executable
		MD5:ABAF63F73723934CB35B5332D5776100	SHA256:A512BAF13D7076E8CE286C510D8B4195B0857339C6E1C1A487A0A74903230532

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4868	rapes.exe	POST	200	176.113.115.6:80	http://176.113.115.6/Ni9kiput/index.php	unknown	—	—	malicious
7804	2b862bda2c1965adf06eaf8467fb07c0.exe	GET	200	176.113.115.7:80	http://176.113.115.7/mine/random.exe	unknown	—	—	malicious
4868	rapes.exe	POST	200	176.113.115.6:80	http://176.113.115.6/Ni9kiput/index.php	unknown	—	—	malicious
—	—	POST	200	104.21.112.1:443	https://wxayfarer.live/ALosnz	unknown	binary	60 b	malicious
—	—	POST	200	104.21.96.1:443	https://wxayfarer.live/ALosnz	unknown	binary	60 b	malicious
—	—	POST	200	104.21.112.1:443	https://wxayfarer.live/ALosnz	unknown	binary	34.1 Kb	malicious
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	200	104.21.16.1:443	https://wxayfarer.live/ALosnz	unknown	binary	60 b	malicious
—	—	POST	200	104.21.32.1:443	https://wxayfarer.live/ALosnz	unknown	binary	60 b	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7804	2b862bda2c1965adf06eaf8467fb07c0.exe	104.21.64.1:443	wxayfarer.live	CLOUDFLARENET	—	malicious
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7804	2b862bda2c1965adf06eaf8467fb07c0.exe	176.113.115.7:80	—	Red Bytes LLC	RU	malicious
4868	rapes.exe	176.113.115.6:80	—	Red Bytes LLC	RU	malicious
7524	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4408	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158	whitelisted
google.com	142.250.186.78	whitelisted
wxayfarer.live	104.21.64.1 104.21.112.1 104.21.48.1 104.21.32.1 104.21.16.1 104.21.96.1 104.21.80.1	malicious
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

PID	Process	Class	Message
7804	2b862bda2c1965adf06eaf8467fb07c0.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 29
7804	2b862bda2c1965adf06eaf8467fb07c0.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
7804	2b862bda2c1965adf06eaf8467fb07c0.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
7804	2b862bda2c1965adf06eaf8467fb07c0.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
7804	2b862bda2c1965adf06eaf8467fb07c0.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
4868	rapes.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 29
4868	rapes.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
4868	rapes.exe	Malware Command and Control Activity Detected	ET MALWARE Amadey CnC Response
4868	rapes.exe	Malware Command and Control Activity Detected	ET MALWARE Amadey CnC Response

General Info

2b862bda2c1965adf06eaf8467fb07c0.exe

2B862BDA2C1965ADF06EAF8467FB07C0

732EB40CD8998908E6A052BD4F1B6B12FC159636

C27C8F644F8CA6CECACFC6B590BEF2977B41BE11ED3B8A1B81A7C91BBAA42415

98304:00V9MlqczLwah6u+8GJP6oE8hae3ZJjFXtJ+GR+qhwd7XjxlTS4Ue/zwEvpap79q:zpz9

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

LUMMA mutex has been found

Steals credentials from Web Browsers

Actions looks like stealing of personal data

AMADEY mutex has been found

AMADEY has been detected (SURICATA)

Connects to the CnC server

AMADEY has been detected (YARA)

SUSPICIOUS

Reads the BIOS version

Potential Corporate Privacy Violation

Process requests binary or script from the Internet

Executable content was dropped or overwritten

Searches for installed software

Connects to the server without a host name

Reads security settings of Internet Explorer

Starts itself from another location

Contacting a server suspected of hosting an CnC

There is functionality for enable RDP (YARA)

The process executes via Task Scheduler

INFO

Reads the computer name

Checks supported languages

Reads the machine GUID from the registry

Themida protector has been detected

Create files in a temporary directory

Reads the software policy settings

Process checks computer location settings

Checks proxy server information

Malware configuration

Amadey

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Malware configuration

Amadey

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings