File name:	xc83f7d68fa77ba191d01e23878d433e2a894732a20c8aa71e72e82896c7e8da6.exe
Full analysis:	https://app.any.run/tasks/a08b8ba9-2dd2-4c4d-89f3-3c42b22ffa57
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 25, 2026, 06:42:08
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	stealc stealer auto-reg auto clipbanker python amadey botnet pyinstaller openssl tool
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:	7F2BE5C20B45CA6837E3EA60392200D0
SHA1:	0813910F5D43306C7DBE398D2C6DA64D02FE193D
SHA256:	C83F7D68FA77BA191D01E23878D433E2A894732A20C8AA71E72E82896C7E8DA6
SSDEEP:	98304:ymrfIZ4eaYoSfMVIQMu5IK/0CZFdaNoMZqeLnc1ZaDPHUFK/uXbQKn352U0mTZwY:jIQMu5IpgK8bTyYpNUfuthnS94

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2026:04:23 23:30:44+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.5
CodeSize:	49152
InitializedDataSize:	11638784
UninitializedDataSize:	-
EntryPoint:	0x154c
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI


(PID) Process:	(4696) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 23004100430042006C006F0062000000000000000000000001000000FFFFFFFFFFFF9B13
(PID) Process:	(3212) wdhost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	winhost.exe
Value: C:\Users\admin\AppData\Roaming\wdhost.exe
(PID) Process:	(3212) wdhost.exe	Key:	HKEY_CURRENT_USER\Environment
Operation:	write	Name:	UserInitMprLogonScript
Value: "C:\WINDOWS\system32\cmd.exe" /c start /b "" "C:\Users\admin\AppData\Roaming\wdhost.exe"
(PID) Process:	(8156) wmiprv.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Windows Defender Security
Value: C:\Users\admin\AppData\Roaming\wmiprv.exe
(PID) Process:	(6988) shhost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6988) shhost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6988) shhost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(3212) wdhost.exe	Key:	HKEY_CURRENT_USER\Environment
Operation:	write	Name:	UserInitMprLogonScript
Value: "C:\WINDOWS\system32\cmd.exe" /c start /b "" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Services\winhost.exe"
(PID) Process:	(7408) svcx.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Windows Defender Security
Value: C:\Users\admin\AppData\Roaming\svcx.exe
(PID) Process:	(8128) xc83f7d68fa77ba191d01e23878d433e2a894732a20c8aa71e72e82896c7e8da6.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

PID	Process	Filename		Type
8128	xc83f7d68fa77ba191d01e23878d433e2a894732a20c8aa71e72e82896c7e8da6.exe	C:\Users\admin\AppData\Roaming\rssync.exe		executable
		MD5:80E815D62DA2C2A2F2917E876A55BC3E	SHA256:DA0AC1068D9E88C53613CB2CAB84DEDE321E5CD9F356593C4E0124C5C2339C79
3212	wdhost.exe	C:\Users\admin\AppData\Local\Temp\wd.tmp		executable
		MD5:15E7FC24B76E7BB99C368FDEBD13110F	SHA256:F63CDFA3C9792B5E3671C3ECE15871CD3DA22A57C498BD31849954B91F07040F
4696	explorer.exe	C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat		text
		MD5:E49C56350AEDF784BFE00E444B879672	SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
8128	xc83f7d68fa77ba191d01e23878d433e2a894732a20c8aa71e72e82896c7e8da6.exe	C:\Users\admin\AppData\Roaming\wdhost.exe		executable
		MD5:9545E8F1A1900B8899B129839AD17024	SHA256:A38926B27A00B97BB98971CF4C8A538FCC7A4B9BC85CC6F77F4A0ABC036B66AA
8128	xc83f7d68fa77ba191d01e23878d433e2a894732a20c8aa71e72e82896c7e8da6.exe	C:\Users\admin\AppData\Roaming\wmiprv.exe		executable
		MD5:FD4547636601289B5B9C1D713AB01816	SHA256:7B5393D8D7A7A6D1EDF9493EDBBB5F0B037206EE254C47A25530705C75838A62
8128	xc83f7d68fa77ba191d01e23878d433e2a894732a20c8aa71e72e82896c7e8da6.exe	C:\Users\admin\AppData\Roaming\shhost.exe		executable
		MD5:B1ED5BA271AB4CBB5A0C5121DFCE2405	SHA256:0215F734867BD71C57FF5C524D8CC670BE5B4F1861B2C390CF46D18784A53624
3212	wdhost.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Services\winhost.exe		executable
		MD5:9545E8F1A1900B8899B129839AD17024	SHA256:A38926B27A00B97BB98971CF4C8A538FCC7A4B9BC85CC6F77F4A0ABC036B66AA
8128	xc83f7d68fa77ba191d01e23878d433e2a894732a20c8aa71e72e82896c7e8da6.exe	C:\Users\admin\AppData\Roaming\svcx.exe		executable
		MD5:78CCDDA7E2EC038A97079BFD324CB558	SHA256:E9A3C496009714128863CE18CE5F63F9F0D8F233607F04AF77B299F9F1C8BE6C
8128	xc83f7d68fa77ba191d01e23878d433e2a894732a20c8aa71e72e82896c7e8da6.exe	C:\Users\admin\Desktop\NexiloNitroGen.exe		executable
		MD5:E080E0A7B4C5A03B8D509FD03D1E0354	SHA256:B16CAB80EE48AC65466977663CC6B583F0B693D413506AFE1413F3F50C720F61
7576	NexiloNitroGen.exe	C:\Users\admin\AppData\Local\Temp\_MEI75762\VCRUNTIME140.dll		executable
		MD5:862F820C3251E4CA6FC0AC00E4092239	SHA256:36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
680	svchost.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
680	svchost.exe	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
3212	wdhost.exe	POST	200	62.60.226.159:80	http://62.60.226.159/post.php	GB	—	—	unknown
3212	wdhost.exe	POST	200	62.60.226.159:80	http://62.60.226.159/post.php	GB	—	—	unknown
6988	shhost.exe	POST	200	196.251.107.130:80	http://196.251.107.130/16b022998f754137b60a.php	GB	text	64 b	malicious
—	—	POST	500	128.24.231.65:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	xml	512 b	whitelisted
6208	slui.exe	POST	500	128.24.231.64:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	xml	512 b	whitelisted
7364	donym.exe	POST	200	62.60.226.159:80	http://62.60.226.159/xvzpjyddlu/getdata.php	GB	—	—	malicious
3280	svchost.exe	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl	US	binary	813 b	whitelisted
3280	svchost.exe	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	US	binary	400 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
8028	slui.exe	128.24.231.64:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	184.86.251.30:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
680	svchost.exe	23.216.77.6:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
680	svchost.exe	23.52.181.212:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
5276	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
680	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3212	wdhost.exe	62.60.226.159:80	—	FEMOIT	GB	malicious

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.124.78.146	whitelisted
activation-v2.sls.microsoft.com	128.24.231.64	whitelisted
www.bing.com	184.86.251.30 184.86.251.24 184.86.251.15 184.86.251.13 184.86.251.21 184.86.251.20 184.86.251.4 184.86.251.7 184.86.251.14	whitelisted
crl.microsoft.com	23.216.77.6 23.216.77.28	whitelisted
www.microsoft.com	23.52.181.212	whitelisted
google.com	142.251.14.101 142.251.14.138 142.251.14.139 142.251.14.113 142.251.14.102 142.251.14.100	whitelisted
losslvs.surf	93.127.214.44	unknown
self.events.data.microsoft.com	20.189.173.13	whitelisted

PID	Process	Class	Message
3212	wdhost.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 8
6988	shhost.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 44
3212	wdhost.exe	A Network Trojan was detected	ET HUNTING Suspicious Fake Windows User-Agent in HTTP Header
3212	wdhost.exe	A Network Trojan was detected	ET HUNTING Suspicious Fake Windows User-Agent in HTTP Header
7364	donym.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
7364	donym.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Win32/Amadey associated URI (/xvzpjyddlu/getdata.php)
3212	wdhost.exe	A Network Trojan was detected	ET HUNTING Suspicious Fake Windows User-Agent in HTTP Header
3212	wdhost.exe	A Network Trojan was detected	ET HUNTING Suspicious Fake Windows User-Agent in HTTP Header
3212	wdhost.exe	A Network Trojan was detected	ET HUNTING Suspicious Fake Windows User-Agent in HTTP Header
6988	shhost.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Win32/Stealc stealer activity observed

General Info

xc83f7d68fa77ba191d01e23878d433e2a894732a20c8aa71e72e82896c7e8da6.exe

7F2BE5C20B45CA6837E3EA60392200D0

0813910F5D43306C7DBE398D2C6DA64D02FE193D

C83F7D68FA77BA191D01E23878D433E2A894732A20C8AA71E72E82896C7E8DA6

98304:ymrfIZ4eaYoSfMVIQMu5IK/0CZFdaNoMZqeLnc1ZaDPHUFK/uXbQKn352U0mTZwY:jIQMu5IpgK8bTyYpNUfuthnS94

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the login/logoff helper path in the registry

Changes the autorun value in the registry

Runs injected code in another process

CLIPBANKER has been found (auto)

STEALC has been detected

Application was injected by another process

STEALC has been detected (SURICATA)

AMADEY has been detected (SURICATA)

Stealers network behavior

SUSPICIOUS

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Reads the date of Windows installation

The process executes files with name similar to system file names

The process drops C-runtime libraries

Process drops python dynamic module

Application launched itself

Loads Python modules

Starts CMD.EXE for commands execution

OpenSSL has been detected (YARA)

Starts itself from another location

INFO

Creates files or folders in the user directory

Reads security settings of Internet Explorer

The sample compiled with english language support

Reads the computer name

Process checks computer location settings

Checks supported languages

Launching a file from a Registry key

Create files in a temporary directory

Reads product name

Reads Environment values

Manual execution by a user

Reads the machine GUID from the registry

There is functionality for taking screenshot (YARA)

PyInstaller has been detected (YARA)

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events