File name:	Setup.exe
Full analysis:	https://app.any.run/tasks/ad2f7f42-6c9f-4157-94bf-698161e6dbe3
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	June 12, 2024, 20:15:21
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	lumma hijackloader loader stealer exfiltration miner amadey botnet xmrig
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	CF6D8ED410DD3CA38FC9ED02D44DAFF1
SHA1:	85D0BEF448DBE4711C23327DD80A05B6F80EBCA6
SHA256:	C9A9E7B788E7E9147DBDB52DF63A71EAD448B86FEE5D4E7EBD52BC08167E1511
SSDEEP:	98304:j+cD4dnWUZsdIStSfe/jvwjFOJN4jbFAoO1wLwaLFm2h4/ooR6/4PqzaG4TwVDi2:7RCQtoMMQgZ

.exe	\|	Inno Setup installer (51.8)
.exe	\|	InstallShield setup (20.3)
.exe	\|	Win32 EXE PECompact compressed (generic) (19.6)
.dll	\|	Win32 Dynamic Link Library (generic) (3.1)
.exe	\|	Win32 Executable (generic) (2.1)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:02:15 14:54:16+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	741888
InitializedDataSize:	48640
UninitializedDataSize:	-
EntryPoint:	0xb5eec
OSVersion:	6
ImageVersion:	6
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	4.2131.88.1
ProductVersionNumber:	4.2131.88.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:
FileDescription:	UN_Writer Setup
FileVersion:	4.2131.88.1
LegalCopyright:
OriginalFileName:
ProductName:	UN_Writer
ProductVersion:	4.2131.88.1


(PID) Process:	(3592) Setup.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Owner
Value: 080E00005445F74705BDDA01
(PID) Process:	(3592) Setup.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	SessionHash
Value: 8F31286E110F9AB0732293465EDF049EA02B8BFED82AE0F06D20F0C859FEEDC2
(PID) Process:	(3592) Setup.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Sequence
Value: 1
(PID) Process:	(3592) Setup.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(3592) Setup.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(3592) Setup.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(3592) Setup.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(3592) Setup.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	delete value	Name:	Sequence
Value:
(PID) Process:	(3592) Setup.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	delete value	Name:	SessionHash
Value: ㆏渨༑낚≳䚓�鸄⮠ﺋ⫘⁭죰﹙십
(PID) Process:	(3592) Setup.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	delete value	Name:	Owner
Value: จ

PID	Process	Filename		Type
5720	comp.exe	C:\Users\admin\AppData\Local\Temp\kcndbk		—
		MD5:—	SHA256:—
3592	Setup.tmp	C:\Users\admin\AppData\Local\Temp\is-H33VI.tmp\_isetup\_setup64.tmp		executable
		MD5:E4211D6D009757C078A9FAC7FF4F03D4	SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
4360	Setup.exe	C:\Users\admin\AppData\Local\Temp\is-G8G6V.tmp\Setup.tmp		executable
		MD5:74D1ED8EC351C94F7788CF548162E292	SHA256:62BBBE03B6C4A600FAD73D2301668C0056C02EFDB3987196A76C1EC3AB8F71B0
4140	Setup.tmp	C:\Users\admin\AppData\Local\Temp\is-S7QUQ.tmp\_isetup\_iscrypt.dll		executable
		MD5:A69559718AB506675E907FE49DEB71E9	SHA256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
4140	Setup.tmp	C:\Users\admin\AppData\Local\UN_Writer\config\tdrfyg.rar		compressed
		MD5:2AEFE05B99CEA70AF791E87BFF66D92B	SHA256:E1FC1E36130998C6024ED553AF45A4B2672520E881B5C35AF00799E91A60E6BF
1720	identity_helper.exe	C:\Users\admin\AppData\Roaming\UploadMon\bistro.txt		binary
		MD5:9EECE5CE9AAB4DBE80C1C3D44C728F5E	SHA256:4B91F45EF006660953D2C71DB41336F9CBEBCDF68FC6074631E72406533C7B15
4140	Setup.tmp	C:\Users\admin\AppData\Local\Temp\is-S7QUQ.tmp\_isetup\_setup64.tmp		executable
		MD5:E4211D6D009757C078A9FAC7FF4F03D4	SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
4140	Setup.tmp	C:\Users\admin\AppData\Local\UN_Writer\config\is-6U9EQ.tmp		compressed
		MD5:2AEFE05B99CEA70AF791E87BFF66D92B	SHA256:E1FC1E36130998C6024ED553AF45A4B2672520E881B5C35AF00799E91A60E6BF
4140	Setup.tmp	C:\Users\admin\AppData\Local\Temp\is-S7QUQ.tmp\is-7NOQ0.tmp		executable
		MD5:98CCD44353F7BC5BAD1BC6BA9AE0CD68	SHA256:E51021F6CB20EFBD2169F2A2DA10CE1ABCA58B4F5F30FBF4BAE931E4ECAAC99B
4500	UnRAR.exe	C:\Users\admin\AppData\Local\UN_Writer\config\bistro.txt		binary
		MD5:9EECE5CE9AAB4DBE80C1C3D44C728F5E	SHA256:4B91F45EF006660953D2C71DB41336F9CBEBCDF68FC6074631E72406533C7B15

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5952	svchost.exe	GET	200	2.16.164.106:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
3652	explorer.exe	POST	200	45.152.112.146:80	http://proresupdate.com/h9fmdW5/index.php	unknown	—	—	unknown
5140	MoUsoCoreWorker.exe	GET	200	2.16.164.106:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
5256	RUXIMICS.exe	GET	200	2.16.164.106:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
5952	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
2920	MSBuild.exe	POST	200	135.181.22.88:80	http://135.181.22.88/COCACOLA.php	unknown	—	—	unknown
—	—	POST	—	null:443	https://specialadventurousw.shop/api	unknown	—	—	—
—	—	POST	200	null:443	https://specialadventurousw.shop/api	unknown	text	16 b	—
—	—	POST	200	null:443	https://specialadventurousw.shop/api	unknown	text	16 b	—
—	—	POST	200	null:443	https://specialadventurousw.shop/api	unknown	—	16 b	—

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	unknown
5952	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4364	svchost.exe	239.255.255.250:1900	—	—	—	unknown
5256	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5140	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5952	svchost.exe	2.16.164.106:80	crl.microsoft.com	Akamai International B.V.	NL	unknown
5256	RUXIMICS.exe	2.16.164.106:80	crl.microsoft.com	Akamai International B.V.	NL	unknown
5140	MoUsoCoreWorker.exe	2.16.164.106:80	crl.microsoft.com	Akamai International B.V.	NL	unknown
5952	svchost.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5456	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
crl.microsoft.com	2.16.164.106 2.16.164.72	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
settings-win.data.microsoft.com	4.231.128.59	whitelisted
specialadventurousw.shop	172.67.193.197 104.21.90.30	malicious
businessdownloads.ltd	104.21.16.123 172.67.212.123	unknown
i.imgur.com	199.232.192.193 199.232.196.193	shared
self.events.data.microsoft.com	20.189.173.2	whitelisted
proresupdate.com	45.152.112.146	unknown

PID	Process	Class	Message
5180	coml.au3	A Network Trojan was detected	STEALER [ANY.RUN] Lumma Stealer TLS Connection
2184	svchost.exe	A Network Trojan was detected	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (specialadventurousw .shop)
5180	coml.au3	A Network Trojan was detected	ET MALWARE Observed Lumma Stealer Domain (specialadventurousw .shop) in TLS SNI
—	—	A Network Trojan was detected	ET MALWARE Lumma Stealer Related Activity
—	—	Malware Command and Control Activity Detected	STEALER [ANY.RUN] Win32/Lumma Stealer Check-In
—	—	A Network Trojan was detected	ET MALWARE Lumma Stealer Related Activity M2
—	—	Malware Command and Control Activity Detected	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
—	—	Malware Command and Control Activity Detected	STEALER [ANY.RUN] Win32/Lumma Stealer Exfiltration
5180	coml.au3	A Network Trojan was detected	ET MALWARE Observed Lumma Stealer Domain (specialadventurousw .shop) in TLS SNI
5180	coml.au3	A Network Trojan was detected	ET MALWARE Observed Lumma Stealer Domain (specialadventurousw .shop) in TLS SNI

General Info

Setup.exe

CF6D8ED410DD3CA38FC9ED02D44DAFF1

85D0BEF448DBE4711C23327DD80A05B6F80EBCA6

C9A9E7B788E7E9147DBDB52DF63A71EAD448B86FEE5D4E7EBD52BC08167E1511

98304:j+cD4dnWUZsdIStSfe/jvwjFOJN4jbFAoO1wLwaLFm2h4/ooR6/4PqzaG4TwVDi2:7RCQtoMMQgZ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

LUMMA has been detected (YARA)

HIJACKLOADER has been detected (YARA)

LUMMA has been detected (SURICATA)

Actions looks like stealing of personal data

Connects to the CnC server

AMADEY has been detected (YARA)

AMADEY has been detected (SURICATA)

XMRIG has been detected (YARA)

SUSPICIOUS

Executable content was dropped or overwritten

Reads the Windows owner or organization settings

Reads security settings of Internet Explorer

Reads the date of Windows installation

Creates file in the systems drive root

Process drops legitimate windows executable

Starts application with an unusual extension

Starts itself from another location

The executable file from the user directory is run by the CMD process

Starts CMD.EXE for commands execution

Searches for installed software

Potential Corporate Privacy Violation

Connects to unusual port

Connects to the server without a host name

Contacting a server suspected of hosting an CnC

Crypto Currency Mining Activity Detected

INFO

Create files in a temporary directory

Checks supported languages

Reads the computer name

Process checks computer location settings

Creates files or folders in the user directory

Drops the executable file immediately after the start

Reads the machine GUID from the registry

Reads the software policy settings

Reads security settings of Internet Explorer

Checks proxy server information

Reads Environment values

Disables trace logs

Creates files in the program directory

Malware configuration

Lumma

Amadey

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules