| File name: | amt.exe |
| Full analysis: | https://app.any.run/tasks/5fdf0455-5111-4afa-96da-0f9f3fad4166 |
| Verdict: | Malicious activity |
| Threats: | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. |
| Analysis date: | April 08, 2025, 05:41:58 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections |
| MD5: | 6F30426A8392938A2D3B2471DA2ED5A9 |
| SHA1: | F12973BEFB4D51D1453AB8C4C6F5AEFB44C8B6C9 |
| SHA256: | D390C4D0A52BA577A76397B908CD1B0E1855FCE236171CEF091487B5967142CD |
| SSDEEP: | 98304:i3FW99pamy16jY3YJa39155dEPKcKlSwMs7BdbPrGEoFPx+p0/oMlPULcY7hzDt/:Ny166D77QNpamk |
MALICIOUS
HIJACKLOADER has been detected (YARA)
- amt.exe (PID: 1616)
AMADEY has been detected (SURICATA)
- explorer.exe (PID: 728)
AMADEY has been detected (YARA)
- explorer.exe (PID: 728)
SUSPICIOUS
Starts application with an unusual extension
- amt.exe (PID: 1616)
Contacting a server suspected of hosting an CnC
- explorer.exe (PID: 728)
Connects to the server without a host name
- explorer.exe (PID: 728)
There is functionality for enable RDP (YARA)
- explorer.exe (PID: 728)
There is functionality for taking screenshot (YARA)
- explorer.exe (PID: 728)
INFO
Checks supported languages
- amt.exe (PID: 1616)
- more.com (PID: 1244)
The sample compiled with english language support
- amt.exe (PID: 1616)
Reads the computer name
- amt.exe (PID: 1616)
- more.com (PID: 1244)
Create files in a temporary directory
- amt.exe (PID: 1616)
- more.com (PID: 1244)
Compiled with Borland Delphi (YARA)
- amt.exe (PID: 1616)
Checks proxy server information
- explorer.exe (PID: 728)
- slui.exe (PID: 6192)
Reads security settings of Internet Explorer
- explorer.exe (PID: 728)
Reads the software policy settings
- slui.exe (PID: 6192)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Amadey
(PID) Process(728) explorer.exe
C262.60.226.15
URLhttp://62.60.226.15/8fj482jd9/index.php
Version5.10
Options
Drop directoryf39a3c5206
Drop nameGxtuum.exe
Strings (125)pc:
\App
2022
&unit=
rb
id:
Norton
------
http://
" && ren
2016
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
00000419
--
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
st=s
0123456789
5.10
Comodo
msi
Panda Security
SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Doctor Web
/Plugins/
-unicode-
:::
&&
|
DefaultSettings.YResolution
dm:
------
Main
ar:
cmd /C RMDIR /s/q
SOFTWARE\Microsoft\Windows NT\CurrentVersion
&& Exit"
rundll32
Content-Disposition: form-data; name="data"; filename="
<c>
/quiet
=
2019
<d>
Kaspersky Lab
cred.dll|clip.dll|
ps1
%-lu
un:
kernel32.dll
DefaultSettings.XResolution
ESET
WinDefender
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Powershell.exe
?scr=1
.jpg
ProductName
shutdown -s -t 0
random
Gxtuum.exe
POST
bi:
zip
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Programs
/8fj482jd9/index.php
Sophos
r=
AVG
%USERPROFILE%
og:
cmd
rundll32.exe
Bitdefender
+++
exe
f39a3c5206
cred.dll
62.60.226.15
lv:
VideoID
S-%lu-
e2
d1
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
ProgramData\
sd:
GetNativeSystemInfo
360TotalSecurity
os:
\0000
Avira
abcdefghijklmnopqrstuvwxyz0123456789-_
-%lu
AVAST Software
-executionpolicy remotesigned -File "
SYSTEM\ControlSet001\Services\BasicDisplay\Video
e1
wb
" && timeout 1 && del
av:
dll
/k
"taskkill /f /im "
ComputerName
Startup
CurrentBuild
2025
00000423
GET
#
\
Content-Type: multipart/form-data; boundary=----
https://
"
vs:
"
Content-Type: application/octet-stream
Content-Type: application/x-www-form-urlencoded
Rem
0000043f
shell32.dll
Keyboard Layout\Preload
e3
00000422
clip.dll
TRiD
| .exe | | | Win32 Executable (generic) (42.6) |
|---|---|---|
| .exe | | | Win16/32 Executable Delphi generic (19.5) |
| .exe | | | Generic Win/DOS Executable (18.9) |
| .exe | | | DOS Executable Generic (18.9) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:10:31 20:19:20+00:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, Large address aware, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 5609472 |
| InitializedDataSize: | 2740224 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x55a61c |
| OSVersion: | 5 |
| ImageVersion: | - |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 2.0.0.6775 |
| ProductVersionNumber: | 2.0.0.6775 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Cfx.re |
| FileDescription: | RedM |
| InternalName: | RedM |
| FileVersion: | 2.0.0.6775 |
| LegalCopyright: | (C) 2015-2022 Cfx.re |
| OriginalFileName: | CitizenMP.exe |
| ProductName: | RedM |
| ProductVersion: | 2.0.0.6775 |
Total processes
128
Monitored processes
5
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 728 | C:\WINDOWS\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe | more.com | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 10.0.19041.3758 (WinBuild.160101.0800) Modules
Amadey(PID) Process(728) explorer.exe C262.60.226.15 URLhttp://62.60.226.15/8fj482jd9/index.php Version5.10 Options Drop directoryf39a3c5206 Drop nameGxtuum.exe Strings (125)pc: \App 2022 &unit= rb id: Norton ------ http:// " && ren 2016 SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders 00000419 -- SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName st=s 0123456789 5.10 Comodo msi Panda Security SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\ Doctor Web /Plugins/ -unicode- ::: && | DefaultSettings.YResolution dm: ------ Main ar: cmd /C RMDIR /s/q SOFTWARE\Microsoft\Windows NT\CurrentVersion && Exit" rundll32 Content-Disposition: form-data; name="data"; filename=" <c> /quiet = 2019 <d> Kaspersky Lab cred.dll|clip.dll| ps1 %-lu un: kernel32.dll DefaultSettings.XResolution ESET WinDefender SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Powershell.exe ?scr=1 .jpg ProductName shutdown -s -t 0 random Gxtuum.exe POST bi: zip SOFTWARE\Microsoft\Windows\CurrentVersion\Run Programs /8fj482jd9/index.php Sophos r= AVG %USERPROFILE% og: cmd rundll32.exe Bitdefender +++ exe f39a3c5206 cred.dll 62.60.226.15 lv: VideoID S-%lu- e2 d1 SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ProgramData\ sd: GetNativeSystemInfo 360TotalSecurity os: \0000 Avira abcdefghijklmnopqrstuvwxyz0123456789-_ -%lu AVAST Software -executionpolicy remotesigned -File " SYSTEM\ControlSet001\Services\BasicDisplay\Video e1 wb " && timeout 1 && del av: dll /k "taskkill /f /im " ComputerName Startup CurrentBuild 2025 00000423 GET # \ Content-Type: multipart/form-data; boundary=---- https:// " vs: "
Content-Type: application/octet-stream Content-Type: application/x-www-form-urlencoded Rem 0000043f shell32.dll Keyboard Layout\Preload e3 00000422 clip.dll | |||||||||||||||
| 1244 | C:\WINDOWS\SysWOW64\more.com | C:\Windows\SysWOW64\more.com | — | amt.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: More Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1616 | "C:\Users\admin\Desktop\amt.exe" | C:\Users\admin\Desktop\amt.exe | explorer.exe | ||||||||||||
User: admin Company: Cfx.re Integrity Level: MEDIUM Description: RedM Exit code: 1 Version: 2.0.0.6775 Modules
| |||||||||||||||
| 6192 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6388 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | more.com | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
3 810
Read events
3 807
Write events
3
Delete events
0
Modification events
| (PID) Process: | (728) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (728) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (728) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
Executable files
0
Suspicious files
1
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1244 | more.com | C:\Users\admin\AppData\Local\Temp\yhirvht | — | |
MD5:— | SHA256:— | |||
| 1616 | amt.exe | C:\Users\admin\AppData\Local\Temp\ed151e76 | image | |
MD5:D2AC740E7F02D1857D23CC613D2A3015 | SHA256:B820EC17CFC9EEC57CABAA1B6E79173A5E6EF6BC0FDF0B456EC943E02BCA4D5F | |||
| 1616 | amt.exe | C:\Users\admin\AppData\Local\Temp\ed3833df | binary | |
MD5:3EA2C501708F03256D7325F88D4049D3 | SHA256:209FF14CE4B1AB9BAF5CA9996D56D720F8E2EF27CA15A2F03CC9684CB038EDE3 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
25
TCP/UDP connections
56
DNS requests
16
Threats
2
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
2104 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 304 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | — |
6676 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
6676 | SIHClient.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | — | — | whitelisted |
6676 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
6676 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
728 | explorer.exe | POST | — | 62.60.226.15:80 | http://62.60.226.15/8fj482jd9/index.php | unknown | — | — | malicious |
6676 | SIHClient.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | — | — | whitelisted |
6676 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 40.126.31.73:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
6544 | svchost.exe | 40.126.31.73:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
2104 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
3216 | svchost.exe | 172.211.123.250:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | FR | unknown |
2112 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
728 | explorer.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 6 |
728 | explorer.exe | Malware Command and Control Activity Detected | BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s) |