File name:	db5e1f211e4989246fb82f9eaf04a521be5a6322ae6e8b4d0430fc78139b79cb.exe
Full analysis:	https://app.any.run/tasks/85e12077-0b9a-4cc5-b2c5-fb060411f6d6
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 05, 2024, 04:27:39
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	lumma stealer exfiltration loader stealc amadey botnet themida
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	22855D02FCD9DD28C0C47DEFCD45BAF6
SHA1:	EE0ECF0CC237907E9F8CB835E423B710CCF98B7D
SHA256:	DB5E1F211E4989246FB82F9EAF04A521BE5A6322AE6E8B4D0430FC78139B79CB
SSDEEP:	98304:Un2mXCPJmSSadYa15fYvB2h47Zzl9AqknTIVucsbCeWIVnsom4HCA4PqwBH0rKpH:zj+LJ4fYF/E+QQy0q

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:05:24 22:49:06+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.13
CodeSize:	25600
InitializedDataSize:	5789184
UninitializedDataSize:	-
EntryPoint:	0x6a60
OSVersion:	10
ImageVersion:	10
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	11.0.17763.1
ProductVersionNumber:	11.0.17763.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Win32 Cabinet Self-Extractor
FileVersion:	11.00.17763.1 (WinBuild.160101.0800)
InternalName:	Wextract
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	WEXTRACT.EXE .MUI
ProductName:	Internet Explorer
ProductVersion:	11.00.17763.1


(PID) Process:	(5196) 2l7025.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5196) 2l7025.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5196) 2l7025.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(4080) 3C12L.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(4080) 3C12L.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(4080) 3C12L.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(1172) skotes.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(1172) skotes.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(1172) skotes.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(1172) skotes.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	a792b66409.exe
Value: C:\Users\admin\AppData\Local\Temp\1004017001\a792b66409.exe

PID	Process	Filename		Type
944	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin		—
		MD5:—	SHA256:—
6828	L2n14.exe	C:\Users\admin\AppData\Local\Temp\IXP001.TMP\2l7025.exe		executable
		MD5:94F7FD12C529BC5D28BE7319B857E96B	SHA256:2367242EDE5C10E68FDB4A893D23A8257BBE5E78347E6E24676CBE36139E25EE
6828	L2n14.exe	C:\Users\admin\AppData\Local\Temp\IXP001.TMP\3C12L.exe		executable
		MD5:5C4E5D818A24CB9D69FC18CE0DBBD9BE	SHA256:C2295F41E3E74394823EBC9F99265D4021DE67F36E3C257600D610781E2F4FFB
7020	4e702J.exe	C:\Windows\Tasks\skotes.job		binary
		MD5:C65FE552FEAEAE6FC9F2E2F0C23B3237	SHA256:73F048D4C533ABC101BACAE094A699C862FE6E1794D069455AF8B6ADE1B4E874
944	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json		binary
		MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A	SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
1172	skotes.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\random[1].exe		executable
		MD5:E9FD4BECFD9B49F223D2FD97CFB1902B	SHA256:E76DD541C5CBE86AE033519A325658848102F7F2A0B2B1866EC80BD9F0E8BAC4
944	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.bin		binary
		MD5:C09FF302D57C404B61E6A89B0B9F36E7	SHA256:6A5B4F82595799346D0E501FE6CC8629E0FD6ED27B74D0E6CB5073DDB2E3C40B
6708	db5e1f211e4989246fb82f9eaf04a521be5a6322ae6e8b4d0430fc78139b79cb.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\L2n14.exe		executable
		MD5:9C6484EE43B103F6D28C96CC9DBBE612	SHA256:C676483C04388A44C33648542699CDA4A54048AF8E0FD186E00D76DE5C5E84D3
1172	skotes.exe	C:\Users\admin\AppData\Local\Temp\1004017001\a792b66409.exe		executable
		MD5:E9FD4BECFD9B49F223D2FD97CFB1902B	SHA256:E76DD541C5CBE86AE033519A325658848102F7F2A0B2B1866EC80BD9F0E8BAC4
6708	db5e1f211e4989246fb82f9eaf04a521be5a6322ae6e8b4d0430fc78139b79cb.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\4e702J.exe		executable
		MD5:9D1AA74DAFD0FEEE66682C1D23C0C038	SHA256:646A778B6A1BE550A37A9A2AC948E5DB5CD4A9FF4A2E4956040513EFEFE2D349

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6944	svchost.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3396	RUXIMICS.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3396	RUXIMICS.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5196	2l7025.exe	GET	200	185.215.113.206:80	http://185.215.113.206/	unknown	—	—	malicious
5196	2l7025.exe	GET	200	185.215.113.16:80	http://185.215.113.16/steam/random.exe	unknown	—	—	malicious
4080	3C12L.exe	POST	200	185.215.113.206:80	http://185.215.113.206/6c4adf523b719729.php	unknown	—	—	malicious
4080	3C12L.exe	GET	200	185.215.113.206:80	http://185.215.113.206/	unknown	—	—	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
6944	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3396	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5488	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	92.123.104.38:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6944	svchost.exe	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5488	MoUsoCoreWorker.exe	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3396	RUXIMICS.exe	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6944	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.124.78.146	whitelisted
www.bing.com	92.123.104.38 92.123.104.32 92.123.104.34	whitelisted
google.com	172.217.16.206	whitelisted
crl.microsoft.com	23.216.77.28 23.216.77.6	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
presticitpo.store	—	unknown
crisiwarny.store	—	malicious
fadehairucw.store	—	unknown
thumbystriw.store	—	malicious
necklacedmny.store	—	malicious

PID	Process	Class	Message
2172	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store)
2172	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store)
2172	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store)
2172	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store)
2172	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (founpiuer .store)
2172	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store)
5196	2l7025.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (founpiuer .store in TLS SNI)
—	—	A Network Trojan was detected	ET MALWARE Lumma Stealer Related Activity
—	—	A Network Trojan was detected	ET MALWARE Lumma Stealer CnC Host Checkin
—	—	A Network Trojan was detected	ET MALWARE Lumma Stealer Related Activity M2

Process	Message
2l7025.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
2l7025.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
3C12L.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
4e702J.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
skotes.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
a792b66409.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
113bf88fca.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
577ea44605.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
skotes.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
a792b66409.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------

General Info

db5e1f211e4989246fb82f9eaf04a521be5a6322ae6e8b4d0430fc78139b79cb.exe

22855D02FCD9DD28C0C47DEFCD45BAF6

EE0ECF0CC237907E9F8CB835E423B710CCF98B7D

DB5E1F211E4989246FB82F9EAF04A521BE5A6322AE6E8B4D0430FC78139B79CB

98304:Un2mXCPJmSSadYa15fYvB2h47Zzl9AqknTIVucsbCeWIVnsom4HCA4PqwBH0rKpH:zj+LJ4fYF/E+QQy0q

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

LUMMA has been detected (YARA)

Connects to the CnC server

STEALC has been detected (SURICATA)

LUMMA has been detected (SURICATA)

AMADEY has been detected (SURICATA)

AMADEY has been detected (YARA)

Possible tool for stealing has been detected

SUSPICIOUS

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Executable content was dropped or overwritten

Reads the BIOS version

Connects to the server without a host name

Process requests binary or script from the Internet

Contacting a server suspected of hosting an CnC

Potential Corporate Privacy Violation

Uses TASKKILL.EXE to kill Browsers

Starts itself from another location

The process executes via Task Scheduler

Uses TASKKILL.EXE to kill process

INFO

Create files in a temporary directory

Checks supported languages

Sends debugging messages

Reads the computer name

Reads the software policy settings

Reads the machine GUID from the registry

Themida protector has been detected

Application launched itself

Executable content was dropped or overwritten

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests